KateYoak

Reputation: 1731

AWS RDS public access

I am stumped with AWS configuration. My goal is to create a database that's accessible from inside and outside the network.

Here is what I have. The RDS instance runs PostgreSQL. Connections from inside the VPC work correctly.

The endpoint is set up to be publicly accessible, and when accessed from the outside it does in fact resolve. However, the connection hangs, indicating the traffic is blocked by somebody.

Security group is good:

Inbound: Port 5432 from 0.0.0.0/0
Outbound: all from 0.0.0.0/0

Subnets. I assume that's where something is wrong, right? At first I had two private and two public subnets in the subnet group. To simplify, I removed the private ones without changing the outcome.

So we have two public subnets:

[screenshot: subnet group]

Both have the same route table with an Internet Gateway

[screenshot: subnet]

[screenshot: internet gateway]

As far as I can tell, everything is in working order... So who is blocking my database connection?

Upvotes: 45

Views: 63641

Answers (6)

Kris Vasan

Reputation: 11

The default security group AWS created only allowed traffic originating from the same security group. I had to add a rule to the security group to allow incoming traffic from any IP in order for it to work.

Upvotes: 1

David

Reputation: 101

I was unable to connect to my publicly accessible RDS as well, following https://aws.amazon.com/premiumsupport/knowledge-center/rds-connectivity-instance-subnet-vpc/.

It turns out one of my subnet route tables did not have a route record to public 0.0.0.0/0; once added, it works.

Upvotes: 10

Arvind K.

Reputation: 1304

As of Oct 2021, RDS instances may have their own security groups. Hence you just need to create or edit a security group to allow public access*.

In general an RDS instance has a default security group. I would recommend creating a new security group to allow public access instead of editing the default group, though.

To add a new security group:

  • Go to RDS > Security groups
  • Click on Create DB Security Group
  • Enter name and description and click Create button to save
  • Click the newly created security group name in the list of security groups
  • Click on Add Rule located on top right corner of the box
  • Check CIDR/IP radio button
  • Enter 0.0.0.0/0 in CIDR/IP to Authorize text field
  • Save by clicking Add Rule button

Once saved, go back to the list of RDS instances, RDS > Databases

  • Check the RDS instance and click Modify at top right
  • Find and select the newly created security group under Connectivity > Security group
  • Make sure that Publicly accessible is checked under Connectivity > Additional Settings
  • Save

Optionally, you may edit an existing security group. This could avoid the step of modifying the RDS instance.

In order to edit a security group:

  • Go to RDS > Security groups
  • Click on a security group to edit, for example default
  • Click on Add Rule located on top right corner of the box
  • Check CIDR/IP radio button
  • Enter 0.0.0.0/0 in CIDR/IP to Authorize text field
  • Save by clicking Add Rule button

[*] You should consider adding an IP or a range of IPs if you have them.

Upvotes: 1

Rico Chan

Reputation: 2396

By default, even if you have set "Public accessibility" to "Yes" during the setup of RDS, the "Security Group" still does not allow port 3306 yet.

Therefore you have to click on the Security Group of the RDS, then add a Rule to allow 3306 from any IP.

Here is the reference setting. But I have to warn you first: this public accessibility would expose your database to the internet. Please do so at your own risk.

Upvotes: 39

Rajeev Rathor

Reputation: 1932

As per the new AWS RDS UI, follow these steps.

  1. Open the Amazon RDS console.
  2. Choose Databases from the navigation pane, and then select the DB instance.
  3. Choose Modify.
  4. Connectivity

Additionally [important]: update the inbound and outbound policy with the PORT and IPs.

Upvotes: 12

Ben Whaley

Reputation: 34436

Two things to check:

  1. Ensure that the RDS instance has the publicly accessible attribute set so that it is assigned a public address

  2. Also according to the AWS RDS docs, "If you want your DB instance in the VPC to be publicly accessible, you must enable the VPC attributes DNS hostnames and DNS resolution."

Also, check that the IP that your RDS instance hostname resolves to is a public IP address.

Upvotes: 7
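As an added example (not code from the question or from any of the answers), the checklist the answers give, the publicly-accessible flag, the VPC DNS attributes, a security-group rule for the DB port, a 0.0.0.0/0 route to an internet gateway on every subnet of the subnet group, and a public address behind the endpoint name, expressed as pure functions over dicts in the shape of the boto3 `describe_db_instances`, `describe_security_groups`, `describe_route_tables` and `describe_vpc_attribute` responses. The security-group check takes the client's IP, so a rule scoped to one CIDR (as the footnote above recommends) passes just as well as 0.0.0.0/0; all IDs, addresses and the sample data are constructed, and a real run would fetch the dicts with boto3 instead.

```python
import ipaddress

def sg_allows(sg, port, client_ip):
    """True if an inbound rule of a describe_security_groups entry lets client_ip reach TCP port."""
    ip = ipaddress.ip_address(client_ip)
    for rule in sg.get("IpPermissions", []):
        proto = rule.get("IpProtocol")
        in_range = proto == "-1" or (proto == "tcp" and rule["FromPort"] <= port <= rule["ToPort"])
        if in_range and any(ip in ipaddress.ip_network(r["CidrIp"]) for r in rule.get("IpRanges", [])):
            return True
    return False

def has_igw_default_route(rt):
    """True if a describe_route_tables entry sends 0.0.0.0/0 to an internet gateway."""
    return any(r.get("DestinationCidrBlock") == "0.0.0.0/0" and r.get("GatewayId", "").startswith("igw-")
               for r in rt.get("Routes", []))

def diagnose(db, sgs, rt_by_subnet, vpc_attrs, client_ip, resolved_ip=None):
    """Return the findings that explain a hanging connection from client_ip (empty list = all clear)."""
    findings = []
    if not db["PubliclyAccessible"]:
        findings.append("PubliclyAccessible is false, so no public address is assigned")
    if not (vpc_attrs["EnableDnsHostnames"] and vpc_attrs["EnableDnsSupport"]):
        findings.append("VPC must have DNS hostnames and DNS resolution enabled")
    port = db["Endpoint"]["Port"]
    if not any(sg_allows(sgs[m["VpcSecurityGroupId"]], port, client_ip)
               for m in db["VpcSecurityGroups"] if m["Status"] == "active"):
        findings.append(f"no security group allows TCP {port} from {client_ip}")
    for sn in db["DBSubnetGroup"]["Subnets"]:  # every subnet in the group must be public
        if not has_igw_default_route(rt_by_subnet.get(sn["SubnetIdentifier"], {})):
            findings.append(f"{sn['SubnetIdentifier']} has no 0.0.0.0/0 route to an internet gateway")
    if resolved_ip and ipaddress.ip_address(resolved_ip).is_private:
        findings.append(f"endpoint resolves to private address {resolved_ip}")
    return findings

# Constructed sample data in the shape of the boto3 responses (IDs and addresses are placeholders).
DB = {"PubliclyAccessible": True, "Endpoint": {"Port": 5432},
      "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-example", "Status": "active"}],
      "DBSubnetGroup": {"Subnets": [{"SubnetIdentifier": "subnet-a"}, {"SubnetIdentifier": "subnet-b"}]}}
SGS = {"sg-example": {"IpPermissions": [{"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
                                         "IpRanges": [{"CidrIp": "203.0.113.0/24"}]}]}}
ROUTE_TABLES = {"subnet-a": {"Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-example"}]},
                "subnet-b": {"Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]}}
VPC_ATTRS = {"EnableDnsHostnames": True, "EnableDnsSupport": True}

if __name__ == "__main__":
    for finding in diagnose(DB, SGS, ROUTE_TABLES, VPC_ATTRS, "203.0.113.7", "10.0.1.5"):
        print("FINDING:", finding)
```

With the sample data the run reports the same two conditions the answers above found in practice: one subnet of the group has no internet-gateway route, and the endpoint name resolves to a private address.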
