49

I created a basic test PostgreSQL RDS instance in a VPC that has a single public subnet and that should be available to connect over the public internet. It uses the default security group, which is open for port 5432. When I try to connect, it fails. I must be missing something very straightforward -- but I'm pretty lost on this.

Here're the database settings, note that it's marked as Publicly Accessible: RDS Settings

Here're the security group settings, note it's wide open (affirmed in the RDS settings above by the green "authorized" hint next to the endpoint): Security Group settings

Here's the command I'm trying to use to connect:

psql --host=myinstance.xxxxxxxxxx.us-east-1.rds.amazonaws.com \
     --port=5432 \
     --username=masteruser \
     --password \
     --dbname=testdb

And this is the result I'm getting when trying to connect from a Yosemite MacBook Pro (note, it's resolving to a 54.* ip address):

psql: could not connect to server: Operation timed out
    Is the server running on host "myinstance.xxxxxxxxxx.us-east-1.rds.amazonaws.com" (54.xxx.xxx.xxx) and accepting
    TCP/IP connections on port 5432?

I do not have any kind of firewall enabled, and am able to connect to public PostgreSQL instances on other providers (e.g. Heroku).

Any troubleshooting tips would be much appreciated, since I'm pretty much at a loss here.

Update

Per comment, here are the inbound ACL rules for the Default VPC: Network ACL configuration

Edward Q. Bridges
  • 1
    Did you happen to mess with the NetworkACLs? I would look there for a possible setting that could be blocking internet access. – Optichip Jan 03 '15 at 16:57
  • Thanks for the reply! The ACLs appear to not be blocking anything, since the first rule is to allow all ports from all sources, per attached. – Edward Q. Bridges Jan 03 '15 at 21:16

4 Answers

60

The issue was that the inbound rule in the Security Group specified a security group as the source. Changing it to a CIDR that included my IP address fixed the issue.

Open the database security group in AWS and choose "Edit inbound rules", then "Add rule". There is a "My IP" option in the dropdown menu; select that option to auto-populate with your computer's public IP address in CIDR notation.

[Image: edit security group, edit its inbound rules, add a rule, choose "My IP" option in the "Source" column]

The Red Pea
Edward Q. Bridges
18

I was facing a similar issue, and this is how I resolved it:

Click on the security group for the RDS instance and check the inbound rules. You might see something like this:


You have to set the IP range to contain your IP or just select "Anywhere" in the Source dropdown, to make it accessible from localhost or anywhere:


Miguel Mota
  • 1
    Yes this works. I kept the Custom rule that was there and added a new rule which picked up my IP address automatically. – MSC Aug 17 '18 at 03:29
5

I had a similar issue while connecting to Postgres. Even though I had public access set to true, I was not able to connect.

I added one inbound rule in the security group and now it is working perfectly fine.


Abhash Kumar
0

Just wanted to add my findings to save someone some time. The solution described above worked on a dev EC2 instance, but after I migrated to a new server it stopped working. It turned out both my RDS instance and EC2 instance were in the same VPC, so the RDS instance could not see the public IP that I had added to its security group. To get this working you need to add, to the RDS instance's security group, the private IP of the EC2 instance, which you can find in its details.
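An offline check of the cases discussed in the answers above, as an added example (not code from any of the posters): it evaluates inbound rules, written in the shape of the `IpPermissions` list returned by EC2 `DescribeSecurityGroups`, against a client address. The function name, group ID and addresses are constructed for illustration.

```python
import ipaddress

def evaluate_ingress(ip_permissions, client_ip, port=5432):
    """Check CIDR rules for a TCP connection from client_ip; return (allowed, notes)."""
    addr = ipaddress.ip_address(client_ip)
    allowed, notes = False, []
    for perm in ip_permissions:
        proto = perm.get("IpProtocol")
        if proto == "tcp":
            if not perm["FromPort"] <= port <= perm["ToPort"]:
                continue
        elif proto != "-1":  # "-1" means all protocols and all ports
            continue
        for pair in perm.get("UserIdGroupPairs", []):
            # A group source matches members of that group, which cannot be
            # decided from an address, so it is reported and not counted.
            notes.append(f"source {pair['GroupId']} is a security group, not a CIDR")
        for rng in perm.get("IpRanges", []):
            net = ipaddress.ip_network(rng["CidrIp"], strict=False)
            if net.prefixlen == 0:
                notes.append(f"{net} opens port {port} to every address")
            if addr in net:
                allowed = True
                notes.append(f"{client_ip} matches {net}")
    if not allowed:
        notes.append(f"no CIDR rule covers {client_ip} on port {port}")
    return allowed, notes

# Constructed sample rules; the group ID and addresses are placeholders.
GROUP_ONLY = [{"IpProtocol": "-1", "IpRanges": [],
               "UserIdGroupPairs": [{"GroupId": "sg-0example"}]}]
MY_IP = GROUP_ONLY + [{"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
                       "IpRanges": [{"CidrIp": "203.0.113.25/32"}]}]
ANYWHERE = [{"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]

if __name__ == "__main__":
    cases = [("group-only rule, laptop public IP", GROUP_ONLY, "203.0.113.25"),
             ("My IP rule, laptop public IP", MY_IP, "203.0.113.25"),
             ("My IP rule, EC2 private IP in same VPC", MY_IP, "10.0.1.15"),
             ("Anywhere rule, laptop public IP", ANYWHERE, "203.0.113.25")]
    for label, rules, ip in cases:
        ok, notes = evaluate_ingress(rules, ip)
        print(f"{label}: {'ALLOW' if ok else 'BLOCK'}")
        for note in notes:
            print(f"  - {note}")
```

To check a real group, pass in the `IpPermissions` list from your own `DescribeSecurityGroups` output in place of the sample rules.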