
How do I connect to an Amazon RDS DB instance that uses a public or private subnet of an Amazon VPC?

I want to connect to my Amazon Relational Database Service (Amazon RDS) DB instance that's in a public or private subnet of an Amazon Virtual Private Cloud (Amazon VPC).

Short description

When you launch RDS DB instances in the public or private subnet of a VPC, you might experience connection issues for the following reasons:

  • Incorrect VPC configuration on the DB instance
  • Incorrect configuration or connectivity issues on the client that you connect from

To resolve these issues, follow the resolution steps that match your environment.

Resolution

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.

Troubleshoot connection issues to a DB instance in a public subnet over the internet from your local computer

If the Publicly Accessible property of your DB instance is set to No, then you can't connect to it over the internet. To check whether your DB instance is publicly accessible, complete the following steps:

  1. Open the Amazon RDS console.
  2. In the navigation pane, choose Databases.
  3. Select your DB instance.
  4. Review the Connectivity & Security section of your instance.
    -or-
    Run the describe-db-instances AWS CLI command:
    aws rds describe-db-instances --db-instance-identifier example_instance_id
    Note: Replace example_instance_id with your DB instance ID.

To update the Publicly Accessible property of your DB instance, complete the following steps:

  1. Open the Amazon RDS console.
  2. In the navigation pane, choose Databases, and then select your DB instance.
  3. Choose Modify.
  4. Under Connectivity, expand the Additional configuration section, and then choose Publicly accessible.
  5. Choose Continue.
  6. Choose Modify DB Instance.
    Note: Amazon RDS immediately applies the change, even if you don't choose the Apply immediately option. Downtime only occurs if you have a pending maintenance action that requires downtime and you choose Apply immediately.

If you turned on the Publicly Accessible property but still can't connect to your instance, then check the following details:

  • Verify that you attached an internet gateway to your VPC.
  • Make sure that the inbound rules for the security group of your DB instance allow connections from your source IP address.

Troubleshoot connection issues to a DB instance in a private subnet from your local computer

To resolve this issue, use one of the following methods, whichever best fits your use case:

To switch to a public subnet, complete the following steps:

  1. Open the Amazon RDS console.

  2. In the navigation pane, choose Databases, and then select your DB instance.

  3. From the Connectivity & Security section, copy the endpoint of the DB instance.

  4. Run an nslookup to the DB instance endpoint from an EC2 instance within the VPC, similar to the following example:

    nslookup myexampledb.xxxx.us-east-1.rds.amazonaws.com

    Example output:

    Server: xx.xx.xx.xx
    Address: xx.xx.xx.xx#53

    Non-authoritative answer:
    Name: myexampledb.xxxx.us-east-1.rds.amazonaws.com
    Address: 172.31.xx.x
  5. After you have the private IP address of your DB instance, identify the subnet in the VPC that it belongs to: the DB instance is in the subnet whose CIDR range contains the private IP address.

  6. Open the Amazon VPC console.

  7. In the navigation pane, choose Subnets.

  8. Select the subnet associated with the DB instance that you identified in step 5.

  9. From the Description pane, choose the Route Table.

  10. Choose Actions, and then choose Edit routes.

  11. Choose Add route. For IPv4 and IPv6 traffic, in the Destination box, enter the routes for your external or on-premises network. Then, select the internet gateway ID in the Target list.
    Note: Make sure that the inbound security group rule for your instance restricts traffic to the addresses of your external or on-premises network.

  12. Choose Save.

If the DB instance still isn't accessible, then confirm that the DB instance is Publicly Accessible. For more information, see the previous section Troubleshoot connection issues to a DB instance in a public subnet over the internet from your local computer.
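The checks in the two sections above (Publicly Accessible, an internet gateway route for the instance's subnet, an inbound security group rule for the source address, and mapping the private IP that nslookup returns to its subnet by CIDR range in step 5) can be run over the JSON that the AWS CLI returns. The following Python script is an added example, not AWS code or a tool from this article: it uses the field names returned by describe-db-instances, describe-subnets, describe-route-tables and describe-security-groups, and every identifier and address in it (myexampledb, sg-0db, subnet-0a, igw-0example, 172.31.10.25, 203.0.113.7 and so on) is a constructed placeholder. A subnet with no explicit route table association falls back to the VPC main route table, which the example does not model.

```python
"""Offline reachability checks for an RDS instance, following the steps above.

Added example, not AWS code. The dictionaries mirror the JSON field names of
`aws rds describe-db-instances`, `aws ec2 describe-subnets`, `describe-route-tables`
and `describe-security-groups`; every identifier and address is a constructed placeholder.
"""
import ipaddress

DB_INSTANCE = {                                   # constructed describe-db-instances entry
    "DBInstanceIdentifier": "myexampledb",
    "PubliclyAccessible": False,
    "Endpoint": {"Port": 5432},
    "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0db"}],
}
RESOLVED_PRIVATE_IP = "172.31.10.25"              # constructed: what nslookup returned (step 4)
SUBNETS = [
    {"SubnetId": "subnet-0a", "CidrBlock": "172.31.0.0/20"},
    {"SubnetId": "subnet-0b", "CidrBlock": "172.31.16.0/20"},
]
ROUTE_TABLES = [
    {"RouteTableId": "rtb-0a", "Associations": [{"SubnetId": "subnet-0a"}],
     "Routes": [{"DestinationCidrBlock": "172.31.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example"}]},
    {"RouteTableId": "rtb-0b", "Associations": [{"SubnetId": "subnet-0b"}],
     "Routes": [{"DestinationCidrBlock": "172.31.0.0/16", "GatewayId": "local"}]},
]
SECURITY_GROUPS = [
    {"GroupId": "sg-0db",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
                        "IpRanges": [{"CidrIp": "203.0.113.0/24"}]}]},
]


def subnet_for_ip(ip, subnets):
    """Step 5: the instance sits in the subnet whose CIDR contains its private IP."""
    addr = ipaddress.ip_address(ip)
    for subnet in subnets:
        if addr in ipaddress.ip_network(subnet["CidrBlock"]):
            return subnet["SubnetId"]
    return None


def route_table_for_subnet(subnet_id, route_tables):
    """Step 9: the route table explicitly associated with the subnet."""
    for table in route_tables:
        if any(a.get("SubnetId") == subnet_id for a in table.get("Associations", [])):
            return table
    return None  # no explicit association: the VPC main route table applies (not modelled)


def has_internet_gateway_route(route_table):
    """Step 11: a public subnet routes 0.0.0.0/0 to an internet gateway (igw-...)."""
    return any(route.get("DestinationCidrBlock") == "0.0.0.0/0"
               and str(route.get("GatewayId", "")).startswith("igw-")
               for route in route_table.get("Routes", []))


def sg_allows(source_ip, port, sg_ids, security_groups):
    """Does an attached security group have an inbound rule for source_ip on TCP port?"""
    src = ipaddress.ip_address(source_ip)
    for group in security_groups:
        if group["GroupId"] not in sg_ids:
            continue
        for perm in group.get("IpPermissions", []):
            proto = perm.get("IpProtocol")            # "-1" means all traffic
            if proto not in ("tcp", "-1"):
                continue
            if proto == "tcp" and not perm["FromPort"] <= port <= perm["ToPort"]:
                continue
            if any(src in ipaddress.ip_network(r["CidrIp"]) for r in perm.get("IpRanges", [])):
                return True
    return False


def diagnose(db, private_ip, source_ip, subnets, route_tables, security_groups):
    """Return the reasons a client at source_ip cannot reach the instance (empty = OK)."""
    findings = []
    if not db.get("PubliclyAccessible"):
        findings.append("Publicly Accessible is No")
    subnet_id = subnet_for_ip(private_ip, subnets)
    if subnet_id is None:
        findings.append(f"{private_ip} is not inside any known subnet CIDR")
    else:
        table = route_table_for_subnet(subnet_id, route_tables)
        if table is None or not has_internet_gateway_route(table):
            findings.append(f"{subnet_id} has no 0.0.0.0/0 route to an internet gateway")
    sg_ids = {g["VpcSecurityGroupId"] for g in db.get("VpcSecurityGroups", [])}
    port = db["Endpoint"]["Port"]
    if not sg_allows(source_ip, port, sg_ids, security_groups):
        findings.append(f"no inbound rule allows {source_ip} on TCP {port}")
    return findings


if __name__ == "__main__":
    for finding in diagnose(DB_INSTANCE, RESOLVED_PRIVATE_IP, "203.0.113.7",
                            SUBNETS, ROUTE_TABLES, SECURITY_GROUPS):
        print("-", finding)
```

To use it against a real account, replace the constructed dictionaries with the output of the corresponding commands (for example aws ec2 describe-route-tables --filters Name=vpc-id,Values=your_vpc_id) and pass the IP address you connect from as source_ip; an empty findings list means all three conditions from the sections above hold.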

Troubleshoot DB instance access issues from an EC2 instance in a different VPC

If you can't access your DB instance from an EC2 instance in a different VPC, then create a VPC peering connection. A VPC peering connection uses private IP addresses to allow the VPCs to communicate.

Complete the following steps:

  1. Create a VPC peering connection.
    Note: If the VPCs are in the same AWS account, then make sure that the IPv4 CIDR blocks don't overlap. For more information, see VPC peering limitations.
  2. Accept the connection.
  3. Update both route tables.
  4. Update your security groups to reference peer VPC groups.
  5. Activate DNS resolution support for your VPC peering connection.
  6. On the EC2 instance, use a networking utility to test the VPC peering connection similar to the following example:
    nc -zv hostname port
    Note: Replace hostname with your hostname and port with your port.
    If the connection is working, then the output looks similar to the following:
    nc -zv myexampledb.xxxx.us-east-1.rds.amazonaws.com 5439  
    found 0 associations
    found 1 connections:
         1:    flags=82<CONNECTED,PREFERRED>
        outif en0
        src xx.xxx.xxx.xx port 53396
        dst xx.xxx.xxx.xxx port 5439
        rank info not available
        TCP aux info available
    
    Connection to myexampledb.xxxx.us-east-1.rds.amazonaws.com port 5439 [tcp/*] succeeded!
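The peering prerequisites in steps 1 to 5 above (non-overlapping CIDR blocks, an accepted connection, a route in each VPC to the other VPC's CIDR through the peering connection, a security group rule that references the client's group, and DNS resolution support) can be verified over the CLI's JSON before you run the nc test. The script below is an added example, not AWS code or part of this article. It uses the field names of describe-vpc-peering-connections, describe-route-tables and describe-security-groups; every identifier and CIDR in it (pcx-0example, vpc-app, vpc-db, sg-0app, sg-0db, 10.0.0.0/16, 172.31.0.0/16) is a constructed placeholder, and it assumes the DB instance is in the accepter VPC, so the DNS resolution option it checks is the accepter side's AllowDnsResolutionFromRemoteVpc.

```python
"""Prerequisite checks for the VPC peering steps above (steps 1 to 5).

Added example, not AWS code. The dictionaries mirror the JSON field names of
`aws ec2 describe-vpc-peering-connections`, `describe-route-tables` and
`describe-security-groups`; every identifier and CIDR is a constructed placeholder.
"""
import ipaddress

# Constructed: the client EC2 instance is in the requester VPC, the DB instance in the accepter VPC.
PEERING = {
    "VpcPeeringConnectionId": "pcx-0example",
    "Status": {"Code": "active"},            # "pending-acceptance" until step 2 is done
    "RequesterVpcInfo": {"VpcId": "vpc-app", "CidrBlock": "10.0.0.0/16",
                         "PeeringOptions": {"AllowDnsResolutionFromRemoteVpc": True}},
    "AccepterVpcInfo": {"VpcId": "vpc-db", "CidrBlock": "172.31.0.0/16",
                        "PeeringOptions": {"AllowDnsResolutionFromRemoteVpc": False}},
}
ROUTE_TABLES = [
    {"VpcId": "vpc-app", "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "172.31.0.0/16", "VpcPeeringConnectionId": "pcx-0example"}]},
    {"VpcId": "vpc-db", "Routes": [
        {"DestinationCidrBlock": "172.31.0.0/16", "GatewayId": "local"}]},
]
DB_SECURITY_GROUP = {
    "GroupId": "sg-0db", "VpcId": "vpc-db",
    "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [],
                       "UserIdGroupPairs": [{"GroupId": "sg-0app", "VpcId": "vpc-app"}]}],
}
CLIENT_SG_ID = "sg-0app"   # security group of the EC2 instance in vpc-app
DB_PORT = 5432


def cidrs_overlap(cidr_a, cidr_b):
    """Step 1 note: peering cannot be used when the IPv4 CIDR blocks overlap."""
    return ipaddress.ip_network(cidr_a).overlaps(ipaddress.ip_network(cidr_b))


def routes_to_peer(vpc_id, peer_cidr, pcx_id, route_tables):
    """Step 3: some route table in vpc_id must send peer_cidr to the peering connection."""
    peer_net = ipaddress.ip_network(peer_cidr)
    for table in route_tables:
        if table["VpcId"] != vpc_id:
            continue
        for route in table.get("Routes", []):
            dest = route.get("DestinationCidrBlock")
            if (dest and route.get("VpcPeeringConnectionId") == pcx_id
                    and peer_net.subnet_of(ipaddress.ip_network(dest))):
                return True
    return False


def sg_references_peer_group(db_sg, client_sg_id, port):
    """Step 4: the DB group's inbound rule should reference the peer VPC's client group."""
    for perm in db_sg.get("IpPermissions", []):
        proto = perm.get("IpProtocol")                     # "-1" means all traffic
        if proto not in ("tcp", "-1"):
            continue
        if proto == "tcp" and not perm["FromPort"] <= port <= perm["ToPort"]:
            continue
        if any(pair.get("GroupId") == client_sg_id for pair in perm.get("UserIdGroupPairs", [])):
            return True
    return False


def check_peering(peering, route_tables, db_sg, client_sg_id, port):
    """Return the findings to fix, in the order of the steps above (empty = ready to test)."""
    req, acc = peering["RequesterVpcInfo"], peering["AccepterVpcInfo"]
    pcx = peering["VpcPeeringConnectionId"]
    findings = []
    if cidrs_overlap(req["CidrBlock"], acc["CidrBlock"]):
        findings.append("VPC CIDR blocks overlap; traffic cannot be routed between them")
    if peering["Status"]["Code"] != "active":
        findings.append(f"peering connection is {peering['Status']['Code']}, not accepted")
    # Step 3 applies to both VPCs: each needs a route to the other side's CIDR.
    if not routes_to_peer(req["VpcId"], acc["CidrBlock"], pcx, route_tables):
        findings.append(f"{req['VpcId']} has no route to {acc['CidrBlock']} via {pcx}")
    if not routes_to_peer(acc["VpcId"], req["CidrBlock"], pcx, route_tables):
        findings.append(f"{acc['VpcId']} has no route to {req['CidrBlock']} via {pcx}")
    if not sg_references_peer_group(db_sg, client_sg_id, port):
        findings.append(f"{db_sg['GroupId']} has no inbound rule for {client_sg_id} on TCP {port}")
    # Step 5 (assumption: the DB is in the accepter VPC, so the accepter side must allow
    # the requester VPC to resolve the RDS endpoint to its private IP).
    if not acc["PeeringOptions"].get("AllowDnsResolutionFromRemoteVpc"):
        findings.append(f"{acc['VpcId']} does not allow DNS resolution from {req['VpcId']}")
    return findings


if __name__ == "__main__":
    for finding in check_peering(PEERING, ROUTE_TABLES, DB_SECURITY_GROUP, CLIENT_SG_ID, DB_PORT):
        print("-", finding)
```

With the constructed data, the script reports that vpc-db has no return route to the client VPC and that DNS resolution is still off on the DB side; once both are fixed, the findings list is empty and the nc test above is the next step.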
    
    

Related information

Scenarios for accessing a DB instance in a VPC

Working with a DB instance in a VPC