Mysql – Connecting to an RDS from an EC2 on the same VPC

Tags: amazon-ec2, amazon-rds, amazon-vpc, amazon-web-services, mysql

I have an RDS instance running on one subnet without NAT, and an EC2 instance running on another subnet with an Internet Gateway configured, both located in the same VPC. I have configured the RDS instance to not be publicly accessible.

I am using the following command in my remote EC2 (running on the second subnet) to connect to the RDS instance:

mysql -h xxxx.eu-central-1.rds.amazonaws.com -P 3306 -u root -p

I have entered the correct password which I have set when configuring the RDS, but I get the following error:

ERROR 2003 (HY000): Can't connect to MySQL server on 'XXX.eu-central-1.rds.amazonaws.com' (110)

I've checked; it's not a name resolution problem. The EC2 converts the endpoint to the correct internal IP.

Here are my settings:

RDS

VPC: the same as the EC2

AVAILABILITY ZONE: eu-central-1b

SUBNET: in the RDS panel I can see all the subnets, yet I can see that there is one less available ip in the private subnet of zone b

SECURITY GROUP: private security group (no outbound rules, and in the inbound, single rule with the mysql port and the public security group as the source)

PUBLICLY ACCESSIBLE: no

MULTI AZ: no

EC2

VPC: the same as the RDS

AVAILABILITY ZONE: eu-central-1b

SUBNET: public subnet of zone b

SECURITY GROUP: public security group (all ports from any source as the inbound rule, and ssh, http and https ports from any source as the outbound rule)

I can access the EC2 instance using http and ssh. It works as expected.

VPC

VPC: both RDS and EC2 use the same

SUBNETS: one public and one private for each AZ, 4 in total

DHCP: the default one (domain-name = eu-central-1.compute.internal domain-name-servers = AmazonProvidedDNS)

ROUTE TABLES: for the public subnets, route to local (automatically) and to the internet gateway; for the private, only the local (automatically)

ACLs: public: allow all both in the inbound and in the outbound. private: allow all on the inbound only. There is also a line with the id * with deny all, on both ACLs, both on inbound and on outbound, but I'm pretty sure that is supposed to be there; I can't delete it.

What am I doing wrong? Am I missing something?

Best Answer

Check your security groups, that is the likely culprit. Hosts inside a VPC using DNS names will always use the private IP of the remote resource, so the NAT / IG portion isn't important.
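The rules listed in the question, evaluated the way the VPC data plane evaluates them: a security group is stateful (the side that opens the connection needs an outbound rule, the responder needs an inbound rule, and return traffic is tracked), while a network ACL is stateless (the reply is a fresh packet to the client's ephemeral port and must pass both subnets' ACLs on its own). This is an added example, not code from the question or the answer; the 10.0.x addresses, the group names and the 10.0.0.0/16 VPC range are assumptions used for illustration. It also decodes the "(110)" suffix of ERROR 2003, which is the Linux errno for a timed-out SYN, the signature of a silent drop rather than a refused connection.

```python
"""Added example (not from the original post): model the EC2 -> RDS path on tcp/3306 with the
security-group and network-ACL rules described in the question and report which hops drop packets.
Host IPs, group names and the 10.0.0.0/16 VPC range are assumptions for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

ANY = "0.0.0.0/0"
EPHEMERAL = (1024, 65535)   # Linux clients pick a source port in this range

# Linux errno values behind mysql's "ERROR 2003 ... (N)" suffix.
LINUX_ERRNO = {
    110: "ETIMEDOUT: SYN got no reply; a stateless or stateful filter is silently dropping packets",
    111: "ECONNREFUSED: host reached but nothing listens on the port (wrong port, or service down)",
    113: "EHOSTUNREACH: no route to the host (route table problem, not a filter)",
}

def explain_error_2003(code: int) -> str:
    return LINUX_ERRNO.get(code, f"errno {code}: not in table")

@dataclass(frozen=True)
class Rule:
    ports: Tuple[int, int]      # inclusive TCP port range; (0, 65535) means all ports
    peer: str                   # a CIDR, or the name of a security group
    action: str = "allow"       # NACL entries may also be "deny"

def peer_matches(rule_peer: str, ip: str, sg_name: str) -> bool:
    if "/" in rule_peer:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(rule_peer)
    return rule_peer == sg_name

def matches(rule: Rule, port: int, ip: str, sg_name: str) -> bool:
    lo, hi = rule.ports
    return lo <= port <= hi and peer_matches(rule.peer, ip, sg_name)

def sg_allows(rules: List[Rule], port: int, ip: str, sg_name: str) -> bool:
    """Security groups: allow-only, any matching rule permits; stateful, so replies need no rule."""
    return any(matches(r, port, ip, sg_name) for r in rules)

def nacl_allows(rules: List[Rule], port: int, ip: str) -> bool:
    """Network ACLs: stateless, evaluated in order, and the undeletable '*' entry denies the rest."""
    for r in rules:
        if matches(r, port, ip, sg_name=""):
            return r.action == "allow"
    return False

@dataclass
class Host:
    name: str
    ip: str
    sg: str
    sg_in: List[Rule]
    sg_out: List[Rule]
    nacl_in: List[Rule]
    nacl_out: List[Rule]

def trace_tcp(client: Host, server: Host, dport: int) -> List[str]:
    """Return the hops that would drop a TCP connection client -> server:dport, request and reply."""
    drops = []
    sport = EPHEMERAL[0]   # representative reply destination; the whole range must be open
    # Request: client SG out -> client subnet NACL out -> server subnet NACL in -> server SG in
    if not sg_allows(client.sg_out, dport, server.ip, server.sg):
        drops.append(f"{client.name} SG outbound lacks tcp/{dport} to {server.name}")
    if not nacl_allows(client.nacl_out, dport, server.ip):
        drops.append(f"{client.name} subnet NACL outbound blocks tcp/{dport}")
    if not nacl_allows(server.nacl_in, dport, client.ip):
        drops.append(f"{server.name} subnet NACL inbound blocks tcp/{dport}")
    if not sg_allows(server.sg_in, dport, client.ip, client.sg):
        drops.append(f"{server.name} SG inbound lacks tcp/{dport} from {client.name}")
    # Reply: SGs track the connection, NACLs do not, so the SYN-ACK to the client's ephemeral
    # port must pass the server subnet's outbound NACL and the client subnet's inbound NACL.
    if not nacl_allows(server.nacl_out, sport, client.ip):
        drops.append(f"{server.name} subnet NACL outbound blocks replies to ports {EPHEMERAL[0]}-{EPHEMERAL[1]}")
    if not nacl_allows(client.nacl_in, sport, server.ip):
        drops.append(f"{client.name} subnet NACL inbound blocks replies to ports {EPHEMERAL[0]}-{EPHEMERAL[1]}")
    return drops

ALL = Rule((0, 65535), ANY)

def as_described() -> Tuple[Host, Host]:
    """The configuration as described in the question (constructed; addresses are assumed)."""
    ec2 = Host("ec2", "10.0.1.10", "public-sg",
               sg_in=[ALL],
               sg_out=[Rule((22, 22), ANY), Rule((80, 80), ANY), Rule((443, 443), ANY)],
               nacl_in=[ALL], nacl_out=[ALL])
    rds = Host("rds", "10.0.2.20", "private-sg",
               sg_in=[Rule((3306, 3306), "public-sg")], sg_out=[],
               nacl_in=[ALL], nacl_out=[])          # private NACL: only the '*' deny on outbound
    return ec2, rds

def fixed() -> Tuple[Host, Host]:
    """Least-privilege fix: one SG egress rule on the client, one NACL return-traffic rule."""
    ec2, rds = as_described()
    ec2.sg_out.append(Rule((3306, 3306), "private-sg"))    # EC2 may initiate to RDS only
    rds.nacl_out.append(Rule(EPHEMERAL, "10.0.0.0/16"))    # private subnet may answer within the VPC
    return ec2, rds

if __name__ == "__main__":
    print(explain_error_2003(110))
    for label, (ec2, rds) in (("as described", as_described()), ("fixed", fixed())):
        print(label, "->", trace_tcp(ec2, rds, 3306) or ["connection completes"])
```

Run as-is, the "as described" trace reports two drops: the public security group's outbound rules (22, 80, 443) never let the EC2 send to 3306, and the private subnet's ACL has no outbound allow, so RDS's SYN-ACK to the client's ephemeral port is discarded. Either one alone is enough to produce errno 110, which is why the private ACL deserves a look even though the answer points at the security groups first. The fixed pair keeps the RDS security group's inbound rule scoped to the public group and adds only what the path needs, rather than opening the EC2 group's egress to everything.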