To troubleshoot, can your EC2 do nslookup on the RDS DNS name? Does it resolve to a private IP from the RDS VPC CIDR? If so, you can enable VPC flow logs in the VPC where the RDS is, and check if you are seeing the flows getting through that VPC, then to the RDS ENI. If it doesn't resolve, check this condition in bold:
Private IP DNS name (IPv4 only)
You can use the Private IP DNS name (IPv4 only) hostname for communication between instances in the same VPC. You can resolve the Private IP DNS name (IPv4 only) hostnames of other instances in other VPCs as long as the instances are in the same AWS Region and the hostname of the other instance is in the private address space range defined by RFC 1918: 10.0.0.0 - 10.255.255.255 (10/8 prefix), 172.16.0.0 - 172.31.255.255 (172.16/12 prefix), and 192.168.0.0 - 192.168.255.255 (192.168/16 prefix).
You might be blocked because the DNS is not able to resolve the private DNS name, as they are in different regions. Source: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-dns.html
Thank you @AmerO, I've used nslookup/dig on the RDS endpoint, and it resolves to the private IP of the RDS in the RDS VPC CIDR. However, when I used the nc command (nc -zv <rds-host-endpoint> <port>) to test the connection to the RDS, I get the response "failed: No route to host".
Hi Sunday, use the Reachability Analyzer service in your console. First, add the source as the EC2 ENI and the destination as the IP address of the DNS name. Then revalidate the reverse traffic path using Reachability Analyzer. It should be able to tell if anything is blocking you within the EC2 VPC in terms of routing to the right VPC peering, or anything else blocking like an SG or NACL. Again, repeat the same in the account where you have the RDS VPC. In this scenario, use the RDS as the source and the EC2 IP address as the destination.
Thank you @AmerO for the insightful suggestions. I used the Reachability Analyzer and it showed there was no route established. So I had to review my network, and discovered that while I was using a 3-tier architecture, my database subnet route table was not configured to use the VPC peering connection. I updated my database subnet route table with the VPC peering connection and I was able to establish a connection. Once again, thank you very much for pointing me in the right direction.
Great! Please accept the answer if you find this guidance helpful, for the benefit of other users.
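The checks walked through in this thread (does the endpoint resolve to an RFC 1918 address inside the RDS VPC CIDR, and does each subnet's route table send the peer's traffic through the peering connection in both directions), as an added offline example that is not part of the original post. The route entries are constructed to mimic the shape of EC2 route table entries (DestinationCidrBlock plus GatewayId, NatGatewayId or VpcPeeringConnectionId); the CIDRs, IPs and pcx-/igw-/nat- identifiers are placeholders.

```python
import ipaddress
from typing import Optional

# RFC 1918 private address space, as quoted from the VPC DNS docs in the answer above.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def most_specific_route(routes: list, ip: str) -> Optional[dict]:
    """Longest-prefix match over a route table, the way the VPC router picks a route."""
    addr = ipaddress.ip_address(ip)
    matches = [r for r in routes if addr in ipaddress.ip_network(r["DestinationCidrBlock"])]
    if not matches:
        return None
    return max(matches, key=lambda r: ipaddress.ip_network(r["DestinationCidrBlock"]).prefixlen)


def check_path(routes: list, dst_ip: str, label: str) -> Optional[str]:
    """One direction: the subnet's table must send dst_ip through a VPC peering connection."""
    route = most_specific_route(routes, dst_ip)
    if route is None:
        return f"{label}: no route matches {dst_ip}"
    if "VpcPeeringConnectionId" not in route:
        return f"{label}: {dst_ip} matches {route['DestinationCidrBlock']} but not via a peering connection"
    return None


def diagnose(rds_ip: str, rds_vpc_cidr: str, ec2_ip: str, ec2_routes: list, rds_routes: list) -> str:
    """Walk the thread's checks in order and report the first one that fails."""
    addr = ipaddress.ip_address(rds_ip)
    if not any(addr in net for net in RFC1918):
        return "endpoint resolved to a public IP: private DNS is not being used"
    if addr not in ipaddress.ip_network(rds_vpc_cidr):
        return "endpoint resolved to a private IP outside the RDS VPC CIDR"
    # Forward path (EC2 subnet -> RDS), then the reverse path that the thread's fix was about.
    problem = check_path(ec2_routes, rds_ip, "EC2 subnet") or check_path(rds_routes, ec2_ip, "DB subnet")
    return problem or "routing ok in both directions; check security groups and NACLs next"


# Constructed sample tables (placeholders, not from the post): EC2 VPC 10.0.0.0/16 peered with RDS VPC 172.16.0.0/16.
EC2_ROUTES = [
    {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
    {"DestinationCidrBlock": "172.16.0.0/16", "VpcPeeringConnectionId": "pcx-EXAMPLE"},
    {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-EXAMPLE"},
]
# The database subnet table before the fix only knows its own VPC and a NAT default route.
DB_ROUTES_BEFORE = [
    {"DestinationCidrBlock": "172.16.0.0/16", "GatewayId": "local"},
    {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-EXAMPLE"},
]
DB_ROUTES_AFTER = DB_ROUTES_BEFORE + [{"DestinationCidrBlock": "10.0.0.0/16", "VpcPeeringConnectionId": "pcx-EXAMPLE"}]

if __name__ == "__main__":
    print(diagnose("172.16.20.5", "172.16.0.0/16", "10.0.1.10", EC2_ROUTES, DB_ROUTES_BEFORE))
    print(diagnose("172.16.20.5", "172.16.0.0/16", "10.0.1.10", EC2_ROUTES, DB_ROUTES_AFTER))
```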