Why can't I connect to my Amazon RDS DB or Amazon Aurora DB instance using RDS Proxy?

Last updated: 2020-12-03

I can't connect to my Amazon Relational Database Service (Amazon RDS) or Amazon Aurora DB instance through an RDS Proxy. Why can't I connect to my database?

Short description

There are a number of reasons you might experience connection failures with RDS Proxy, even though the RDS Proxy is in the Available state. RDS Proxy connection failures typically have the following causes:

  • Security group rules, either on the DB instance or on the RDS Proxy, are blocking the connection
  • RDS Proxy currently works only within a VPC, so connections from outside the private network fail
  • The DB instance isn't accepting the connection because it's being modified or is otherwise in a non-available state
  • Incorrect authentication credentials (when native user name and password authentication is used)
  • The IAM user or role associated with the client isn't authorized to connect through RDS Proxy (when IAM DB authentication is used)

Use the troubleshooting steps in this article to resolve these issues.

Resolution

Check that the client can reach RDS Proxy within the private network of the VPC

RDS Proxy can be used only within a VPC, and can't be publicly accessible (although the DB instance can be). If you connect from outside a private network, your connection times out.

  • If the client is in the same VPC, check that the security group of your RDS Proxy allows connections from the client on the default port of the database engine (3306 for MySQL, 5432 for PostgreSQL). Add inbound rules to the security group associated with the RDS Proxy to allow the required traffic.
  • If the client is in another VPC, you can use VPC peering. Review the security groups and route tables to allow the traffic from the other VPC.
  • If your client is on a corporate network, use AWS Direct Connect or AWS Site-to-Site VPN to connect directly to the VPC.
  • If your client must connect over the public internet, use SSH tunneling through an intermediate host in the same VPC to reach the RDS Proxy.

Check that RDS Proxy can connect with the DB instance

RDS Proxy must establish its own connections to your DB instance to manage the connection pool. It retrieves the user name and password stored in AWS Secrets Manager and then establishes the connection. Use the following checks to make sure that RDS Proxy can connect to your DB instance:

  • Check that the credentials stored in AWS Secrets Manager are valid and can be used to connect to the DB instance.
  • Make sure that the security group of your DB instance allows traffic from the RDS Proxy.
    • If the security groups of the RDS Proxy and DB instance are different, reference the security group of the RDS Proxy as the source in an inbound rule of the security group of your DB instance.
      Inbound rule for the DB instance to allow connections from the RDS Proxy:
      Protocol: TCP
      Port range: Port on which the DB engine is listening on the DB instance
      Source: Security group of the RDS Proxy
    • If both the RDS Proxy and DB instance use the same security group, verify that the security group references itself as the source in its inbound rules.
      Inbound rule for the DB instance to allow connections from the RDS Proxy:
      Protocol: TCP
      Port range: Port on which the DB engine is listening on the DB instance
      Source: The shared security group (self-referencing)
  • Because the RDS Proxy initiates the connections that it manages in the pool, its outbound traffic must be allowed to reach the DB instance. The security group of the RDS Proxy must allow the required traffic in its outbound rules.
      Outbound rule for the RDS Proxy to allow traffic to reach the DB instance:
      Protocol: TCP
      Port range: Port on which the DB engine is listening on the DB instance
      Destination: Security group of the DB instance

Note: If the security group of the RDS Proxy already has the following (default) outbound rule, you don't need to add a rule for the security group of the DB instance explicitly:
Outbound rule: All traffic, destination 0.0.0.0/0
  • Check that the IAM role associated with the RDS Proxy has the access required to fetch and use the credentials for the connections.
    • Make sure that the IAM role has a trust policy that allows the rds.amazonaws.com service principal to assume it.
    • Make sure that the IAM policy attached to the role allows the secretsmanager:GetSecretValue action on the secret.
    • Make sure that the IAM policy allows the kms:Decrypt action on the AWS Key Management Service (AWS KMS) key that encrypts the secret. You can find the KMS key that AWS Secrets Manager uses for the secret in the AWS KMS console. Note that the Resource element must reference the KMS key by its key ID (as part of the key ARN, as in the following example).
    Example Policy:
    
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "secretsmanager:GetSecretValue",
                "Resource": [
                    "arn:aws:secretsmanager:region:account_id:secret:secret_name"
                ]
            },
            {
                "Effect": "Allow",
                "Action": "kms:Decrypt",
                "Resource": "arn:aws:kms:region:account_id:key/key_id",
                "Condition": {
                    "StringEquals": {
                        "kms:ViaService": "secretsmanager.region.amazonaws.com"
                    }
                }
            }
        ]
    }
  • For more information on what might be stopping the proxy from connecting to the DB instance, review the TargetHealth structure in the output of the describe-db-proxy-targets command. Review the State, Reason, and Description fields for details on the connection health of the RDS Proxy target:
    aws rds describe-db-proxy-targets --db-proxy-name $DB_PROXY_NAME

For more information, see Verifying connectivity for a proxy.
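The following Python script is an added example and is not part of this article or of any AWS tooling. It automates two of the checks above offline: whether the security group of the DB instance and the security group of the RDS Proxy allow the proxy-to-database path (including the self-referencing case where both share one group), and how to read the TargetHealth block of describe-db-proxy-targets. The security group IDs, the policy of each group, and the target output are constructed samples shaped like the AWS CLI output; the Reason-to-hint mapping is this example's own interpretation.

```python
"""Offline checks for two items above: the security group pair between the
RDS Proxy and the DB instance, and the TargetHealth block returned by
describe-db-proxy-targets. Inputs are constructed samples shaped like the
AWS CLI output (hypothetical IDs); nothing in this file calls AWS."""
import copy
import ipaddress

# Constructed sample. The DB instance group correctly references the proxy
# group on 3306, but the proxy group has lost its default allow-all egress
# rule and only allows 443 out, so the proxy itself cannot reach the database.
PROXY_SG, DB_SG = "sg-0a1b2c3d4e5f60001", "sg-0a1b2c3d4e5f60002"
SECURITY_GROUPS = {
    PROXY_SG: {
        "IpPermissions": [],
        "IpPermissionsEgress": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
    DB_SG: {
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
             "IpRanges": [], "UserIdGroupPairs": [{"GroupId": PROXY_SG}]}],
        "IpPermissionsEgress": [
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
             "UserIdGroupPairs": []}]},
}

def _rule_matches(rule, port, peer_sg, peer_ip=None):
    """True if one permission entry covers TCP `port` for `peer_sg`.
    A rule naming the group's own ID is what makes a group self-referencing;
    a 0.0.0.0/0 range (or one containing `peer_ip`, if given) also counts."""
    proto = rule.get("IpProtocol")
    if proto == "tcp":
        if not rule.get("FromPort", 0) <= port <= rule.get("ToPort", 0):
            return False
    elif proto != "-1":  # "-1" means all protocols and ports
        return False
    if any(p.get("GroupId") == peer_sg for p in rule.get("UserIdGroupPairs", [])):
        return True
    for r in rule.get("IpRanges", []):
        net = ipaddress.ip_network(r["CidrIp"])
        if net.prefixlen == 0 or (peer_ip and ipaddress.ip_address(peer_ip) in net):
            return True
    return False

def check_proxy_to_db(groups, proxy_sg, db_sg, port):
    """Findings for the proxy -> DB path; an empty list means the DB group's
    inbound and the proxy group's outbound rules both allow it. Pass the same
    ID for both arguments to check a shared (self-referencing) group."""
    findings = []
    if not any(_rule_matches(r, port, proxy_sg) for r in groups[db_sg]["IpPermissions"]):
        findings.append(f"{db_sg}: no inbound rule allowing TCP {port} from source {proxy_sg}")
    if not any(_rule_matches(r, port, db_sg) for r in groups[proxy_sg]["IpPermissionsEgress"]):
        findings.append(f"{proxy_sg}: no outbound rule allowing TCP {port} to destination {db_sg}")
    return findings

def with_egress_rule(groups, sg, dest_sg, port):
    """Copy of `groups` with the article's outbound rule added to `sg`."""
    fixed = copy.deepcopy(groups)
    fixed[sg]["IpPermissionsEgress"].append(
        {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": dest_sg}]})
    return fixed

# Constructed sample shaped like `aws rds describe-db-proxy-targets` output.
PROXY_TARGETS = {"Targets": [{
    "RdsResourceId": "db-EXAMPLERESOURCEID", "Port": 3306, "Type": "RDS_INSTANCE",
    "TargetHealth": {"State": "UNAVAILABLE", "Reason": "AUTH_FAILURE",
                     "Description": "constructed description text"}}]}

# Which part of the article to revisit for each TargetHealth.Reason value
# (this mapping is the example's interpretation, not AWS documentation).
REASON_HINTS = {
    "UNREACHABLE": "network path: recheck the security group rules above",
    "CONNECTION_FAILED": "DB instance did not accept the connection: check its status and port",
    "AUTH_FAILURE": "credentials: check the Secrets Manager secret and the proxy role's "
                    "secretsmanager:GetSecretValue and kms:Decrypt access",
    "PENDING_PROXY_CAPACITY": "proxy still provisioning capacity: wait and recheck",
}

def summarize_targets(describe_output):
    """Flatten each target's TargetHealth into a row with a troubleshooting hint."""
    rows = []
    for t in describe_output.get("Targets", []):
        health = t.get("TargetHealth", {})
        rows.append({"target": t.get("RdsResourceId"), "state": health.get("State"),
                     "reason": health.get("Reason"),
                     "hint": REASON_HINTS.get(health.get("Reason"), health.get("Description", ""))})
    return rows

if __name__ == "__main__":
    for f in check_proxy_to_db(SECURITY_GROUPS, PROXY_SG, DB_SG, 3306):
        print("FINDING:", f)
    for row in summarize_targets(PROXY_TARGETS):
        print(row)
```

To run it against a real account, replace the two constructed dictionaries with the parsed JSON from aws ec2 describe-security-groups (keyed by GroupId) and from the describe-db-proxy-targets command above; the checking functions are written against those output shapes.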

Check that the DB instance currently accepts connections

Review the current status of your DB instance and confirm that it is in the AVAILABLE state. For more information on reviewing the status of your DB instance, see the RDS and Aurora documentation for DB instance status.

Check that the IAM user or role associated with the client has the required permissions

Note: This step is required only if you have enabled IAM DB authentication on the RDS Proxy.

The client must generate an authentication token to authorize the connection request. To do this, the IAM user or role associated with the client must have an IAM policy that allows the rds-db:connect action. Also, make sure that the Resource element of the policy uses the ID of the RDS Proxy in the ARN, as in the following example.

Example:
"Resource": "arn:aws:rds-db:us-east-2:1234567890:dbuser:prx-ABCDEFGHIJKL01234/db_user"
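The following Python script is an added example, not part of this article or of any AWS tooling. It checks an IAM policy document for the client-side permission described above: that an Allow statement grants rds-db:connect on the RDS Proxy's resource ARN (built from the prx-... proxy ID, as in the example above), honouring IAM wildcards and Deny statements, and it flags the common mistake of putting the DB instance's db-... resource ID in the ARN instead. The region, account ID, proxy ID, user name and both policy documents are constructed placeholders. The proxy_auth_token function shows the boto3 call that produces the token the client then presents as its password; it is not exercised offline.

```python
"""Client-side check for the IAM DB authentication step above: does the
client's IAM policy grant rds-db:connect on the RDS Proxy resource ARN (the
prx-... proxy ID), rather than on the DB instance's db-... resource ID?
The policy documents and IDs below are constructed placeholders."""
import re

REGION = "us-east-2"
ACCOUNT_ID = "123456789012"          # placeholder account ID
PROXY_ID = "prx-ABCDEFGHIJKL01234"   # placeholder proxy ID (same form as the example above)
DB_USER = "db_user"

def proxy_connect_arn(region, account_id, proxy_id, db_user):
    """Resource ARN for rds-db:connect through an RDS Proxy: the resource-ID
    part is the proxy ID, not the DB instance's resource ID."""
    return f"arn:aws:rds-db:{region}:{account_id}:dbuser:{proxy_id}/{db_user}"

def _iam_match(pattern, value):
    """IAM-style wildcard match: '*' matches any sequence, '?' one character."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.fullmatch(regex, value, flags=re.IGNORECASE) is not None

def _as_list(v):
    return [v] if isinstance(v, str) else list(v or [])

def connect_allowed(policy, arn):
    """True if an Allow statement grants rds-db:connect on `arn` and no Deny
    statement in the same document covers it (an explicit Deny wins in IAM)."""
    allowed = denied = False
    for st in policy.get("Statement", []):
        if not any(_iam_match(a, "rds-db:connect") for a in _as_list(st.get("Action"))):
            continue
        if any(_iam_match(r, arn) for r in _as_list(st.get("Resource"))):
            allowed |= st.get("Effect") == "Allow"
            denied |= st.get("Effect") == "Deny"
    return allowed and not denied

def diagnose_policy(policy, region, account_id, proxy_id, db_user):
    """'ok', or a message explaining why the token-based connection will be refused."""
    target = proxy_connect_arn(region, account_id, proxy_id, db_user)
    if connect_allowed(policy, target):
        return "ok"
    for st in policy.get("Statement", []):
        for r in _as_list(st.get("Resource")):
            if ":dbuser:db-" in r:  # DB instance resource ID used instead of the proxy ID
                return (f"policy grants rds-db:connect on a DB instance resource ({r}); "
                        f"to connect through the proxy the Resource must be {target}")
    return f"no statement allows rds-db:connect on {target}"

def proxy_auth_token(proxy_endpoint, port, db_user, region):
    """Token the client presents as its password (needs AWS credentials; not run offline)."""
    import boto3  # imported here so the offline checks above work without boto3 installed
    return boto3.client("rds", region_name=region).generate_db_auth_token(
        DBHostname=proxy_endpoint, Port=port, DBUsername=db_user, Region=region)

# Constructed policies: the first uses the DB instance's resource ID, the second the proxy ID.
WRONG_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "rds-db:connect",
    "Resource": f"arn:aws:rds-db:{REGION}:{ACCOUNT_ID}:dbuser:db-EXAMPLERESOURCEID/{DB_USER}"}]}
RIGHT_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "rds-db:connect",
    "Resource": proxy_connect_arn(REGION, ACCOUNT_ID, PROXY_ID, DB_USER)}]}

if __name__ == "__main__":
    for name, pol in (("wrong", WRONG_POLICY), ("right", RIGHT_POLICY)):
        print(name, "->", diagnose_policy(pol, REGION, ACCOUNT_ID, PROXY_ID, DB_USER))
```

The token returned by proxy_auth_token is short-lived and is used in place of the database password when the client opens its connection to the proxy endpoint; if diagnose_policy reports anything other than "ok", the proxy will reject that token even though the network path and the proxy's own credentials are fine.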

Review the RDS Proxy logs

Enable the Enhanced Logging feature of RDS Proxy. Enhanced logging records detailed information about the SQL statements that pass through the proxy, which is useful for understanding authentication issues. Enable these logs only while debugging, because they add performance overhead. To minimize overhead, RDS Proxy automatically turns this setting off 24 hours after you enable it.
