Can't connect to Aurora cluster from AWS Bastion Host


I've successfully created an Aurora cluster, and it's running. I've successfully created a Bastion Host, using the template. It seems to be connected to the right VPC (same one as the Aurora cluster). I can't connect to the Aurora cluster. What I want to do is to use MySQL Workbench. It can connect to the Bastion Host, but it gets an error connecting to the database. I can SSH to the Bastion Host, but can't see the endpoint. Ping, SSH, nothing. I can resolve the endpoint to an IP address, but can't get that address to respond.

This is probably something fundamental and simple, like maybe I have to create some rule in the security group or something. I "think" the Bastion Host is on the VPC, so it shouldn't need a rule, and if it does, I don't know what it would be.

asked 5 years ago · 1034 views
5 Answers

For the Aurora database

1. Click on Services->RDS
2. Click on Databases
3. Click on the DB identifier for the Aurora instance
4. Write down the following information:
    Endpoint :
    VPC security groups:
    Public accessibility
    subnet group:
5. Click on the link for the VPC security groups 
6. Click on the Inbound tab and write down what protocols/Port Range/Sources are allowed. Note: 3306 should be one of the allowed ports. If NO, then click the Edit button, click Add Rule, 3306 for the Port range and for the source enter (for now... later, you can lock down the IP to the Bastion server's private IP address, but let's see if you can first connect).
7. See if you can now connect.

FYI: I verified that I was able to connect from my desktop through a Bastion server.
I will try to help you debug more, if after you follow the above steps, you are still having problems connecting.

answered 5 years ago

port: 3306
vpc: vpc-2f3ca355
vpc security group: AuroraForStripcallSG (sg-05c0596e84b978312)
( active )
default (sg-e5a25ebd)
There is no setting for "public availability"
Subnet group stripcallgroup

The default VPC security group inbound rules are:
All traffic All All sg-e5a25ebd (default)
MYSQL/Aurora TCP 3306
MYSQL/Aurora TCP 3306

I added an inbound rule for
That helped. "Test Connection" in Workbench worked.

However: Your connection attempt failed for user 'admin' to the MySQL server at
Lost connection to MySQL server during query

I waited an hour and tried again, and this time it succeeded, so I actually have Workbench connected and running to the database.

So at least part of the problem is that I need an inbound rule for the Bastion Host. How do I construct that correctly?

answered 5 years ago

Double check your Aurora database instance for "public availability". It should be in the right hand column side of the properties. It should hopefully be "no".

As you mentioned, you will need to add your Bastion server's private IP address to the Security Group. So you will first

1. Services->EC2
2. Click on Instances
3. Click on your Bastion Server instance
4. In the Description tab, on the right hand side column, there will be a Private IP address in the row, Private IPs. Copy this IP address.

Then follow the directions in my earlier message, and instead of, put the <IP address>/32.  For example, if your IP address was, then enter


answered 5 years ago
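The check this thread arrives at, as an added example that is not part of any poster's answer: a Python function that takes one security group in the shape `aws ec2 describe-security-groups` returns and reports whether the bastion can reach port 3306 and which CIDR sources are wider than a single host. The bastion address `10.0.1.25` and the 3306 rules are constructed sample data; only the self-referencing default-group rule is modelled on the one quoted above.

```python
import ipaddress

MYSQL_PORT = 3306

def covers_port(perm, port=MYSQL_PORT):
    """True if an IpPermissions entry applies to TCP `port` ("-1" = all traffic)."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    return proto == "tcp" and perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)

def audit_db_ingress(group, bastion_ip, bastion_sg_ids=()):
    """Report whether the bastion reaches 3306 and which CIDRs exceed one host."""
    bastion = ipaddress.ip_address(bastion_ip)
    allowed_by, too_broad = [], []
    for perm in group.get("IpPermissions", []):
        if not covers_port(perm):
            continue
        for rng in perm.get("IpRanges", []):
            net = ipaddress.ip_network(rng["CidrIp"], strict=False)
            if bastion in net:
                allowed_by.append(str(net))
            if net.prefixlen < net.max_prefixlen:
                too_broad.append(str(net))
        # A group-reference rule admits only interfaces that belong to that group;
        # being in the same VPC is not enough.
        for pair in perm.get("UserIdGroupPairs", []):
            if pair.get("GroupId") in bastion_sg_ids:
                allowed_by.append(pair["GroupId"])
    return {"bastion_allowed": bool(allowed_by), "allowed_by": allowed_by, "too_broad": too_broad}

# Constructed sample data. The self-referencing rule mirrors the default-group rule
# quoted in the thread; the bastion IP and the 3306 rules are made up.
SELF_RULE = {"IpProtocol": "-1", "UserIdGroupPairs": [{"GroupId": "sg-e5a25ebd"}]}

def rule_3306(cidr):
    return {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "IpRanges": [{"CidrIp": cidr}]}

SG_SELF_ONLY = {"IpPermissions": [SELF_RULE]}
SG_WIDE = {"IpPermissions": [SELF_RULE, rule_3306("0.0.0.0/0")]}
SG_LOCKED = {"IpPermissions": [SELF_RULE, rule_3306("10.0.1.25/32")]}
BASTION_IP = "10.0.1.25"

if __name__ == "__main__":
    for name, sg in [("self only", SG_SELF_ONLY), ("wide", SG_WIDE), ("locked", SG_LOCKED)]:
        print(name, audit_db_ingress(sg, BASTION_IP))
```

Passing the bastion's own security group ID in `bastion_sg_ids` covers the alternative of allowing the bastion by group reference instead of by private IP.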

Okay, so that worked, and Workbench has access with the /32. Thank you very much.

I still don't see the public availability setting.

I go to RDS Services->Databases. Select my database. I have a summary, with no Public Availability
I have tabs for Connectivity & security
Logs & events
Maintenance & backups

I look in Connectivity and security and see a security heading on the right, but all it has is the security groups.
I look at Configuration and it has an Availability column, but the only things in that column are IAM db authentication, user name and password.

Dunno where else to look.

answered 5 years ago

I'm closing this. I did get it to work, but there are so many issues in setting up Aurora Serverless to work with Lambda, I've given up entirely and started all over with DynamoDB. This application is a much better fit with a small relational DB, but the complications in using Aurora Serverless with Lambda are way, way too daunting. Thanks again for your help.

answered 5 years ago
