How do I troubleshoot connectivity issues between my Amazon ECS tasks for an Amazon EC2 launch type and an Amazon RDS database?

Last updated: 2020-10-15

My application is running as a set of tasks launched by Amazon Elastic Container Service (Amazon ECS) on Amazon Elastic Compute Cloud (Amazon EC2) instances. My application can't communicate with the Amazon Relational Database Service (Amazon RDS) database.

Resolution

Verify your network configurations

To verify whether a container instance can reach the database at the TCP level, complete the following steps for either Linux-based or Windows-based container instances. Note: In awsvpc network mode, each task has its own elastic network interface and its own security groups, so a successful test from the container instance doesn't prove that the task can reach the database. In that case, repeat the test from inside the running container.

For Linux-based container instances:

1.    Use SSH to connect to the container instance where your task is placed.

2.    To connect to your RDS database, run the following command:

$ telnet test.ab12cde3fg4.us-east-1.rds.amazonaws.com 3306

Note: Replace test.ab12cde3fg4.us-east-1.rds.amazonaws.com with your database endpoint. Replace 3306 with your database port.

The output looks similar to the following:

> Trying 172.31.122.28
> Connected to test.ab12cde3fg4.us-east-1.rds.amazonaws.com
> Escape character is '^]'.

Important: Telnet isn't pre-installed on Amazon ECS-optimized Amazon Machine Images (AMIs). To install Telnet, run the sudo yum install telnet -y command.

For Windows-based container instances:

1.    Use the Remote Desktop Protocol (RDP) to connect to the container instance where your task is placed.

2.    To connect to your RDS database, run the following command using either the Windows command prompt or Windows PowerShell:

telnet test.ab12cde3fg4.us-east-1.rds.amazonaws.com 3306

Note: Replace test.ab12cde3fg4.us-east-1.rds.amazonaws.com with your database endpoint. Replace 3306 with your database port.

Important: Telnet isn't pre-installed on Amazon ECS-optimized Windows AMIs. To install Telnet, run the Install-WindowsFeature -Name Telnet-Client command using PowerShell as administrator. Alternatively, the built-in PowerShell cmdlet Test-NetConnection, with the -ComputerName and -Port parameters, performs the same TCP check without installing anything.

If the connection is established, a blank screen appears.

If the connection isn't established and you receive a "Connection timed out" or "Connect failed" error, then complete the following steps. A timeout usually means that a security group, network ACL, or route is blocking the traffic. A "Connection refused" error means that the endpoint was reached but nothing is listening on that port, so check the port number and the status of the DB instance before looking at the network.

1.    Check that the security group attached to the RDS DB instance allows inbound traffic on the database port from the source that the task uses: the security group or CIDR of the container instance, or of the task's elastic network interface in awsvpc mode. To find the security groups attached to the container instance, use either the DescribeInstances API call or the Description tab for your selected instance ID in the Amazon EC2 console.

Note: In the bridge and host networking modes, the security groups attached to the container instance govern access to the database. In the awsvpc network mode, the security groups associated during the launch of the service or task govern access.

Tip: A common pattern is a single security group with an inbound rule on the database port whose source is the security group itself. Attach it to both the DB instance and the container instances, or associate it with the tasks in awsvpc mode. A tighter variant uses two groups: an application group on the instances or tasks, and a database group on the DB instance that allows inbound traffic on the database port only from the application group. With two groups, the database isn't reachable from every other member of a shared group.

2.    Check that the network access control list (network ACL) and route table associated with the subnet allow access to the database. Network ACLs are stateless, so the ACL must allow both the outbound request to the database port and the inbound return traffic on ephemeral ports (1024-65535). The default network ACL allows all traffic. For a DB instance in the same VPC, the local route is sufficient. A database in another VPC or on premises needs a peering, VPN, or Direct Connect route in the subnet's route table.

Verify the database connection parameters

1.    Don't put the database credentials in plain text in the environment section of your container definition. Instead, reference them from AWS Systems Manager Parameter Store or AWS Secrets Manager in the secrets section of the container definition, by parameter or secret ARN. The task execution role must be allowed to read the parameter or secret, and Amazon ECS injects the value as an environment variable when the container starts.

Note: An application uses parameters (such as the database endpoint, database port, and database access credentials) to establish a connection with the database. These parameters are usually passed as environment variables to the task.

2.    If the container in your task can establish a connection with the database, but can't authenticate because of incorrect connection parameters (such as the database user name or password), first verify the credentials by connecting with a database client from the container instance using the same values. If they are wrong or unknown, reset the master password for the DB instance and update the parameter or secret that the task reads. Secrets are resolved when a task starts, so restart the tasks after you rotate the password.

3.    Remove any leading or trailing whitespace from your connection parameters, including carriage returns from files edited on Windows.

Note: A typo or stray character in the endpoint, port, user name, or password results in a failed connection between your container and the RDS database.
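The following bash script is an added example and isn't part of the AWS article or any AWS tool. It performs the reachability check from the "Verify your network configurations" section without telnet, and it applies the whitespace and port checks from the "Verify the database connection parameters" section to the values before using them, so that you test exactly what the task sees. It assumes that the task receives the endpoint and port in environment variables named DB_HOST and DB_PORT (assumed names; use whatever your task definition injects), and it relies on bash's /dev/tcp redirection and the coreutils timeout command. The function names and the sample values are constructed for this example.

```shell
#!/usr/bin/env bash
# Added example (not from the AWS article). Assumed names: DB_HOST, DB_PORT,
# and the functions below. Requires bash (/dev/tcp) and coreutils timeout.

# Strip leading/trailing whitespace and carriage returns from a connection
# parameter. A trailing space in DB_HOST turns a valid endpoint into an
# unresolvable name; a trailing CR in DB_PORT is not a number.
normalize_param() {
  printf '%s' "$1" | tr -d '\r' | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//'
}

# A TCP port is an integer from 1 to 65535. Exit status only, no output.
valid_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Attempt a TCP connect to host:port with a timeout and print one word:
#   ok | dns | refused | timeout | unreachable | error
# The exit status is 0 only for ok, so the function works in a pipeline.
# The host and port are passed as positional arguments to the inner bash,
# never interpolated into the command string.
tcp_probe() {
  local host="$1" port="$2" secs="${3:-5}" err rc
  if err=$(timeout "$secs" bash -c 'exec 3<>"/dev/tcp/$1/$2"' _ "$host" "$port" 2>&1); then
    echo ok; return 0
  else
    rc=$?
  fi
  if [ "$rc" -eq 124 ]; then echo timeout; return 3; fi   # timeout(1) exit code
  case "$err" in
    *"not known"*|*"name resolution"*|*"No address associated"*) echo dns; return 2 ;;
    *refused*) echo refused; return 4 ;;
    *unreachable*|*"No route to host"*) echo unreachable; return 5 ;;
    *) echo error; return 1 ;;
  esac
}

# Full check, as a container entrypoint might run it before starting the app.
# Arguments override the DB_HOST / DB_PORT environment variables.
check_db_reachability() {
  local host port result
  host=$(normalize_param "${1:-${DB_HOST:-}}")
  port=$(normalize_param "${2:-${DB_PORT:-}}")
  if [ -z "$host" ]; then echo "DB_HOST is empty" >&2; return 1; fi
  if ! valid_port "$port"; then echo "DB_PORT '$port' is not a valid port" >&2; return 1; fi
  result=$(tcp_probe "$host" "$port" 5) || true
  echo "$host:$port -> $result"
  [ "$result" = ok ]
}

# Only run when invoked with explicit arguments, so the file can be sourced.
# Example (constructed endpoint from the article):
#   ./dbcheck.sh test.ab12cde3fg4.us-east-1.rds.amazonaws.com 3306
if [ "$#" -ge 2 ]; then
  check_db_reachability "$1" "$2"
fi
```

Run it from the container instance, or from inside the running container for awsvpc tasks, with the same values the task definition injects. Read the result together with the error meanings above: timeout points at security groups, network ACLs, or routing; refused means the network path is open but the port or DB instance status is wrong; dns means the endpoint string itself is wrong or the VPC can't resolve it. A result of ok proves only the network path, not that the credentials are accepted.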
