Can't connect to RDS instance from EC2 instance

Solution 1

Looks like sometime between the last posting and this posting, Amazon fixed the DNS routing issue, because everything works fine now for multi-AZ rds...

Solution 2

I had similar problem, when I spun a new EC2 instance, but didn't change setting in RDS security group of inbound IP address allowed to connect to port 3306 of my RDS instance.

The confusing bit was an option in RDS dashboard, called Security Groups. You don't need it to solve the problem.

What you really need is:

• Go to list of RDS instances
• Click on the instance you are trying to connect
• Click Security group rules section

This should open a new browser tab or window with details of security group. Locate several tabs in bottom part, select Inbound rules tab and click Edit button.

Change value to the IP address of your EC2 instance or IPv4 CIDR blocks, e.g.

174.33.0.0/16

To get this value, you can either ssh into your instance and run ip addr or run EC2 Manager in browser and locate value of Private IPs in your instance details.

Solution 3

Additional information for people who might run into similar issues trying to connect to RDS or RedShift:

1) Check security groups

Verify the security group for the RDS instance allows access from the security group your source server belongs to (or its IP added directly if external to AWS). The security group you should be looking at is the one specified in the RDS instance attributes from the RDS console UI (named "security group").

NOTE: Database security groups might be different from AWS EC2 security groups. If your RDS instance is in classic/public EC2, you should check in the "database security group" section of the RDS UI. For VPC users, the security group will be an normal VPC security group (the name sg-xxx will be listed in the RDS instance's attributes).

2) Confirm DNS isn't an issue.

Amazon uses split DNS, so a DNS lookup external to AWS will return the public IP while a lookup internal to AWS will return a private IP. If you suspect it is a DNS issue, have you confirmed different IPs are returned from different availability zones? If different AZs get different IPs, you will need to contact AWS support.

3) Confirm network connectivity by establishing a socket connection.

Tools like tracepath and traceroute likely won't help since RDS currently drops ICMP traffic.

Test port connectivity by trying to establish a socket connection to the RDS instance on port 3306 (mysql, or 5432 for postgres). Start by finding the IP of the RDS instance and using either telnet or nc:

telnet x.x.x.x 3306
nc -vz x.x.x.x 3306

a) If your connection attempt isn't successful and immediately fails, the port is likely blocked or the remote host isn't running a service on that port. you may need to engage AWS support to troubleshoot further. If connecting from outside of AWS, try to connect from another instance inside AWS first (as your firewall might be blocking those connections).

b) If your connection isn't successful and you get a timeout, packets are probably being dropped/ignored by a firewall or packets are returning on a different network path. You can confirm this by running netstat -an | grep SYN (from a different CLI window/session while running and waiting for the telnet/nc command to timeout). Connections in the SYN state mean that you've sent a connection request, but haven't received anything back (SYN_ACK or reject/block). Usually this means a firewall or security group is ignoring or dropping packets.

Check to make sure you're not using iptables or a NAT gateway between your host and the RDS instance. If you're in a VPC, also make sure you allow egress/outbound traffic from the source host.

c) If your socket connection test was successful, but you can't connect with a mysql client (CLI, workbench, app, etc.), take a look at the output of netstat to see what state the connection is in (replace x.x.x.x with the actual IP address of the RDS instance):

netstat -an | grep x.x.x.x

If you were getting a connection established when using telnet or NC, but you see the 'SYN' state when using a mysql client, you might be running into an MTU issue.

RDS, at the time this is written, may not support ICMP packets used for PMTUD (https://en.wikipedia.org/wiki/Path_MTU_Discovery#Problems_with_PMTUD). This can be a problem if you're trying to access RDS or RedShift that's in a VPC from a classic ec2 instance via ClassicLink. Try lowering the MTU with the following, then testing again:

sudo ip link show
# take note of the current MTU (likely 1500 or 9001)
sudo ip link set dev eth0 mtu 1400

If the lower MTU worked, be sure to follow up with AWS customer support for help and mention that you are seeing an MTU issue while trying to connect to your RDS instance. This can happen if TCP packets are wrapped with encapsulation for tunneling, resulting in a lower usable MTU for packet data / payload. Lowering the MTU on the source server allows the wrapped packets to still fit under the limit.

If it didn't work, set your MTU back to it's default and engage AWS support for further troubleshooting.

Author by

Mark Shust at M.academy

Full stack engineer & solutions architect with over 15 years of web development experience in the eCommerce, real estate, business-to-business, and information technology industries. Expertise in PHP, Javascript, Magento, ReactJS, Docker, Node.js, Laravel, and user interface design.

Updated on July 05, 2022