I'm new to database administration and trying to connect to an AWS RDS MariaDB 10.3.20 instance from my Macbook (10.14.6) on a home network -- having no luck. My understanding per other questions and documentation is that I need to make the RDS instance publicly available, but I think I've done that already.

Steps I've taken are:

  1. Created an AWS RDS MariaDB instance. It is in a VPC.
  2. Set it to Publicly Accessible -> Yes.
  3. Added a new Inbound rule in the default security group to accept connections on port 3306 from my laptop's IP address. I think with step #2 this is unnecessary (since it is accepting all ports, all traffic), but I've done it anyways.
  4. Looks like all 3 subnets on the VPC are connected to an Internet Gateway and should be accessible from the Internet, since they have a 0.0.0.0/0 route in their routing table that connects to an igw-XXXXX device.

Yet on my laptop on my home network (I work from home, no corporate network), I can't connect via the command line:

```
$ mysql -u <adminusername> -P 3306 -h <RDS endpoint> -p
Enter password:
ERROR 2002 (HY000): Can't connect to MySQL server on <RDS endpoint>
```

After inputting my password the connection appears to time out. Error 2002 looks like MySQL isn't running on the target??

I feel like I'm missing some critical step about the VPCs or security groups or routing -- can anyone point to more specific documentation or provide some more help / detail? Is it possibly something I have to do with my home router or cable modem (Comcast)? This question is very similar but looks like a corporate network configuration fix ... do home routers have similar restrictions built-in? I have a TP Link Archer A7 with vanilla settings connected to a cable modem. I have tried setting up a Virtual Server to forward ports to my laptop on port 3306, but that doesn't improve anything.

user
  • RDS is difficult to diagnose. Can you connect from your PC to a Linux server in the VPC? Can the Linux server in the VPC connect to the RDS database? You do need the database to be set up as publicly accessible, as well as having security groups, NACLs, and route tables properly set. – Tim Mar 09 '20 at 01:11
  • Ah exciting....lots of moving parts. Launched an EC2 instance attached to the same security group / VPC. Cannot SSH to it (created an Inbound rule for my IP and port 22). Tried all the things mentioned in [this troubleshooting doc, for SSH connection timed out](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/TroubleshootingInstancesConnecting.html#TroubleshootingInstancesConnectionTimeout). No luck with anything (NACLs, routing all look valid). So I take it the first step I need to figure out is how to SSH to an EC2 instance on the same VPC, from my laptop? – user Mar 09 '20 at 01:48
  • 1
    Security groups, having an internet gateway, and having a route to the internet gateway are probably the most common problems. NACLs aren't very widely used and the default is they allow all traffic. – Tim Mar 09 '20 at 01:55
  • @Tim, thanks for the tips and suggestions! I finally got in -- had to create brand new VPC / security group / internet gateway / routing / subnets from scratch ... I must have messed up the original, default ones through all of my futzing around. – user Mar 09 '20 at 18:09
  • Suggest you answer your own question then mark it answered after 24 hours. Put in any conclusions or tips you have for anyone in the same situation. Shame you couldn't work out what the problem was - maybe keep the infrastructure in place and you'll work it out one day. – Tim Mar 09 '20 at 18:45

2 Answers

So I solved this by creating a brand new VPC with two subnets, some new security groups, and a new internet gateway. I configured a security group with port 3306 Inbound access to my local IP, set up the default routes in the subnets to the internet gateway, and created a new publicly accessible RDS MariaDB instance. Lo and behold, it all worked!

Doing a little digging, I suspect I messed up my default VPC during all my futzing around. It looks like somehow two IPv4 CIDR ranges got assigned to my default VPC -- one in the private range (172.31....), and one with my home IP range. Those two must have confused the VPC and gotten it into a weird state. Deleting my home IP range from the list of CIDR blocks and leaving the private IP range got it to work, just like my new VPC!

user
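The checks the question and this answer walk through (publicly accessible flag, a security-group rule for the client's IP on 3306, a 0.0.0.0/0 route to an internet gateway, and a VPC with only a private CIDR block) can be run as one pass over the instance's configuration. The following is an added example, not code from the post or from AWS; the dictionaries are constructed stand-ins shaped loosely like the relevant API fields, and the IPs and resource ids are made up.

```python
import ipaddress

# RFC 1918 ranges a VPC CIDR block should normally come from.
RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample data (not real account data). The VPC carries a stray
# non-private CIDR block, which is the fault the answer above found.
SAMPLE_DB = {"PubliclyAccessible": True, "Port": 3306, "VpcId": "vpc-main",
             "VpcSecurityGroups": ["sg-db"], "SubnetIds": ["subnet-a"]}
SAMPLE_SGS = {"sg-db": [{"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
                         "IpRanges": ["203.0.113.25/32"]}]}
SAMPLE_ROUTES = {"subnet-a": [{"DestinationCidrBlock": "172.31.0.0/16", "GatewayId": "local"},
                              {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0123"}]}
SAMPLE_VPC_CIDRS = {"vpc-main": ["172.31.0.0/16", "203.0.113.0/24"]}

def sg_allows(rules, client_ip, port):
    """True if any inbound rule admits client_ip on tcp/port."""
    ip = ipaddress.ip_address(client_ip)
    for r in rules:
        all_traffic = r["IpProtocol"] == "-1"          # "All traffic" rule
        proto_ok = all_traffic or r["IpProtocol"] == "tcp"
        port_ok = all_traffic or r["FromPort"] <= port <= r["ToPort"]
        if proto_ok and port_ok and any(ip in ipaddress.ip_network(c) for c in r["IpRanges"]):
            return True
    return False

def diagnose(db, sgs, routes, vpc_cidrs, client_ip):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if not db["PubliclyAccessible"]:
        findings.append("instance is not publicly accessible, so it gets no public IP")
    rules = [r for sg in db["VpcSecurityGroups"] for r in sgs.get(sg, [])]
    if not sg_allows(rules, client_ip, db["Port"]):
        findings.append(f"no security group rule admits {client_ip} on tcp/{db['Port']}")
    if any("0.0.0.0/0" in r["IpRanges"] for r in rules):
        findings.append("warning: a rule opens the database port to the whole internet; use your /32")
    for subnet in db["SubnetIds"]:
        igw = any(r["DestinationCidrBlock"] == "0.0.0.0/0" and r.get("GatewayId", "").startswith("igw-")
                  for r in routes.get(subnet, []))
        if not igw:
            findings.append(f"{subnet} has no 0.0.0.0/0 route to an internet gateway")
    for cidr in vpc_cidrs.get(db["VpcId"], []):
        net = ipaddress.ip_network(cidr)
        if not any(net.subnet_of(p) for p in RFC1918):
            findings.append(f"VPC CIDR {cidr} is not an RFC 1918 range; remove the stray block")
    return findings
```

Running `diagnose(SAMPLE_DB, SAMPLE_SGS, SAMPLE_ROUTES, SAMPLE_VPC_CIDRS, "203.0.113.25")` on the sample reports only the stray VPC CIDR; feed it the real values from the console or CLI to see which of the four checks your instance fails.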
I had the same problem, took me hours to fix. I am pretty sure the following is what did it for me -

When following the advice to make a new DB and set it to a new VPC in case the old one got mangled beyond my skill level, I noticed the option for IPv4 was selected by default and it says "only IPv4 can connect".

I checked my inbound rules again, which I had acquired a bunch of from all the futzing, and I noticed that in the combinations I did not have an All Traffic from IPv4. After setting that, things worked.

Walter