0

I made a MySQL RDS DB Instance, and I made sure the Instance is inside a security group which should allow me to connect to it externally. The security group allows all types of traffic from all IP addresses. The RDS is in the same security group as an EC2 I made.

I'm able to connect to the DB Instance by connecting to the EC2 via SSH, then using the mysql CLI client I installed on that EC2 to connect to the RDS. However, I'm not able to connect directly to the RDS from a MySQL client on my personal computer. I use the same host and username and all for the RDS, but circumventing the EC2 doesn't work.

From googling around, it seems like the error I'm getting is usually caused by the RDS's security group not allowing traffic from my computer - but this can't be the case, because I triple checked that the security group is open to all public traffic. Heck, the RDS is in the same security group as the EC2, and I'm able to connect to the EC2.

So what's going on?

vijrox
  • It's possible that your security group allows ports 22, 80 and 443 (ssh, http, https), whereas for mysql you need to open 3306. Also, the permissions are port based, so you need to explicitly allow your current IP for port 3306 (unless you want to allow it to everyone, which is a bad idea) – ffflabs Jun 20 '14 at 16:28
  • @amenadiel The security group is completely open to all inbound traffic in all protocols from all IP addresses. I realize that this isn't secure, but this is just for dev purposes. I have it configured that way so that I know the security group shouldn't be getting in the way. – vijrox Jun 20 '14 at 16:31
  • You said that your RDS security group was the same as your EC2 security group... but the sec group panels are different. Did you mean to say that you configured both to have the same rules? Can you post a screenshot of your RDS security group? Also: are you using VPC or just regular RDS + EC2 – ffflabs Jun 20 '14 at 16:38
  • @amenadiel I'm using VPC, so the security group for the RDS is literally the exact same security group as the EC2. Here is a snapshot of the settings for the inbound traffic for the sec group: http://i.imgur.com/zuRihEA.png and the outbound traffic is the same except it doesn't have the second line. – vijrox Jun 20 '14 at 17:00
  • possible duplicate of [Connecting to Amazon RDS instance through EC2 instance using MySQL Workbench](http://stackoverflow.com/questions/19129428/connecting-to-amazon-rds-instance-through-ec2-instance-using-mysql-workbench) – bummi Jan 24 '15 at 11:14

3 Answers

4

This is what solved the issue for me. On the RDS dashboard have a look at the security group for your instance. Click on this and it would take you to the security group page.

Although it would say "All traffic" for both Inbound and Outbound, click edit and ensure the source says My IP. I would not recommend using all IPs as this would open it to anyone on the internet. If you do not have a static IP then ensure that you refresh this field once the connection stops working.

After this I was able to connect to the AWS RDS T2 instances.

Basil Abbas
0

Sometimes when I am trying to connect to things inside a VPC stuff gets weird with the DNS. But because you are inside a VPC you only will have a private IP address. If you want a direct connection between your computer and RDS I would not use a VPC, this just adds issues. If it does need to be inside a VPC, I launch an ec2 instance in my vpc like you already have. Then I tunnel the RDS instance to the ec2 instance by running this command

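```
# Start a screen session so the tunnel keeps running after you detach
screen
# Forward local port 3308 through the EC2 instance to port 3308 on the RDS endpoint.
# ec2-user and both host names are placeholders; use the port your DB listens on.
ssh -L 3308:rds-dns.com:3308 ec2-user@ec2-instanceDNS.com
```

To detach screen, press Ctrl+A, then D.
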
Dan Ciborowski - MSFT
  • thanks, but the point is that I'm trying to connect to an RDS inside a VPC without needing to tunnel into an ec2 – vijrox Jun 20 '14 at 19:42
  • Have you followed the VPC wizard? In step 1: did you pick VPC with A single Public subnet? Or something else – Dan Ciborowski - MSFT Jun 20 '14 at 19:45
  • I didn't make the VPC -- I chose the default one. The VPC's default security group, which I'm using on the EC2 and the RDS, has been configured to allow all traffic. – vijrox Jun 20 '14 at 19:51
  • I figured it out! See the answer I posted if you're interested. – vijrox Jun 26 '14 at 15:26
0

Check what outgoing ports are open in the firewall on the network your personal computer is on. Even though the RDS Instance allows for all traffic, your firewall may be blocking you from making the connection. You can use http://portquiz.net/ to test whether your network allows for traffic on the port you're connecting to your DB with. With MySQL, the port is most likely 3306; if the port you're using with your DB isn't accessible via your network, find a port that works using the Port Quiz tool I just linked, and then remake your DB Instance using that port. (RDS doesn't let you change the port on an already existing Instance.)

vijrox
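
An added diagnostic example (not code from any poster in this thread) that separates the failure modes discussed above: it resolves the endpoint, reports whether it maps to a VPC-internal RFC 1918 address, and classifies one TCP connection attempt as open, refused, or timed out. The endpoint name in `__main__` is a placeholder, and the function names are this example's own.

```python
import ipaddress
import socket

# RFC 1918 ranges; a VPC-only RDS endpoint resolves into one of these.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_vpc_internal(ip):
    """True if ip is an RFC 1918 address, i.e. not routable from the internet."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)

def probe(host, port=3306, timeout=3.0):
    """Try one TCP connection and classify the outcome.

    Returns a dict with 'verdict', 'ip' and 'private' keys.
    """
    try:
        # IPv4 only, to keep the example short.
        info = socket.getaddrinfo(host, port, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return {"verdict": "dns-failure", "ip": None, "private": None}
    ip = info[0][4][0]
    result = {"ip": ip, "private": is_vpc_internal(ip)}
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            result["verdict"] = "open"
    except socket.timeout:
        # Packets silently dropped: no matching security group rule, a
        # private-only endpoint, or a local firewall blocking the outbound port.
        result["verdict"] = "timeout"
    except ConnectionRefusedError:
        # The host answered but nothing accepts connections on this port.
        result["verdict"] = "refused"
    except OSError:
        result["verdict"] = "unreachable"
    return result

if __name__ == "__main__":
    # Placeholder endpoint name; replace with your instance's endpoint.
    print(probe("your-instance-endpoint.example", 3306))
```

A `timeout` verdict on 3306 together with an `open` verdict on another port against the same host points at port filtering on the path rather than at the database itself.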