48

So, I just created the Amazon RDS account and started a database instance.

The "endpoint" is:
abcw3n-prod.cbmbuiv8aakk.us-east-1.rds.amazonaws.com

Great! Now I try to connect to it from one of my other EC2 instances.

mysql -uUSER -pPASS -habcw3n-prod.cbmbuiv8aakk.us-east-1.rds.amazonaws.com

But nothing works and it just hangs.

I tried to ping it, and nothing works either. Nothing happens.

Do I need to change some settings?

Mark Henderson
Alex

8 Answers

50

By default, RDS does not allow any connection that is not specified within the Security Group (SG). You can allow based on CIDR addressing or by Amazon account number, which would allow any EC2 instance under that account to access it.

Jeremy Bouse
29

It is "just hanging" because you have not configured the firewall to accept MySQL connections from your other instance, so the packet is being dropped at the firewall level. To resolve this you need to:

  1. Head into your AWS console.
  2. Go to the EC2 tab.
  3. Note down the security group of your MySQL server (we'll call this SG-MYSQL for now).
  4. Click Security Groups on the left of the console.
  5. Click your group, SG-MYSQL, in the center menu.
  6. Click the Inbound tab.
  7. Select MySQL from the list, add the details of your client server and save the rule.

NOTE: the source IP for the server will not be your Elastic IP (in most cases anyway); you will have an internal IP on the device (ifconfig on Linux will show you this).

Oneiroi
11

A lot of talk here about security groups, but also check:

  • Do the associated Subnets seem properly configured?
  • Are the Subnets part of a Routing Group that seems properly configured (Internet Gateway specified, etc?)
  • Does the RDS say it's Publicly Accessible?
  • And of course check the RDS Security Group and EC2 Security Group
    • Don't forget your actual source IP may be an internal IP (if accessing internally via a VPC) or an external IP (which may be a router's IP, or an EC2 instance's Instance IP which is distinct from its Load Balancer / Elastic IP) -- to troubleshoot, you may try to allow access to all IPs and ports.

(The routing group was my problem; in creating a new subnet, I neglected to add it to a routing group with a gateway.)

willbradley
    To clarify: ALL the subnets you choose in the RDS subnet group should have routing tables that have the internet gateway specified. My issue was that two of the subnets I chose were my "private" subnets, that had a NAT gateway specified for outbound traffic rather than the internet gateway, and RDS happened to choose a server in one of those subnets. Refer to this article if you're not too familiar with routing: https://medium.com/@mda590/aws-routing-101-67879d23014d – timetofly Dec 29 '17 at 17:42
    I was affected by the same issue as @timetofly. I had a one-off job that I decided to run on ECS Fargate, which required a NAT to download files. Setting up the NAT broke my connection to RDS from my laptop. When the job finished, I updated my subnets to only use the Internet Gateway, and I was good to go. – vitale232 Jun 28 '19 at 18:17
  • Setting 'Publicly Accessible' to 'Yes' was crucial for me: https://aws.amazon.com/premiumsupport/knowledge-center/rds-connectivity-instance-subnet-vpc/ – kip2 Oct 27 '20 at 19:14
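The subnet and route-table conditions from the answer and comments above, checked programmatically. This is an added example and not code from the original answers or from AWS; the subnet ids, gateway ids, CIDRs and client addresses are constructed, and the helper names (`effective_route`, `reachable_from`, `check_subnet_group`) are this example's own.

```python
"""Check an RDS DB subnet group against the route-table conditions in
willbradley's answer and timetofly's comment.

Added example, not AWS code; subnet ids, gateway ids and addresses are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    destination: str   # CIDR, e.g. "0.0.0.0/0"
    target: str        # "local", "igw-...", "nat-...", ...


@dataclass(frozen=True)
class Subnet:
    subnet_id: str
    cidr: str
    routes: Tuple[Route, ...]   # the route table associated with this subnet


def effective_route(subnet: Subnet, dst_ip: str) -> Optional[Route]:
    """Longest-prefix match over the subnet's route table, as the VPC router does."""
    best, best_len = None, -1
    for r in subnet.routes:
        net = ip_network(r.destination)
        if ip_address(dst_ip) in net and net.prefixlen > best_len:
            best, best_len = r, net.prefixlen
    return best


def reachable_from(subnet: Subnet, client_ip: str, publicly_accessible: bool) -> Tuple[bool, str]:
    """Can a client at client_ip connect to an RDS instance placed in `subnet`?

    The instance's replies must route back to the client.  Inside the VPC that is
    the 'local' route.  For a client on the internet the instance also needs a
    public address (Publicly Accessible = Yes) and a default route to an internet
    gateway.  A NAT gateway is outbound-only: the client's SYN can never come in
    through it, so a 'private' subnet with nat-* as default route is unreachable
    from outside even though everything else looks right (timetofly's case).
    """
    route = effective_route(subnet, client_ip)
    if route is None:
        return False, f"{subnet.subnet_id}: no route toward {client_ip}"
    if route.target == "local":
        return True, f"{subnet.subnet_id}: client is inside the VPC, reachable"
    if route.target.startswith("igw-"):
        if not publicly_accessible:
            return False, (f"{subnet.subnet_id}: routes via {route.target} but the instance "
                           f"has no public IP (Publicly Accessible = No)")
        return True, f"{subnet.subnet_id}: public, reachable via {route.target}"
    if route.target.startswith("nat-"):
        return False, (f"{subnet.subnet_id}: default route is {route.target}; a NAT gateway "
                       f"never admits inbound connections")
    return False, f"{subnet.subnet_id}: route via {route.target} is not usable for inbound client traffic"


def check_subnet_group(subnets: List[Subnet], client_ip: str,
                       publicly_accessible: bool) -> Tuple[bool, Dict[str, Tuple[bool, str]]]:
    """RDS places the instance in any one subnet of the group (and moves it on failover),
    so every subnet has to pass, not just the one it happens to be in today."""
    results = {s.subnet_id: reachable_from(s, client_ip, publicly_accessible) for s in subnets}
    return all(ok for ok, _ in results.values()), results


# Constructed VPC 10.0.0.0/16 with one route table per subnet.
LOCAL = Route("10.0.0.0/16", "local")
PUBLIC_A = Subnet("subnet-pub-a", "10.0.0.0/24", (LOCAL, Route("0.0.0.0/0", "igw-0abc")))
PUBLIC_B = Subnet("subnet-pub-b", "10.0.1.0/24", (LOCAL, Route("0.0.0.0/0", "igw-0abc")))
PRIVATE_C = Subnet("subnet-priv-c", "10.0.2.0/24", (LOCAL, Route("0.0.0.0/0", "nat-0def")))
ISOLATED_D = Subnet("subnet-iso-d", "10.0.3.0/24", (LOCAL,))   # no gateway at all: willbradley's case

LAPTOP = "198.51.100.20"   # constructed public address for a laptop outside AWS
EC2 = "10.0.0.50"          # constructed address of an instance in the same VPC

if __name__ == "__main__":
    for label, group, client, public in [
        ("laptop, public+private subnets", [PUBLIC_A, PRIVATE_C], LAPTOP, True),
        ("laptop, public subnets only", [PUBLIC_A, PUBLIC_B], LAPTOP, True),
        ("EC2 in the VPC, any subnets", [PUBLIC_A, PRIVATE_C, ISOLATED_D], EC2, False),
    ]:
        ok, details = check_subnet_group(group, client, public)
        print(f"{label}: {'OK' if ok else 'FAIL'}")
        for _, reason in details.values():
            print("   ", reason)
```

The mixed public/private group fails for the laptop even though the public subnet alone would pass; that is exactly the intermittent "it worked until RDS landed in the other subnet" symptom the comments describe. From an instance inside the VPC every subnet passes on the local route, which is also why Publicly Accessible should stay No unless an off-AWS client genuinely needs the database.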
4

Fixed.

Had to grant access to it in the security groups under the DB...

Alex
1

I had the same issue:

  1. Security Groups > rds-launch-wizard (or any name that was chosen for the DB SG)
  2. select the Inbound tab > Edit
  3. add a new rule
  4. MySQL
  5. Source -> insert the AWS VM IP (for example: 12.3.14.80/32)

worked for me ...

loudstil
1

In an attempt to open up security completely for testing before locking down access, both my database instance and my EC2 instance used the same security group, and both inbound and outbound port 3306 were configured to allow connections from Anywhere. The problem -- I was able to connect to Aurora from my notebook but oddly enough not from my EC2 instance, as if the EC2 instance wasn't Anywhere. The solution was to add another inbound mysql/Aurora rule and specify that same security group id as the source for inbound connections. My security group has a rule that refers to itself, and I can connect from either my notebook or my EC2 instance.

John Dimm
0

Make sure that your VPC and subnets are wide enough.

The following CIDR configuration works great for two subnets:

  • VPC 10.0.0.0/16 10.0.0.0 — 10.0.255.255 (65536 addresses)

  • Subnet 1 10.0.0.0/17 10.0.0.0 — 10.0.127.255 (32768 addresses, half)

  • Subnet 2 10.0.128.0/17 10.0.128.0 — 10.0.255.255 (32768 addresses, other half)

Adjust it if you need three subnets.


I wasn't being able to connect to my RDS database. I've manually reviewed any detail and everything was alright. There were no indications of any issues whatsoever and I couldn't find any suitable information in the documentation. My VPC was configured with narrow CIDR: 10.0.0.0/22 and each subnet had a 255 addresses. After I've changed CIDR to 10.0.0.0/16 and split it totally between two subnets my RDS connection started to working. It was a pure luck that I've managed to find a source of the problem, because it doesn't make any sense to me.

Slava Fomin II
-3

The MySQL inbound rule should be like below:

[image] This is the problem with the security group.

Nirmal Dhara
    Is there a reason you're bumping a five year old question to answer it with the same answer that's been there for years? Giving `0.0.0.0/0` access to `3306` isn't a great idea, either. – ceejayoz Dec 16 '16 at 14:12
  • I tried to show the user what they should change and how they can change it. You know, there are many users like me who cannot solve the problem by reading the above answers. It may not help you, but there are users looking for this. You gave the downvote as it does not help you. – Nirmal Dhara Dec 16 '16 at 15:06
    My downvote comes from saying people should open up MySQL to the entire internet. It's a dangerous approach. – ceejayoz Dec 16 '16 at 15:10
  • I got it. I just showed the place where they can edit the security groups; they can choose from the dropdown whatever they want. – Nirmal Dhara Dec 16 '16 at 15:13
  • It helped. Just add your public_ip/32 instead of the 0.0.0.0/0 CIDR block to be safer. – Yash Ojha Aug 11 '20 at 05:15