How can I troubleshoot connectivity to an Amazon RDS DB instance that uses a public or private subnet of a VPC?

Last updated: 2020-10-30

I cannot connect to my Amazon Relational Database Service (Amazon RDS) DB instance. How can I troubleshoot connectivity issues in a public or private subnet of an Amazon Virtual Private Cloud (Amazon VPC)?

Short description

Amazon RDS databases can be launched in the public or private subnet of a VPC. Connection problems can be caused by an incorrect VPC configuration or by configuration or connectivity issues on the client that you are connecting from.

To resolve these issues, see the following resolutions depending on your environment.


Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you’re using the most recent AWS CLI version.

My DB instance is in a public subnet, and I can't connect to it over the internet from my local computer

This issue can occur when the Publicly Accessible property of the DB instance is set to No. To check whether a DB instance is publicly accessible, you can use the Amazon RDS Console or the AWS CLI.

To change the Publicly Accessible property of the Amazon RDS instance to Yes:

1.    Verify that your VPC has an internet gateway attached to it. Make sure that the DB instance's security group has an inbound rule that allows your connection on the database port.

2.    Open the Amazon RDS console.

3.    Choose Databases from the navigation pane, and then select the DB instance.

4.    Choose Modify.

5.    Under Connectivity, expand the Additional configuration section, and then choose Publicly accessible.

6.    Choose Continue.

7.    Choose Modify DB Instance.

Note: You don't need to choose Apply Immediately. For more information about how Apply Immediately can affect downtime, see Using the Apply Immediately parameter.

My DB instance is in a private subnet, and I can't connect to it from my local computer

You can resolve this issue by using a public subnet. When you use a public subnet, all the resources on the subnet are accessible from the internet. If this solution doesn't meet your security requirements, use AWS Site-to-Site VPN. With Site-to-Site VPN, you configure a customer gateway that allows you to connect your VPC to your remote network.

To switch to a public subnet:

1.    Open the Amazon RDS console.

2.    Choose Databases from the navigation pane, and then choose the DB instance.

3.    From the Connectivity & Security section, copy the endpoint of the DB instance.

4.    Perform an nslookup to the DB instance endpoint from an EC2 instance within the VPC. See the following example output:

Server: xx.xx.xx.xx
Address: xx.xx.xx.xx#53

Non-authoritative answer:
Address: 172.31.xx.x

5.    After you have the private IP address of your RDS DB instance, you can relate it to a particular subnet in the VPC: the subnet is the one whose CIDR range contains the private IP address.

6.    Open the Amazon VPC console, and then choose Subnets from the navigation pane.

7.    Choose the subnet that is associated with the DB instance, which you identified in step 5.

8.    From the Description pane, choose the Route Table.

9.    Choose Actions, and then choose Edit routes.

10.    Choose Add route, and then enter the following:
For IPv4 traffic, enter 0.0.0.0/0 in the Destination box, and then select the internet gateway ID in the Target list.
For IPv6 traffic, enter ::/0 in the Destination box, and then select the internet gateway ID in the Target list.

11.    Choose Save.

Important: Changing a subnet to public also exposes every other DB instance in that subnet that has an associated public address to the internet.

If the DB instance still isn't accessible after following these steps, check whether the DB instance is Publicly Accessible. To do this, follow the steps in My DB instance is in a public subnet, and I can't connect to it over the internet from my local computer.
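As an added example that is not part of the original article, the Python below carries out steps 5 through 8 offline: it maps the private IP address returned by nslookup to the subnet whose CIDR contains it, finds that subnet's route table, and reports whether the table has a default route to an internet gateway (that is, whether the subnet is public). The subnet and route-table data are constructed and only modeled on the fields that `aws ec2 describe-subnets` and `aws ec2 describe-route-tables` return; the igw- ID is a placeholder.

```python
import ipaddress

# Constructed sample data, modeled on fields from `aws ec2 describe-subnets`
# and `aws ec2 describe-route-tables`. IDs are placeholders.
SUBNETS = [
    {"SubnetId": "subnet-0a", "CidrBlock": "172.31.0.0/20"},
    {"SubnetId": "subnet-0b", "CidrBlock": "172.31.16.0/20"},
]
ROUTE_TABLES = [
    {"Associations": [{"SubnetId": "subnet-0a"}],
     "Routes": [{"DestinationCidrBlock": "172.31.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0123456789abcdef0"}]},
    {"Associations": [{"SubnetId": "subnet-0b"}],
     "Routes": [{"DestinationCidrBlock": "172.31.0.0/16", "GatewayId": "local"}]},
]


def subnet_for_ip(ip, subnets):
    """Step 5: the DB instance lives in the subnet whose CIDR contains its private IP."""
    addr = ipaddress.ip_address(ip)
    for s in subnets:
        if addr in ipaddress.ip_network(s["CidrBlock"]):
            return s["SubnetId"]
    return None


def route_table_for_subnet(subnet_id, route_tables):
    """Steps 7-8: find the route table explicitly associated with the subnet."""
    for rt in route_tables:
        if any(a.get("SubnetId") == subnet_id for a in rt["Associations"]):
            return rt
    return None  # no explicit association: the VPC main route table applies (not modeled here)


def is_public_subnet(route_table):
    """A subnet is public when 0.0.0.0/0 or ::/0 is routed to an internet gateway (igw-...)."""
    for r in route_table["Routes"]:
        dest = r.get("DestinationCidrBlock") or r.get("DestinationIpv6CidrBlock")
        if dest in ("0.0.0.0/0", "::/0") and r.get("GatewayId", "").startswith("igw-"):
            return True
    return False


def classify(ip, subnets=SUBNETS, route_tables=ROUTE_TABLES):
    """Return (subnet id, 'public' | 'private' | explanation) for a resolved private IP."""
    sid = subnet_for_ip(ip, subnets)
    if sid is None:
        return (None, "ip not in any known subnet")
    rt = route_table_for_subnet(sid, route_tables)
    if rt is None:
        return (sid, "no explicit route table; check the VPC main route table")
    return (sid, "public" if is_public_subnet(rt) else "private")
```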

My DB instance can't be accessed by an Amazon Elastic Compute Cloud (Amazon EC2) instance from a different VPC

Create a VPC peering connection between the VPCs. A VPC peering connection allows two VPCs to communicate with each other using private IP addresses.

1.    Create and accept a VPC peering connection.

Important: If the VPCs are in the same AWS account, be sure that the IPv4 CIDR blocks don't overlap. For more information, see Unsupported VPC peering configurations.

2.    Update both route tables.

3.    Update your security groups to reference peer VPC groups.

4.    Enable DNS resolution support for your VPC peering connection.

5.    On the EC2 instance, test the VPC peering connection by using a networking utility. See the following example:

nc -zv <hostname> <port>

If the connection is working, the output looks similar to the following:

$ nc -zv 5439
found 0 associations
found 1 connections:
     1:    flags=82<CONNECTED,PREFERRED>
    outif en0
    src port 53396
    dst port 5439
    rank info not available
    TCP aux info available

Connection to port 5439 [tcp/*] succeeded!
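As an added example that is not part of the original article, the Python below checks the two prerequisites from steps 1 and 2 above before you reach for nc: that the IPv4 CIDR blocks of the two VPCs do not overlap, and that each VPC's route table has a route covering the peer's CIDR whose target is the peering connection. The VPC and route data are constructed, modeled on fields from `aws ec2 describe-vpcs` and `aws ec2 describe-route-tables`; the pcx- ID is a placeholder.

```python
import ipaddress

# Constructed sample data modeled on `aws ec2 describe-vpcs` and
# `aws ec2 describe-route-tables` fields. IDs are placeholders.
PCX_ID = "pcx-0123456789abcdef0"
VPC_A = {"VpcId": "vpc-a", "CidrBlock": "10.0.0.0/16",
         "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                    {"DestinationCidrBlock": "10.1.0.0/16", "VpcPeeringConnectionId": PCX_ID}]}
# vpc-b has accepted the peering but its route table was never updated (step 2).
VPC_B = {"VpcId": "vpc-b", "CidrBlock": "10.1.0.0/16",
         "Routes": [{"DestinationCidrBlock": "10.1.0.0/16", "GatewayId": "local"}]}


def cidrs_overlap(cidr_a, cidr_b):
    """Overlapping IPv4 CIDR blocks are an unsupported peering configuration."""
    return ipaddress.ip_network(cidr_a).overlaps(ipaddress.ip_network(cidr_b))


def has_peer_route(vpc, peer_cidr, pcx_id):
    """True when some route targets the peering connection and covers the whole peer CIDR."""
    peer = ipaddress.ip_network(peer_cidr)
    for r in vpc["Routes"]:
        if r.get("VpcPeeringConnectionId") != pcx_id or not r.get("DestinationCidrBlock"):
            continue
        dest = ipaddress.ip_network(r["DestinationCidrBlock"])
        if dest.version == peer.version and peer.subnet_of(dest):
            return True
    return False


def peering_problems(vpc_a, vpc_b, pcx_id):
    """List what still blocks private-IP traffic between the two VPCs; empty means ready."""
    problems = []
    if cidrs_overlap(vpc_a["CidrBlock"], vpc_b["CidrBlock"]):
        problems.append("IPv4 CIDR blocks overlap; peering is unsupported")
    for vpc, peer in ((vpc_a, vpc_b), (vpc_b, vpc_a)):
        if not has_peer_route(vpc, peer["CidrBlock"], pcx_id):
            problems.append(f"{vpc['VpcId']} has no route to {peer['CidrBlock']} via {pcx_id}")
    return problems


if __name__ == "__main__":
    for p in peering_problems(VPC_A, VPC_B, PCX_ID) or ["peering routes look correct"]:
        print(p)
```

Security groups (step 3) are not modeled here; a clean result from this check still leaves them to verify.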