How can I connect to an Amazon RDS DB instance from an Amazon SageMaker notebook instance that's in a different VPC?

Last updated: 2020-12-16

How can I connect an Amazon SageMaker notebook instance to an Amazon Relational Database Service (Amazon RDS) DB instance that's in a different virtual private cloud (VPC)?

Resolution

1.    Create a VPC peering connection.

2.    After the VPC peering connection is active, update the route tables. The RDS DB instance subnet and the SageMaker notebook instance subnet must have a route to each other. For example, for the following CIDR blocks:

SageMaker VPC CIDR block: 192.168.0.0/16

RDS DB instance VPC CIDR block: 10.0.0.0/24

The Amazon RDS DB Instance subnet route table looks like this:

Destination       Target
10.0.0.0/24       local
192.168.0.0/16    the VPC peering connection (select it from the dropdown list)

The SageMaker notebook instance subnet route table looks like this:

Destination       Target
10.0.0.0/24       the VPC peering connection (select it from the dropdown list)
192.168.0.0/16    local

3.    Confirm that both security groups are configured correctly. To allow traffic from the notebook instance to the RDS DB instance:

On the notebook instance security group: Be sure that there's an outbound rule that allows traffic to the RDS DB instance.

On the DB instance security group: Be sure that there's an inbound rule for the DB instance port whose source is the notebook instance's security group, VPC CIDR block, or subnet CIDR block. Referencing the notebook instance's security group is the narrowest of these three options.

4.    To test the connection, run the following command in a terminal on the SageMaker notebook instance. Replace these values in the example:

test.ab12cde3fg4.us-east-1.rds.amazonaws.com: the DB instance endpoint

3306: the DB instance port

nc test.ab12cde3fg4.us-east-1.rds.amazonaws.com 3306 -zv

Troubleshooting

If the notebook instance has direct internet access enabled, then the test command might fail (for example, "Connection timed out"). If this happens, run the following command to check the notebook instance's routing table at the operating system level:

route -n

When direct internet access is enabled, the routing table looks like this:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         172.16.0.1      0.0.0.0         UG    0      0        0 eth0
10.0.32.0       0.0.0.0         255.255.224.0   U     0      0        0 eth1
169.254.0.0     0.0.0.0         255.255.255.0   U     0      0        0 veth_def_agent
169.254.169.254 0.0.0.0         255.255.255.255 UH    0      0        0 eth0
172.16.0.0      0.0.0.0         255.255.224.0   U     0      0        0 eth0
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0
172.18.0.0      0.0.0.0         255.255.0.0     U     0      0        0 br-5a785eca34a3
192.168.0.0     0.0.0.0         255.255.128.0   U     0      0        0 eth2
192.168.0.0     192.168.0.1     255.255.0.0     UG    0      0        0 eth2

In this example, the DB instance's VPC CIDR block is 10.0.0.0/24. The operating system's routing table doesn't have a route to 10.0.0.0/24, so traffic to the RDS VPC CIDR block falls through to the default route and leaves through the primary network interface (eth0), which handles public traffic. To resolve the connection issue, add a route that sends that traffic through eth2, which is the notebook instance's VPC elastic network interface:

1.    Note the SageMaker VPC router address. In this example, 192.168.0.0/16 (the notebook instance's VPC CIDR block) is routed to 192.168.0.1. This means that 192.168.0.1 is the VPC router address.

2.    Add the route to the routing table in the notebook instance terminal. Replace these values in the example:

10.0.0.0/24: the RDS DB instance's VPC CIDR block

192.168.0.1: the SageMaker notebook instance's VPC router address

sudo ip route add 10.0.0.0/24 via 192.168.0.1 dev eth2

3.    Confirm that the new route is in the routing table (run route -n again):

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         172.16.0.1      0.0.0.0         UG    0      0        0 eth0
10.0.0.0        192.168.0.1     255.255.255.0   UG    0      0        0 eth2
10.0.32.0       0.0.0.0         255.255.224.0   U     0      0        0 eth1
169.254.0.0     0.0.0.0         255.255.255.0   U     0      0        0 veth_def_agent
169.254.169.254 0.0.0.0         255.255.255.255 UH    0      0        0 eth0
172.16.0.0      0.0.0.0         255.255.224.0   U     0      0        0 eth0
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0
172.18.0.0      0.0.0.0         255.255.0.0     U     0      0        0 br-5a785eca34a3
192.168.0.0     0.0.0.0         255.255.128.0   U     0      0        0 eth2
192.168.0.0     192.168.0.1     255.255.0.0     UG    0      0        0 eth2

4.    Test the connection again:

sh-4.2$ nc test.ab12cde3fg4.us-east-1.rds.amazonaws.com 3306 -zv
Connection to test.ab12cde3fg4.us-east-1.rds.amazonaws.com 3306 port [tcp/mysql] succeeded!

Note: Changes to the operating system routing table don't persist between notebook instance sessions. This means that you lose the changes when you stop and start the SageMaker notebook instance. To mitigate this, use a lifecycle configuration to add the route every time that you start the notebook instance.
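One way to implement the lifecycle configuration mentioned in the note, as an added example that is not part of the AWS article: an on-start script that derives the VPC router address from route -n the same way the Troubleshooting steps do, adds the route only when it is missing, and then runs the article's nc check. RDS_VPC_CIDR, VPC_IFACE, DB_HOST and DB_PORT are placeholders that default to the article's example values, and the --dry-run mode reads a constructed copy of the "before" routing table instead of the live one.

```shell
#!/bin/bash
# Added example, not from the AWS article: a lifecycle-configuration "on-start" script that
# re-adds the Troubleshooting route on every start. Values below are placeholders (assumptions);
# the router address is derived from `route -n` as the article does (gateway of the UG route
# for the VPC CIDR block on the VPC interface).
set -eu
RDS_VPC_CIDR="${RDS_VPC_CIDR:-10.0.0.0/24}"   # placeholder: the RDS DB instance's VPC CIDR block
VPC_IFACE="${VPC_IFACE:-eth2}"                # placeholder: the notebook's VPC elastic network interface
DB_HOST="${DB_HOST:-test.ab12cde3fg4.us-east-1.rds.amazonaws.com}"  # placeholder DB endpoint
DB_PORT="${DB_PORT:-3306}"

# Constructed sample of `route -n` output (the article's "before" table) for dry runs and tests.
SAMPLE_ROUTE_TABLE='Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         172.16.0.1      0.0.0.0         UG    0      0        0 eth0
10.0.32.0       0.0.0.0         255.255.224.0   U     0      0        0 eth1
192.168.0.0     0.0.0.0         255.255.128.0   U     0      0        0 eth2
192.168.0.0     192.168.0.1     255.255.0.0     UG    0      0        0 eth2'
# Prefix length (0-32) to dotted netmask, e.g. 24 -> 255.255.255.0.
cidr_to_mask() {
  len=$1; mask=""
  for i in 1 2 3 4; do
    bits=$(( len >= 8 ? 8 : (len > 0 ? len : 0) ))
    mask="$mask$(( 256 - (1 << (8 - bits)) ))"
    if [ "$i" -lt 4 ]; then mask="$mask."; fi
    len=$(( len - 8 ))
  done
  printf '%s' "$mask"
}
# Succeed if the `route -n` output on stdin already has an exact route for CIDR (a.b.c.d/len).
route_present() {
  mask=$(cidr_to_mask "${1#*/}")
  awk -v d="${1%/*}" -v m="$mask" '$1 == d && $3 == m { f = 1 } END { exit f ? 0 : 1 }'
}
# Print the VPC router: gateway of the first non-default gateway (UG) route on interface $1.
vpc_router_for() {
  awk -v ifc="$1" '$4 ~ /G/ && $8 == ifc && $1 != "0.0.0.0" { print $2; exit }'
}
# With $1 = "dry", read the sample table and print the command instead of changing routes.
apply_route() {
  if [ "${1:-}" = "dry" ]; then table=$SAMPLE_ROUTE_TABLE; else table=$(route -n); fi
  if printf '%s\n' "$table" | route_present "$RDS_VPC_CIDR"; then
    echo "route to $RDS_VPC_CIDR already present"; return 0
  fi
  router=$(printf '%s\n' "$table" | vpc_router_for "$VPC_IFACE")
  [ -n "$router" ] || { echo "no VPC router found on $VPC_IFACE" >&2; return 1; }
  if [ "${1:-}" = "dry" ]; then echo "would run: ip route add $RDS_VPC_CIDR via $router dev $VPC_IFACE"
  else sudo ip route add "$RDS_VPC_CIDR" via "$router" dev "$VPC_IFACE"; nc -zv "$DB_HOST" "$DB_PORT"; fi
}
case "${1:-}" in --apply) apply_route ;; --dry-run) apply_route dry ;; esac
```

Run it as bash on-start.sh --apply from the lifecycle configuration, or bash on-start.sh --dry-run in a notebook terminal to see the ip route command it would issue without changing anything.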