How do I resolve problems when I'm connecting to my Amazon RDS DB instance?

I can't connect to my Amazon Relational Database Service (Amazon RDS) DB instance.

Short description

The following are the most common reasons that block your connection to your Amazon RDS DB instance:

  • The Amazon RDS DB instance is in a state other than available, so it can't accept connections.
  • The source that connects to the DB instance isn't allowed by your security group, network access control lists (ACLs), or local firewalls.
  • You're using the wrong DNS name or endpoint to connect to the DB instance.
  • The Multi-AZ DB instance failed over, and the secondary DB instance uses a subnet or route table that doesn't allow inbound connections.
  • The user authentication is incorrect.

Resolution

Use one or more of the following methods to troubleshoot your connection problem.

Use an automation runbook

Use the AWSSupport-TroubleshootConnectivityToRDS AWS Systems Manager Automation document to help diagnose the issue.

This automation document can diagnose network ACLs based on the primary IP address of the Amazon Elastic Compute Cloud (Amazon EC2) instance. However, ephemeral ports aren't verified. The automation document also checks security groups based on the primary IP address of the Amazon EC2 instance, but that automation doesn't check specific ports. For more information, see Run an automated operation powered by Systems Manager Automation.

For instructions on how to run the runbook and details about what it checks, see AWSSupport-TroubleshootConnectivityToRDS.

When the automation is complete, review the Outputs section for the detailed results. If the runbook can't identify the issue, then continue to the following manual steps.

Confirm that your DB instance is in the available state

If you recently launched or rebooted your DB instance, then confirm that the DB instance is in the available state in the Amazon RDS console. Depending on the size of your DB instance, up to 20 minutes might elapse before the DB instance is available for network connections. If your DB instance is in the failed state, then see Why is my Amazon RDS DB instance in a failed state?

Confirm that your DB instance allows connections

Be sure that traffic from the source that connects to your DB instance isn't gated by one or more of the following configuration requirements:

  • Any Amazon Virtual Private Cloud (Amazon VPC) security groups associated with the DB instance. Add rules to the security group associated with the VPC that allow traffic related to the source into and out from the DB instance. You can specify an IP address, a range of IP addresses, or another VPC security group. For general information about VPC and DB instances, see Scenarios for accessing a DB instance in a VPC.
  • Any DB security group associated with the DB instance. If the DB instance isn't in a VPC, then the instance might use a DB security group to gate traffic. Update your DB security group to allow traffic from the IP address range or Amazon EC2 security group that you use to connect.
  • Connections from outside the VPC. Be sure that the DB instance is publicly accessible and in a public subnet, that is, a subnet whose route table has a route to an internet gateway. For more information, see Scenarios for accessing a DB instance in a VPC.
    For DB instances in a private subnet, use VPC peering or AWS Site-to-Site VPN to securely connect to your instance. With Site-to-Site VPN, you configure a customer gateway that allows you to connect your VPC to your remote network. Use VPC peering to create a peering connection between your source VPC and your instance's VPC to access the instance from outside its VPC. You can also use an Amazon EC2 instance as a bastion (jump) host.
  • Network ACLs. Network ACLs act as a firewall for resources in a specific subnet in a VPC. For ACLs in your VPC, be sure that the ACLs have rules that allow inbound and outbound traffic to and from the DB instance.
  • Network or local firewalls. Ask your network administrator if your network allows traffic into and out from the ports that the DB instance uses for inbound and outbound communication.
    Note: Amazon RDS doesn't accept Internet Control Message Protocol (ICMP) traffic, including ping.

Potential DNS name or endpoint issues

When you connect to your DB instance, you use a DNS name (endpoint) that's provided by the Amazon RDS console. Be sure to use the correct endpoint. Also, provide the endpoint in the correct format for the client that you use to connect to the DB instance. For more information on DB engine connections and how to use an endpoint in various client applications, see Getting started with Amazon RDS.

For example, use nslookup to view the DB instance endpoint from an Amazon EC2 instance within the VPC.

nslookup myexampledb.xxxx.us-east-1.rds.amazonaws.com 
Server: xx.xx.xx.xx 
Address: xx.xx.xx.xx#53

Example of a non-authoritative answer:

Name: myexampledb.xxxx.us-east-1.rds.amazonaws.com
Address: 172.31.xx.x

Database-level issues

Check that the following database-level settings are configured correctly:

  • You have the correct username and password to access the instance from your DB client.
  • The user has the database permissions to connect to the DB instance.
  • There is no resource throttling in Amazon RDS, such as CPU or memory contention. Memory contention might lead to issues when you establish newer connections to the instance.
  • The instance hasn't reached the max_connections limit.

Check the route tables associated with your instance

Be sure that the subnets associated with each DB instance are associated with the same or similar route tables. If your primary DB instance fails over to a standby replica that's associated with a different route table, then traffic might no longer be routed correctly, even if it was routed without an issue before the failover.

For more information, see Configure route tables and Configuring and managing a Multi-AZ deployment for Amazon RDS.

Note: If you connect to your DB instance but you get errors, then see How do I reset the master user password for my Amazon RDS DB instance?

Verify your connectivity

To verify your connection, run one of the following commands:

telnet <RDS endpoint> <port number>
nc -zv <RDS endpoint> <port number>

The telnet and nc commands test the TCP connection between the client and the server. If either command succeeds, then a network connection was established, and the issue is with user authentication to the database, such as the username or password.
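The DNS lookup and the telnet/nc test above can be combined into one diagnostic. The following is an added Python example, not code from the AWS article: it resolves the endpoint, attempts only the TCP handshake (the same test nc -zv performs), and maps each outcome to the check in this article to look at next. The endpoint and port arguments and the advice strings are assumptions of the example.

```python
import ipaddress
import socket
import sys

# Next step for each probe outcome, following the checks in the article above (example text).
ADVICE = {
    "dns_failed": "Endpoint did not resolve: copy the exact endpoint from the RDS console.",
    "unreachable": "No route to the address: check the route table of the subnet the primary uses.",
    "timeout": "Packets are dropped: check the security group, network ACLs and local firewalls.",
    "refused": "Host answered but nothing listens here: confirm the instance is available and the port is right.",
    "connected": "Network path works: look at database-level causes (credentials, permissions, max_connections).",
}
PRIVATE_HINT = " Endpoint resolves to private addresses only, so connect from inside the VPC or via peering, VPN or a bastion."

def resolve(host):
    """IPv4 addresses the endpoint resolves to (sorted), [] when DNS fails."""
    try:
        infos = socket.getaddrinfo(host, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def private_only(addresses):
    """True when every address is private (like 172.31.x.x), i.e. only reachable inside the VPC."""
    return bool(addresses) and all(ipaddress.ip_address(a).is_private for a in addresses)

def probe_tcp(host, port, timeout=5.0):
    """TCP handshake only, the same test `nc -zv` performs; returns an ADVICE key."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "connected"
    except socket.timeout:          # no SYN-ACK: something silently drops the traffic
        return "timeout"
    except ConnectionRefusedError:  # host reachable, but the port is closed
        return "refused"
    except OSError:                 # e.g. EHOSTUNREACH / ENETUNREACH
        return "unreachable"

def diagnose(host, port, timeout=5.0):
    """Run the DNS check, then the TCP check, and return (result, addresses, advice)."""
    addresses = resolve(host)
    if not addresses:
        return "dns_failed", [], ADVICE["dns_failed"]
    result = probe_tcp(host, port, timeout)
    advice = ADVICE[result]
    if result != "connected" and private_only(addresses):
        advice += PRIVATE_HINT
    return result, addresses, advice

if __name__ == "__main__":  # usage: python rds_check.py <RDS endpoint> <port number>
    print(*diagnose(sys.argv[1], int(sys.argv[2])), sep="\n")
```

Run it from the client that fails to connect; a timeout points at security groups, ACLs or firewalls, while a successful handshake moves the investigation to the database-level checks.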

Related information

Can't connect to Amazon RDS DB instance

How can I troubleshoot connectivity to an Amazon RDS DB instance that uses a public or private subnet of a VPC?

Security in Amazon RDS

Using SSL/TLS to encrypt a connection to a DB instance or cluster