GOAL: I'm developing a Docker microservice that uses an MSSQL database.
CURRENT STATUS: I've created a "public" SQL Server Express in RDS. I'm able to successfully connect to MSSQL with SSMS and through my Docker app from external hosts (e.g. my workstation). Connectivity is OK from any client *OUTSIDE *of AWS.
PROBLEM: I'm NOT able to connect to RDS/MSSQL from my EC2 instance:
"nc -zv 54.177.aaa.yyy 1433" from WSL/Ubuntu on my Windows workstation => SUCCESS
"nc -zv 54.177.aaa.yyy 1433" from my EC2/Amazon Linux instance => TIMEOUT
NETWORK CONFIG:
-
RDS:
Subnets:
subnet-0ffd256dfc0e96d51 172.31.aa.bb/20 (us-west-1c)
subnet-07f63aa3154b5858a 172.31.cc.dd/20 (us-west-1b)
Security group:
Security group rule ID  IP    Type   Proto  Port  Source           Description
----------------------  ----  -----  -----  ----  ---------------  -----------
Inbound:
sgr-01632e05c19d1ab5c   IPv4  MSSQL  TCP    1433  76.aa.bb.cc/32
Outbound:
sgr-0ac14e8a107747ce3   IPv4  All    All    All   0.0.0.0/0
-
EC2:
Subnets:
subnet-07f63aa3154b5858a 172.31.aa.bb/20 (usw1-az3)
Security group:
Security group rule ID  IP    Type   Proto  Port  Source           Description
----------------------  ----  -----  -----  ----  ---------------  -----------
Inbound:
sgr-0af81ef7c3f05734d   IPv4  MSSQL  TCP    1433  172.31.aa.bb/20  database-1
sgr-0d678da47ff48b9c4   IPv4  SSH    TCP    22    0.0.0.0/0
Outbound:
sgr-0bf195271e185b07b   IPv4  All    All    All   0.0.0.0/0
Q: What am I missing? What do I need to do to allow my EC2 instance (and presumably Docker containers running on that instance) to access my "public" RDS/MSSQL database?
Additional information:
Most of the links I've found (on Serverfault.com, re:Post, etc.) suggest adding inbound rule(s) to the EC2 security group. I've tried "just about everything", including "source" to the RDS security group, and "all protocols/all ports/0.0.0.0/0" (definitely not advised for production use!). None of them worked.
"nc" and "sqlcmd" ALWAYS work from external hosts (e.g. Windows/WSL), and NEVER work from EC2/Amazon Linux.
nc -zv <<public IP of RDS>> 1433 => TIMEOUT
nc -zv <<private IP of RDS>> 1433 => TIMEOUT
nc -zv <<endpoint hostname of RDS>> 1433 => TIMEOUT
sqlcmd -S << public IP of RDS>> -U admin -P *** -d RDox -C -Q "select ID,SOWID, Q2, Q3 From BoT_Answers;"
wsl => OK
putty/EC2 =>
Sqlcmd: Error: Microsoft ODBC Driver 18 for SQL Server : Login timeout expired.
Sqlcmd: Error: Microsoft ODBC Driver 18 for SQL Server : TCP Provider: Error code 0x102.
Sqlcmd: Error: Microsoft ODBC Driver 18 for SQL Server : A network-related or instance-specific error has occurred while establishing a connection to << public IP of RDS >>. Server is not found or not accessible.
Perfect. My RDS instance is "public". Accessible to ANYBODY. Anybody EXCEPT my Amazon EC2. I was adding Inbound rules to my EC2 security group. WRONG! Per your advice, I added an Inbound rule to my RDS security group instead: Type=MSSQL, Source=my EC2 Security Group ID. It worked like a charm! Thank you!
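As an added illustration (not part of the question or the replies above), here is a small Python model of how the two security groups are evaluated: the decision is made only against the ingress rules of the destination (RDS) group, which is why rules added to the EC2 group never helped. The group IDs and the concrete IP addresses are placeholders constructed for the example; it assumes the instance connects via the RDS endpoint hostname, which resolves to the private address inside the VPC.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set

@dataclass
class Rule:
    proto: str                       # "tcp", "udp", or "-1" for all protocols
    port: Optional[int]              # None means all ports
    cidr: Optional[str] = None       # IPv4 source range, e.g. "76.10.20.30/32"
    source_sg: Optional[str] = None  # or a source security group ID

@dataclass
class SecurityGroup:
    sg_id: str
    ingress: List[Rule] = field(default_factory=list)

def rule_matches(rule: Rule, proto: str, port: int, src_ip: str, src_sgs: Set[str]) -> bool:
    if rule.proto not in ("-1", proto) or (rule.port is not None and rule.port != port):
        return False
    if rule.cidr is not None:
        return ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.cidr)
    # A group reference matches when the sending interface belongs to that group.
    return rule.source_sg in src_sgs

def ingress_allowed(dest: SecurityGroup, proto: str, port: int,
                    src_ip: str, src_sgs: Set[str] = frozenset()) -> bool:
    """Security groups are stateful allow-lists evaluated on the DESTINATION: one
    matching ingress rule on the RDS group admits the connection and the reply is
    allowed automatically, so the client's own ingress rules play no part."""
    return any(rule_matches(r, proto, port, src_ip, src_sgs) for r in dest.ingress)

# Placeholder group IDs (the page shows rule IDs, not group IDs).
EC2_SG, RDS_SG = "sg-EC2-PLACEHOLDER", "sg-RDS-PLACEHOLDER"

def rds_sg_as_posted() -> SecurityGroup:
    # As in the question: only the workstation's /32 may reach 1433 (constructed address).
    return SecurityGroup(RDS_SG, [Rule("tcp", 1433, cidr="76.10.20.30/32")])

def rds_sg_fixed() -> SecurityGroup:
    # The accepted fix: MSSQL ingress on the RDS group sourced from the EC2 group.
    sg = rds_sg_as_posted()
    sg.ingress.append(Rule("tcp", 1433, source_sg=EC2_SG))
    return sg

def check(rds: SecurityGroup):
    workstation = ingress_allowed(rds, "tcp", 1433, "76.10.20.30")
    # Inside the VPC the endpoint resolves to the private address, so the
    # instance arrives from its 172.31.x.x address (constructed) with EC2_SG attached.
    ec2 = ingress_allowed(rds, "tcp", 1433, "172.31.40.5", {EC2_SG})
    return workstation, ec2
```

`check(rds_sg_as_posted())` reproduces the symptom (workstation allowed, EC2 blocked) and `check(rds_sg_fixed())` shows both admitted once the rule is on the RDS group.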