Hi Jazz,
First of all, you should confirm whether your VPC B has connectivity to VPC A; this can be done either via VPC Peering directly or via a Transit Gateway.
After you have the network connectivity established between those 2 VPCs, you need to check both NACL and Security Group to see if the 3306 (MySQL) port is allowed.
For Security Group, it's stateful, so your VPC A private subnet just needs to allow inbound on 3306 from the VPC B IP address range, and VPC B should have outbound allowed to VPC A (by default this is allow all outbound traffic).
For NACL, it's stateless. By default this should be allow all inbound and outbound, but if you have configured rules, you need to make sure the following rules are in place:
- VPC A: allow 3306 inbound and ephemeral ports (normally 1024-65535) outbound to and from VPC B
- VPC B: allow ephemeral ports (normally 1024-65535) inbound and 3306 outbound to and from VPC A
Hope that helps.
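An added example, not part of the original answer: a small Python model of the stateless NACL check described above, walking all four hops of one MySQL connection from VPC B to VPC A. The CIDR ranges, IP addresses and rule numbers are constructed for illustration; the two rule sets mirror the two bullets in the answer.

```python
import ipaddress
from dataclasses import dataclass

# Constructed CIDRs for illustration; the thread does not give the real ranges.
VPC_A = "10.0.0.0/16"      # Aurora MySQL side
VPC_B = "10.1.0.0/16"      # client side
EPHEMERAL = (1024, 65535)  # range quoted in the answer

@dataclass
class Rule:
    number: int
    egress: bool   # True = outbound rule, False = inbound rule
    cidr: str      # source CIDR for inbound, destination CIDR for outbound
    ports: tuple   # destination port range (low, high), TCP assumed
    allow: bool = True

def nacl_allows(rules, egress, peer_ip, dst_port):
    """Lowest-numbered matching rule wins; no match falls through to the implicit deny."""
    peer = ipaddress.ip_address(peer_ip)
    for r in sorted(rules, key=lambda r: r.number):
        if (r.egress == egress and peer in ipaddress.ip_network(r.cidr)
                and r.ports[0] <= dst_port <= r.ports[1]):
            return r.allow
    return False

def mysql_roundtrip(nacl_a, nacl_b, client_ip, db_ip, client_port):
    """A NACL keeps no connection state, so request and reply are checked separately."""
    return {
        "B egress 3306": nacl_allows(nacl_b, True, db_ip, 3306),
        "A ingress 3306": nacl_allows(nacl_a, False, client_ip, 3306),
        "A egress ephemeral": nacl_allows(nacl_a, True, client_ip, client_port),
        "B ingress ephemeral": nacl_allows(nacl_b, False, db_ip, client_port),
    }

# Rule sets as listed in the answer's two bullets.
NACL_A = [Rule(100, False, VPC_B, (3306, 3306)),
          Rule(100, True, VPC_B, EPHEMERAL)]
NACL_B = [Rule(100, True, VPC_A, (3306, 3306)),
          Rule(100, False, VPC_A, EPHEMERAL)]
# Same as NACL_A but without the outbound ephemeral rule: replies are dropped.
NACL_A_NO_RETURN = [NACL_A[0]]

if __name__ == "__main__":
    for name, nacl_a in (("complete", NACL_A), ("no return rule", NACL_A_NO_RETURN)):
        print(name, mysql_roundtrip(nacl_a, NACL_B, "10.1.5.20", "10.0.3.10", 49152))
```

With the return rule missing, the request still reaches port 3306 but the reply never leaves VPC A, which shows up on the client as a connection timeout rather than an authentication error.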
To ensure that a new database user can connect to Aurora MySQL from another VPC using VPC endpoints:
- Verify VPC Endpoint Configuration: Ensure the endpoint service and endpoint are correctly set up.
- Adjust Security Groups: Update the Aurora security group and VPC endpoint security group to allow necessary traffic.
- Check Network ACLs: Ensure NACLs do not block traffic between the VPCs.
- Validate User Permissions: Confirm that the database user has permissions to connect from VPC B.
- Verify Endpoint Policy: Ensure the VPC endpoint policy permits the necessary actions.
- Test Connectivity: Confirm that the network path is open and working from VPC B.
Hi, the entire connection is working when I use the default root, but it is not working when using the newly created user, but that user is working inside VPC A.

Hi, I think the networking should be no problem as the default login is working to connect from the VPC B environment.
What error did you get when connecting with the new user from VPC B? Is it a connection timeout or authentication failed?
The error is
MySQL: Access denied for user 'test'@'localhost' (using password: YES), but the same user can log in from VPC A.