0
votes

I cannot connect to my RDS instance from an EC2 instance; the error I am getting is "connect: connection timed out". However, I am able to connect from MySQL Workbench running on my local machine.

  1. RDS instance set to publicly available
  2. RDS instance and ec2 instance are in the same security group
  3. Security group when configured to allow connections from anywhere still produces same error
  4. traceroute outputs *** for all hops when run from the EC2 instance to RDS, but provides normal output when run from my local machine, showing that it's not blocked by a firewall
  5. RDS instance and ec2 instance are in same availability zone, not multi-zone rds
  6. Opening the connection using the following Go code:

conn, err = sql.Open("mysql", fmt.Sprintf("%s:%s@tcp(%s:%s)/%s", os.Getenv("db_user"), os.Getenv("db_pass"), os.Getenv("db_endpoint"), os.Getenv("db_port"), os.Getenv("db_name")) + "?parseTime=true")

It seems like a firewall issue but changing security group permissions is not helping.

1
It is quite unusual to make an RDS instance publicly available. Do you have a particular reason for wanting to do this? - John Rotenstein
Wanted to test if I could connect to the RDS instance from places other than the EC2 instance. - billybob123

1 Answer

0
votes

Putting resources in the same security group does not grant access between those resources. This is because the security group rules are applied to each resource individually. Therefore, the security group would need to "allow access from itself" to permit the connection. However, since your RDS database is configured for public access, this won't actually work because the RDS database will have a public IP address.

Given that your database is publicly accessible, its DNS name will resolve to a public IP address. Therefore, your configuration should be:

  • Create a security group for the Amazon EC2 instance (App-SG) that permits appropriate inbound access (e.g. HTTP, SSH) and has the default outbound rules (Allow All)
  • Create a security group for the Amazon RDS database (DB-SG) that permits inbound access from the EC2 instance's public IP address
  • If, however, the RDS database was not configured for public access, you would configure the security group to permit inbound access from App-SG. That is, DB-SG would specifically refer to App-SG.
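The rule the answer describes can be derived mechanically from where the RDS endpoint resolves: a private (RFC 1918) address means the traffic stays inside the VPC and DB-SG can reference App-SG; a public address means the EC2 instance leaves the VPC and DB-SG must allow its public IP instead. The following Go program is an added example, not code from the question or the answer. The security-group id, IP addresses and endpoint are constructed sample values, port 3306 is the MySQL default, and the probe function simply reproduces the asker's timed-out dial with a short deadline.

```go
// Added example: decide which DB-SG ingress rule applies to an RDS endpoint
// and reproduce the "connection timed out" probe. All ids/IPs are constructed.
package main

import (
	"errors"
	"fmt"
	"net"
	"time"
)

// IngressRule is the single inbound rule DB-SG needs for the database port.
type IngressRule struct {
	Port   int
	Source string // either a security-group id or a CIDR
}

// isPrivate reports whether ip lies in an RFC 1918 range, i.e. inside a VPC.
func isPrivate(ip net.IP) bool {
	for _, cidr := range []string{"10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"} {
		_, block, _ := net.ParseCIDR(cidr)
		if block.Contains(ip) {
			return true
		}
	}
	return false
}

// ruleForEndpoint returns the DB-SG ingress rule matching the resolved RDS address:
// private endpoint -> reference App-SG; public endpoint -> EC2 public IP as a /32.
func ruleForEndpoint(rdsIP net.IP, appSG string, ec2PublicIP net.IP, port int) (IngressRule, error) {
	if rdsIP == nil || rdsIP.To4() == nil {
		return IngressRule{}, errors.New("RDS endpoint did not resolve to an IPv4 address")
	}
	if isPrivate(rdsIP) {
		// Traffic stays in the VPC, so the source can be the EC2 instance's security group.
		return IngressRule{Port: port, Source: appSG}, nil
	}
	// Public endpoint: the connection leaves the VPC, so a security-group reference
	// does not match and the EC2 instance's public IP must be allowed explicitly.
	if ec2PublicIP == nil || isPrivate(ec2PublicIP) {
		return IngressRule{}, errors.New("public RDS endpoint requires the EC2 instance's public IP")
	}
	return IngressRule{Port: port, Source: ec2PublicIP.String() + "/32"}, nil
}

// probe reproduces the asker's symptom: a TCP dial that times out when the
// security group silently drops the SYN (a refused connection fails immediately).
func probe(addr string, timeout time.Duration) error {
	c, err := net.DialTimeout("tcp", addr, timeout)
	if err != nil {
		return err
	}
	return c.Close()
}

func main() {
	// Constructed values; a real run would use net.LookupIP(os.Getenv("db_endpoint")).
	appSG := "sg-0123456789abcdef0"
	ec2Public := net.ParseIP("198.51.100.7")

	for _, rds := range []string{"10.0.1.25", "203.0.113.10"} {
		rule, err := ruleForEndpoint(net.ParseIP(rds), appSG, ec2Public, 3306)
		if err != nil {
			fmt.Println(rds, "->", err)
			continue
		}
		fmt.Printf("RDS %s -> DB-SG inbound tcp/%d from %s\n", rds, rule.Port, rule.Source)
	}

	// TEST-NET-1 address: the dial is expected to time out, like the asker's error.
	fmt.Println("probe:", probe("192.0.2.10:3306", 2*time.Second))
}
```

Run it on the EC2 instance itself and the probe error tells you which case you are in: a timeout points at a rule that never matched (the security-group case above), while an immediate refusal means the packets reached the host and something else is wrong.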