How do I resolve problems when connecting to my Amazon RDS DB instance?
Last updated: 2020-08-14
I can't connect to my Amazon Relational Database Service (Amazon RDS) DB instance. Why can't I connect, and how do I fix this?
The inability to connect to an Amazon RDS DB instance can be caused by a number of factors. Here are a few of the most common reasons:
- The RDS DB instance is in a state other than available, so it can't accept connections.
- The source you use to connect to the DB instance is missing from the sources authorized to access the DB instance in your security group, network access control lists (ACLs), or local firewalls.
- The wrong DNS name or endpoint was used to connect to the DB instance.
- The Multi-AZ DB instance failed over, and the secondary DB instance uses a subnet or route table that doesn't allow inbound connections.
- The user authentication is incorrect.
Tip: You can use the following troubleshooting steps to identify the source of the connectivity issue. Or you can use the AWSSupport-TroubleshootConnectivityToRDS AWS Systems Manager Automation document to diagnose the issue for you. This automation document can diagnose network ACLs based on the primary IP address of the Amazon Elastic Compute Cloud (Amazon EC2) instance, but ephemeral ports aren't verified. The automation doc also checks security groups based on the primary IP address of the EC2 instance, but it doesn't check specific ports. For more information, see Running a simple automation workflow.
Be sure that your DB instance is in the available state
If you recently launched or rebooted your DB instance, confirm that the DB instance is in the available state in the Amazon RDS console. Depending on the size of your DB instance, it can take up to 20 minutes for the DB instance to become available for network connections.
If your DB instance is in the failed state, see Why is my Amazon RDS DB instance in a failed state?
Be sure that your DB instance allows connections
Be sure that traffic from the source connecting to your DB instance isn't gated by one or more of the following:
- Any Amazon Virtual Private Cloud (Amazon VPC) security groups associated with the DB instance. If necessary, add rules to the security group associated with the VPC that allow traffic related to the source in and out of the DB instance. You can specify an IP address, a range of IP addresses, or another VPC security group. For general information about VPC and DB instances, see Scenarios for accessing a DB instance in a VPC.
- Any DB security group associated with the DB instance. If the DB instance isn't in a VPC, it might be using a DB security group to gate traffic. Update your DB security group to allow traffic from the IP address range, Amazon EC2 security group, or EC2 Classic instance that you use to connect.
- Connections outside a VPC. Be sure that the DB instance is publicly accessible and that the DB instance is associated with a public subnet (for example, the route table allows access from an internet gateway). For more information, see Scenarios for accessing a DB instance in a VPC.
- Network ACLs. Network ACLs act as a firewall for resources in a specific subnet in a VPC. If you use ACLs in your VPC, be sure that they have rules that allow inbound and outbound traffic to and from the DB instance.
- Network or local firewalls. Check with your network administrator to determine if your network allows traffic to and from the ports the DB instance uses for inbound and outbound communication.
Note: Amazon RDS doesn't accept internet control message protocol (ICMP) traffic, including ping.
Troubleshoot potential DNS name or endpoint issues
When connecting to your DB instance, you use a DNS name (endpoint) provided by the Amazon RDS console. Be sure that you use the correct endpoint, and that you provide the endpoint in the correct format to the client you use to connect to the DB instance. For a list of DB engine connection tutorials, which includes instructions on how to find and properly use an endpoint in various client applications, see Getting started with Amazon RDS.
For example, use nslookup to the DB instance endpoint from an Amazon EC2 instance within the VPC:
nslookup myexampledb.xxxx.us-east-1.rds.amazonaws.com Server: xx.xx.xx.xx Address: xx.xx.xx.xx#53
See the following example of a non-authoritative answer:
Name: myexampledb.xxxx.us-east-1.rds.amazonaws.com Address: 172.31.xx.x"
Check the route tables associated with your Multi-AZ deployment
When you create a Multi-AZ deployment, you launch multiple replica DB instances in different Availability Zones to improve the fault tolerance of your application. Be sure that the subnets associated with each DB instance are associated with the same or similar route tables. Otherwise, if your primary DB instance fails over to a standby replica, and the standby replica is associated with a different route table, then traffic that was previously routed to your DB instance might no longer be routed correctly.
Note: If you can connect to your DB instance but you get authentication errors, see How do I reset the master user password for my Amazon RDS DB instance?
Verify the connectivity
Verify your connection by running one of the following commands:
telnet <RDS endpoint> <port number> nc <RDS endpoint> <port number>
If either the telnet or nc commands succeed, then a network connection was established, and the issue is likely caused by the user authentication to the database, such as user name and password.