How can I troubleshoot connectivity to an Amazon RDS instance that uses a public or private subnet of a VPC?
Last updated: 2020-01-02
I am having trouble connecting to my Amazon Relational Database Service (Amazon RDS) DB instance. How can I troubleshoot connectivity issues in a public or private subnet of an Amazon Virtual Private Cloud (Amazon VPC)?
Amazon RDS databases can be launched in the public or private subnet of a VPC. Connection problems can be caused by an incorrect VPC configuration or by configuration or connectivity issues on the client that you are connecting from.
To resolve these issues, see the following resolutions depending on your environment.
My instance is in a public subnet, and I can't connect to it over the internet from my local computer
This issue can occur when the Publicly Accessible property of the instance is set to No. To check whether an instance is publicly accessible, you can use the Amazon RDS Console or the AWS Command Line Interface (AWS CLI).
To change the Publicly Accessible property of the Amazon RDS instance to Yes:
1. Verify that your VPC has an internet gateway attached to it and that the inbound rules for the security group allow connections.
2. Open the Amazon RDS console.
3. Choose Databases from the navigation pane, and then select the DB instance.
4. Choose Modify.
5. Under Network & Security, choose Yes for Public accessibility.
6. Choose Continue.
7. Choose Modify DB Instance.
Note: You don't need to choose Apply Immediately. For more information about how Apply Immediately can affect downtime, see Using the Apply Immediately Parameter.
My instance is in a private subnet, and I can't connect to it from my local computer
You can resolve this issue by using a public subnet. When you use a public subnet, all the resources on the subnet are accessible from the internet. If this solution doesn't meet your security requirements, use AWS Site-to-Site VPN. With Site-to-Site VPN, you configure a customer gateway that allows you to connect your VPC to your remote network.
To switch to a public subnet:
1. Open the Amazon RDS console.
2. Choose Databases from the navigation pane, and then choose the DB instance.
3. From the Connectivity & Security section, copy the endpoint of the DB instance.
4. Perform an nslookup to the DB instance endpoint from an EC2 instance within the VPC. See the following example output:
nslookup myexampledb.xxxx.us-east-1.rds.amazonaws.com
Server: xx.xx.xx.xx
Address: xx.xx.xx.xx#53
Non-authoritative answer:
Name: myexampledb.xxxx.us-east-1.rds.amazonaws.com
Address: 172.31.xx.x
5. After you have the private IP address of your RDS DB instance, match it to a particular subnet in the VPC by finding the subnet whose CIDR range contains that address.
6. Open the Amazon VPC console, and then choose Subnets from the navigation pane.
7. Choose the subnet that is associated with the DB instance that you found in step 5.
8. From the Description pane, choose the Route Table.
9. Choose Actions, and then choose Edit routes.
10. Choose Add route, and then enter the following:
For IPv4 traffic, enter 0.0.0.0/0 in the Destination box, and then select the internet gateway ID in the Target list.
For IPv6 traffic, enter ::/0 in the Destination box, and then select the internet gateway ID in the Target list.
11. Choose Save.
Important: If you change a subnet to public, this makes other instances in the subnet also accessible from the internet if the instances have an associated public address.
If the instance still isn't accessible after following these steps, check whether the instance is Publicly Accessible by following the steps in My instance is in a public subnet, and I can't connect to it over the internet from my local computer.
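Steps 5 through 10 come down to two checks: which subnet CIDR contains the address that nslookup returned, and whether that subnet's route table has a default route to an internet gateway. The following Python sketch is an added example, not part of the original article; it runs on constructed data shaped like describe-subnets and describe-route-tables output, and the function names, resource IDs and the address 172.31.20.15 are assumptions.

```python
import ipaddress

# Constructed sample data shaped like `aws ec2 describe-subnets` and
# `aws ec2 describe-route-tables` output; every ID and CIDR is made up.
SUBNETS = [
    {"SubnetId": "subnet-aaaa1111", "CidrBlock": "172.31.0.0/20"},
    {"SubnetId": "subnet-bbbb2222", "CidrBlock": "172.31.16.0/20"},
    {"SubnetId": "subnet-cccc3333", "CidrBlock": "172.31.32.0/20"},
]
LOCAL = {"DestinationCidrBlock": "172.31.0.0/16", "GatewayId": "local"}
ROUTE_TABLES = [
    {"RouteTableId": "rtb-main0000", "Associations": [{"Main": True}],
     "Routes": [LOCAL]},
    {"RouteTableId": "rtb-pub11111",
     "Associations": [{"Main": False, "SubnetId": "subnet-aaaa1111"}],
     "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example"}]},
    {"RouteTableId": "rtb-nat22222",
     "Associations": [{"Main": False, "SubnetId": "subnet-cccc3333"}],
     "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example"}]},
]

def subnet_for_ip(ip, subnets):
    """Step 5: return the ID of the subnet whose CIDR range contains the IP."""
    addr = ipaddress.ip_address(ip)
    for s in subnets:
        if addr in ipaddress.ip_network(s["CidrBlock"]):
            return s["SubnetId"]
    return None  # not in any listed subnet (wrong VPC, or a public address)

def route_table_for(subnet_id, tables):
    """An explicit association wins; otherwise the main route table applies."""
    main = None
    for t in tables:
        for a in t.get("Associations", []):
            if a.get("SubnetId") == subnet_id:
                return t
            if a.get("Main"):
                main = t
    return main

def is_public(subnet_id, tables):
    """True when the subnet's route table sends 0.0.0.0/0 or ::/0 to an igw-."""
    table = route_table_for(subnet_id, tables)
    for r in (table or {}).get("Routes", []):
        dest = r.get("DestinationCidrBlock") or r.get("DestinationIpv6CidrBlock")
        if dest in ("0.0.0.0/0", "::/0") and r.get("GatewayId", "").startswith("igw-"):
            return True
    return False
```

A subnet with no explicit route table association, such as subnet-bbbb2222 here, is evaluated against the main route table, and a default route to a NAT gateway does not make a subnet public.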
My DB instance can't be accessed by an Amazon Elastic Compute Cloud (Amazon EC2) instance from a different VPC
Create a VPC peering connection between the VPCs. A VPC peering connection allows two VPCs to communicate with each other using private IP addresses.
Important: If the VPCs are in the same AWS account, be sure that the IPv4 CIDR blocks don't overlap. For more information, see Unsupported VPC Peering Configurations.
5. On the EC2 instance, test the VPC peering connection by using a networking utility. See the following example:
nc -zv <hostname> <port>
If the connection is working, the output will look similar to the following:
$ nc -zv myexampledb.xxxx.us-east-1.rds.amazonaws.com 5439
found 0 associations
found 1 connections:
1: flags=82<CONNECTED,PREFERRED>
outif en0
src xx.xxx.xxx.xx port 53396
dst xx.xxx.xxx.xxx port 5439
rank info not available
TCP aux info available
Connection to myexampledb.xxxx.us-east-1.rds.amazonaws.com port 5439 [tcp/*] succeeded!