My application runs a set of tasks launched by Amazon Elastic Container Service (Amazon ECS) on Amazon Elastic Compute Cloud (Amazon EC2) instances. My application can't communicate with the Amazon Relational Database Service (Amazon RDS) database.
Resolution
Verify your network configurations
To verify whether a container instance can establish a TCP connection to the database, complete the following steps for either Linux-based or Windows-based container instances:
For Linux-based container instances:
- Use the key pair that you specified when you launched the container instance to connect with SSH to the instance where your task is placed. (If the instance was launched without a key pair, use AWS Systems Manager Session Manager instead.)
- To connect to your RDS database, run the following command:
$ telnet test.ab12cde3fg4.us-east-1.rds.amazonaws.com 3306
Note: Replace test.ab12cde3fg4.us-east-1.rds.amazonaws.com with your database endpoint. Replace 3306 with your database port.
The output looks similar to the following:
> Trying 172.31.122.28...
> Connected to test.ab12cde3fg4.us-east-1.rds.amazonaws.com.
> Escape character is '^]'.
Important: Telnet isn't pre-installed on Amazon ECS-optimized Amazon Machine Images (AMIs). To install Telnet, run the sudo yum install telnet -y command (sudo dnf install telnet -y on Amazon Linux 2023). If you don't want to install packages on the instance, the bash built-in redirection to /dev/tcp performs the same TCP connect: timeout 5 bash -c 'exec 3<>/dev/tcp/test.ab12cde3fg4.us-east-1.rds.amazonaws.com/3306' && echo connected.
For Windows-based container instances:
Important: Telnet isn't pre-installed on Amazon ECS-optimized Windows AMIs. To install Telnet, use PowerShell as administrator to run the Install-WindowsFeature -Name Telnet-Client command.
- Use the Remote Desktop Protocol (RDP) to connect to the container instance where your task is placed.
- To connect to your RDS database, use either the Windows command prompt or Windows PowerShell to run the following command:
telnet test.ab12cde3fg4.us-east-1.rds.amazonaws.com 3306
Note: Replace test.ab12cde3fg4.us-east-1.rds.amazonaws.com with your database endpoint. Replace 3306 with your database port.
If the connection is established, a blank screen appears (the TCP handshake succeeded; the database has not yet been authenticated). If the connection isn't established and you receive a "Connection timed out" or "Connect failed" error, then complete the following steps. A timeout on an RDS endpoint almost always means that a security group, network ACL, or route table is dropping the traffic, whereas a "Connection refused" error means the host was reached but nothing is listening on that port (usually a wrong port number).
- Check whether the security groups allow access to the RDS database. First identify the security groups attached to the client: use either the DescribeInstances API call or the Security tab for your selected instance ID in the Amazon EC2 console. Then confirm that the security group attached to the RDS instance has an inbound rule for the database port whose source is one of those client security groups (or a CIDR that contains the client's private IP), and that the client security group's outbound rules still allow traffic to the database (the default outbound rule allows all traffic).
Note: In the bridge and host networking modes, the security groups attached to the container instance govern access to the database. In the awsvpc network mode, the security groups associated with the task's elastic network interface when the service or task was launched govern access. As a best practice, create one security group with an inbound rule that allows traffic on the database port from that same security group (a self-referencing rule). Then attach the security group to both the database and the container instance, or, for tasks that use awsvpc, to both the database and the task.
- Check if the network access control list (network ACL) and route table associated with the subnet allow access to the database. For more information, see Why can't I connect to a service when the security group and network ACL allow inbound traffic?
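As an added example that is not part of the original article or of any AWS tooling, the following Python 3 script reproduces the telnet step without installing telnet, classifies the failure so that you know which layer to inspect, and then checks a security group's inbound rules the way the first step above asks you to. It assumes Python 3 on the container instance; the security group document is a constructed sample shaped like the output of aws ec2 describe-security-groups, and the group IDs, CIDRs and IP addresses in it are hypothetical.

```python
import errno
import ipaddress
import socket


def probe_tcp(host, port, timeout=5.0):
    """TCP connect to host:port (what the telnet step does) and classify the result.

    Returns "open", "timeout", "refused", "dns", "unreachable" or "error".
    On an RDS endpoint, "timeout" almost always means a security group, network
    ACL or route table drops the SYN; "refused" means the host answered but
    nothing listens on that port (wrong port); "dns" means the endpoint name
    is wrong or cannot be resolved from this subnet.
    """
    try:
        addrs = socket.getaddrinfo(host, port, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return "dns"
    if not addrs:
        return "dns"
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect(addrs[0][4])
        return "open"
    except socket.timeout:          # subclass of OSError, so it must be caught first
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError as exc:
        if exc.errno in (errno.ENETUNREACH, errno.EHOSTUNREACH):
            return "unreachable"    # no route from this subnet to the target
        return "error"
    finally:
        sock.close()


def sg_allows(db_sg, port, client_sg_ids, client_ip, protocol="tcp"):
    """True if an inbound rule of db_sg (one SecurityGroups[] entry from
    describe-security-groups) admits `protocol`/`port` from a client that
    carries any of client_sg_ids or whose private address is client_ip.
    Managed prefix lists (PrefixListIds) are not evaluated here."""
    ip = ipaddress.ip_address(client_ip)
    for perm in db_sg.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        if proto not in ("-1", protocol):       # "-1" means all protocols
            continue
        if proto != "-1":                        # all-traffic rules carry no port range
            if not perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535):
                continue
        if any(p.get("GroupId") in client_sg_ids for p in perm.get("UserIdGroupPairs", [])):
            return True
        ranges = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        ranges += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        if any(ip in ipaddress.ip_network(c, strict=False) for c in ranges):
            return True
    return False


# Constructed sample: the RDS instance's security group as describe-security-groups
# would return it. Hypothetical IDs; port 3306 is open only to one ECS security group,
# port 5432 only to one subnet CIDR.
DB_SG = {
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-0fedcba9876543210"}]},
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.0.1.0/24"}], "UserIdGroupPairs": []},
    ],
}


def demo_local_probe():
    """Self-check on loopback: an ephemeral listener reads "open",
    a port nobody listens on reads "refused"."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    try:
        return probe_tcp("127.0.0.1", port, 2), probe_tcp("127.0.0.1", 1, 2)
    finally:
        srv.close()


if __name__ == "__main__":
    import sys
    # usage: python probe.py <db-endpoint> <port>
    if len(sys.argv) == 3:
        print(sys.argv[1], sys.argv[2], "->", probe_tcp(sys.argv[1], int(sys.argv[2])))
    print("loopback self-check:", demo_local_probe())
    print("sg-0fedcba9876543210 may reach 3306:", sg_allows(DB_SG, 3306, ["sg-0fedcba9876543210"], "10.0.5.7"))
```

Which client security group IDs to pass to sg_allows depends on the network mode described in the note above: for bridge and host mode, use the container instance's groups (aws ec2 describe-instances); for awsvpc mode, use the groups on the task's elastic network interface (aws ecs describe-tasks shows the networkInterfaceId under attachments, and aws ec2 describe-network-interfaces shows its groups). A True result only proves the security group layer; network ACLs and route tables, covered by the next step, still have to be checked separately.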
Verify the database connection parameters
To verify the database connection parameters, complete the following steps:
- Pass sensitive connection parameters through the secrets section of your container definition rather than the environment section: a secrets entry references a value in AWS Systems Manager Parameter Store or AWS Secrets Manager by its ARN (valueFrom), so the credential never appears in the task definition or in DescribeTaskDefinition output, while plain environment values do. For more information, see How can I pass secrets or sensitive information securely to containers in an Amazon ECS task?
Note: An application uses parameters (such as database endpoint, database port, and database access credentials) to establish a connection with the database. These parameters are usually passed as environment variables to the task.
- If your task's container can establish a TCP connection with the database (the telnet check above succeeds) but can't authenticate, then confirm that the user name and password the task receives match what the database expects. If you can't confirm the stored password, reset the database password and update the parameter or secret that the task references.
- Remove any leading or trailing character spaces from your connection parameters.
Note: Syntax errors can result in a failed connection between your container and the RDS database.
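The following Python 3 function is an added example, not code from the original article, that performs the parameter checks above at container start-up so that a malformed parameter fails fast with a clear message instead of surfacing as an opaque authentication error. The variable names DB_HOST, DB_PORT, DB_USER and DB_PASSWORD are assumptions; substitute the names your application uses. Host, port and user name are stripped of surrounding whitespace (including the trailing newline that a secret created from a file with echo often carries); a password is only flagged, not silently altered, because a password can legitimately end in whitespace and the stored secret should be corrected instead.

```python
import os


REQUIRED = ("DB_HOST", "DB_PORT", "DB_USER", "DB_PASSWORD")  # assumed variable names


def load_db_params(env):
    """Normalize the connection parameters a task receives as environment
    variables or ECS secrets. Returns (params, problems); an empty problems
    list means the values are well-formed (not that they are correct)."""
    params, problems = {}, []
    for name in REQUIRED:
        raw = env.get(name)
        if raw is None or raw.strip() == "":
            problems.append(f"{name} is missing or empty")
            continue
        value = raw.strip()
        if value != raw:
            if name == "DB_PASSWORD":
                problems.append("DB_PASSWORD has leading or trailing whitespace; verify the stored secret")
                value = raw  # never alter a password silently
            else:
                problems.append(f"{name} had leading or trailing whitespace (stripped)")
        params[name] = value

    host = params.get("DB_HOST", "")
    if any(ch in host for ch in ("/", ":", " ")):
        # the endpoint must be the bare DNS name, e.g. test.ab12cde3fg4.us-east-1.rds.amazonaws.com
        problems.append("DB_HOST must be the bare endpoint name without scheme, port or path")

    port = params.get("DB_PORT")
    if port is not None:
        if not port.isdigit() or not 1 <= int(port) <= 65535:
            problems.append(f"DB_PORT {port!r} is not a valid TCP port")
        else:
            params["DB_PORT"] = int(port)
    return params, problems


if __name__ == "__main__":
    checked, issues = load_db_params(os.environ)
    for issue in issues:
        print("config problem:", issue)
    if issues:
        raise SystemExit(1)  # fail the container instead of retrying a doomed connection
```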