How do I resolve problems connecting to my Amazon RDS DB instance?

Last updated: 2019-08-30

I can't connect to my Amazon Relational Database Service (Amazon RDS) DB instance. Why can't I connect, and how do I fix it?

Short Description

The inability to connect to an Amazon RDS DB instance can be caused by a number of factors. Here are a few of the most common reasons:

  • The RDS DB instance is in a state other than available, so it can't accept connections.
  • The source you use to connect to the instance is missing from the sources authorized to access the RDS DB instance in your security group, network ACLs, or local firewalls.
  • The incorrect DNS name or endpoint was used to connect to the DB instance.
  • The Multi-AZ instance failed over, and the secondary instance uses a subnet or route table that doesn't allow inbound connections.
  • The user authentication is incorrect.

Resolution

Be sure that your instance is in the available state

If you recently launched or rebooted your DB instance, confirm that the instance is in the available state in the Amazon RDS console. Depending on the size of your DB instance, it can take up to 20 minutes for the instance to become available for network connections.

If your instance is in the failed state, see My RDS DB instance is in the failed state.

Be sure that your DB instance allows connections

Be sure that traffic from the source connecting to your DB instance isn't gated by one or more of the following:

  • Any Amazon Virtual Private Cloud (Amazon VPC) security groups associated with the DB instance. If necessary, add rules to the security group associated with the VPC that allow traffic related to the source in and out of the DB instance. You can specify an IP address, a range of IP addresses, or another VPC security group. For general information about VPC and DB instances, see Scenarios for Accessing a DB Instance in a VPC.
  • Any DB security group associated with the DB instance. If the DB instance isn't in a VPC, it might be using a DB security group to gate traffic. Update your DB security group to allow traffic from the IP address range, Amazon Elastic Compute Cloud (Amazon EC2) security group, or EC2 Classic instance that you use to connect.
  • Connections outside a VPC. Be sure that the instance is publicly accessible and that the instance is associated with a public subnet (the route table allows access from an internet gateway). For more information, see Scenarios for Accessing a DB Instance in a VPC.
  • Network access control lists (ACLs). Network ACLs act as a firewall for resources in a specific subnet in a VPC. If you use ACLs in your VPC, be sure that they have rules that allow inbound and outbound traffic to and from the DB instance.
  • Network or local firewalls. Check with your network administrator to determine if your network allows traffic to and from the ports the DB instance uses for inbound and outbound communication.
    Note: Amazon RDS doesn't accept internet control message protocol (ICMP) traffic, including ping.

Troubleshoot potential DNS name or endpoint issues

When connecting to your DB instance, you use a DNS name (endpoint) provided by the Amazon RDS console. Be sure that you use the correct endpoint, and that you provide the endpoint in the correct format to the client you use to connect to the DB instance. For a list of DB engine connection tutorials, which includes instructions on how to find and properly use an endpoint in various client applications, see Getting Started with Amazon RDS.

For example, use nslookup to the DB instance endpoint from an Amazon EC2 instance within the VPC:

nslookup myexampledb.xxxx.us-east-1.rds.amazonaws.com 
Server: xx.xx.xx.xx 
Address: xx.xx.xx.xx#53

See the following example of a non-authoritative answer:

Name: myexampledb.xxxx.us-east-1.rds.amazonaws.com 
Address: 172.31.xx.x"

Check the route tables associated with your Multi-AZ deployment

When you create a Multi-AZ deployment, you launch multiple replica DB instances in different Availability Zones to improve the fault tolerance of your application. Be sure that the subnets associated with each instance are associated with the same or similar route tables. Otherwise, if your primary instance fails over to a standby replica, and the standby replica is associated with a different route table, traffic that was previously routed to your DB instance might no longer be routed correctly.

For more information about how to configure route tables, see Working with Route Tables. For additional information about Multi-AZ deployments, see High Availability (Multi-AZ) for Amazon RDS.

Note: If you can connect to your DB instance but you get authentication errors, see How do I reset the master user password for my Amazon RDS DB instance?

Verify the connectivity

Verify your connection by running one of the following commands:

telnet <RDS endpoint> <port number>
nc <RDS endpoint> <port number>

If either the telnet or nc commands succeed, it indicates that a network connection was established, and the issue is likely caused by the user authentication to the database, such as user name and password.