Unlocking Cost Savings and Security: Migrating MongoDB to AWS Graviton with Encryption
A few months ago, our team faced an exciting opportunity: reducing cloud costs by migrating our MongoDB workloads from x86-based EC2 instances to ARM-powered AWS Graviton instances. The challenge? Our existing setup relied on Bitnami’s MongoDB marketplace solution, which only supported x86_64 architecture. This meant I had to manually install MongoDB on Graviton, ensure its reliability, and later, tackle a crucial oversight — encryption for data in transit and at rest.
This journey not only optimized our infrastructure but also reinforced our security posture. Here’s how I navigated the migration, the technical roadblocks I overcame, and the lessons learned.
Phase 1: Building a Custom MongoDB AMI for Graviton
Challenge:
Bitnami’s MongoDB AMI did not support ARM-based EC2 instances, requiring a fresh installation of MongoDB from binaries.
Solution:
- Set Up a New EC2 Instance — I launched an Amazon Linux 2 Graviton instance.
- Installed MongoDB from Binary — MongoDB doesn’t provide ARM-native RPMs, so I manually downloaded and installed the necessary binaries.
- Created a Custom AMI — Once I had a working MongoDB setup, I built an AMI, enabling easy replication across multiple instances.
✅ Outcome: Successfully launched MongoDB on AWS Graviton instances, cutting costs without sacrificing performance.
Phase 2: Strengthening Security with TLS Encryption
Challenge:
After migrating, we realized our MongoDB connections lacked encryption, making data vulnerable in transit.
Solution:
- Generated TLS Certificates — Using OpenSSL, I created a certificate authority (CA) and signed certificates.
- Configured MongoDB for TLS — I updated mongod.conf to enforce TLS using the generated certificates.
- Stored Certificates Securely — Instead of managing certificates manually, I used AWS Parameter Store for secure storage and retrieval.
✅ Outcome: Implemented TLS encryption, ensuring all client-server communications were secure.
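As an added illustration (not the post's own configuration or code), here is a small stdlib-only Python check that flags net.tls settings in mongod.conf that would still let connections through unencrypted or unverified, shown against a weak and a hardened block; the certificate paths are assumed placeholders.

```python
# Added example, not the post's code: stdlib-only audit of the net.tls block in
# mongod.conf via a minimal parser for its indented "key: value" layout.
# The sample configs below are constructed; the certificate paths are placeholders.
def parse_conf(text):
    root = {}
    stack = [(-1, root)]  # (indent, section) for each open nested section
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        key, _, value = raw.strip().partition(":")
        while indent <= stack[-1][0]:  # a dedent closes deeper sections
            stack.pop()
        parent = stack[-1][1]
        if value.strip():
            parent[key] = value.strip()
        else:  # a bare "key:" opens a nested section
            parent[key] = {}
            stack.append((indent, parent[key]))
    return root

def audit_tls(conf_text):
    """Return findings that weaken transport encryption; [] means acceptable."""
    tls = parse_conf(conf_text).get("net", {}).get("tls", {})
    findings = []
    if tls.get("mode") != "requireTLS":
        findings.append(f"net.tls.mode={tls.get('mode', 'unset')}: plaintext connections still accepted")
    if "certificateKeyFile" not in tls:
        findings.append("net.tls.certificateKeyFile missing: mongod has no server certificate")
    if "CAFile" not in tls:
        findings.append("net.tls.CAFile missing: peer certificates are not validated")
    for flag in ("allowInvalidCertificates", "allowInvalidHostnames"):
        if tls.get(flag) == "true":
            findings.append(f"net.tls.{flag}=true: certificate checks disabled")
    return findings

WEAK_CONF = """\
net:
  tls:
    mode: allowTLS
    certificateKeyFile: /etc/ssl/mongodb.pem
    allowInvalidCertificates: true
"""
HARDENED_CONF = """\
net:
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongodb.pem
    CAFile: /etc/ssl/mongodb-ca.crt
"""
```

Running audit_tls over your live mongod.conf before restarting mongod catches a block that was written but never actually switched to requireTLS.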
Phase 3: Ensuring Data at Rest Encryption
Challenge:
MongoDB Community Edition doesn’t support at-rest encryption. Moving to the Enterprise Edition wasn’t feasible, as we were already transitioning to AWS RDS PostgreSQL.
Solution:
- Leveraged AWS EBS Encryption — Since EBS offers seamless at-rest encryption using AWS KMS, I encrypted all MongoDB volumes.
- Recreated Encrypted Volumes — I created new encrypted EBS volumes and migrated the MongoDB data.
- Verified Encryption — Ensured the data was fully encrypted at rest with minimal performance overhead.
✅ Outcome: Achieved at-rest encryption without the need for an expensive MongoDB Enterprise license.
Key Takeaways
- Graviton Adoption Lowers Costs — Switching from x86 to Graviton led to significant cost savings with no impact on performance.
- Security Enhancements Are Non-Negotiable — TLS for in-transit encryption and EBS for at-rest encryption are critical for protecting sensitive data.
- Research and Adaptability Matter — Solving infrastructure challenges requires diving deep into documentation, testing multiple solutions, and leveraging AWS-native services.
Final Thoughts
This project reinforced my ability to navigate complex migrations, improve security posture, and optimize cloud costs. More importantly, it was a testament to problem-solving in a real-world production environment.