3

I have an RDS instance running on one subnet without NAT, and an EC2 instance running on another subnet with an Internet Gateway configured, both located in the same VPC. I have configured the RDS instance to not be publicly accessible.

I am using the following command in my remote EC2 (running on the second subnet) to connect to the RDS instance:

mysql -h xxxx.eu-central-1.rds.amazonaws.com -P 3306 -u root -p

I have entered the correct password which I have set when configuring the RDS, but I get the following error:

ERROR 2003 (HY000): Can't connect to MySQL server on 'XXX.eu-central-1.rds.amazonaws.com' (110)

I've checked, it's not a name resolution problem. The ec2 converts the endpoint to the correct internal ip.

Here are my settings:

RDS

VPC: the same as the EC2

AVAILABILITY ZONE: eu-central-1b

SUBNET: in the RDS panel I can see all the subnets, yet I can see that there is one less available ip in the private subnet of zone b

SECURITY GROUP: private security group (no outbound rules, and in the inbound, single rule with the mysql port and the public security group as the source)

PUBLICLY ACCESSIBLE: no

MULTI AZ: no

EC2

VPC: the same as the RDS

AVAILABILITY ZONE: eu-central-1b

SUBNET: public subnet of zone b

SECURITY GROUP: public security group (all ports from any source as the inbound rule, and ssh, http and https ports from any source as the outbound rule)

I can access the EC2 instance using http and ssh. It works as expected.

VPC

VPC: both RDS and EC2 uses the same

SUBNETS: one public and one private for each AZ, 4 in total

DHCP: the default one (domain-name = eu-central-1.compute.internal domain-name-servers = AmazonProvidedDNS)

ROUTE TABLES: for the public subnets, route to local (automatically) and to the internet getaway, for the private, only the local (automatically)

ACLs: public: allow all both in the inbound and in the outbound. private: allow all on the inbound only. There is also a line with the id * with deny all, on both ACLs, both on inbound and on outbound, but I'm pretty sure that is suppose to be there, I can't delete it.

What am I doing wrong? Am I missing something?

Vlad Gincher
  • 105
  • 2
Theodore
  • 133
  • 1
  • 1
  • 5
  • Are both subnets in the same VPC? Is your security group for the RDS instance configured to allow connections to that host or subnet? – jordanm Feb 02 '17 at 20:14
  • @Tim he did mentioned the RDS security group (`SECURITY GROUP: private security group (no outbound rules, and in the inbound, single rule with the mysql port and the public security group as the source)`). Is there any difference between DB security groups and RDS security groups? – Vlad Gincher Feb 02 '17 at 23:44
  • I did a bit more reading and checked my account. I think database security groups are from the old EC2 classic, so my earlier advice is likely incorrect. I'll edit my answer and delete previous invalid comments. – Tim Feb 03 '17 at 00:03
  • Suggest instead of describing the rules you think you have in place that you take screenshots of the console to demonstrate them. You would have to show what subnet the EC2 instance is in, the security group associated with the EC2 instance, and the same for the RDS instance. You should also try pinging the RDS endpoint and check you're getting a private IP - ie one within your VPC range, in particular within the correct subnet. – Tim Feb 03 '17 at 00:09
  • The code at the end of the error `(110)` means `Connection timed out`. That is allmost certainly security group related, assuming these two machines are in the same VPC. – Michael - sqlbot Feb 03 '17 at 01:11

2 Answers2

3

Check your security groups, that is the likely culprit. Hosts inside a VPC using DNS names will always use the private-IP of the remote resource, so the NAT / IG portion isn't important.

Jason Martin
  • 5,023
  • 17
  • 24
  • Hi, I have created a security group and enabled it. I have edited my original message with some more info about the case, hope that helps! – Theodore Feb 02 '17 at 20:23
  • 2
    The problem at the end was related to the security groups, just as you said. I accidentally blocked the inbound traffic for all ports. – Theodore Feb 03 '17 at 12:18
0

You need to ensure your VPC/EC2 security group and NACLs allow appropriate access.

I have a tutorial which covers EC2/RDS security group setup you may find useful.

You should also check with this answer on SO.

Community
  • 1
Tim
  • 31,888
  • 7
  • 52
  • 78
  • Hi, I have created and enabled a security group but the problem still exists. I have added some more info to my original question, maybe that will help! – Theodore Feb 02 '17 at 20:24