How can I troubleshoot connectivity to an RDS instance that uses a public/private subnet of a VPC?

Aug 16, 2023

How can I troubleshoot connectivity to an RDS instance that uses a public/private subnet of a VPC?

Find more details in the AWS Knowledge Center: https://repost.aws/knowledge-center/r…
Arnab, an AWS Cloud Support Engineer, shows you how to troubleshoot connectivity to an Amazon RDS instance that uses a public or private subnet of a VPC.

Content

0.202 -> (upbeat music)

12.04 -> - Hi, I am Arnab,

13.85 -> a Cloud Support engineer

15.01 -> here at the AWS office in Seattle.

17.35 -> Sometimes, customers tell me

19.31 -> that they are having issues

20.44 -> when connecting to the Amazon RDS instances.

23.15 -> Let's start with the basics about the Amazon RDS instances.

26.22 -> When customers spin up an instance or cluster

28.39 -> in an Amazon VPC.

30.51 -> Let's set up the Amazon VPC

31.99 -> with two subnets:

33.26 -> One public, and one private.

35.53 -> The Amazon RDS instances in the public subnet

38.04 -> can send outbound traffic directly to the Internet.

41.29 -> We can control the access to the Amazon RDS instance

44.17 -> using security groups.

46.07 -> A security group rule enables

47.89 -> a specific source to access

49.63 -> an Amazon RDS instance in an Amazon VPC that's associated

53.52 -> with that security group.

55.07 -> You can add rules to the security group

57.1 -> associated with the Amazon VPC

59.2 -> to allow traffic that is related to the source to travel

62.19 -> in and out of the DB instance.

64.47 -> When you set up the rule, you can specify an IP address,

67.76 -> a range of IP address,

69.3 -> or another security group in the VPC.

72.2 -> Let's also talk about the network access

74.04 -> control lists.

75.01 -> The ACLs,

76 -> network ACLs act as a firewall for resources

79.12 -> in a specific subnet in an Amazon VPC.

82 -> If you use ACLs in your Amazon VPC,

84.48 -> be sure that they have rules

85.9 -> to allow inbound and outbound traffic

88.01 -> traveling to and from

89.35 -> the DB instance.

90.89 -> Now, about network or the local firewalls.

93.65 -> Be sure to check with your network administration

96.13 -> to be sure that your network allows traffic

98.76 -> to and from the DB instance.

100.89 -> Note,

101.723 -> Amazon RDS does not accept Internet control message

104.47 -> protocol, ICMP, traffic, including ping.

107.87 -> Let me walk you through a few scenarios.

109.86 -> The RDS is in public subnet inside the VPC,

112.91 -> but the customer cannot connect

114.37 -> to the instance from a local desktop or workstation.

117.54 -> That is, the RDS can't be reached

119.55 -> or connected to over the Internet,

121.2 -> even though the RDS instance is in the public subnet.

123.8 -> To troubleshoot the situation,

125.26 -> let's check whether the RDS public accessibility

127.81 -> is set to yes.

129.16 -> If not, let's go through the steps to set

131.38 -> the public accessibility to yes.

133.85 -> After signing into the AWS management console,

136.76 -> navigate to the RDS console.

140.68 -> Let's click on the DB instances.

143.06 -> Select the RDS DB instance

144.62 -> that you want to change.

145.95 -> In this case, I'll be using

147.275 -> labmysql instance.

149.52 -> Choose modify.

152.64 -> On the modify page,

154.04 -> under network and security,

155.76 -> select the public accessibility option as yes.

159.57 -> When you have selected the option on the configuration,

161.81 -> choose apply immediately,

164.26 -> then choose modify.

167.77 -> Now let us wait for some time

169.12 -> while the instance becomes publicly accessible.

171.37 -> And then currently I can see the instances

172.8 -> in a modifying state.

174.27 -> Please note, when you select apply immediately,

177.19 -> any pending modifications

178.63 -> are also applied immediately,

180.36 -> instead of during the next maintenance window.

182.96 -> Thus, it may cause unexpected downtime.

185.35 -> It is recommended to check if there are any

187.33 -> pending maintenance actions

188.78 -> from AWS RDS console,

190.66 -> before proceeding.

192.69 -> As we can see now,

193.85 -> the RDS instances have a level at this time.

196.29 -> I'm clicking on the RDS instance

197.71 -> to see if the public accessibility

199.53 -> is set as yes.

201.41 -> So this is currently I can see it's set as yes,

204.19 -> so I will move over to the terminal window

206.04 -> to see if I'm able to connect with this RDS instance.

209.56 -> Yeah, I'm just using Telnet to connect to this

211.75 -> RDS instance over the port 3306.

216.71 -> Oops.

217.543 -> This is not connecting,

218.376 -> so let us see what our other options we have

220.39 -> in this scenario to connect with the RDS instance.

222.83 -> I'm moving over to the AWS RDS console.

225.07 -> Now let's check if the subnet route table

227.05 -> has an Internet gateway attached to it.

229.21 -> If it does not,

230.043 -> we need to attach the Internet gateway

231.68 -> and then check to see

232.98 -> whether your subnet route table

234.22 -> points to the Internet gateway.

236.39 -> Select the Amazon RDS DB instance that you want.

239.81 -> Choose connectivity and security.

241.95 -> And then choose Amazon VPC.

245.11 -> Here, my VPC is Demo1PUB only.

247.97 -> On the Amazon VPC console,

249.6 -> select the VPC

251.21 -> and then scroll down to the option below

253.2 -> and the route table attached to it.

256.35 -> On the route table page,

257.86 -> select the second tab routes,

259.89 -> and choose edit.

261.22 -> Select add route,

262.5 -> and add 0.0.0.0/0 sider range

266.04 -> to the destination,

267.27 -> and IGW to the target.

269.65 -> And choose save.

274.96 -> Now let us go back to the terminal window

276.65 -> and see if we are able to connect

277.98 -> to the this RDS instance

279.34 -> from the desktop.

280.92 -> I'll be using the same Telnet command

282.5 -> to connect to this RDS instance

283.82 -> on 3306.

287.44 -> Oops.

288.273 -> We see there are issues in the connectivity as well,

290.56 -> so let us see the security groups

292.57 -> for this particular RDS instance.

294.45 -> So I'll go back to the Amazon RDS console first,

297.6 -> I'll click on the DB instances.

300.88 -> So from the Amazon RDS console,

302.51 -> select the Amazon RDS DB instance

304.49 -> that you want to change.

306 -> Go to the connectivity and the security tab,

308.5 -> and then choose the VPC security group.

311.17 -> This takes you to the security group page

312.96 -> in the Amazon EC2 console.

315.42 -> Select the correct security group,

317.09 -> and then choose the inbound tab to edit the rules.

322.55 -> In the type,

323.49 -> select the correct protocol and port,

325.75 -> and then select my IP from the source list.

328.9 -> You can add an optional description as well

330.95 -> and this populates the local desktop IP.

333.31 -> Choose save.

334.42 -> And then try to connect from the desktop.

336.74 -> So I'll go back to the terminal page one more time

338.77 -> to see if I can connect to the RDS instance.

341.72 -> I'll be using the same Telnet command

343.29 -> to see if the traffic is reaching

345.04 -> from my desktop to the RDS instance.

347.54 -> Wow, it's connecting,

348.62 -> so we can see the RDS instance is reachable

350.57 -> from my local desktop

351.72 -> and we did change the public accessibility to yes.

354.84 -> We saved the route table with the proper Internet gateway,

357.96 -> and we allowed the permission from the local desktop IP

360.56 -> to the security groups.

362.9 -> And let me try to connect to this instance

364.5 -> using mysql.

365.74 -> As you can see here,

366.62 -> I'm using the mysql utility

368.13 -> to connect to this RDS instance.

369.92 -> On the port 3306, my username is aws_demo.

375.33 -> Yes, I'm able to connect to this RDS instance.

378.33 -> Please note, often when we change the network,

380.73 -> whether we're using a VPN,

382.27 -> our office network, or our home network,

384.67 -> the work station, the laptop IP address also changed.

388.13 -> When this happens,

389.18 -> it is of best practice to add the correct

391.14 -> IP address in the security group

392.81 -> in the same way as described above.

395.02 -> Let's go back to the second scenario.

396.86 -> The Amazon RDS is in a private subnet and you cannot connect

400.22 -> to it from your local desktop.

401.87 -> This happens when RDS is run in a private subnet,

404.79 -> usually for the security reasons.

406.88 -> Sometimes, this means that there can be difficulties

410.07 -> when connecting from the local desktop.

411.94 -> But the reason that Amazon RDS is located within

414.7 -> a private subnet is so that it can be accessed only within

418.1 -> the VPC network or through the VPN connection

420.56 -> from the local network.

422.48 -> In this scenario, it is a best practice

424.69 -> to use an Amazon EC2 instance

426.73 -> inside the same VPC.

428.44 -> Then try to connect to the RDS instance

430.53 -> or set up a VPN network connection

432.55 -> between your Amazon VPC and your local network.

435.77 -> Add the Amazon EC2 instance IP

437.76 -> or the security group of the EC2 instance,

440.14 -> or your local network CIDR range

442.4 -> for VPN connections

443.68 -> to the Amazon RDS security group.

446.41 -> From the Amazon RDS console,

448.2 -> select the Amazon RDS DB instance

450.18 -> that you want to change.

451.74 -> In this case, I'll be using

453.15 -> demomysqlpriv.

456.41 -> Go to the connectivity and security tab

458.77 -> and choose the security group.

460.92 -> This will take you to the security group page

462.69 -> in the Amazon EC2 console.

464.5 -> Select the correct security group

466.51 -> and choose the inbound tab to edit the rules.

469.65 -> In type,

470.65 -> select the right protocol, port,

472.7 -> and select the security group of the Amazon EC2 instance,

476.37 -> or the IP address of the Amazon EC2 instance.

479.11 -> For this test case,

480.75 -> I have one EC2 instance in the same region

483.15 -> and the security group of the EC2 instance

485.13 -> is pub SG.

486.75 -> I'll be using the same EC2 instance

488.44 -> to connect to the RDS instance,

490.14 -> hosted in the private subnet.

494.1 -> I'm selecting all traffic

496.85 -> from the security group, pub SG,

498.57 -> in which the EC2 instance is hosted.

501.95 -> You can also add optional description if you like.

504.44 -> Choose save,

505.53 -> and then try to connect to the RDS instance

507.46 -> from the Amazon EC2 instance.

509.6 -> Let us go back to the terminal

510.88 -> from where we will connect to the EC2 instance

512.98 -> and we will try to connect with the RDS instance,

515.04 -> hosted in the private subnet.

517.89 -> I'm connecting to the EC2 instance

519.16 -> from the terminal.

521.8 -> I'll be using Telnet

522.87 -> to connect to the RDS instance over the port 3306.

526.23 -> It worked, so we are able to reach to the RDS instance

529.24 -> hosted in the private subnet from the EC2 instance.

531.98 -> Let us try to connect using the mysql utility as well.

536.56 -> Yes, we are able to connect from the mysql utility as well.

540.56 -> Now, let's discuss about one more scenario

542.42 -> where the Amazon RDS is in the different

544.69 -> Amazon VPC than the Amazon EC2 instance

547.69 -> and customer cannot connect.

549.49 -> In this scenario, Amazon RDS

551.38 -> is accessed from an Amazon EC2 instance,

553.66 -> and they exist in different Amazon VPCs.

556.4 -> The customer needs to enable a connection

558.51 -> between two Amazon VPCs that enables traffic to be routed

561.68 -> between them.

562.68 -> Please note,

563.513 -> when you have an Amazon VPC peering connection

565.23 -> between VPC A and VPC B,

567.15 -> which can belong to the same or different

568.967 -> AWS account, you should not be having

570.68 -> overlapping CIDR blocks.

572.56 -> For this test scenario,

573.89 -> I'll be using two VPC,

575.42 -> one in the Mumbai region,

576.7 -> and the one in the central region.

579.05 -> My RDS will be hosted in the Mumbai region,

581.42 -> and the EC2 instance is hosted in the central region.

584.14 -> For that,

584.973 -> I will try to establish a VPC peering connection at first.

588.17 -> Let's get started.

589.16 -> From the Amazon VPC console,

590.98 -> select peering connection from the menu

593.13 -> on the left-hand side.

594.68 -> Choose create peering connection

597.69 -> and give a name tag,

600.2 -> give the VPC of the Amazon RDS instance,

602.92 -> and you will need to select

603.95 -> another VPC to peer with.

605.95 -> Then choose the account.

607.33 -> Here, I'll be choosing my account.

609.58 -> I'll choose the region.

611.58 -> In this case, it will be another region,

613.31 -> and I'll be selecting the region which is hosted in central.

617.22 -> And I have to give the VPC ID of the accepter VPC.

620.66 -> And choose create peering connection.

623.91 -> Go to the route table

624.77 -> of the Amazon VPC console.

626.6 -> Once you have created the peering connections,

628.91 -> we can see the status is in a pending state,

631.46 -> so we have to go to the different VPC in the central region.

634.62 -> Click on peering connection,

636.33 -> and we can see this is also pending state.

638.87 -> We have to accept this peering connection.

641.11 -> I'm clicking on actions,

642.62 -> and accept request.

644.57 -> Accept the VPC peering connection request.

647.59 -> Yes, accept.

648.95 -> So this message gives us

650.09 -> the VPC peering connection has been established

652.04 -> between the two VPC hosted one in Mumbai region,

654.61 -> and the other one in central region.

657.7 -> We can see the VPC peering connection status

659.69 -> is active right now in central.

662.38 -> Let's go back to the VPC section

664 -> in Mumbai region.

666.82 -> Let us refresh this page.

669.25 -> And we can see the status is currently active.

671.87 -> Go to the route tables on the Amazon VPC console

674.54 -> and then change the route tables to access

676.47 -> the entire CIDR block of another VPC.

679.5 -> Now I will add the destination

680.99 -> to the Amazon EC2 VPC main route table.

683.27 -> Select the route table on the Amazon VPC dashboard.

686.53 -> Search for the EC2 VPC ID,

688.98 -> and choose edit but under the routes tab.

692.13 -> Choose add another route.

694.17 -> Enter the CIDR range of the Amazon RDS VPC

697.24 -> for the destination,

698.69 -> and enter the ID of the peering connection

700.57 -> for the target,

702.96 -> and click on save routes.

707.39 -> Now we will add the destination

708.78 -> to the instance or the class for VPC main route table.

711.63 -> Go back to the VPC,

712.62 -> where the RDS instance is hosted.

714.52 -> I will select the route tables

715.93 -> in the Amazon VPC dashboard.

718.71 -> I'll select for the VPC ID,

720.67 -> and I will click edit but under the routes tab.

724.23 -> I will choose add another route

725.96 -> and I will enter the entire CIDR range for the VPC

728.7 -> for the destination.

730.54 -> I need to enter the ID of the peering connection

732.45 -> for the target.

734.95 -> And click on save routes.

739.63 -> You can update the inbound or the outbound rules

741.88 -> for your VPC security groups

743.64 -> to reference the security groups in the peered VPC.

746.6 -> Doing so allows the traffic to flow

748.72 -> to and from the instances

750.18 -> that are associated with the referenced security group

752.62 -> in the peered VPC.

754.12 -> I'll go to the RDS AWS console.

756.52 -> I've clicked on the DB instance,

758.67 -> and I will see the security group

760.21 -> for the DB instance is default.

762.56 -> And to update the security group rules,

764.39 -> using the console,

765.36 -> we will open the Amazon VPC console.

769.45 -> In the navigation pin,

770.71 -> we will choose security groups.

773.3 -> Select the security group and choose the inbound rules

776.51 -> to modify the inbound rules or the outbound rules.

779.64 -> Choose edit

780.63 -> and add another rule.

782.35 -> Specify the type, the protocol,

784.22 -> the port range as required.

786.21 -> For source, our destination for an outbound rule,

789.4 -> type the ID of the security group in the peered VPC

792.14 -> if it is in the same region

793.84 -> or the CIDR block of the peered VPC if it's in

796.08 -> a different region.

797.28 -> So I'll quickly go back to the EC2 instance,

799.27 -> which is hosted in central region,

800.93 -> and I will try to find the IP of this instance.

803.76 -> I see the private IP of the instance is 172.0.1.4.

808.21 -> I come back to the security groups

810.92 -> and I will add this private IP in the inbound rules.

816.26 -> We can add a short description as well

818.15 -> for this particular rule.

819.84 -> Now click choose save rules.

822.03 -> Now we will go back and we will try to connect

823.463 -> with the EC2 instance from the terminal.

825.77 -> The EC2 instance is hosted

827 -> in the central region,

828.64 -> and from the EC2 instance,

829.84 -> we will try to connect

831.05 -> to the RDS instance

832.28 -> hosted in the Mumbai region.

834.39 -> I'm trying to connect with the EC2 instance,

836.02 -> which is hosted in the central region.

838.06 -> Now let's try to connect with the RDS instance,

840.33 -> which is hosted in the Mumbai region.

842.62 -> Yes, we can see it is connecting,

844.27 -> so by this weekend, establish the connectivity

846.33 -> from the EC2 instance, which is hosted

847.873 -> in a VPC in central region,

850.35 -> to an RDS instance,

851.41 -> which is hosted in the Mumbai region.

853.5 -> Two VPC peering.

855.8 -> So I will try to connect to this RDS instance

857.82 -> using the mysql utility.

860.7 -> Yes, we are able to establish the connection

862.47 -> using the mysql utility as well.

864.88 -> Thanks for watching,

865.713 -> and happy cloud computing

866.84 -> from all of us here at AWS.

868.722 -> (upbeat music)

Source: https://www.youtube.com/watch?v=PxFZt8MG2ss