AWS EC2 cannot connect to RDS - amazon-web-services

Guys
I had troubles with my EC2, I connected the EC2 through SSH successfully and used command line like “mysql -h **..rds.amazonaws.com (myRDS Endpoint) -p 3306 -u ** -p**” to connect to the RDS, unfortunately, I got this error after a while: "ERROR 2003 (HY000): Can't connect to MySql server on '**..rds.amazonaws.com' (110)'', there were several comments:
This EC2 and RDS are in same region and same available zone (Tokyo).
This EC2 is an classic one not VPC.
I can connect to to this Tokyo RDS through an EC2 located in other region (Singapore).
I get the same ERROR Info when using this Tokyo EC2 to connect to a RDS in Singapore and I'm sure Singapore RDS is available.
I tried "nc -zv 3306" using Tokyo EC2, but got a "time out" error while it succeed when using Signore EC2 to do this.
I checked the iptables of the Tokyo EC2, but there was no iptables there.
So, I doubt the problem is the EC2 not the RDS.
I google this and found the most similar questions are caused by SG, reason of this problem,
Very appreciated if any help, thanks in advance.
Best Regards
Beyond Wang

You need to make sure that the security group your EC2 instances are in is added to the security group for the RDS instance.

You need to add your server IP to the RDS whitelist.

Related

Unable to connect to server: timeout expired AWS aurora rds

I am trying to connect my AWS aurora database with pgAdmin 4 and it throws this error. I have tried all the previous solutions provided by the stack overflow answers like add inbound my IP and update pg_hab.conf. It still not working for me. Thank you in advance.
Error facing with pgAdmin
Aurora serverless can be only accessed from within VPC. It has no public Ip address. From docs:
You can't give an Aurora Serverless v1 DB cluster a public IP address. You can access an Aurora Serverless v1 DB cluster only from within a VPC.
This means you either have to connect to it from an EC2 instance running in the same VPC, or setup ssh tunneling or VPN connection between your local computer and the aurora. How to setup ssh tunnel is explained here and here.
Alternatively, use DATA API to interact with your database from outside of a VPC.

AWS RDS Aurora - How to connect using PgAdmin?

Yesterday AWS launched Aurora serverless for PostgreSQL, but it doesn't seem to have the same configuration options as other RDS databases, I can't set it to public facing for example, it forces me to have a VPC.
Now, I have no clue how to apply these VPC things to PgAdmin, I've tried setting the inbound for the security group to all ports and ips but it still won't connect (no server response).
How can I connect to a RDS Database inside a VPC using PgAdmin?
Opening the security group didn't work.
I realize this question is old, but I kept coming back to it as I worked this out.
This solution is similar to #genkilabs solution but simpler.
Steps:
Spin up an ec2 micro instance in the same vpc as the database. You will tunnel through this.
Add the security group for your ec2 to the inbound rules of the database's security group.
ssh into the ec2 instance and install psql (and postgress...) with:
sudo amazon-linux-extras install postgresql10
Verify that you can connect to your database with psql:
psql -h {server} -p 5432 -U {database username} -d {database name} -p
In PGAdmin create a new server connection
Enter the database host, username, and password as usual.
Go to the SSH Tunnel tab
turn on ssh tunneling
enter your ec2 hostname for the tunnel host
enter your ssh username
select the identity file and find the .pem or .cer file for your ec2 instance.
Save and done. You should now be able to connect to the serverless Aurora database from your local PGAdmin.
If you have trouble connecting to the database form the ec2, this guide may be helpful. The same steps apply connecting from ec2 as from cloud9.
EDIT Sept '22: With Serverless V2 you can now select "public access" during the initial create, and connect directly (provided your VPC and security groups allow it). However, it is still recommended for production / "enterprise" use to still connect only though a "bastion" or "jump-box".
Officially, you can't...
Per the docs:
You can't give an Aurora Serverless DB cluster a public IP address. You can access an Aurora Serverless DB cluster only from within a virtual private cloud (VPC) based on the Amazon VPC service.
However, connecting to a serverless DB from a non-Amazon product is just officially discouraged, it is not impossible.
The best solution I have found so far is to create an autoscaling cluster of bastion boxes within the same VPC. Then use them to tunnel through. The great part about this strategy is that it exposes a standard postgre format URL, so it can be used with pgAdmin, Navicat, ActiveRecord or any other ORM that uses typical connection urls.
...The bad part is that (so far) it seems to enforce a 30 sec timeout on connections. So you better get all your transactions wrapped up quick like.
If anyone can do better, I'd love to hear how as well.

problems connecting to AWS DocumentDB

I created a Cluster and an Instance of DocumentDB in amazon. When I try to connect to my Local SSH (MacOS) it displays the following message:
When I try for the MongoDB Compass Community:
mongodb://Mobify:<My-Password>#docdb-2019-04-07-23-28-45.cluster-cmffegva7sne.us-east-2.docdb.amazonaws.com:27017/?ssl=true&ssl_ca_certs=rds-combined-ca-bundle.pem&replicaSet=rs0
It loads many minutes and in the end it has this result:
After solving this problem, I would like to know if it is possible to connect a cluster of documentDB to an instance in another zone of availability ... I have my DocumentDB in Ohio and I have an EC2 in São Paulo ... is it possible?
Amazon DocumentDB clusters are deployed in a VPC to provide strong network isolation from the Internet. To connect to your cluster from outside of the VPC, please see the following: https://docs.aws.amazon.com/documentdb/latest/developerguide/connect-from-outside-a-vpc.html
AWS document DB is hosted on a VPC (virtual private cloud) which has its own specific subnets and security groups; basically, anything that resides in a VPC is not publicly accessible.
Document DB is deployed in a VPC. In order to access it, you need to create an EC2 instance or AWS Could9.
Let's access it from the EC2 instance and access AWS document DB using SSH tunneling.
Create an EC2 instance (preferably ubuntu) of any configuration and select the same VPC in which your document DB cluster is hosted.
After the EC2 is completely initialized, start an SSH tunnel and bind the local port # 27017 with document DB cluster host # 27017.
ssh -i "<ec2-private-key>" -L 27017:docdb-2019-04-07-23-28-45.cluster-cmffegva7sne.us-east-2.docdb.amazonaws.com:27017 ubuntu#<ec2-host> -N
Now your localhost is tunneled to ec2 on port 27017. Connect from mongosh or mongo, enter your cluster password and you will be logged in and execute any queries.
mongosh --sslAllowInvalidHostnames --ssl --sslCAFile rds-combined-ca-bundle.pem --username Mobify --password
Note: SSL will be deprecated. Use tls, just replace SSL with tls in the above command.

Not able to connect to AWS DocumentDB from my ubuntu EC2 machine

I can't connect to my Amazon DocumentDB from my amazon EC2 ubuntu machine? I've checked the security of the Amazon DocumentDB and it's currently assigned to the default which has "all traffic".
I've tried the following command, straight out of the AWS instances page although I receive the error message included below.
I've followed this aws guide https://docs.aws.amazon.com/documentdb/latest/developerguide/getting-started.connect.html
Mongo shell command from the EC2 ubuntu machine
mongo --ssl --host mydatabasename.23scnncsd3.eu-west-1.docdb.amazonaws.com:27017 --sslCAFile rds-combined-ca-bundle.pem --username webuser --password mypassword
The error message I receive from within the ubuntu command prompt is below
Error message
MongoDB shell version v3.6.11
connecting to: mongodb://mydatabasename.23scnncsd3.eu-west-1.docdb.amazonaws.com:27017/?gssapiServiceName=mongodb
2019-03-11T21:39:37.587+0000 W NETWOK [thread1] Failed to connect to 172.31.45.184:27017 after 5000ms milliseconds, giving up.
2019-03-11T21:39:37.595+0000 E QUERY [thread1] Error: couldn't connect to server mydatabasename.23scnncsd3.eu-west-1.docdb.amazonaws.com:27017, connection attempt failed :
connect#src/mongo/shell/mongo.js:263:13
#(connect):1:6
exception: connect failed
Am I doing something wrong? Any help appreciated!
Many thanks,
Update
Amazon DocumentDB deploys clusters within a VPC, which act as a strong network boundary to other VPCs and the Internet. When you are connecting to your cluster, ensure that the client machine is in the same region and the same VPC as the cluster.
Alternatively, if your development environment is in a different Amazon VPC, you can also use VPC Peering and connect to your Amazon DocumentDB cluster from another Amazon VPC in the same region or a different region.
For more information on troubleshooting: https://docs.aws.amazon.com/documentdb/latest/developerguide/troubleshooting.html
Connecting to an Amazon DocumentDB cluster from outside a VPC: https://docs.aws.amazon.com/documentdb/latest/developerguide/connect-from-outside-a-vpc.html
Had the same problem.
Availability Zone/VPC/Security Groups are the same for
EC2 instance and DocumentDB instance, but still failed to connect.
For some reason, the US documentation is missing one step that is present in CN documentation.
https://docs.amazonaws.cn/en_us/documentdb/latest/developerguide/connect-ec2.html
All you need to do is to add another inbound rule to the Secutity Group for TCP and 27017 port. This worked for me.
https://i.stack.imgur.com/lOqov.png

Cant connect redis-cli with amazon elastic cache

I have created a redis endpoint on amazon elastic cache and also setup vpc & NAT gateway. I need to connect created redis endpoint with redis-cli. i using command like this
redis-cli -h dev-redis.434dffsdsf.0094.ustyue1.cache.amazonaws.com
But i got error message like this
Could not connect to Redis at dev-redis.a35gy4.0001.use1.cache.amazonaws.com:6379: Connection timed out
I tried with several ways
tried to connect from my local ubuntu machine.
tried to connect from a ec2 instance.
My source code is running on aws lambda. Using aws lambda we can successfully connect to the same redis endpoint.
What is the actual issue with my redis client?
Please check SG of ElastiCache. Redis instance should be accessible to server where you're running Redis CLI.
Option 1 will not work, as ElastiCache instances are not accessible outside of their VPC. From the FAQs: "Amazon ElastiCache Nodes, deployed within a VPC, can never be accessed from the Internet or from EC2 Instances outside the VPC."
Option 2 should work, if the EC2 instance is within the same VPC as the ElastiCache instance.
Adding more details as none of the answers here gave me full clarity
What is security group - security group in AWS is like a firewall.
What should I check in the security group - Check in inbound rules of the security group attached to the Redis if port 6379 is open to IPs within the CIDR (e.g. 192.168.32.0/20) of the EC2 instance from which you tried to access the Redis/ElasticCache