48

So, I just created the Amazon RDS account. And I started an instance of a database.

The "endpoint" is:
abcw3n-prod.cbmbuiv8aakk.us-east-1.rds.amazonaws.com

Great! Now I try to connect to it from one of my other EC2 instances.

mysql -uUSER -pPASS -habcw3n-prod.cbmbuiv8aakk.us-east-1.rds.amazonaws.com

But nothing works and it just hangs.

I tried to ping it, and nothing works either. Nothing happens.

Do I need to change some settings?

Alex
  • 8,839

8 Answers

50

By default RDS does not allow any connection that is not specified within the Security Group (SG). You can allow based on CIDR addressing or by Amazon account number which would allow any EC2 under that account to access it.

Jeremy Bouse
  • 11,531
29

It is "just hanging" as you have not configured the firewall to accept MySQL connections from your other instance; as such, the packet is being dropped at the firewall level. To resolve this you need to:

  1. Head into your AWS console
  2. EC2 tab
  3. Note down the security group of your MySQL server (we'll call this SG-MYSQL for now)
  4. Click security groups on the left of the console
  5. Click your group in the center menu SG-MYSQL
  6. Click inbound tab
  7. Select MySQL from the list, add the details of your client server and save the rule

NOTE: the source IP for the server will not be your elastic IP (in most cases anyway); you will have an internal IP on the device (ifconfig on Linux will show you this).

Oneiroi
  • 2,103
11

A lot of talk here about security groups, but also check:

  • Do the associated Subnets seem properly configured?
  • Are the Subnets part of a Routing Group that seems properly configured (Internet Gateway specified, etc?)
  • Does the RDS say it's Publicly Accessible?
  • And of course check the RDS Security Group and EC2 Security Group
    • Don't forget your actual source IP may be an internal IP (if accessing internally via a VPC) or an external IP (which may be a router's IP, or an EC2 instance's Instance IP which is distinct from its Load Balancer / Elastic IP) -- to troubleshoot, you may try to allow access to all IPs and ports.

(The routing group was my problem; in creating a new subnet, I neglected to add it to a routing group with a gateway.)
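The source-IP point made in the two answers above (the database sees the client's internal IP, not its Elastic IP), as an added example that is not part of any answer: a small offline check of inbound rules laid out like the `IpPermissions` list that EC2 DescribeSecurityGroups returns. The group IDs, addresses and helper names are constructed for illustration.

```python
import ipaddress

def covers_port(perm, port):
    """True if one IpPermissions entry applies to TCP `port`."""
    if perm["IpProtocol"] == "-1":  # "-1" means all protocols and all ports
        return True
    return perm["IpProtocol"] == "tcp" and perm["FromPort"] <= port <= perm["ToPort"]

def check_inbound(db_sg, client_ip, client_sg_ids, port=3306):
    """Return (allowed, matching_rules, world_open) for one client of the DB group."""
    ip = ipaddress.ip_address(client_ip)
    matches, world_open = [], False
    for perm in db_sg["IpPermissions"]:
        if not covers_port(perm, port):
            continue
        for rng in perm.get("IpRanges", []):
            net = ipaddress.ip_network(rng["CidrIp"])
            if net.prefixlen == 0:
                world_open = True  # leftover "allow Anywhere" test rule
            if ip in net:
                matches.append("cidr " + rng["CidrIp"])
        for pair in perm.get("UserIdGroupPairs", []):
            if pair["GroupId"] in client_sg_ids:
                matches.append("group " + pair["GroupId"])
    return bool(matches), matches, world_open

def _sg(cidrs=(), groups=()):
    """Hypothetical helper: build a DB security group with one MySQL rule."""
    return {"IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
            "IpRanges": [{"CidrIp": c} for c in cidrs],
            "UserIdGroupPairs": [{"GroupId": g} for g in groups]}]}

# Constructed sample values (documentation address range, made-up group ID).
APP_SG = "sg-0123456789abcdef0"   # group attached to the EC2 client
PRIVATE_IP = "10.0.1.25"          # what ifconfig shows on the client
ELASTIC_IP = "203.0.113.10"       # public address of the same client
ELASTIC_IP_RULE = _sg(cidrs=[ELASTIC_IP + "/32"])
GROUP_RULE = _sg(groups=[APP_SG])
OPEN_RULE = _sg(cidrs=["0.0.0.0/0"])

if __name__ == "__main__":
    for name, sg in [("elastic-ip /32", ELASTIC_IP_RULE),
                     ("source = app group", GROUP_RULE),
                     ("0.0.0.0/0", OPEN_RULE)]:
        allowed, why, wide = check_inbound(sg, PRIVATE_IP, {APP_SG})
        print(f"{name:20} allowed={allowed} via={why} world_open={wide}")
```

A rule keyed to the Elastic IP never matches traffic arriving from the private address, while a rule whose source is the client's security group does; `world_open` marks a 0.0.0.0/0 rule left over from troubleshooting.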

4

Fixed.

Had to grant access to it in the security groups under the DB...

Alex
  • 8,839
1

I had the same issue:

  1. Security Groups > rds-launch-wizard (or any name that was chosen for the db SG)
  2. select the Inbound tab > edit
  3. add new role
  4. MySQL
  5. Source -> insert the aws vm ip (for ex: 12.3.14.80/32)

worked for me ...

1

In an attempt to open up security completely for testing before locking down access, both my database instance and my EC2 instance used the same security group, and both inbound and outbound port 3306 were configured to allow connections from Anywhere. The problem -- I was able to connect to Aurora from my notebook but oddly enough not from my EC2 instance, as if the EC2 instance wasn't Anywhere. The solution was to add another inbound mysql/Aurora rule and specify that same security group id as the source for inbound connections. My security group has a rule that refers to itself, and I can connect from either my notebook or my EC2 instance.

0

Make sure that your VPC and subnets are wide enough.

The following CIDR configuration works great for two subnets:

  • VPC 10.0.0.0/16 10.0.0.0 — 10.0.255.255 (65536 addresses)

  • Subnet 1 10.0.0.0/17 10.0.0.0 — 10.0.127.255 (32768 addresses, half)

  • Subnet 2 10.0.128.0/17 10.0.128.0 — 10.0.255.255 (32768 addresses, other half)

Adjust it if you need three subnets.


I wasn't able to connect to my RDS database. I manually reviewed every detail and everything was alright. There were no indications of any issues whatsoever and I couldn't find any suitable information in the documentation. My VPC was configured with a narrow CIDR: 10.0.0.0/22 and each subnet had 255 addresses. After I changed the CIDR to 10.0.0.0/16 and split it totally between two subnets, my RDS connection started working. It was pure luck that I managed to find the source of the problem, because it doesn't make any sense to me.

-3

MySQL inbound rule should be like below:

[image]

This is the problem with the security group.