How do I troubleshoot and resolve connection issues to an RDS for SQL Server instance?

Resolution

Gather information about the connection failure

Take the following actions:

• Note the error message and the error codes, and then check whether the error is intermittent or consistent.
• Collect the logs from the SQL Server and client systems to identify system-wide issues on your SQL Server that runs on Amazon RDS. Logs include event logs and SQL Server error logs.
• If the connections fail from an application, then collect the connection strings from the application. For example, strings for ASP.NET applications are in Web.config files.
• After you note the logs, review them for additional error messages and exceptions.

Verify and test network connectivity

Complete the following steps:

1. Confirm that your client is in the same virtual private cloud (VPC) as the RDS DB instance and make sure that you set up VPC peering.
2. Check that your route tables are correctly configured to let traffic between your client and the DB instance. For more information, see Working with a DB instance in a VPC.
3. To test connectivity to your DB instance, run one of the following commands.
   Telnet:

   telnet RDS_endpoint 1433

   AWS Tools for PowerShell:

   $tcp = New-Object System.Net.Sockets.TcpClient
   try {
       $tcp.Connect("RDS_endpoint", 1433)
       Write-Host "Connection successful"
   } catch {
       Write-Host "Connection failed: $_"
   } finally {
       $tcp.Dispose()
   }

   Note: Replace RDS_endpoint with your RDS endpoint. If the output shows connection fails, then this means that the issue is related to your network configuration.

Verify security group and network ACL configuration

Verify that the DB instance's security group lets inbound traffic on port 1433 or your custom port. The traffic must come from your client's IP address or security group. Then, verify that network access control lists (network ACLs) let traffic between your client and the DB instance.

If the security group doesn't let inbound traffic, then modify the RDS security group. To modify the security group, complete the following steps:

1. Open the RDS console.
2. Select your DB instance's security group.
3. Choose Inbound rules.
4. Enter the following information to modify the rule:
   For Type, use MSSQL.
   For Source, enter your client's IP address or security group ID.
5. Choose Save rules.

Configure SSL/TLS for encrypted connections

Note: If your DB instance has the parameter group value rds.force_ssl to 1, then it allows only encrypted connections. You must configure SSL/TLS certificates to connect to your database. To configure your SSL/TLS certificate, you can use either SQL Server Management Studio (SSMS) or application code.

Download the root CA certificate for your AWS Region or choose the global bundle. Then, import the certificate in your client system.
Note: To download a certificate bundle, you must select the link for the Region that hosts your database.

If you use SSMS, then follow the instructions in Connect to a SQL Server instance on the Microsoft website. When you connect to your DB instance, configure SSMS to trust the server certificate in the connection properties.

If you use application code, then verify that your connection string includes TrustServerCertificate=true. For more information, see Use TrustServerCertificate on the Microsoft website.

Verify TLS version 1.2 compatibility

If you didn't correctly configure TLS, then you might receive the following error message:

"A connection was successfully established with the server, but then an error occurred during the pre-login handshake."

Verify that your client application or driver supports TLS 1.2.

Important: RDS for SQL Server requires TLS 1.2. You can't turn off TLS 1.2 on RDS SQL Server. You can optionally turn on TLS 1.0 or TLS 1.1 with parameter groups if your application only supports these older encryption protocols. However, if you turn on TLS 1.0 or TLS 1.1, then this might expose your environment to security vulnerabilities.

If connection issues persist, then temporarily turn off the rds.force_ssl parameter in your DB instance's parameter group to determine whether SSL causes the connection issue. After you complete the test, turn on the rds.force_ssl parameter.

Troubleshoot client-side issues

If you use SSMS version 20.x to connect to the DB instance, then downgrade to version 19.3. To install SSMS version 19.3, see 19.3 on the Microsoft website. For more information on the SSMS installation, see Install SQL Server Management Studio on the Microsoft website.

If you use an application to connect to your DB instance, then review that you correctly configured your connection string and parameters. Then, check whether your application uses connection pooling and efficiently manages connections.

If you use an Amazon Elastic Kubernetes Service (Amazon EKS) Pod Identity to connect to your DB instance, verify that your application correctly sets and retrieves the environmental variables for DB credentials. Then, verify that the correct network policies are in place to let traffic from the Amazon EKS cluster to the DB instance.

Identify resource-intensive processes

On the RDS console, check CPU utilization, available memory, and storage input/output operations per second (IOPS) to identify whether high resource utilization contributes to connection failures. If your DB instance consistently experiences CPU, memory, or IOPS saturation, then scale up to a larger DB instance class. To identify resources that reach capacity limits, use Performance Insights. For more information, see Troubleshoot high-CPU-usage issues in SQL Server on the Microsoft website.

Or, to identify resource-intensive processes, run the following script:

SELECT TOP 10 s.session_id,
r.status,
r.cpu_time,
r.logical_reads,
r.reads,
r.writes,
r.total_elapsed_time / (1000 * 60) 'Elaps M',
SUBSTRING(st.TEXT, (r.statement_start_offset / 2) + 1,
((CASE r.statement_end_offset
WHEN -1 THEN DATALENGTH(st.TEXT)
ELSE r.statement_end_offset
END - r.statement_start_offset) / 2) + 1) AS statement_text,
COALESCE(QUOTENAME(DB_NAME(st.dbid)) + N'.' + QUOTENAME(OBJECT_SCHEMA_NAME(st.objectid, st.dbid))
+ N'.' + QUOTENAME(OBJECT_NAME(st.objectid, st.dbid)), '') AS command_text,
r.command,
s.login_name,
s.host_name,
s.program_name,
s.last_request_end_time,
s.login_time,
r.open_transaction_count
FROM sys.dm_exec_sessions AS s
JOIN sys.dm_exec_requests AS r ON r.session_id = s.session_id CROSS APPLY sys.Dm_exec_sql_text(r.sql_handle) AS st
WHERE r.session_id != @@SPID
ORDER BY r.cpu_time DESC

After you run the script, check for long-running queries that might block new connections.

Resolve error messages

Troubleshoot the "Timeout expired messages when connecting to SQL Server" error message

If you receive the "Timeout expired messages when connecting to SQL Server" error message, then increase the connection timeout in your client application. Check for long-running queries or processes on the DB instance that might cause delays. For more information, see Timeout expired messages when connecting to SQL Server on the Microsoft website.

Troubleshoot the "Login failed for user" error message

If you receive the "Login failed for user" error message, then take the following actions based on your authentication method.

If you use SQL for authentication, then verify that you use the correct username and password. Then, confirm that the user has the required permissions on the SQL Server instance and the specific database.

If you use Windows for authentication, then take the following actions:

• Verify that your client machine and the RDS for SQL Server instance join the same domain.
• Confirm that the user has the required permissions to access the SQL Server instance and the specific database.
  Note: The minimum permission required to connect to a SQL Server instance or a specific database is the CONNECT permission. At the server level, the CONNECT permission takes the form of the CONNECT SQL permission. SQL Server automatically grants this permission when you create a login or user. However, if the SQL Server doesn't grant the permission during creation, then you must manually assign the CONNECT permission. For more information about permissions, see Get started with database engine permissions on the Microsoft website.
• Check whether the domain user login exists on the RDS for SQL Server instance. If the login doesn't exist, then use the following T-SQL statement to create the login:

  USE [master]
  GO;
  CREATE LOGIN DOMAIN\username FROM WINDOWS WITH DEFAULT_DATABASE='user_database'
  GO

  Note: Replace DOMAIN\USERNAME with your domain name and Windows login.

Troubleshoot the "Forcibly closed" error message

If you receive the "Forcibly closed" connection error message, then take the following actions:

• Check for network interruptions or latency issues between your application and the DB instance.
• Review your DB instance's CPU and memory utilization to confirm that it doesn't exceed capacity.
• Check that the firewall rules don't block the connection between your client and the DB instance, such as rules on transit gateways or private firewalls.
• Confirm that your security groups allow connection to your DB instance.
• If the issue persists, then increase the connection timeout in your application's connection string.
• Turn on Performance Insights. Then, check your metrics in Performance Insights for blocking and deadlocks. For more details refer to Monitoring DB load with Performance Insights on RDS.

Important: Performance Insights will reach its end of life on June 30, 2026. You can upgrade to the Advanced mode of Database insights before June 30, 2026. If you don't upgrade, then DB clusters that use Performance Insights will default to the Standard mode of Database Insights. Only the Advanced mode of Database Insights will support execution plans and on-demand analysis. If your clusters default to the Standard mode, then you might not be able to use these features on the console. To turn on the Advanced mode, see Turning on the Advanced mode of Database Insights for Amazon RDS and Turning on the Advanced mode of Database Insights for Amazon Aurora.

Related information

Analyzing RDS database workloads with Performance Insights

Troubleshooting for RDS

Using SSL with a Microsoft SQL Server DB instance

Recommended prerequisites and checklist for troubleshooting SQL Server connectivity issues on the Microsoft website