How do I troubleshoot problems connecting to an Amazon RDS cluster or instance running Amazon Aurora?

Here are some of the most common reasons you might have trouble connecting to an Amazon Aurora DB cluster or instance:

  • The DB instance is still being created and is not yet in the available state.
  • The DB instance security group, ACLs, or a local firewall are blocking the connection from the source instance or its IP addresses.
  • The route table associated with your VPC's subnets is not allowing or routing traffic from your local machine or DB instance.
  • The DB instance is not publicly accessible when connecting from a local machine through the Internet.
  • DNS name resolution is failing, or you aren't connecting to the correct Aurora endpoint.

Make sure your instance is in the available state

When you create a new RDS DB instance, it can take up to 20 minutes for the instance to move into the available state. Instances in any state other than available (for example, creating) might not be ready to receive network connections.

You can check the current state of your instance by opening the RDS console, selecting Instances from the left navigation pane, and checking the Status column next to your instance. If you prefer, you can also check the status of your instance using the AWS CLI or the RDS API.

Check your security groups, ACLs, route tables, and local firewalls

Make sure the security groups, network access control lists (ACLs), and route tables associated with your VPC allow connections from the source IP address on the database engine port. Run a networking utility such as nc (netcat), telnet, or traceroute to see if and where traffic to and from your DB instance is failing or timing out.

Note: When using traceroute, use the TCP (-T) option; ICMP packets are blocked by RDS.

When troubleshooting connection timeouts, first check that the security group associated with your DB instance has an inbound rule that allows traffic from the source you're connecting from:

  1. Open the RDS console and select your DB instance.
  2. From the Instance Actions menu, choose See Details.
  3. Under Security and Network, choose the security group next to Security Groups.
  4. From the Actions menu, choose Edit Inbounds.
  5. Add a rule or update a current rule to allow traffic from the source you're connecting from, and then choose Save.
    Note: It's a security best practice to limit inbound traffic to only sources that you trust. Do not allow all inbound traffic.

Next, ensure that the network ACL associated with your DB instance allows inbound traffic from the source you're connecting from, and allows outbound traffic on ephemeral or high ports (ports 1024-65535):

  1. Select the instance in the RDS console, and from the Instance Actions menu, choose See Details.
  2. Select a subnet from the list next to Subnets.
  3. Select the Network ACL tab and ensure the rules allow the necessary inbound and outbound traffic.
  4. Repeat steps 2 and 3 for any other subnets in the Subnets list.

Last, ensure that your route table allows inbound connections from the source you're connecting from:

  1. Select the instance in the RDS console, and from the Instance Actions menu, choose See Details.
  2. Select a subnet from the list next to Subnets.
  3. Select the Route Table tab and ensure inbound connections from the source you're connecting from are allowed.
    Note: Publicly accessible Aurora clusters must be in public subnets, which should route traffic to the Internet through an Internet gateway (IGW), not through an Elastic Network Interface (ENI) or NAT device.
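
The security group and network ACL checks above can also be run offline against exported rule data. The following is an added example, not AWS code: it assumes IPv4 CIDR rules only (security-group-to-security-group references are ignored), TCP port 3306 as the database port, and constructed sample data that uses the field names returned by `aws ec2 describe-security-groups` and `aws ec2 describe-network-acls`.

```python
import ipaddress

def covers(cidr, ip):  # IPv4 only; entries without an IPv4 CIDR never match
    return bool(cidr) and ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)

def sg_allows(sg, ip, port):
    # Security groups hold allow rules only: any matching rule admits the traffic.
    for p in sg["IpPermissions"]:
        any_proto = p["IpProtocol"] == "-1"
        in_range = any_proto or (p["IpProtocol"] == "tcp" and p["FromPort"] <= port <= p["ToPort"])
        if in_range and any(covers(r["CidrIp"], ip) for r in p.get("IpRanges", [])):
            return True
    return False

def nacl_allows(acl, ip, lo, hi, egress):
    # Network ACL rules are evaluated in ascending RuleNumber; the first match decides.
    # Conservative: True only if that rule allows the whole lo-hi port range.
    rules = sorted((e for e in acl["Entries"] if e["Egress"] == egress),
                   key=lambda e: e["RuleNumber"])
    for e in rules:
        pr = e.get("PortRange")  # absent when the rule covers all protocols
        if e["Protocol"] not in ("6", "-1") or not covers(e.get("CidrBlock"), ip):
            continue
        if pr is None or (pr["From"] <= hi and lo <= pr["To"]):
            whole = pr is None or (pr["From"] <= lo and hi <= pr["To"])
            return e["RuleAction"] == "allow" and whole
    return False  # nothing matched: implicit deny

def diagnose(sg, acl, ip, port):
    cidrs = [r["CidrIp"] for p in sg["IpPermissions"] for r in p.get("IpRanges", [])]
    checks = [
        (sg_allows(sg, ip, port), "security group: no inbound rule for this source and port"),
        ("0.0.0.0/0" not in cidrs, "security group: inbound rule open to 0.0.0.0/0"),
        (nacl_allows(acl, ip, port, port, egress=False), "network ACL: inbound traffic to the DB port is denied"),
        (nacl_allows(acl, ip, 1024, 65535, egress=True), "network ACL: outbound ephemeral ports are denied"),
    ]
    return [msg for ok, msg in checks if not ok]

# Constructed sample data (documentation address ranges, not real resources).
def rule(num, egress, proto="-1", ports=None, action="deny"):
    e = {"RuleNumber": num, "Egress": egress, "Protocol": proto,
         "RuleAction": action, "CidrBlock": "0.0.0.0/0"}
    return {**e, "PortRange": {"From": ports[0], "To": ports[1]}} if ports else e

SG = {"IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
                         "IpRanges": [{"CidrIp": "203.0.113.0/24"}]}]}
DENY_ALL = [rule(32767, False), rule(32767, True)]
GOOD_ACL = {"Entries": [rule(100, False, "6", (3306, 3306), "allow"), rule(100, True, "6", (1024, 65535), "allow")] + DENY_ALL}
BAD_ACL = {"Entries": [rule(100, False, "6", (3306, 3306), "allow"), rule(100, True, "6", (443, 443), "allow")] + DENY_ALL}
```

`diagnose(SG, BAD_ACL, "203.0.113.10", 3306)` reports only the outbound ephemeral-port finding, which is the case where the security group looks correct but connections still time out.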

Check whether your RDS instance is publicly accessible

If the DB instance is launched with Publicly accessible set to No, you can only connect to it from resources in the same VPC, and your RDS instance is launched with no public IP addresses. To check the state of the Publicly accessible attribute, select the DB instance in the RDS console and choose See Details from the Actions menu.

If you would like to connect from your local machine, resources outside of the VPC that contains the RDS instance, the Internet, or another AWS region, ensure that the instance or cluster is in a public subnet, and set Publicly accessible to Yes.

If you want to connect from a local network, configure a VPN connection.

Make sure that you are connecting to the correct endpoint

Because Amazon Aurora is a managed service, you must connect to Aurora DNS endpoints using MySQL client tools.

Make sure you connect to the correct Aurora endpoint. To verify the cluster and reader endpoints of your DB cluster, select your DB cluster in the Cluster pane of the RDS console.

You can perform an nslookup or dig against the Aurora endpoint to make sure the DNS endpoint resolves properly. For example, if you run nslookup using the endpoint of your DB instance, and the endpoint resolves to the IP address of your instance, you receive a response similar to the following:

Non-authoritative answer:
Name:    {endpoint of your DB instance}
Address:    {IP address of your DB instance}

Note: An output similar to this does not guarantee that traffic from your connection source will route properly to the endpoint.  
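
Because a successful lookup does not prove the path is open, it helps to test resolution and the TCP connection separately. The following is an added example, not AWS code: `probe`, `explain` and the hint wording are hypothetical names, and it only attempts a TCP handshake to the host and port you pass in.

```python
import socket

# Hint text maps each outcome to the checks described on this page.
HINTS = {
    "open": "TCP handshake completed; the network path to the port works",
    "dns_failure": "endpoint name did not resolve; check that you are using the correct Aurora endpoint",
    "timeout": "no reply; check security group, network ACL, route table and Publicly accessible",
    "refused": "a host answered but nothing is listening on this port; check the port and instance status",
    "unreachable": "local network error; check the local firewall and routing",
}

def probe(host, port, timeout=5.0):
    """Resolve host, then try a TCP connect to each returned address."""
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return "dns_failure"
    result = "timeout"
    for family, socktype, proto, _, addr in infos:
        with socket.socket(family, socktype, proto) as s:
            s.settimeout(timeout)
            try:
                s.connect(addr)
                return "open"
            except socket.timeout:          # packets silently dropped
                result = "timeout"
            except ConnectionRefusedError:  # reset received from the host
                result = "refused"
            except OSError:                 # e.g. network or host unreachable
                result = "unreachable"
    return result

def explain(host, port, timeout=5.0):
    outcome = probe(host, port, timeout)
    return outcome, HINTS[outcome]
```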

Published: 2017-01-10

Updated: 2017-03-20