How can I use the AWSSupport-TroubleshootConnectivityToRDS Systems Manager automation runbook to configure TroubleshootConnectivityToRDS between a source Amazon RDS database and an Amazon EC2 target?

4 minute read

I want to test connectivity between my Amazon Relational Database Service (Amazon RDS) database and a target Amazon Elastic Compute Cloud (Amazon EC2) client. I want to do this with a source and target that are in my AWS account, across accounts, or across AWS Regions.

Short description

AWSSupport-TroubleshootConnectivityToRDS uses the Systems Manager automation workflow to diagnose connectivity issues between a client EC2 machine and Amazon RDS. The runbook diagnoses network access control lists (network ACLs) based on the primary IP address of the EC2 instance. The workflow checks the instance status and properties, subnet CIDRs, network ACLs, security groups, and route tables. It completes these checks for both Amazon RDS and your EC2 instance, and then compares the configurations. You can also use this runbook for source Amazon Aurora and Amazon DocumentDB (with MongoDB compatibility) databases.

Note: The workflow doesn't verify ephemeral ports. The automation checks security groups based on the primary IP address of the EC2 instance, but doesn't check specific ports.

You can choose from the following workflow settings:

Simple execution (Default): Runs the automation workflow on targets.
Rate control: Runs on multiple targets and defines concurrency and error thresholds.
Multi-account and Region: Runs in multiple accounts and Regions.
Manual execution: Runs a step-by-step runbook mode.

Resolution

Prerequisites:

(Optional) An Amazon CloudWatch alarm that alerts you when a failure occurs during a workflow.
An RDS, Aurora or Amazon DocumentDB instance.
A minimum of one EC2 instance to test the connection. Note the instance ID from the Amazon EC2 console.
An AWS Identity and Access Management (IAM) role with the following trusted entities and policy attached. Note the ARN and name of the IAM role for later use.

IAM role trusted entities:

{  
    "Version": "2012-10-17",  
    "Statement": [  
        {  
            "Sid": "",  
            "Effect": "Allow",  
            "Principal": {  
                "Service": [  
                    "ssm.amazonaws.com"  
                ]  
            },  
            "Action": "sts:AssumeRole"  
        }  
    ]  
}

IAM policy for the role:

{  
 "Version": "2012-10-17",  
 "Statement": [  
 {  
 "Sid": "VisualEditor0",  
 "Effect": "Allow",  
 "Action": [  
 "ec2:DescribeInstances",  
 "rds:DescribeDBInstances",  
 "ec2:DescribeSubnets",  
 "ec2:DescribeNetworkAcls",  
 "ec2:DescribeRouteTables",  
 "ec2:DescribeSecurityGroups"  
 ],  
 "Resource": "*"  
 }  
 ]  
}

Run the automation workflow

Open the Systems Manager console, and then choose your Region.
Open the AWSSupport-TroubleshootConnectivityToRDS automation workflow.
Choose Simple execution, Rate control, Multi-account and Region, or Manual execution based on your use case. This example uses Simple execution.
Enter the details of your IAM role, RDS Instance identifier, and the EC2 instance ID.
Choose Execute to start the workflow.

After the workflow starts, you can review the status of the workflow. Check if the workflow established a connection from the RDS DB instance to the EC2 instance. Then, review the list of steps that the workflow runs to check if the workflow failed or timed out at a specific step. You can also review the workflow to see if permissions issues occurred.

After the workflow is complete, the output shows the steps that the workflow ran and a Success or Failed status.

Run the workflow with the Rate control option

If you choose to use the Rate control option, then you can run the workflow on multiple targets and define concurrency and error thresholds. To do this, choose the DBinstance Identifier and Source Instance parameters of the corresponding targets. Then, test all the target EC2 instances that can access the RDS DB instance.

For each client and error threshold, use the concurrency to configure the number of workflows that you want to run at the same time.

Example:

Concurrency - one target
Error threshold - one error

Run the workflow with the cross-account and cross-Region option

When you choose the cross-account and cross-Region option, provide the AWS account details or organizational unit (OU). Also, to correctly run the automation workflow, make sure to provide the IAM role name that's in the cross-Region account.

Topics

Migration & Modernization Analytics Database End User Computing

Relevant content

Automate EC2 into System Manager
rePost-User-4136916
asked 3 months ago
How to automate copying an RDS table to another RDS database
hanmari
asked 10 months ago
Can Systems Manager Target Only Instances That Are Running
Accepted Answer
AWS-User-7841548
asked 2 years ago
How can I encrypt an existing RDS PostgreSQL database provisioned and managed using the CDK?
Rob Elliot
asked 2 months ago
EventBridge target System Manager Automation pass in Execution Role
pg-infra-dev
asked a year ago
How can I use the AWSPremiumSupport-ResizeNitroInstance runbook to resize Amazon EC2 instances that are built on the Nitro System?
AWS OFFICIALUpdated 7 months ago
How can I use the AWSSupport-ManageRDPSettings runbook to manage the RDP settings on my Amazon EC2 Windows instance?
AWS OFFICIALUpdated 8 months ago
How do I use the AWSSupport-TroubleshootRDSIAMAuthentication runbook to diagnose Amazon RDS DB authentication issues?
AWS OFFICIALUpdated 6 months ago
How do I use AWSSupport-ManageRDPSettings Systems Manager Automation runbook to manage RDP settings on a managed EC2Windows instance?
AWS OFFICIALUpdated 8 months ago
Support Automation Workflow (SAW) Runbook: Troubleshoot AWS Systems Manager Session Manager
EXPERT
Maya Karalic
published a year ago