
I followed the instructions here to set up an SSH tunnel to connect externally: https://docs.aws.amazon.com/documentdb/latest/developerguide/connect-from-outside-a-vpc.html

Once I have the tunnel established, I CAN connect using the GUI clients Robomongo and "Studio 3T". So that verifies that the EC2 machine does have access and my SSH tunnel is working.

But despite that, Node.js is not happy with the connection. I am getting one of 2 errors depending on my config.

config 1:

const fs = require('fs');
const { MongoClient } = require('mongodb'); // 3.x driver (useUnifiedTopology)

// localhost:27017 is the local end of the SSH tunnel to the DocumentDB cluster
const url = 'mongodb://root:some-password@localhost:27017?ssl=true&replicaSet=rs0&readPreference=secondaryPreferred';
const ca = [fs.readFileSync('./rds-combined-ca-bundle.pem')];
const options = {
    sslValidate: false, // you will see why in the next config
    sslCA: ca,
    useNewUrlParser: true,
    useUnifiedTopology: true,
};
const client = new MongoClient(url, options);

After several seconds I get:

(node:7640) UnhandledPromiseRejectionWarning: MongoServerSelectionError: connect ENETUNREACH 172.31.26.210:27017
    at Timeout._onTimeout (/Volumes/foo/source/node_modules/mongodb/lib/core/sdam/topology.js:430:30)
    at listOnTimeout (internal/timers.js:549:17)
    at processTimers (internal/timers.js:492:7)

config 2:

const fs = require('fs');
const { MongoClient } = require('mongodb'); // 3.x driver (useUnifiedTopology)

// same tunnel endpoint and URI as config 1
const url = 'mongodb://root:some-password@localhost:27017?ssl=true&replicaSet=rs0&readPreference=secondaryPreferred';
const ca = [fs.readFileSync('./rds-combined-ca-bundle.pem')];
const options = {
    sslValidate: true, // now this is true
    sslCA: ca,
    useNewUrlParser: true,
    useUnifiedTopology: true,
};
const client = new MongoClient(url, options);

After several seconds I get:

(node:7682) UnhandledPromiseRejectionWarning: MongoServerSelectionError: Hostname/IP does not match certificate's altnames: Host: localhost. is not in the cert's altnames: DNS:docdb-2020-07-14-23-38-05.cluster-cpapk5zw6fa0.us-west-2.docdb.amazonaws.com, DNS:docdb-2020-07-14-23-38-05.cluster-ro-cpapk5zw6fa0.us-west-2.docdb.amazonaws.com, DNS:docdb-2020-07-14-23-38-05.cpapk5zw6fa0.us-west-2.docdb.amazonaws.com
    at Timeout._onTimeout (/Volumes/foo/source/node_modules/mongodb/lib/core/sdam/topology.js:430:30)
    at listOnTimeout (internal/timers.js:549:17)
    at processTimers (internal/timers.js:492:7)

Answers

You cannot connect to a replica set deployment through a tunnel, since the driver will (try to re)connect to the hostnames specified in the replica set configuration as soon as it receives a response from any of the replica set members.

You can connect through a tunnel in single topology. Remove the replicaSet URI option from your URI. Naturally this only gives you a connection to the specified node; you don't get automatic failover, etc.
