Connecting to an RDS from an EC2 on the same VPC
Check your security groups, that is the likely culprit. Hosts inside a VPC using DNS names will always use the private-IP of the remote resource, so the NAT / IG portion isn't important.
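The following is an added example, not code from the question or the answer above. It is a small offline checker for exactly the failure mode in this thread: given security group descriptions in the shape that `aws ec2 describe-security-groups` returns, it reports whether the database group admits TCP/3306 from the client instance and whether the client group lets the connection out. The group ids, addresses and rules are constructed placeholders that mirror the setup described in the question; nothing here is taken from the asker's account.

```python
"""Offline security-group reachability check for an EC2 -> RDS connection.

Added example. SECURITY_GROUPS is a constructed, abbreviated sample using the
field names of `aws ec2 describe-security-groups` output (IpPermissions,
IpPermissionsEgress, IpProtocol, FromPort, ToPort, IpRanges, UserIdGroupPairs);
the group ids and addresses are placeholders, not values from the question."""
import ipaddress


def tcp_rule(port, cidr=None, group=None):
    """Build one rule entry for a single TCP port with a CIDR or group peer."""
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": cidr}] if cidr else [],
            "UserIdGroupPairs": [{"GroupId": group}] if group else []}


ALL_TRAFFIC = {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
               "UserIdGroupPairs": []}

SECURITY_GROUPS = {
    # "public" group as the question describes its inbound side; egress left at
    # the AWS default (all traffic) for this sample.
    "sg-public-EXAMPLE": {"IpPermissions": [ALL_TRAFFIC],
                          "IpPermissionsEgress": [ALL_TRAFFIC]},
    # A client group whose egress is restricted to ssh/http/https only.
    "sg-client-limited-EXAMPLE": {
        "IpPermissions": [ALL_TRAFFIC],
        "IpPermissionsEgress": [tcp_rule(p, cidr="0.0.0.0/0") for p in (22, 80, 443)]},
    # "private" group: 3306 only, from the public group, no egress rules
    # (harmless, because security groups are stateful).
    "sg-private-EXAMPLE": {
        "IpPermissions": [tcp_rule(3306, group="sg-public-EXAMPLE")],
        "IpPermissionsEgress": []},
    # What the asker found in the end: inbound blocked for every port.
    "sg-private-broken-EXAMPLE": {"IpPermissions": [], "IpPermissionsEgress": []},
}


def rule_admits(rule, protocol, port, peer_sg=None, peer_ip=None):
    """True if one rule permits protocol/port to or from the given peer.

    Security groups are allow-lists with no deny entries, so a single matching
    rule is sufficient. A rule that names a group matches a peer by membership,
    not by address, so peer_ip alone never satisfies a group-based rule."""
    if rule["IpProtocol"] not in ("-1", protocol):
        return False
    if rule["IpProtocol"] != "-1":  # "-1" covers all protocols and all ports
        if not (rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)):
            return False
    if peer_sg and any(p.get("GroupId") == peer_sg
                       for p in rule.get("UserIdGroupPairs", [])):
        return True
    if peer_ip:
        addr = ipaddress.ip_address(peer_ip)
        return any(addr in ipaddress.ip_network(r["CidrIp"])
                   for r in rule.get("IpRanges", []))
    return False


def allowed(rules, protocol, port, peer_sg=None, peer_ip=None):
    """True if any rule in the list admits the traffic."""
    return any(rule_admits(r, protocol, port, peer_sg, peer_ip) for r in rules)


def diagnose(groups, db_sg, client_sg, client_ip, db_ip, port=3306):
    """Return a list of findings for client -> database on tcp/port.

    An empty list means the security groups are not the culprit. Only the
    client's egress and the database's ingress are evaluated: groups are
    stateful, so the reply path needs no extra rules."""
    findings = []
    egress = groups[client_sg].get("IpPermissionsEgress", [])
    if not allowed(egress, "tcp", port, peer_sg=db_sg, peer_ip=db_ip):
        findings.append("client %s: outbound does not admit tcp/%d to the database"
                        % (client_sg, port))
    ingress = groups[db_sg].get("IpPermissions", [])
    if not allowed(ingress, "tcp", port, peer_sg=client_sg, peer_ip=client_ip):
        if not ingress:
            findings.append("database %s: no inbound rules at all" % db_sg)
        else:
            findings.append("database %s: inbound does not admit tcp/%d from %s"
                            % (db_sg, port, client_sg))
    return findings


if __name__ == "__main__":
    # Constructed private addresses inside a hypothetical VPC range.
    for db in ("sg-private-EXAMPLE", "sg-private-broken-EXAMPLE"):
        print(db, diagnose(SECURITY_GROUPS, db, "sg-public-EXAMPLE",
                           "10.0.1.10", "10.0.2.20") or ["ok"])
```

On a real account the same structure can be loaded from the JSON that `aws ec2 describe-security-groups` prints and passed in unchanged. The check covers security groups only; network ACLs are stateless and evaluated separately, so on the ACL side both directions, including the ephemeral return ports, have to be allowed explicitly.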
Theodore
Updated on September 18, 2022
Comments
- Theodore over 1 year:
I have an RDS instance running on one subnet without NAT, and an EC2 instance running on another subnet with an Internet Gateway configured, both located in the same VPC. I have configured the RDS instance to not be publicly accessible.
I am using the following command in my remote EC2 (running on the second subnet) to connect to the RDS instance:
mysql -h xxxx.eu-central-1.rds.amazonaws.com -P 3306 -u root -p
I have entered the correct password which I have set when configuring the RDS, but I get the following error:
ERROR 2003 (HY000): Can't connect to MySQL server on 'XXX.eu-central-1.rds.amazonaws.com' (110)
I've checked, it's not a name resolution problem. The EC2 converts the endpoint to the correct internal IP.
Here are my settings:
RDS
VPC: the same as the EC2
AVAILABILITY ZONE: eu-central-1b
SUBNET: in the RDS panel I can see all the subnets, yet I can see that there is one less available ip in the private subnet of zone b
SECURITY GROUP: private security group (no outbound rules, and in the inbound, single rule with the mysql port and the public security group as the source)
PUBLICLY ACCESSIBLE: no
MULTI AZ: no
EC2
VPC: the same as the RDS
AVAILABILITY ZONE: eu-central-1b
SUBNET: public subnet of zone b
SECURITY GROUP: public security group (all ports from any source as the inbound rule, and ssh, http and https ports from any source as the outbound rule)
I can access the EC2 instance using http and ssh. It works as expected.
VPC
VPC: both RDS and EC2 use the same
SUBNETS: one public and one private for each AZ, 4 in total
DHCP: the default one (domain-name = eu-central-1.compute.internal, domain-name-servers = AmazonProvidedDNS)
ROUTE TABLES: for the public subnets, route to local (automatically) and to the internet gateway; for the private ones, only the local (automatically)
ACLs: public: allow all, both in the inbound and in the outbound. private: allow all on the inbound only. There is also a line with the id * with deny all, on both ACLs, both on inbound and on outbound, but I'm pretty sure that is supposed to be there, I can't delete it.
What am I doing wrong? Am I missing something?
- jordanm over 7 years: Are both subnets in the same VPC? Is your security group for the RDS instance configured to allow connections to that host or subnet?
- Tim over 7 years: I did a bit more reading and checked my account. I think database security groups are from the old EC2 classic, so my earlier advice is likely incorrect. I'll edit my answer and delete previous invalid comments.
- Tim over 7 years: Suggest instead of describing the rules you think you have in place that you take screenshots of the console to demonstrate them. You would have to show what subnet the EC2 instance is in, the security group associated with the EC2 instance, and the same for the RDS instance. You should also try pinging the RDS endpoint and check you're getting a private IP, i.e. one within your VPC range, in particular within the correct subnet.
- Theodore over 7 years: Hi, I have created a security group and enabled it. I have edited my original message with some more info about the case, hope that helps!
- Theodore over 7 years: Hi, I have created and enabled a security group but the problem still exists. I have added some more info to my original question, maybe that will help!
- Theodore about 7 years: The problem at the end was related to the security groups, just as you said. I accidentally blocked the inbound traffic for all ports.