
I can connect to RDS/MSSQL DB from everywhere EXCEPT my EC2 instance?


GOAL: I'm developing a Docker microservice that uses an MSSQL database.

CURRENT STATUS: I've created a "public" SQL Server Express in RDS. I'm able to successfully connect to MSSQL with SSMS and through my Docker app from external hosts (e.g. my workstation). Connectivity is OK from any client *OUTSIDE* of AWS.

PROBLEM: I'm NOT able to connect to RDS/MSSQL from my EC2 instance:

"nc -zv 54.177.aaa.yyy 1433" from WSL/Ubuntu on my Windows workstation => SUCCESS
"nc -zv 54.177.aaa.yyy 1433" from my EC2/Amazon Linux instance => TIMEOUT

NETWORK CONFIG:

  • RDS:

       Subnets:
            subnet-0ffd256dfc0e96d51   172.31.aa.bb/20 (us-west-1c)
            subnet-07f63aa3154b5858a   172.31.cc.dd/20 (us-west-1b)
        Security group:
           Security group rule ID IP   Type  Proto Port Source            Description
           ---------------------- --   ----  ----- ---- ------            ------------
      Inbound:
           sgr-01632e05c19d1ab5c  IPv4 MSSQL TCP   1433 76.aa.bb.cc/32
      Outbound:
           sgr-0ac14e8a107747ce3  IPv4 All   All   All  0.0.0.0/0
    
  • EC2:

      Subnets:
           subnet-07f63aa3154b5858a 172.31.aa.bb/20 (usw1-az3)
      Security group:
           Security group rule ID IP   Type  Proto Port Source            Description
           ---------------------- --   ----  ----- ---- ------            ------------
      Inbound:
           sgr-0af81ef7c3f05734d  IPv4 MSSQL TCP   1433    172.31.aa.bb/20   database-1
           sgr-0d678da47ff48b9c4  IPv4 SSH   TCP   22      0.0.0.0/0
      Outbound:
           sgr-0bf195271e185b07b  IPv4 All   All   All     0.0.0.0/0
    

Q: What am I missing? What do I need to do to allow my EC2 instance (and presumably Docker containers running on that instance) to access my "public" RDS/MSSQL database?


Additional information:

Most of the links I've found (on Serverfault.com, re:Post, etc.) suggest adding inbound rule(s) to the EC2 security group. I've tried "just about everything", including "source" to the RDS security group, and "all protocols/all ports/0.0.0.0/0" (definitely not advised for production use!). None of them worked.

"nc" and "sqlcmd" ALWAYS work from external hosts (e.g. Windows/WSL), and NEVER work from EC2/Amazon Linux.

nc -zv <<public IP of RDS>> 1433 => TIMEOUT
nc -zv << private IP of RDS>> 1433 => TIMEOUT
nc -zv <<endpoint hostname of RDS>> 1433 => TIMEOUT

sqlcmd -S << public IP of RDS>> -U admin -P *** -d RDox -C -Q "select ID,SOWID, Q2, Q3 From BoT_Answers;"
    wsl => OK
    putty/EC2 =>
Sqlcmd: Error: Microsoft ODBC Driver 18 for SQL Server : Login timeout expired.
Sqlcmd: Error: Microsoft ODBC Driver 18 for SQL Server : TCP Provider: Error code 0x102.
Sqlcmd: Error: Microsoft ODBC Driver 18 for SQL Server : A network-related or instance-specific error has occurred while establishing a connection to << public IP of RDS >>. Server is not found or not accessible.

1 Answer

You must create an inbound rule in the RDS Security Group allowing inbound traffic from your EC2 private IP or from its Security Group.

Your current RDS Instance SG only allows inbound traffic from (presumably) your IP. By the way, you should hide this IP to avoid exposure.

answered a year ago
  • Perfect. My RDS instance is "public". Accessible to ANYBODY. Anybody EXCEPT my Amazon EC2. I was adding Inbound rules to my EC2 security group. WRONG! Per your advice, I added an Inbound rule to my RDS security group instead: Type=MSSQL, Source=my EC2 Security Group ID. It worked like a charm! Thank you!
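
The rule evaluation behind the accepted answer, as an added example that is not part of the original thread: a small model of how the RDS security group's inbound rules treat each client before and after the fix. The EC2 group's own inbound rules are left out on purpose, since they only govern traffic arriving at the EC2 instance. All addresses, the group ID `sg-ec2-example` and the `172.31.0.0/16` VPC range are constructed or assumed values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

VPC_CIDR = ip_network("172.31.0.0/16")  # assumed VPC range (page shows 172.31.x.x/20 subnets)

@dataclass(frozen=True)
class InboundRule:
    port: int
    cidr: Optional[str] = None       # source given as an IPv4 CIDR
    source_sg: Optional[str] = None  # source given as a security group ID

@dataclass(frozen=True)
class Packet:
    source_ip: str                       # source address as seen by the RDS network interface
    dest_port: int
    sender_groups: Tuple[str, ...] = ()  # groups attached to the sending interface

def inbound_allowed(rules, pkt):
    """Security groups are allow-lists: no matching inbound rule means a silent drop (timeout)."""
    src = ip_address(pkt.source_ip)
    for rule in rules:
        if rule.port != pkt.dest_port:
            continue
        if rule.cidr and src in ip_network(rule.cidr):
            return True
        # A group-reference rule matches the sender's private address only, so it
        # does not cover traffic that left the VPC and came back with a public source.
        if rule.source_sg and src in VPC_CIDR and rule.source_sg in pkt.sender_groups:
            return True
    return False

# Constructed sample values (documentation address ranges, hypothetical group ID).
EC2_SG = "sg-ec2-example"
WORKSTATION = Packet("203.0.113.10", 1433)
EC2_PRIVATE = Packet("172.31.16.25", 1433, (EC2_SG,))      # via endpoint hostname / private IP
EC2_VIA_PUBLIC = Packet("198.51.100.20", 1433, (EC2_SG,))  # via the RDS public IP

RDS_BEFORE = [InboundRule(1433, cidr="203.0.113.10/32")]        # only the workstation /32
RDS_AFTER = RDS_BEFORE + [InboundRule(1433, source_sg=EC2_SG)]  # the answer's fix

if __name__ == "__main__":
    for label, rules in (("before", RDS_BEFORE), ("after", RDS_AFTER)):
        for name, pkt in (("workstation", WORKSTATION), ("ec2 private path", EC2_PRIVATE),
                          ("ec2 public path", EC2_VIA_PUBLIC)):
            print(f"{label:6} {name:17} -> {'allow' if inbound_allowed(rules, pkt) else 'timeout'}")
```

With the group-reference rule in place, the instance should connect through the RDS endpoint hostname, which resolves to the private address inside the VPC; the database stays closed to every other internet source.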
