By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post
About re:Post

Unable to Connect EC2 Instance to RDS Cluster Despite Being in Same VPC

0

Hello AWS Support,

I'm experiencing a connectivity issue between one of my EC2 instances and my RDS PostgreSQL cluster, even though both resources are in the same VPC.

Details: EC2 Instance ID: i-05***************

RDS Cluster ARN: arn:aws:rds:us-west-2:***:cluster:database--

VPC ID: vpc-0f18*****************

Issue: I have two EC2 instances in the same VPC and subnet range. One of them is successfully connecting to the RDS cluster, while the other one (i-05********************) is failing with a timeout error when trying to connect on port 5432.

From the EC2 instance, I get the following error:

telnet database-main-***.cluster-********.us-west-2.rds.amazonaws.com 5432 Trying 1.0.48.124... Connection timed out Troubleshooting Already Done: Verified DNS resolution works (resolves to correct internal IP)

RDS is in ‘Available’ state

Both EC2 and RDS are in same VPC

Compared security groups:

EC2 has:

sg-09*c5b748 (-main-**-db-local)

sg-02************277e90 (ec2-rds-3)

RDS has:

sg-0c05*************** (rds-ec2-3)

sg-011c2************** (rds-ec2-1)

✅ sg-02d2************* is allowed in sg-0c05f**********

⚠️ But sg-090************** is not allowed, which might be the cause

Checked NACLs and route tables — both look correct

No host-based firewall (iptables) blocking port 5432

Tried both psql and telnet commands — both time out

Topics
Networking & Content DeliveryMigration & ModernizationAnalyticsDatabaseCompute
Tags
Amazon VPCAmazon Relational Database ServiceAmazon EC2DatabaseSecurity Group
Language
English
asked 7 days ago40 views
3 Answers
0

Based on the information provided, it appears that the main issue preventing your EC2 instance from connecting to the RDS PostgreSQL cluster is likely related to the security group configuration. Here are the key points and recommendations:

  1. Security Group Mismatch: You've identified that the security group sg-090************** (associated with the EC2 instance) is not allowed in the RDS security group. This is likely the primary cause of the connection timeout.

  2. Security Group Configuration: To resolve this, you should add an inbound rule to the RDS security group (either sg-0c05*************** or sg-011c2**************) that allows traffic from the EC2 instance's security group (sg-090**************) on port 5432.

  3. Verify Other Security Group: Ensure that the other EC2 security group (sg-02************277e90) is also allowed in the RDS security groups if it's meant to have access.

  4. Outbound Rules: Double-check that the EC2 instance's security groups allow outbound traffic to the RDS cluster on port 5432. This is usually allowed by default but worth verifying.

  5. Network ACLs: Although you mentioned that NACLs look correct, it's worth double-checking that they allow both inbound and outbound traffic on port 5432 between the EC2 subnet and the RDS subnet.

  6. Route Tables: Confirm that the route tables for both the EC2 and RDS subnets have the necessary routes to allow traffic between them.

  7. RDS Endpoint: Ensure you're using the correct RDS endpoint for the cluster. The writer instance endpoint should be used for write operations, while reader endpoints can be used for read operations.

  8. Enhanced Monitoring: Consider enabling enhanced monitoring on your RDS instance to get more detailed metrics that might help identify any performance or connectivity issues.

After making these changes, especially adding the EC2 security group to the RDS security group's inbound rules, try connecting again using both telnet and psql. If the issue persists, you may need to review the VPC configuration in more detail or consider enabling RDS logs for more information on connection attempts.

Remember to always follow the principle of least privilege when configuring security groups, only allowing the necessary access required for your application to function.
Sources
Cannot connect to RDS(postgres) from EC2 via application code | AWS re:Post
Troubleshooting connection issues to your Amazon RDS DB instance - Amazon Relational Database Service
My application which is hosted on EC2 instance which is in private subnet is not connecting with RDS which is in private subnet | AWS re:Post
Why can't I access my RDS? | AWS re:Post

answered 7 days ago
0

You mentioned, EC2 and RDS are in same VPC, are these in same subnets as well? If so, the only issue is security group.

Let's say, EC2 security group is sg-ec2 and RDS security group is sg-rds. For sg-ec2, you need an outbound rule for port 5432 to sg-rds. For sg-rds, you need an inbound rule for port 5432 from sg-ec2.

Note, security groups, may have a default outbound rule that allows all traffic to 0.0.0.0/0. If that's the case, then you do not need define the outbound rule explicitly

In case, these are in different subnets, you need additionally check NACLs.

answered 6 days ago
0

To resolve the issue, you need to add an inbound rule to the RDS security group (sg-0c05***************) that allows connections on port 5432 from security group sg-09*c5b748 (or from the specific EC2 instance if you'd prefer to be restrictive). This can be done via the AWS Console or CLI. For example, using the CLI:

aws ec2 authorize-security-group-ingress \
  --group-id sg-0c05*************** \
  --protocol tcp \
  --port 5432 \
  --source-group sg-09*c5b748

Once this rule is in place, the EC2 instance should be able to establish a connection to the RDS endpoint on port 5432.

This kind of issue is relatively common when using multiple security groups or when launching instances from different templates. It’s always a good practice to periodically audit SG-to-SG communication paths when diagnosing connectivity issues within the same VPC.

answered 6 days ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content