AWS: can't connect to RDS database from my machine

Question

The EC2 instance/live web can connect just fine to the RDS database. But when I want to debug the code in my local machine, I can't connect to the database and got this error:

OperationalError: (2003, "Can't connect to MySQL server on 'aa9jliuygesv4w.c03i1 ck3o0us.us-east-1.rds.amazonaws.com' (10060)")

I've added .pem and .ppk keys to .ssh and I already configure EB CLI. I don't know what should I do anymore.

Answer 1

I just resolved my issue with a few simple steps: Go to Inbound Rules, add a rule with 'All TCP'. Your IP will be detected automatically. Save the settings and try connecting again.

Answer 2

I had set up my RDS database with the default VPC and default subnet group, in a new region I hadn't used before. I selected to create a new security group with the RDS creation.

After the database was created, I went to check out the security group that was created, and it had one inbound rule -- all MySQL traffic allowed from my IP, which is what I wanted. It had no outbound rules set, so I created one that was completely open to all IPs and ports.

I was unable to connect to the database at this point, so I found this thread, and checked that my subnets all had an internet gateway assigned, and changed my database to publicly accessible. Nothing helped.

Out of curiosity, I decided to set my security group to allow inbound traffic from any IP, and I was instantly able to connect. So I set it back to only allow inbound traffic to my IP, and I was still able to connect. So it seems like opening the security group to all inbound traffic, then resetting it back to my IP only, is what fixed it. This may be similar to the answer from user @gorbak_blow above.

Answer 3

In my case I had security group inbound rules set and the DB was publicly accessible,

But my subnet was actually private (was missing internet gateway, target was local).

So to fix it:

1. Go to RDS > my DB > Connectivity & security

Do this for each subnet:

2. Click on Route Table tab

3. Click on Edit route table association button

4. Then under Route table ID select your MAIN ROUTE TABLE

Answer 4

I added the security group inbound rule and I followed this comment to make the rds publically accessible, https://stackoverflow.com/a/57504035/12130011 (both comments are up here)

Nothing worked for me until I figured that my subnet was actually private and unaccecible from the internet. So I added this to the rds private subnet route table : route 0.0.0.0/0 to the internet gateway that I am using. I did my import and then I deleted the route.

Answer 5

In my case, my RDS database's VPC contained four subnets, two of which were public and two of which were private. For some reason, after upgrading from t3.small to t3.large size for my RDS database, it would only use the private subnets, so I couldn't access my database from my local computer anymore--only from my EC2 server in the same VPC.

To fix it, I went into my subnets and modified the two private subnets, pointing them to the "public" route table and the "internet gateway".

Answer 6

It's also very IMPORTANT to CREATE YOUR OWN security group that allows inbound requests. Using the default security group will not work, despite it allowing every inbound request.

Answer 7

Make sure that your VPC and subnets are wide enough.

The following CIDR configuration works great for two subnets:

• VPC 10.0.0.0/16 10.0.0.0 — 10.0.255.255 (65536 addresses)

• Subnet 1 10.0.0.0/17 10.0.0.0 — 10.0.127.255 (32768 addresses, half)

• Subnet 2 10.0.128.0/17 10.0.128.0 — 10.0.255.255 (32768 addresses, other half)

Adjust it if you need three subnets.

---

I wasn't able to connect to my RDS database. I've manually reviewed any detail and everything was alright. There were no indications of any issues whatsoever and I couldn't find any suitable information in the documentation. My VPC was configured with narrow CIDR: 10.0.0.0/22 and each subnet had a 255 addresses. After I've changed CIDR to 10.0.0.0/16 and split it totally between two subnets my RDS connection started to working. It was a pure luck that I've managed to find a source of the problem, because it doesn't make any sense to me.

Answer 8

I went through all the obvious checks mentioned above but still couldn't connect to the instance. Turned out it was because of the name of the instance. I deleted an old instance and created a new one with the same name. Seems like somewhere in the AWS cache it still remembered the old database name and applied the old config to the new instance. The simple solution was to just use a new name for the database. Adding this here in case someone else has been banging their head on the desk like me for hours.

Answer 9

For me none of the above worked.

What did work was creating a peering connection between my default VPC and the VPC in which the database was created, as it appears that when connecting to resources in AWS, it automatically goes through the default VPC.

Then, set up routing using the peering connection between the 2 VPCs. Also, make sure that your security groups permits postgres ports from your default VPC CIDR block as well. And finally, make sure all the subnets are associated with your route table accessing this peering connection.

Answer 10

I'm sure it's not the proper answer but I added the internet gateway to all my private subnet route tables.. Even though the private subnets and the public subnets are in the subnetgroup.

Answer 11

The ideal debugging checklist is:

• Instance's "Publicly Accessible" property should be enabled
• The security group attached to the instance should have open inbound rules (as open as you'd want)
• The funny part is still if you're not able to access it - then the problem surely is with your instance lying in a private subnet of the respective VPC.

However, there're more secure ways to access your RDS instance. The best bet would be not make it publicly accessible, lock down security groups and have a P2P relay endpoint (think Tailscale).

Answer 12

In case you've tried all answers above try this... Recreate the database....

AWS on database creation provides an option to allow public/private access access

Answer 13

Do not forget to check if you have your VPN or firewall blocking connection.

Answer 14

Accept traffic from any IP address

After creating an RDS instance my security group inbound rule was set to a specific IP address. I had to edit inbound rules to allow access from any IP address.

• "Security group rules"
• Select a security group
• Click "Inbound Rules"
• Click "Edit Inbound Rules"
• Under "Source" Select the Dropdown and click "Anywhere"
• ::0 or 0.0.0.0/0 Should appear.
• Click "Save Rules"

Answer 15

I was also not able to connect even from inside an ec2 instance.

After digging AWS RDS options it turns out that ec2 instances are only able to connect to RDS in the same VPC they are in.

When creating an ec2 instance in the same VPC where the RDS was I could access it as expected.

Answer 16

Well almost everyone has pointed out the answers, i will put it in different perspective so that you can understand.

There are two ways to connect to you AWS RDS

1. You provision an instance in the same VPC & Subnet. You install the workbench you will be able to connect to the DB. You would not need to make it public accessible. Example: You can provision an windows instance in the same VPC group and install workbench and you can connect to the DB via endpoint.

2. The other way is to make the Db publically accessible to your IP only to prevent unwanted access. You can change the DB security group to allow the DB port traffic to your IP only. In this way your DB will be publically accessible but to you only. This is the way we do for various AWS services we add there security group in the source part of the SG.

If both the options doesn't work then the error is in the VPC routing table, you can check there if it associated with the subnet and also if the internet gateway is attached.

You can watch this video it will clear your doubts:

https://youtu.be/e18NqiWeCHw

Answer 17

In my case, when I upgrade the size. The private address of the rds instance fell into a private subnet of the VPC. You can use the article My instance is in a private subnet, and I can't connect to it from my local computer to find out your db instance address.

However, changing the route table didn't fix my issue. What I did finally solve my problem is to downgrade the size and then upgrade the size back. Once the private address falls back to the public subnet. Everything works like a charm.

Answer 18

Just burned two hours going through the great solutions on this page. Time for the stupid answer!

I redid my Security Groups, VPC's, Routing Tables, Subnets, Gateways... NOPE. I copy-pasted the URL from the AWS Console, which in some cases results in a hidden trailing space. The endpoint is in a <div> element, which the browser gives a \n when copying. Pasting this into the Intellij db connector coerces it to a space.

I only noticed the problem after pasting the URL into a quote string in my source code.

Answer 19

MAKE SURE PUBLIC ACCESSIBILITY IS SET TO YES

This is what I spent the last 3 days trying to solve...

Instructions to change Public Accessibility

Answer 20

It turns out it is not that hard. Do these steps:

1. Go to EC2 Dashboard
2. Go to Security Groups tab
3. Select and only select the RDS database security group. You'll see the security group detail at the bottom
4. Click Inbound tab
5. Click Edit button
6. Add Type:MYSQL/Aurora;Protocol:TCP;Range:3306;Source:0.0.0.0/0