How can I troubleshoot connectivity to an Amazon RDS instance that uses a public or private subnet of a VPC?

Last updated: 2019-04-10

I am having trouble connecting to my Amazon Relational Database Service (Amazon RDS) DB instance. How can I troubleshoot connectivity issues in a public or private subnet of an Amazon Virtual Private Cloud (Amazon VPC)?

Short Description

Amazon RDS databases can be launched in the public or private subnet of a VPC. Connection problems can be caused by an incorrect VPC configuration or by configuration or connectivity issues on the client that you are connecting from.

To resolve these issues, see the following resolutions depending on your environment.

Resolution

My instance is in a public subnet, and I can't connect to it over the internet from my local computer

This issue can occur when the Publicly Accessible property of the instance is set to No. To check whether an instance is publicly accessible, you can use the Amazon RDS Console or the AWS Command Line Interface (AWS CLI).

To change the Publicly Accessible property of the Amazon RDS instance to Yes:

1.    Verify that your VPC has an internet gateway attached to it and that the inbound rules for the security group allow connections.

2.    Open the Amazon RDS console.

3.    Choose Databases from the navigation pane, and then select the DB instance.

4.    Choose Modify.

5.    Under Network & Security, choose Yes for Public accessibility.

6.    Choose Continue.

7.    Choose Modify DB Instance.

Note: You don't need to choose Apply Immediately. For more information about how Apply Immediately can affect downtime, see Using the Apply Immediately Parameter.

My instance is in a private subnet, and I can't connect to it from my local computer

You can resolve this issue by using a public subnet. When you use a public subnet, all the resources on the subnet are accessible from the internet. If this solution doesn't meet your security requirements, use AWS Site-to-Site VPN. With Site-to-Site VPN, you configure a customer gateway that allows you to connect your VPC to your remote network.

To switch to a public subnet:

1.    Open the Amazon RDS console.

2.    Choose Databases from the navigation pane, and then choose the DB instance.

3.    From the Connectivity & Security section, copy the endpoint of the DB instance.

4.    Perform an nslookup to the DB instance endpoint from an EC2 instance within the VPC. See the following example output:

nslookup myexampledb.xxxx.us-east-1.rds.amazonaws.com
Server: xx.xx.xx.xx
Address: xx.xx.xx.xx#53

Non-authoritative answer:
Name: myexampledb.xxxx.us-east-1.rds.amazonaws.com
Address: 172.31.xx.x

5.    After you have the private IP address of your DB instance, you can find the subnet in which the DB instance resides based on the CIDR.

6.    Open the Amazon VPC console, and then choose Subnets from the navigation pane.

7.    Choose the associated subnet, and in the Description pane, choose the Route Table.

8.    Choose Actions, and then choose Edit routes.

9.    Choose Add route, and then enter the following:
For IPv4 traffic, enter 0.0.0.0/0 in the Destination box, and then select the internet gateway ID in the Target list.
For IPv6 traffic, enter ::/0 in the Destination box, and then select the internet gateway ID in the Target list.

10.    Choose Save.

Important: If you change a subnet to public, this makes other instances in the subnet also accessible from the internet if the instances have an associated public address.

If the instance still isn't accessible after following these steps, check to see if the instance is Publicly Accessible by following the steps in My instance is in a private subnet, and I can't connect to it from my local computer.

My DB instance can't be accessed by an Amazon Elastic Compute Cloud (Amazon EC2) instance from a different VPC

Create a VPC peering connection between the VPCs. A VPC peering connection allows two VPCs to communicate with each other using private IP addresses.

1.    Create and accept a VPC peering connection.

Important: If the VPCs are in the same AWS account, be sure that the IPv4 CIDR blocks do not overlap.

2.    Update both route tables.

3.    Update your security groups to reference peer VPC groups.

4.    On the EC2 instance, test the VPC peering connection by using a networking utility. See the following example:

nc -zv <hostname> <port>

If the connection is working, the output will look similar to the following:

$ nc -zv myexampledb.xxxx.us-east-1.rds.amazonaws.com 5439
found 0 associations
found 1 connections:
     1:    flags=82<CONNECTED,PREFERRED>
    outif en0
    src xx.xxx.xxx.xx port 53396
    dst xx.xxx.xxx.xxx port 5439
    rank info not available
    TCP aux info available

Connection to myexampledb.xxxx.us-east-1.rds.amazonaws.com port 5439 [tcp/*] succeeded!