43
votes

I was trying to use AWS Aurora Serverless for MySQL in my project, but I am unable to connect to it, though I have the endpoint, username and password.

What I have done:

  1. From the AWS Management Console, I select RDS > Instances > Aurora > Serverless
  2. Leave the default settings
  3. Create database
  4. AWS will only create an AWS Cluster [screenshot]
  5. I open MySQL Workbench, and use endpoint, username, password to connect the database

Result:

Your connection attempt failed for user 'admin' from your host to server at xxxxx.cluster-abcdefg1234.eu-west-1.rds.amazonaws.com:3306: Can't connect to MySQL server on 'xxxxx.cluster-abcdefg1234.eu-west-1.rds.amazonaws.com' (60)

Did I make any wrong steps? Please advise me.

****EDIT****

I tried to create another Aurora database with capacity type: Provisioned. I can connect to the endpoint seamlessly with username and password from MySQL Workbench. It means that port 3306 is open for Workbench.

About the security group: [screenshot]

11
What security groups do you have in place to open up access to port 3306 from wherever you are running MySQL Workbench? General info about security groups on RDS: docs.aws.amazon.com/AmazonRDS/latest/UserGuide/… (Jorg Roper)
I edited the question. I think the port is not the issue because I created another Aurora MySQL database with type: provisioned and it works smoothly. But with type serverless, it doesn't work. (Phong Vu)
Can you telnet to xxxxx.cluster-abcdefg1234.eu-west-1.rds.amazonaws.com on port 3306? If you can, you know it's a config/auth problem; if not, you have a network issue. Depending on your operating system, you may need to install telnet and then issue a command like telnet xxxxx.cluster-abcdefg1234.eu-west-1.rds.amazonaws.com 3306 (Jorg Roper)
Hi Jorg, it seems that I cannot telnet to that endpoint. Do you have any idea where to check the config/auth issue? During creation of the database, I only set the master username and password, and I used them to connect from Workbench. (Phong Vu)
Aurora Serverless appears to use PrivateLink interface VPC endpoints (VPCEs) to actually provide the endpoint inside your VPC, so they aren't accessible from elsewhere. Where are you running Workbench? (Michael - sqlbot)
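A scripted version of the DNS/telnet triage suggested in the comments above, added here as an example; it is not code from the question or from any answer. It resolves the cluster endpoint (the placeholder name from the question), checks whether every returned address is private (which is how an Aurora Serverless endpoint looks from outside the VPC), attempts a TCP handshake on 3306 the way telnet would, and maps the two observations to the next thing to check. Run it from your workstation and again from an EC2 instance in the same VPC; the verdicts should differ.

```python
"""Triage an Aurora connection failure: DNS, VPC-only address, network, or auth.

Added example, not from the original question or answers. ENDPOINT is the
placeholder from the question; nothing is contacted unless main() runs.
"""
import ipaddress
import socket

ENDPOINT = "xxxxx.cluster-abcdefg1234.eu-west-1.rds.amazonaws.com"  # placeholder
PORT = 3306


def resolve(host):
    """Set of addresses the name resolves to; empty when it does not resolve."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def all_private(addresses):
    """True when every address is RFC 1918 / ULA, i.e. reachable only inside the VPC."""
    if not addresses:
        return False
    # strip an IPv6 zone id such as "%eth0" before parsing
    return all(ipaddress.ip_address(a.split("%", 1)[0]).is_private for a in addresses)


def tcp_reachable(host, port, timeout=3.0):
    """Equivalent of 'telnet host port': does a TCP handshake complete?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def classify(addresses, reachable):
    """Map (resolved addresses, handshake result) to the cause to chase next."""
    if not addresses:
        return "dns"        # wrong endpoint name or wrong region
    if reachable:
        return "auth"       # TCP works: credentials or grants, not the network
    if all_private(addresses):
        return "vpc-only"   # no public IP: connect from inside the VPC (jump host)
    return "network"        # public address but no handshake: security group or firewall


def triage(host=ENDPOINT, port=PORT):
    addresses = resolve(host)
    reachable = bool(addresses) and tcp_reachable(host, port)
    return classify(addresses, reachable), sorted(addresses)


if __name__ == "__main__":
    verdict, addresses = triage()
    print(f"{ENDPOINT}:{PORT} -> {verdict} (resolved to {addresses or 'nothing'})")
```

A "vpc-only" verdict from a laptop together with an "auth" or "network" verdict from an instance in the VPC is exactly the situation the question describes.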

11 Answers

38
votes

From https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/aurora-serverless.html :

  • You can't give an Aurora Serverless DB cluster a public IP address.
  • You can access an Aurora Serverless DB cluster only from within a virtual private cloud (VPC) based on the Amazon VPC service.
  • You can't access an Aurora Serverless DB cluster's endpoint through an AWS VPN connection or an inter-region VPC peering connection. There are limitations in accessing a cluster's endpoint through an intra-region VPC peering connection; for more information, see Interface VPC Endpoints (AWS PrivateLink) in the Amazon VPC User Guide. However, you can access an Aurora Serverless cluster's endpoint through an AWS Direct Connect connection.

So, aside from SSH-ing through an EC2 instance, you can also access your serverless cluster with MySQL Workbench over AWS Direct Connect.

12
votes

One way to connect to an Aurora Serverless DB cluster is by using an Amazon EC2 instance. You cannot create publicly accessible Aurora Serverless DB clusters in the Preview. This task walks you through creating a publicly accessible Amazon EC2 instance in your VPC. You can use this Amazon EC2 instance to connect to an Aurora Serverless DB cluster.

This is directly from the docs provided upon preview signup. Please try creating an EC2 instance and using the SSH tunnel method in MySQL Workbench or the SQL UI of your choice. During the preview, Aurora Serverless is not allowed to be set to publicly accessible.

8
votes

A common pattern used by customers for connecting to VPC only services (like Aurora Serverless, Amazon Neptune, Amazon DocDB etc) is to have a middle layer (EC2 instance, or ALB etc) and making the middle layer accessible from outside the VPC. If your use case is just trying out some queries or connecting a workbench, then the easiest thing to do is:

  1. Resolve the DNS of the serverless db and obtain its IP
  2. Create an ALB in your VPC, with a target group to the IP that you found in #1
  3. Create a new security group and attach that to your ALB
  4. Update the SG to allow inbound from where ever you want. If you want public internet access, then allow inbound from all IPs, enable an internet gateway in your VPC, and use a public subnet for your ALB.

Once all of this is done, you would end up with a new DNS - that points to your ALB. Make sure that your ALB is set up correctly by:

  1. Using telnet to connect to your ALB endpoint: telnet alb-endpoint alb-port. If it succeeds, then you have a full end-to-end connection (not just to your ALB, but all the way through).
  2. Verify ALB metrics to make sure that all health checks are passing.

Once this is done, use the ALB endpoint in workbench, and you are good to go.

This pattern is recommended only for non-production systems. The concerning step is the one where you resolve the DNS to an IP: that IP is ephemeral, and it can change when compute scaling or failover happens in the background.

Hope this helps, let me know if you need more details on any step. Here is a related answer for Neptune:

Connect to Neptune on AWS from local machine

3
votes
  • We can't connect to Aurora Serverless directly from MySQL Workbench, as only private IPs are assigned to Aurora Serverless, not public ones.

  • We can connect to Aurora Serverless from EC2 but can't connect to Aurora Serverless through the MySQL Workbench SSH tunnel.

  • We can't connect to Aurora Serverless through an ALB, as an ALB allows only HTTP and HTTPS traffic. You can telnet to the ALB-RDS DNS from local but can't connect from MySQL Workbench.

Then what is the solution here?

  • We can connect to Aurora Serverless through an NLB, as an NLB allows traffic over the TCP protocol.

Step 1: Create an NLB and add a listener with Load Balancer Protocol: TCP and Load Balancer Port: 3306

Step 2: Select the VPC (it should be the same VPC as the Aurora Serverless cluster), and add (public) subnets

Step 3: Navigate to Configure Routing, select Target type: IP, Protocol: TCP, Port: 3306

Step 4: Use a DNS checker to get the private IPs of the Aurora Serverless cluster, and add those IPs with port 3306

Step 5: Create the NLB

Now modify the security group of the Aurora Serverless cluster to allow traffic from either 0.0.0.0 (not recommended) or the VPC CIDR.

Now go to MySQL Workbench, use the NLB DNS name, and try to connect using the correct username and password of the Aurora Serverless cluster.
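The ALB answer earlier already names the weak point of the load-balancer pattern (the resolved IP is ephemeral), and the NLB answer above registers those IPs by hand in step 4. The following is an added example, not code from either answer, that reconciles an NLB IP-type target group with whatever the endpoint currently resolves to, so a scale event or failover does not leave the NLB pointing at a dead target. Run it on a schedule from inside the VPC (an instance or Lambda), where the endpoint resolves to the private interface-endpoint addresses. The endpoint is the question's placeholder, the target group ARN is invented, and the ELBv2 calls used (describe_target_health, register_targets, deregister_targets) are the boto3 ones.

```python
"""Keep an NLB target group in sync with the Aurora Serverless endpoint's private IPs.

Added example; not from any answer on the page. Assumes a TCP/3306 target
group of type "ip" already exists (TARGET_GROUP_ARN is a placeholder) and
that this runs inside the VPC, where the endpoint resolves to private IPs.
"""
import socket

ENDPOINT = "xxxxx.cluster-abcdefg1234.eu-west-1.rds.amazonaws.com"  # placeholder
TARGET_GROUP_ARN = (  # invented placeholder ARN
    "arn:aws:elasticloadbalancing:eu-west-1:123456789012:targetgroup/aurora-3306/0123456789abcdef"
)
PORT = 3306


def resolve_ipv4(host):
    """Current A records for the endpoint; these change on scaling and failover."""
    return {info[4][0] for info in socket.getaddrinfo(host, None, socket.AF_INET)}


def plan_target_changes(resolved, registered):
    """Pure diff of the two IP sets: (to_register, to_deregister), sorted for determinism."""
    resolved, registered = set(resolved), set(registered)
    return sorted(resolved - registered), sorted(registered - resolved)


def targets(ips):
    """Shape the ELBv2 API expects for ip-type targets."""
    return [{"Id": ip, "Port": PORT} for ip in ips]


def reconcile(elbv2, target_group_arn=TARGET_GROUP_ARN, host=ENDPOINT):
    """One reconciliation pass: register new IPs, drop stale ones, return both lists."""
    resolved = resolve_ipv4(host)
    if not resolved:
        # A DNS hiccup must not empty the target group and take the NLB down.
        raise RuntimeError(f"{host} resolved to nothing; leaving targets untouched")
    health = elbv2.describe_target_health(TargetGroupArn=target_group_arn)
    registered = {d["Target"]["Id"] for d in health["TargetHealthDescriptions"]}
    add, drop = plan_target_changes(resolved, registered)
    if add:
        elbv2.register_targets(TargetGroupArn=target_group_arn, Targets=targets(add))
    if drop:
        elbv2.deregister_targets(TargetGroupArn=target_group_arn, Targets=targets(drop))
    return add, drop


if __name__ == "__main__":
    import boto3  # imported here so the pure functions above work without it

    added, dropped = reconcile(boto3.client("elbv2"))
    print(f"registered {added}, deregistered {dropped}")
```

Registering before deregistering keeps at least one target in service during the swap; the target group's own health check on 3306 then drains the stale IP. The same caveat from the ALB answer still applies: this is a convenience for non-production access, and the NLB security group should allow 3306 only from the addresses that actually need it.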

3
votes

To connect to Aurora Serverless, or any database in a private subnet, you will need a 'jump host', which can be any EC2 instance in a public subnet.

Follow Below Steps:

  1. Open the security group attached to the database, and add a new rule as below:

Type: MYSQL/Aurora, Protocol: TCP, Port Range: 3306,
Source: security group of the EC2 instance (you can list all security groups by entering 'sg-')

  2. Open the security group attached to the EC2 instance, and make sure port 22 is open. If not, add a new rule as below:

Type: SSH, Protocol: TCP, Port Range: 22, Source: My IP

  3. Open Workbench, click New Connection:
     - Connection Method: Standard TCP/IP over SSH
     - SSH Hostname: <your EC2 public IP>   # e.g. 34.3.3.1
     - SSH Username: <your username>   # common ones are: ubuntu, ec2-user, admin
     - SSH Key File: <your EC2 .pem file>
     - MySQL Hostname: <database endpoint name>   # e.g. mydb.tbgvsblc6.eu-west-1.rds.amazonaws.com
     - MySQL Port: 3306
     - Username: <database username>
     - Password: <database password>

Click 'test connection' and boom done!!
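The two security-group rules from steps 1 and 2 above, as an added example written with boto3; this is not the answer's own code, and the group IDs and the administrator address are placeholders. The database group references the jump host's security group rather than an IP, so the rule survives the instance being replaced, and the SSH rule is pinned to a single /32. audit() runs over the IpPermissions list that describe_security_groups returns and reports any rule that exposes 3306 to the whole Internet, which is the misconfiguration the "allow from anywhere" shortcut produces.

```python
"""Least-privilege security-group rules for the jump-host pattern.

Added example, not from the answer. DB_SG, JUMP_SG and ADMIN_CIDR are
placeholders; the API calls are boto3's ec2 client methods.
"""
DB_SG = "sg-0db000000000000db"      # placeholder: group attached to the Aurora cluster
JUMP_SG = "sg-0ec200000000000ec"    # placeholder: group attached to the EC2 jump host
ADMIN_CIDR = "203.0.113.10/32"      # placeholder: the workstation running Workbench


def db_ingress_from_group(source_sg):
    """MySQL/Aurora 3306 from the jump host's security group (SG-to-SG reference)."""
    return [{
        "IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
        "UserIdGroupPairs": [{"GroupId": source_sg, "Description": "jump host"}],
    }]


def ssh_ingress_from_cidr(cidr):
    """SSH 22 to the jump host from exactly one administrator address."""
    if not cidr.endswith("/32"):
        raise ValueError(f"SSH source must be a single host (/32), got {cidr}")
    return [{
        "IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
        "IpRanges": [{"CidrIp": cidr, "Description": "admin workstation"}],
    }]


def audit(permissions):
    """Findings for rules that open 3306 to 0.0.0.0/0 or ::/0.

    `permissions` is the IpPermissions list from describe_security_groups.
    IpProtocol "-1" means all traffic and carries no port range.
    """
    findings = []
    for perm in permissions:
        lo, hi = perm.get("FromPort"), perm.get("ToPort")
        covers_mysql = perm.get("IpProtocol") == "-1" or (lo is not None and lo <= 3306 <= hi)
        if not covers_mysql:
            continue
        open_v4 = [r["CidrIp"] for r in perm.get("IpRanges", []) if r["CidrIp"] == "0.0.0.0/0"]
        open_v6 = [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []) if r["CidrIpv6"] == "::/0"]
        findings.extend(f"3306 open to {cidr}" for cidr in open_v4 + open_v6)
    return findings


def apply(ec2):
    """Authorize both rules; ec2 = boto3.client('ec2')."""
    ec2.authorize_security_group_ingress(GroupId=DB_SG, IpPermissions=db_ingress_from_group(JUMP_SG))
    ec2.authorize_security_group_ingress(GroupId=JUMP_SG, IpPermissions=ssh_ingress_from_cidr(ADMIN_CIDR))


if __name__ == "__main__":
    import boto3

    ec2 = boto3.client("ec2")
    apply(ec2)
    for group in ec2.describe_security_groups(GroupIds=[DB_SG])["SecurityGroups"]:
        for finding in audit(group["IpPermissions"]):
            print(f"{group['GroupId']}: {finding}")
```

Re-running apply() against rules that already exist raises InvalidPermission.Duplicate from the API; that is harmless, but a scheduled job should catch it rather than treat it as a failure.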

1
votes

Data API and Query Editor for connecting to Aurora Serverless are now available in some more regions.

https://aws.amazon.com/about-aws/whats-new/2020/05/amazon-rds-data-api-and-query-editor-available-additional-regions/

1
votes

You should be using an EC2 instance that has access to your DB instance.
This EC2 instance should have port 22 open for SSH.
Now use port forwarding from local to EC2 to the DB instance.
Now in your Workbench give hostname 127.0.0.1 and port <forwarded port>.
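The port-forwarding step above, as an added Python example that is not the answer's own code: it launches ssh -N -L with the local side bound to 127.0.0.1 only (so the forwarded database port is not reachable by anyone else on your LAN), waits for the forwarded port to actually accept connections, and then hands that port to the mysql client or, equivalently, to Workbench pointed at 127.0.0.1. The jump host address, SSH user, key path and endpoint are placeholders.

```python
"""Open an SSH local port-forward to the Aurora endpoint through a jump host.

Added example, not part of the answer. JUMP_HOST, JUMP_USER, KEY_FILE and
DB_ENDPOINT are placeholders. ExitOnForwardFailure makes ssh exit instead
of silently running without the forward when 3306 is blocked by the DB SG.
"""
import os
import socket
import subprocess
import time

JUMP_HOST = "34.3.3.1"          # placeholder public IP of the EC2 jump host
JUMP_USER = "ec2-user"          # placeholder: ubuntu/admin on other AMIs
KEY_FILE = "~/.ssh/jump.pem"    # placeholder path to the instance key
DB_ENDPOINT = "xxxxx.cluster-abcdefg1234.eu-west-1.rds.amazonaws.com"  # placeholder
LOCAL_PORT = 3307               # 3307 so a local MySQL on 3306 is not in the way


def tunnel_argv(local_port=LOCAL_PORT, endpoint=DB_ENDPOINT, jump=JUMP_HOST,
                user=JUMP_USER, key=KEY_FILE):
    """Arguments for: ssh -N -L 127.0.0.1:<local>:<endpoint>:3306 user@jump."""
    return [
        "ssh", "-N",                           # no remote shell, forward only
        "-o", "ExitOnForwardFailure=yes",
        "-o", "ServerAliveInterval=30",        # keep idle Workbench sessions alive
        "-i", os.path.expanduser(key),
        "-L", f"127.0.0.1:{local_port}:{endpoint}:3306",
        f"{user}@{jump}",
    ]


def wait_for_port(port, host="127.0.0.1", timeout=15.0):
    """Poll until the forwarded port accepts a TCP connection or the deadline passes."""
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        try:
            with socket.create_connection((host, port), timeout=1.0):
                return True
        except OSError:
            time.sleep(0.2)
    return False


def open_tunnel():
    """Start ssh in the background and return the process once the port is live."""
    proc = subprocess.Popen(tunnel_argv())
    if not wait_for_port(LOCAL_PORT):
        proc.terminate()
        raise RuntimeError("tunnel did not come up: check the jump host SG (22) and the DB SG (3306)")
    return proc


if __name__ == "__main__":
    tunnel = open_tunnel()
    try:
        # Workbench: Standard TCP/IP, hostname 127.0.0.1, port LOCAL_PORT. Or from the shell:
        subprocess.run(["mysql", "-h", "127.0.0.1", "-P", str(LOCAL_PORT), "-u", "admin", "-p"])
    finally:
        tunnel.terminate()
```

If ssh exits immediately, the forward itself was refused: the jump host could not reach the endpoint on 3306, which points back at the database security group rather than at your workstation.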

1
votes

Aurora Serverless does not have a public endpoint to connect to from any IDE like MySQL Workbench, Sequel Pro etc. But we can connect through the CLI by launching an instance in the same VPC in which Aurora Serverless resides.

Besides, you can check out Cloud9, an AWS cloud IDE. This is in turn EC2 only, but it has a UI as well, can be shared with teams, and has a bunch of other features.

0
votes

Initially, I got stuck in the same scenario. Points to be noted while connecting to AWS RDS Aurora:

  • Can't connect publicly; you need an EC2 instance in the same region where Aurora has been created.

  • Aurora public access should be set to No (it worked for me).

  • You need to create the security group, where you should add inbound and outbound rules (IP address of the EC2 instances).

Ex: Type = MYSQL/AURORA, Protocol = TCP, Port Range = 3306, Source = Custom and your IP address range.

  • Modify the instance and the security group for the instance, and apply the changes immediately.

  • While creating Aurora, you will create the master name, password, and default schema to connect to.

  • After creating, go to the cluster and take the cluster endpoint, log in to your EC2 instance and, with MySQL Workbench, use the cluster endpoint as hostname, and the username and password entered while creating the Aurora database.

0
votes

This can be achieved using HAProxy.

Install HAProxy on CentOS: yum install haproxy

Delete the existing configuration in /etc/haproxy/haproxy.cfg and add the lines below (make sure you replace the RDS endpoint URL in the configuration with your own):

    global
        user haproxy
        group haproxy

    defaults
        retries 2
        timeout connect 3000
        timeout server 5000
        timeout client 5000

    listen mysql-cluster
        bind 0.0.0.0:3307
        mode tcp
        server mysql-1 test.cluster-crkxsds.us-west-2.rds.amazonaws.com:3306

After modifying the file, start HAProxy: service haproxy start

You can connect to Aurora RDS in MySQL Workbench using the public IP with port number 3307.

-6
votes

My guess is your security group is not correctly set up for access. You need to explicitly allow remote access on that port to that instance.

From the official docs:

Two common causes of connection failures to a new DB instance are:

  • The DB instance was created using a security group that does not authorize connections from the device or Amazon EC2 instance where the MySQL application or utility is running. If the DB instance was created in a VPC, it must have a VPC security group that authorizes the connections. If the DB instance was created outside of a VPC, it must have a DB security group that authorizes the connections.

  • The DB instance was created using the default port of 3306, and your company has firewall rules blocking connections to that port from devices in your company network. To fix this failure, recreate the instance with a different port.

See here for more information:

https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_ConnectToInstance.html