Skip to main content
Version: 52.0.0

Using a9s MongoDB

This topic describes how to use a9s MongoDB.

Use a9s MongoDB with an Application

To use a9s MongoDB with an application, create a Service Instance and bind the Service Instance to your application. For more information on managing Service Instances, see Managing Service Instances with the cf CLI.

View the a9s MongoDB Service

After the service is installed, you can see the a9s-mongodb and its service plans appear in your CF marketplace. Run cf marketplace to see the service listing:

$ cf marketplace
Getting services from marketplace in org test / space test as admin...
service plans description
a9s-mongodb mongodb-single-small, mongodb-cluster-small, This is the anynines MongoDB 7.0 service SSPL.
mongodb-single-big, mongodb-cluster-big

Create a Service Instance

To provision a MongoDB database, run cf create-service. For example:

cf create-service a9s-mongodb mongodb-single-small my-mongodb-service

Depending on your infrastructure and service broker utilization, it may take several minutes to create the Service Instance.

Run the cf services command to view the creation status. This command displays a list of all your Service Instances. To view the status of a specific Service Instance, run cf service NAME-OF-YOUR-SERVICE.

Bind an Application to a Service Instance

After your database is created, run cf bind-service to bind the service to your application:

cf bind-service a9s-mongodb-app my-mongodb-service

Restage or Restart Your Application

To enable your application to access the Service Instance, run cf restage or cf restart to restage or restart your application.

Obtain Service Instance Access Credentials

After a Service Instance is bound to an application, the credentials of your MongoDB database are stored in the environment variables of the application. Run cf env APP-NAME to display the environment variables.

You can find the credentials in the VCAP_SERVICES key.

$ cf env a9s-mongodb-app
Getting env variables for app a9s-mongodb-app in org test / space test as admin...

"a9s-mongodb": [
"credentials": {
"default_database": "d22906",
"hosts": [
"password": "EXAMPLE-PASSWORD",
"uri": "EXAMPLE-URI",
"username": "EXAMPLE-USERNAME"
"label": "a9s-mongodb",
"name": "my-mongodb-service",
"plan": "mongodb-single-small",
"tags": [
"document store",
"eventual consistent"

You can use the host, username and password values to connect to your database with a MongoDB client.

Best Practices

There are some best practices for using service binding information in apps in a separate document.

Delete an a9s MongoDB Service Instance


Before deleting a Service Instance, you must backup data stored in your database. This operation cannot be undone and all the data is lost when the service is deleted.

Before you can delete a Service Instance, you must unbind it from all apps.

List Available Services

Run cf services to list your available services.

$ cf services

Getting services in org test / space test as admin...

name service plan bound apps last operation
my-mongodb-service a9s-mongodb mongodb-single-small a9s-mongodb-app create succeeded

This example shows that my-mongodb-service is bound to the a9s-mongodb-app application.

Unbind a Service Instance

Run cf unbind-service to unbind the service from your application.

cf unbind-service a9s-mongodb-app my-mongodb-service

Delete a Service Instance

After unbinding the service, it is no longer bound to an application. Run cf delete-service to delete the service:

cf delete-service my-mongodb-service

It may take several minutes to delete the service. Deleting a service deprovisions the corresponding infrastructure resources.

Run the cf services command to view the deletion status.

Upgrade the Service Instance to another Service Plan

Once created, you can upgrade your Service Instance to another, larger service plan. A larger service plan provides more CPU, RAM and storage. For more information, see the Update a Service Instance of the Managing Service Instances with the cf CLI topic.

cf update-service my-mongodb-service -p a-bigger-plan

Add a Graphite Endpoint


Streaming of logs and metrics might not be available for your plan! If unsure, please check your plan description.

If you want to monitor your service with Graphite, you can set the custom parameter graphite. It expects the host and port where the Graphite metrics should be sent to.

For example, in order to send Graphite metrics to an endpoint, you can use the following command:

cf update-service my-instance -c '{ "graphite": "" }'

The endpoint would then receive metrics in the format:

<service_guid>.<service_type>.<host>.<metric> <metric_value> <metric_timestamp>

Metrics Frequency

By default, metrics will be emitted every 10 seconds. You can change the interval via the custom parameter metrics_frequency.

For example, in order to send Graphite metrics to an endpoint every minute, you would set the custom parameter metrics_frequency to 60 using the following command:

cf update-service my-instance -c '{  "metrics_frequency": 60 }'

For replica set service instances, we suggest using smaller values for metrics_frequency to obtain finer-grained information regarding replication lag. Note that using very small values can generate a huge amount of metrics data.

Metrics Prefix

Depending on your graphite provider, you might need to prefix the metrics with a certain value, like an API key for example. In this case you can leverage the custom parameter metrics_prefix.

cf update-service my-instance -c '{  "metrics_prefix": "my-api-key-for-a-certain-provider" }'

The resulting metric path would have the format:


Metric Groups

Group NameDescription
memoryMemory Information
assertsError Handling Information
networkNetwork Information
replicasReplication Information
replica setsNode-specific replication information
commandsCommands information
errorsErrors information
connectionsConnection information
locksConcurrency Information
opcountersDatabase operations counters
oplatenciesDatabase operation latencies

The metric groups listed above are available both in a9s MongoDB 5.0 and a9s MongoDB 7.0. However, small differences exist between the two versions. We highlight those differences when applicable.

Metric Group Patterns

Each metric group has a set of patterns that describe the metrics contained in each group.


A document that reports on the system architecture of the mongod and current memory use.

MongoDB Documentation


A document that reports on the number of assertions raised since the MongoDB process started. While assert errors are typically uncommon, if there are non-zero values for the asserts, you should examine the log file for more information. In many cases, these errors are trivial, but are worth investigating.

MongoDB Documentation


A document that reports data on MongoDB's network use. These statistics measure ingress connections only, specifically the traffic seen by the mongod or mongos over network connections initiated by clients or other mongod or mongos instances. Traffic from network connections initiated by this instance (i.e. egress connections) is not measured in these statistics.

MongoDB Documentation


In addition, in a9s MongoDB 7.0 we have the following network metrics from the metrics group:


A document that reports on the replica set configuration.

MongoDB Documentation


For the *.*.mongodb.*.*.*.*.metrics.repl.stateTransition.lastStateTransition metric we use the following encoding:

MongoDB Valuea9s Value
Replica Sets

In addition to these global replication metrics, we also provide metrics for each node in a cluster. The format for these metrics is slightly different as it accounts for the names of each specific node and the names of the replica-sets, as assigned by MongoDB. Note that these metrics are made available only when when the current host is part of a replica set.

The overall format is

<service_guid>.mongodb.<host>.<node>.<space>.<domain>.replSet.<replica_set>.<target_node>.<metric> <metric_value> <metric_timestamp>

As an example, metrics could look like this: 1.0 1709920512

The <node> part indicates the node in which the metrics are collected. The <target_node> indicates the node for which the metric is collected. This distinction is important when trying to interpret the metric names because in specific nodes we can only obtain certain metrics w.r.t. other nodes.

The metrics listed below are obtained in each node, for each of the nodes in a replica set.


The first metrics in the list above are not followed by any <target_node> value, because these provide information about the current node only. Specifically, the primary and secondary metrics take boolean values to indicate whether the current node has a Primary or Secondary status in the replica set.

In case the node has neither status, the myState metric is informative. The values of this latter metric correspond to Mongo's Replica States.

Below, we list the collected metrics. Note that some of them behave differently depending on the role of the node (i.e., Primary or Secondary) in which the collection takes place.


The lag metric denotes the replication lag between the current node and the <target_node>. This metric is reported for all other nodes in the replica set if the current node is a Primary. However, if the current node is a Secondary, it will report this metric only for itself in relation to the other nodes in the set. Note that some caveats may apply for the lag metric. In particular, if there is a partition in the cluster, the nodes might not be able to communicate with each other to the point that they are not able to infer the replication lag.

From a Primary's perspective, the lag will be reported as -1 for each node that is not reachable/healthy.

From a Secondary's perspective, the lag that is reported will be -1 only if this node is _isolated_, i.e. none of the other nodes are reachable/healthy. If any of the other nodes is reachable, the lag will be calculated based on the state of the current node and the other healthy node(s).

Similarly, the seconds_since_last_contact is reported for all other nodes if the current node is a Primary. This is also the case if the current node is a Secondary. In cases of partitions, the value of this metric will keep increasing.

Note that our definition of healthy coincides with a state value of 1 (primary) or 2 (secondary). If the nodes enter any other states they are in a non-healthy state like recovering or doing startup, for more information see Replica States.


A document that reports on the use of database commands. The fields in metrics.commands are the names of database commands. For each command, the serverStatus reports the total number of executions and the number of failed executions.

MongoDB Documentation

*.*.mongodb.*.*.*.*.metrics.commands.create.validator.jsonSchema 0
*.*.mongodb.*.*.*.*.metrics.commands.collMod.validator.jsonSchema 0
*.*.mongodb.*.*.*.*.metrics.commands.aggregate.allowDiskUseTrue 0

Note that the list above is based on the metrics offered by a9s MongoDB 5.0. In a9s MongoDB 7.0 the following metrics are not offered anymore:


A document that reports on getLastError use.

MongoDB Documentation


A document that reports on the status of the connections. Use these values to assess the current load and capacity requirements of the server.

MongoDB Documentation


In a9s MongoDB 7.0, we also provide the following:

Operation Counters

A document that reports on database operations by type since the mongod instance last started. These numbers will grow over time until the next restart. Analyze these values over time to track database utilization.

MongoDB Documentation

Operation Latencies

A document that reports on the latencies of certain database operations. The operation types listed here should be interpreted alongside the ones in the previous section.

MongoDB Documentation


The queryableEncryptionLatencyMicros metric is only available in a9s MongoDB 7.0.


A document that reports on concurrency operations such as the acquiring of locks. These metrics can be useful to see the modes of operations and whether there is high contention for certain operations. These metrics are only available in a9s MongoDB 7.0.

MongoDB Documentation


The lock modes reported by the metrics above are described below:

Lock ModeLock TypeDescription
wIntent Exclusive LockA write lock on a coarse-grained resource (e.g. a collection) which enables exclusive write locks to be used for that resource
WExclusive LockA write lock on a fine-grained resource (e.g. a record) which allows only one transaction to modify the resource and none to read
rIntent Shared LockA read lock on a coarse-grained resource (e.g. a collection) which enables exclusive read locks to be used for that resource
RShared LockA read lock on a fine-grained resource (e.g. a record) which allows transactions to read the resource, but not write to it

As you might have noticed, the metric document contains subdocuments that provide numerous metrics. However, it can also provide some simpler metrics that reflect the current use and state of a running mongod instance.

MongoDB Documentation


In a9s MongoDB 7.0, the following are also available:


Note that as part of the metrics document, there are many subdocuments that provide numerous other metrics. We expand on some of these documents in the following sections.


Uncategorized collection of metrics.

MongoDB Documentation


In a9s MongoDB 7.0, we also provide *.*.mongodb.*.*.*.*.extra_info.threads.

Cloud Foundry Org and Space Guid

The Platform Operators can enable support on a global level to prefix the Graphite metrics with the Cloud Foundry organization and space names. This means that all metrics of all Service Instances (not only yours!) contain that information.

In this case the Graphite metric paths have the following format:


When you enable in addition the metrics_prefix for your instance, you will end up with the metric path format:


Add a Syslog Endpoint

The cf update-service command used with the -c flag can let you stream your syslog to a third-party service. In this case, the command expects a JSON string containing the syslog key. You can also change the interval for the syslog with the same key as for the graphite endpoint interval.

cf update-service my-mongodb-service \
-c '{ "syslog": [""], "interval": "5" }'

Cloud Foundry Application Security Groups

This topic describes how to check whether a security group was created.

Each a9s Data Service will automatically create and update Cloud Foundry security groups in order to protect Service Instances to be accessed by applications not running in the same Cloud Foundry applications space. To get a better understanding about Security Groups you can have a look on the Understanding Application Security Groups topic.

Get Service Instance GUID

Run cf service INSTANCE_NAME --guid to get the guid of the Service Instance.

$ cf service my-mongodb --guid

Check available Security Groups

To see all available security groups use cf security-groups.

$ cf security-groups
Getting security groups as

Name Organization Space
#0 public_networks
#1 dns
#2 tcp_open
#3 guard_432fb752-876d-443b-a311-a075f4df2237 demonstrations demo
#4 guard_ca16f111-5073-40b7-973a-156c75dd3028 demonstrations demo

There we can see a security group with the named guard_ca16f111-5073-40b7-973a-156c75dd3028 was successfully created.


In some circumstances the connection between the application and the Service Instance is not possible, in this case check if a security group was created.

Backup and Restore Service Instances

a9s MongoDB provides an easy way to create backups and restore them if needed. For a more detailed description, please see the a9s Service Dashboard documentation.

Make a Service Instance Locally Available

It is possible to access any of the a9s Data Services locally. That means you can connect with a local client to the service for any purpose, such as debugging. CF provides a smart way to create SSH forward tunnels via a pushed application. For more information about this feature, see the Accessing Apps with SSH section of the CF documentation.

First of all you must have an application bound to the service. How to do this see Bind an Application to a Service Instance.

NOTE: cf ssh support must be enabled in the platform. Ask your administrator if you are not sure.

Get The Service Url and Credentials

When you follow the Obtain Service Instance Access Credentials instruction, you will get the hostname and credentials of the service:

$ cf env a9s-mongodb-app
Getting env variables for app a9s-mongodb-app in org test / space test as admin...

"a9s-mongodb": [
"credentials": {
"host": [
"password": "a9s-brk-usr",
"username": "a9s-password"
"label": "a9s-mongodb",
"name": "my-mongodb-service",
"plan": "mongodb-cluster-small"

Notice the host d67901c.service.dc1.a9svs, the username a9s-brk-usr and the password a9s-password. You will need this in the next step.

Create a Tunnel to The Service

With the cf ssh command mentioned before, you can create a ssh forward tunnel to the management dashboard. Use port 27017 to connect to the a9s MongoDB Instance.

$ cf ssh a9s-mongodb-app -L 27017:d67901c.service.dc1.a9svs:27017

When the ssh tunnel is open you can access the instance over the address localhost:27017.

NOTE: Don't forget to close the session with exit.

Service keys

To gain access to the service manually rather than binding apps to it, you can use service keys.

Creating a service key

To create a key to the Service Instance mongodb1 call mykey run:

cf create-service-key mongodb1 mykey

Listing service keys

To list all the keys for the mongodb1 Service Instance run this:

cf service-keys mongodb1

Accessing service keys

To obtain the key mykey from the mongodb1 Service Instance run:

cf service-key mongodb1 mykey

Deleting service keys

To delete a service key mykey from the Service Instance mongodb1 run:

cf delete-service-key mongodb1 mykey

Default Roles

All users, upon creation, are granted the following roles on the default database:

collectionModifierRoleCustom roleGrants the user the collMod and compact privileges.
readWriteBuilt-inGrants the user both read and write privileges.

Creating a Fork of a Service Instance

Forking a Service Instance involves creating a backup of it, modifying the backup a bit, and restoring it to a different Service Instance. This can also be used to migrate to a newer MongoDB version. For migration, it is recommended that no new data is written into MongoDB during the procedure (e.g., stop the app bound to it prior to starting with these steps).

For this process, you will need a Service Instance you want to fork and a new Service Instance you want to fork to. To learn how to create a new Service Instance, look at the Create a Service Instance section. You can get a list of all of your a9s-mongodb Service Instances by running the following command:

cf s | grep a9s-mongodb

The output should be a table of your a9s-mongodb instances:

mongodb1   a9s-mongodb70   mongodb-nano                create succeeded
mongodb2 a9s-mongodb70 mongodb-nano create succeeded

In this guide we will be forking from mongodb1 to mongodb2.

Now, you have established which Service Instances you will be operating on, you will need service keys. For information on creating, obtaining and managing service keys see the Service keys section.

The next thing to do is to log into the Service Instance dashboard to set the encryption password (if it hasn't already been set and create a backup. To find your dashboard URL, for the instance you want to fork from (mongodb1 in this example), run this:

cf service mongodb1 | grep -E '^|dashboard:.*' --color='always'

Then log into the dashboard using your Cloud Foundry credentials.

Make sure you set a encryption password for the backups using the Service Instance dashboard (Change Backup Settings). Create a backup using the dashboard. Download the backup to your local machine. The filename will be something like racsd92baee-1522222422893. Decrypt the backup and write its contents to a file:

cat racsd92baee-1522222422893 | openssl enc -aes256 -md md5 -d -pass 'pass:mytopsecretpassword' | gunzip -c > backup.gz

In case you are not able to download the backup using the a9s Dashboard, you must contact the Platform Operator.

For the next steps you will need the MongoDB tools. You can install them by following the official MongoDB installation manual.

To upload the backup to the new fork Service Instance you will need to create a tunnel, for port 27017, using an app bound to the new Service Instance. As you are creating a new instance, that you likely don't want connected to production until it has the data, its advisable to deploy a small demo app for tunneling through (you can dispose of it later). A small app can be found here, you will need to edit the manifest, then follow the section Make a Service Instance Locally Available.

To run the restore you will need the credentials for the Service Instance that will become a fork. In this example the credentials can be found like this:

cf service-key mongodb2 mykey

Then carry out the restore.


For the MongoDB restoration it is required use the mongorestore program. For information on restoration commands see the Official MongoDB documentation.


  • <original-default_database> - It is the name of the previous database present at the backup. Noteworthy, if you do not have the name of the database, it is necessary to contact the platform operator.
  • <default_database> - It is the name of the current database when the backup will be restored.
  • <backup.gz> - Backup dump previously downloaded, decrypted, and uncompressed.
mongorestore --uri="mongodb://<username>:<password>@localhost:27017/<default_database>" \
--gzip --archive=<backup.gz> --nsInclude='<original-default_database>.*' \
--nsFrom='<original-default_database>.*' --nsTo='<default_database>.*'


mongorestore --uri="mongodb://a9s-brk-usr-733e61a812ea27627f991d91f4a6b48db5631294:a9se1d35f1466318718cb508be4856d33631fd8c4b9@localhost:27018/mod94cfad" \
--gzip --archive=/tmp/mydump.gz --nsInclude='mod3ce8d.*' --nsFrom='mod3ce8d.*' --nsTo='mod94cfad.*'

If this is an SSL instance, remember to add the SSL options:

mongorestore --uri="mongodb://<username>:<password>@localhost:27017/<db-name>" \
--gzip --archive=<backup.gz> --nsInclude='<original-default_database>.*' \
--nsFrom='<original-default_database>.*' --nsTo='<default_database>.*' --ssl \

For information on restoration commands see the Official MongoDB documentation.


For restoring a cluster, it is necessary contact the Platform Operator.

Creating Local Copy of the Data

For creating a local copy of the data, you can follow these steps at Creating Local Copy of the Data.

Setup Disk Usage Alerts

Each service comes with the a9s Parachute. This component monitors ephemeral and persistent disk usage. See the a9s Parachute documentation how to configure the component.

Enable AppDynamics support

This feature is disabled by default. You can ask your operator to enable this feature for your Service Instance. When enabled, any user created in the MongoDB instance will have the required privileges as described here.

Any service binding (cf bind-service) created before AppDynamics support was enabled will have to be re-created (execute cf unbind-service followed by cf bind-service). This is due to the fact the Cloud Foundry currently does not support implementing logic that will automate this process.