How do I connect my Amazon RDS database to my Amazon ECS tasks?
Last updated: 2019-08-02
My application is running as tasks launched by Amazon Elastic Container Service (Amazon ECS), and it can't communicate with the Amazon Relational Database Service (Amazon RDS) database. How can I resolve this issue?
Verify your network configurations
To verify if a container instance can establish a connection to the database, complete the following steps, based on your type of container instances:
For Linux-based container instances:
1. Use SSH to connect to the container instance where your task is placed.
2. Run the following command, replacing test.cx40dfn3as4.us-east-1.rds.amazonaws.com and 3306 with the database endpoint and database port for the RDS database that you're connecting to:
$ telnet test.cx40dfn3as4.us-east-1.rds.amazonaws.com 3306 > Trying 172.31.122.28 > Connected to test. cx40dfn3as4.us-east-1.rds.amazonaws.com > Escape character is '^]'.
Important: Telnet isn't pre-installed on Amazon ECS-optimized Amazon Machine Images (AMIs). To install Telnet, run the sudo yum install telnet -y command.
For Windows-based container instances:
1. Use RDP to connect to the container instance where your task is placed.
2. Run the following command using either the Windows command prompt or Windows PowerShell, replacing test.cx40dfn3as4.us-east-1.rds.amazonaws.com and 3306 with the database endpoint and database port for the RDS database that you're connecting to:
$ telnet test.cx40dfn3as4.us-east-1.rds.amazonaws.com 3306
Important: Telnet isn't pre-installed on Amazon ECS-optimized Windows AMIs. To install Telnet, run the Install-WindowsFeature -Name Telnet-Client command using PowerShell (as administrator).
If the connection is established, a blank page appears.
If the connection isn't established and you receive "Connection Timed Out" or "Connect failed' errors, then complete the following steps:
1. Check if your attached security groups allow access to the RDS database by using the DescribeInstances API call, or by choosing the Description tab for your selected instance ID in the Amazon EC2 console.
Note: In the bridge and host networking mode, security groups attached to the container instance govern access to the database. In the awsvpc network mode, the security groups associated during the launch of the service or task govern access. Amazon ECS tasks share the subnet that belongs to the container instance regardless of the network mode.
Tip: As a best practice, create a security group that allows incoming traffic from the database port. Then, attach the security group to the database and container instance, or associate the security group with tasks based on awsvpc.
2. Check if the network access control lists (ACLs) and route table associated with the subnet allow access to the database.
Note: For more information, see Why can't I connect to a service when the security group and network ACL allow inbound traffic?
Verify the database connection parameters
1. In the environment section of your container definition, pass your environment variables as plaintext, or reference them from AWS Systems Manager Parameter Store or AWS Secrets Manager.
Note: An application uses parameters (such as database endpoint, database port, and database access credentials) to establish a connection with the database. These parameters are usually passed as environment variables to the task.
2. If the container in your task can establish a connection with the database, but can't authenticate due to incorrect connection parameters (such as database user name or database password), then reset your database password.
3. Remove any leading or trailing character spaces from your connection parameters.
Note: Syntax errors can result in a failed connection between your container and the RDS database.