How can I troubleshoot connectivity to an Amazon RDS DB instance that uses a public or private subnet of a VPC?

6 minute read

I can't connect to my Amazon Relational Database Service (Amazon RDS) DB instance. How can I troubleshoot connectivity issues in a public or private subnet of an Amazon Virtual Private Cloud (Amazon VPC)?

Short description

You can launch Amazon RDS databases in the public or private subnet of a VPC. However, incorrect VPC configuration on the RDS instance side can cause connection problems. Or, configuration or connectivity issues on the client that you are connecting from might also cause connection problems.

To resolve these issues, see the following resolutions depending on your environment.


Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you’re using the most recent AWS CLI version.

My DB instance is in a public subnet, and I can't connect to it over the internet from my local computer

This issue can occur when the Publicly Accessible property of the DB instance is set to No. To check whether a DB instance is publicly accessible:

Open the Amazon RDS console, select Databases from the navigation pane, and select your DB instance. Then, review the Connectivity & Security section of your instance.


Use the describe-db-instances command in the AWS CLI.

To change the Publicly Accessible property of the Amazon RDS instance to Yes:

1.    Open the Amazon RDS console.

2.    Choose Databases from the navigation pane, and then select the DB instance.

3.    Choose Modify.

4.    Under Connectivity, extend the Additional configuration section, and then choose Publicly accessible.

5.    Choose Continue.

6.    Choose Modify DB Instance.

Note: This change is applied immediately, even if you don't select the Apply Immediately option. Downtime occurs only if you have pending maintenance action set up with this modification, which requires downtime, and you choose Apply Immediately.

If you set the Publicly Accessible property to Yes and you're still unable to connect to your RDS instance, then check these details:

My DB instance is in a private subnet, and I can't connect to it from my local computer

You can resolve this issue by using a public subnet. When you use a public subnet, all the resources on the subnet are accessible from the internet. If this solution doesn't meet your security requirements, then use AWS Site-to-Site VPN. With Site-to-Site VPN, you configure a customer gateway that allows you to connect your VPC to your remote network.

Another method to resolve this issue is using an Amazon EC2 instance as a bastion (jump) host. For more information, see How can I connect to a private Amazon RDS DB instance from a local machine using an Amazon EC2 instance as a bastion host?

To switch to a public subnet:

1.    Open the Amazon RDS console.

2.    Choose Databases from the navigation pane, and then choose the DB instance.

3.    From the Connectivity & Security section, copy the endpoint of the DB instance.

4.    Perform an nslookup to the DB instance endpoint from an EC2 instance within the VPC. See the following example output:

Server: xx.xx.xx.xx
Address: xx.xx.xx.xx#53

Non-authoritative answer:
Address: 172.31.xx.x

5.    After you have the private IP address of your RDS DB instance, you can relate the private IP address to a particular subnet in the VPC. The VPC subnet is based on the subnet CIDR range and private IP address.

6.    Open the Amazon VPC console, and then choose Subnets from the navigation pane.

7.    Choose the subnet that is associated to the DB instance that you found in step 5.

8.    From the Description pane, choose the Route Table.

9.    Choose Actions, and then choose Edit routes.

10.    Choose Add route. For IPv4 and IPv6 traffic, in the Destination box, enter the routes for your external or on-premises network. Then, select the internet gateway ID in the Target list.

Note: Be sure that the Inbound security group rule for your instance restricts traffic to the addresses of your external or on-premises network.    

11.    Choose Save.

Important: If you change a subnet to public, then other DB instances in the subnet also become accessible from the internet. The DB instances are accessible from the internet if they have an associated public address.

If the DB instance still isn't accessible after following these steps, check to see if the DB instance is Publicly Accessible. To do this, follow the steps in My DB instance is in a private subnet, and I can't connect to it from my local computer.

My DB instance can't be accessed by an Amazon EC2 instance from a different VPC

Create a VPC peering connection between the VPCs. A VPC peering connection allows two VPCs to communicate with each other using private IP addresses.

1.    Create and accept a VPC peering connection.

Important: If the VPCs are in the same AWS account, be sure that the IPv4 CIDR blocks don't overlap. For more information, see VPC peering limitations.

2.    Update both route tables.

3.    Update your security groups to reference peer VPC groups.

4.    Activate DNS resolution support for your VPC peering connection.

5.    On the Amazon Elastic Compute Cloud (Amazon EC2) instance, test the VPC peering connection by using a networking utility. See the following example:

nc -zv <hostname> <port>

If the connection is working, then the output looks similar to the following:

$ nc -zv 5439
found 0 associations
found 1 connections:
     1:    flags=82<CONNECTED,PREFERRED>
    outif en0
    src port 53396
    dst port 5439
    rank info not available
    TCP aux info available

Connection to port 5439 [tcp/*] succeeded!

Related information

Scenarios for accessing a DB instance in a VPC

Working with a DB instance in a VPC