How can I troubleshoot connectivity to an Amazon RDS DB instance that uses a public or private subnet of a VPC?

Last updated: 2022-02-24

I cannot connect to my Amazon Relational Database Service (Amazon RDS) DB instance. How can I troubleshoot connectivity issues in a public or private subnet of an Amazon Virtual Private Cloud (Amazon VPC)?

Short description

Amazon RDS databases can be launched in the public or private subnet of a VPC. Connection problems can be caused by an incorrect VPC configuration or by configuration or connectivity issues on the client that you are connecting from.

To resolve these issues, see the following resolutions depending on your environment.

Resolution

Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you’re using the most recent AWS CLI version.

My DB instance is in a public subnet, and I can't connect to it over the internet from my local computer

This issue can occur when the Publicly Accessible property of the DB instance is set to No. To check whether a DB instance is publicly accessible, you can use the Amazon RDS Console or the AWS CLI.

To change the Publicly Accessible property of the Amazon RDS instance to Yes:

1.    Verify that your VPC has an internet gateway attached to it. Make sure that the inbound rules for the security group allow connections.

2.    Open the Amazon RDS console.

3.    Choose Databases from the navigation pane, and then select the DB instance.

4.    Choose Modify.

5.    Under Connectivity, expand the Additional configuration section, and then choose Publicly accessible.

6.    Choose Continue.

7.    Choose Modify DB Instance.

Note: You don't need to choose Apply Immediately. For more information about how Apply Immediately can affect downtime, see Using the Apply Immediately setting.

My DB instance is in a private subnet, and I can't connect to it from my local computer

You can resolve this issue by using a public subnet. When you use a public subnet, all the resources on the subnet are accessible from the internet. If this solution doesn't meet your security requirements, then use AWS Site-to-Site VPN. With Site-to-Site VPN, you configure a customer gateway that allows you to connect your VPC to your remote network.

Another method to resolve this issue is using an Amazon EC2 instance as a bastion (jump) host. For more information, see How can I connect to a private Amazon RDS DB instance from a local machine using an Amazon EC2 instance as a bastion host?

To switch to a public subnet:

1.    Open the Amazon RDS console.

2.    Choose Databases from the navigation pane, and then choose the DB instance.

3.    From the Connectivity & Security section, copy the endpoint of the DB instance.

4.    Perform an nslookup to the DB instance endpoint from an EC2 instance within the VPC. See the following example output:

nslookup myexampledb.xxxx.us-east-1.rds.amazonaws.com
Server: xx.xx.xx.xx
Address: xx.xx.xx.xx#53

Non-authoritative answer:
Name: myexampledb.xxxx.us-east-1.rds.amazonaws.com
Address: 172.31.xx.x

5.    After you have the private IP address of your RDS DB instance, you can relate the private IP address to a particular subnet in the VPC: the subnet is the one whose CIDR range contains that private IP address.

6.    Open the Amazon VPC console, and then choose Subnets from the navigation pane.

7.    Choose the subnet associated with the DB instance that you identified in step 5.

8.    From the Description pane, choose the Route Table.

9.    Choose Actions, and then choose Edit routes.

10.    Choose Add route. For IPv4 and IPv6 traffic, in the Destination box, enter the routes for your external or on-premises network. Then, select the internet gateway ID in the Target list.
Note: Be sure that the Inbound security group rule for your instance restricts traffic to the addresses of your external or on-premises network. 

11.    Choose Save.

Important: If you change a subnet to public, then other DB instances in the subnet also become accessible from the internet. The DB instances are accessible from the internet if they have an associated public address.
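To check steps 5 and 10 of this procedure without clicking through the console, the following added example (not part of this AWS article) maps the private address that nslookup returned to its subnet and then tests whether the most specific route covering your client address in that subnet's route table points at an internet gateway. The subnet and route-table data are constructed samples shaped like aws ec2 describe-subnets and describe-route-tables output; the IDs, CIDRs and client address are placeholders.

```python
import ipaddress

# Constructed sample data shaped like `aws ec2 describe-subnets` and
# `aws ec2 describe-route-tables` output; IDs and CIDRs are placeholders.
SUBNETS = [
    {"SubnetId": "subnet-aaaa1111", "CidrBlock": "172.31.0.0/20"},
    {"SubnetId": "subnet-bbbb2222", "CidrBlock": "172.31.16.0/20"},
]
ROUTE_TABLES = [
    # Main route table: used by subnets with no explicit association; private.
    {"Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "172.31.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0000bbbb"}]},
    # Table for subnet-aaaa1111: only the on-premises range is routed to the IGW,
    # as the note under step 10 recommends, rather than 0.0.0.0/0.
    {"Associations": [{"SubnetId": "subnet-aaaa1111"}],
     "Routes": [{"DestinationCidrBlock": "172.31.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "203.0.113.0/24", "GatewayId": "igw-0000aaaa"}]},
]

def find_subnet(private_ip, subnets=SUBNETS):
    """Step 5: the subnet whose CIDR range contains the address nslookup returned."""
    addr = ipaddress.ip_address(private_ip)
    for s in subnets:
        if addr in ipaddress.ip_network(s["CidrBlock"]):
            return s["SubnetId"]
    return None

def route_table_for(subnet_id, tables=ROUTE_TABLES):
    """The explicitly associated route table, or the VPC's main table if none."""
    for t in tables:
        if any(a.get("SubnetId") == subnet_id for a in t["Associations"]):
            return t
    return next(t for t in tables if any(a.get("Main") for a in t["Associations"]))

def routes_via_igw(subnet_id, client_ip, tables=ROUTE_TABLES):
    """Step 10 check: longest-prefix match for client_ip must target an igw-* ID."""
    client = ipaddress.ip_address(client_ip)
    matches = [r for r in route_table_for(subnet_id, tables)["Routes"]
               if client in ipaddress.ip_network(r["DestinationCidrBlock"])]
    if not matches:
        return False
    best = max(matches, key=lambda r: ipaddress.ip_network(r["DestinationCidrBlock"]).prefixlen)
    return best.get("GatewayId", "").startswith("igw-")

def classify(private_ip, client_ip):
    """Returns (subnet_id, reachable_via_igw) for the DB's private IP and a client IP."""
    subnet_id = find_subnet(private_ip)
    if subnet_id is None:
        return None, False
    return subnet_id, routes_via_igw(subnet_id, client_ip)
```

A result of True only tells you the route table allows the path; the security group inbound rule from step 1 and the Publicly Accessible property still have to permit the connection.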

If the DB instance still isn't accessible after following these steps, check whether the DB instance is Publicly Accessible. To do this, follow the steps in My DB instance is in a public subnet, and I can't connect to it over the internet from my local computer.

My DB instance can't be accessed by an Amazon Elastic Compute Cloud (Amazon EC2) instance from a different VPC

Create a VPC peering connection between the VPCs. A VPC peering connection allows two VPCs to communicate with each other using private IP addresses.

1.    Create and accept a VPC peering connection.

Important: If the VPCs are in the same AWS account, be sure that the IPv4 CIDR blocks don't overlap. For more information, see Unsupported VPC peering configurations.

2.    Update both route tables.

3.    Update your security groups to reference peer VPC groups.

4.    Enable DNS resolution support for your VPC peering connection.

5.    On the EC2 instance, test the VPC peering connection by using a networking utility. See the following example:

nc -zv <hostname> <port>

If the connection is working, then the output looks similar to the following:

$ nc -zv myexampledb.xxxx.us-east-1.rds.amazonaws.com 5439
found 0 associations
found 1 connections:
     1:    flags=82<CONNECTED,PREFERRED>
    outif en0
    src xx.xxx.xxx.xx port 53396
    dst xx.xxx.xxx.xxx port 5439
    rank info not available
    TCP aux info available

Connection to myexampledb.xxxx.us-east-1.rds.amazonaws.com port 5439 [tcp/*] succeeded!