Why can't I connect to my Amazon RDS for Oracle database instance?
I can't connect to my Amazon Relational Database Service (Amazon RDS) for Oracle DB instance.
The following are the most common reasons for connection issues to an RDS for Oracle DB instance:
- Your security group, network access control lists (network ACLs), or local firewalls are incorrectly configured. Incorrect configurations might block the traffic to the instance.
- Your instance isn't in the Available state.
- You used incorrect user credentials.
- You used the wrong endpoint to connect to the RDS DB instance.
- The connection from the client to the DB instance is incompatible.
- You don't have the required permissions.
Use TNSPING to check the connection
Note: You must install the Oracle client to use the TNSPING utility.
Use the TNSPING utility to check if the Oracle client can connect to the DB instance. If you added the database entry in the tnsnames.ora file, then run the following command to check if RDS for Oracle is reachable:
tnsping <Service Name>
If you didn't add the database entry to the tnsnames.ora file, then run a command similar to the following one:
tnsping "(DESCRIPTION = (ADDRESS_LIST = (ADDRESS = (PROTOCOL = TCP)(HOST = xxxxx-yyyyy.us-east-1.rds.amazonaws.com)(PORT = 1521))) (CONNECT_DATA = (SERVICE_NAME = ORCL)))" TNS Ping Utility for 64-bit Windows: Version 22.214.171.124.0 - Production on 23-JUL-2023 19:48:22 Copyright (c) 1997, 2019, Oracle. All rights reserved. Attempting to contact (DESCRIPTION = (ADDRESS_LIST = (ADDRESS = (PROTOCOL = TCP)(HOST = xxxxx-yyyyy.us-east-1.rds.amazonaws.com)(PORT = 1521))) (CONNECT_DATA = (SERVICE_NAME = ORCL))) OK (210 msec)
If TNSPING confirms that the Oracle client can’t connect to the DB instance, then check the following configurations.
Check VPC settings
If you connect to your DB instance from outside a virtual private cloud (VPC), then confirm that the Publicly Accessible property of your DB instance is set to Yes. If the property is set to No, then the DB instance isn't assigned a public IP address. Only Amazon Elastic Compute Cloud (Amazon EC2) instances and clients inside the VPC can connect to your database through the Amazon RDS private IP address.
For access from different VPCs or on-premises networks, you must configure additional configurations, such as VPC peering or AWS Direct Connect. If the Publicly Accessible property is set to Yes, then clients that are outside the VPC can connect to your DB instance through the internet with an internet gateway.
Check security group settings
Confirm that the security group for your DB instance allows the appropriate incoming traffic to your database. For more information, see Controlling access with security groups.
Check Network ACL settings
Network access control lists (network ACLs) act as a firewall for resources in a specific subnet of a VPC. If your VPC has network ACLs, then confirm that they have rules to allow inbound and outbound traffic to and from your instance. Network ACLs allow all inbound and outbound traffic by default. If your network ACL is more restrictive, then you must explicitly allow traffic to the ephemeral port range.
Check your network or local firewall
Your client connection might have originated from an on-premises network. Confirm that the network allows traffic to and from the ports that your instance uses for inbound and outbound communication. You might need to contact your network administrator for this information.
Check your route table settings
Check that your route table is correctly configured with the associated DB subnet.
To further troubleshoot connection issues, take the following actions:
Run the following command to verify the network connection. Replace the example-rds-endpoint and example-port-number values with the RDS endpoint and port number for your DB instance.
Note: Amazon RDS doesn't support internet control message protocol (ICMP) traffic, including ping.
telnet example-rds-endpoint example-port-number OR curl -v http://<example-rds-endpoint>:<PORT>
Run the nslookup command to confirm that the DNS server on the client side resolves the DB instance's DNS endpoint name to the correct IP address:
Confirm that your DB instance status is in the Available state. Database activities, such as version upgrade, instance class upgrade, or Multi-AZ failover might cause brief outages. Outages might change the DB instance state and cause connection issues.
The connection might reach the DB instance, but the connection still fails. Confirm that the user credentials that you use to connect to the DB instance are accurate. You can reset the primary user password, if required.
Confirm that you have the required permissions to connect to your DB instance.
Use Amazon EC2 to connect to your DB instance
To configure a connection between Amazon EC2 and your DB instance, use the automatic connection feature in the Amazon RDS console.
Note: To use the automatic connection feature, the EC2 instance and DB instance must be in the same VPC.
You can also use the EC2 instance connect endpoint without a bastion host to access resources, such as Amazon RDS, from the AWS Management Console. First, check that your user has the required AWS Identity and Access Management (IAM) permissions to connect to the EC2 connect endpoint. Also, check that the security group for your DB instance allows traffic from the VPC endpoint.
Run the aws ec2-instance-connect open-tunnel command to open a WebSocket tunnel:
aws ec2-instance-connect open-tunnel --instance-connect-endpoint-id "VPC Endpoint ID"--private-ip-address "Private IP"--local-port "random port number to use locally" --remote-port "rds port number"
TNSPING on the Oracle website