Connecting RDS SQL Server from AWS EC2 SQL Server Management Studio

Question

I am unable to connect my RDS SQL Server instance from my AWS EC2 instance.

I have installed SQL Server Management Studio on my AWS EC2 Windows Server 2019 instance.

I am neither able to ping my RDS endpoint from that machine nor able to connect using SSMS. In the security group inbound rules for RDS I have entered IP of my EC2 instance under all traffic option, also tried using SQL Server option in security inbound rules.

Answer 1

What you need to do is:

The security group that you have attached to the RDS instance you need to add a rule for the inbound section of the security group to be SQL Server and have the source of that rule be the same name as the security group, this is called a self referencing security group rule. Then go to the EC2 instance and attach that same security group to the instance. This will solve the Security Group potential problem.

The other piece you need to check is if the EC2 instance is in a different subnet than the RDS SQL Server you need to make sure the Network Access Control List (NACL) will allow the inbound/outbound traffic of SQL between the subnets.

Answer 2

There's two key questions that are relevant here: 1) is the connectivity allowed in AWS, and 2) is the connectivity allowed by the host/applications on the individual instances.

For 1, you need visibility into the networking aspect of your cloud. I use Batfish's virtual traceroute in your environment. There's an free and open source project (https://batfish.org) or you can try a free trial of the enterprise offering (https://www.intentionet.com/trial).

After you validate that the traffic is allowed in AWS (no Network ACLs or security groups are misconfigured, vpc peerings / routing tables are correct, etc.) you should move on to verifying application config on the actual hosts.

(Disclaimer: I work on Batfish and Batfish Enterprise).