In this case, we need to use a TCP-based (Transmission Control Protocol) traceroute approach, specifying the port used by the RDS endpoint. The default port for PostgreSQL databases hosted on Amazon RDS is 5432. The command to perform a TCP-based traceroute to the RDS endpoint would be:
sudo traceroute -T -p 5432 <rds-endpoint-address>
Let's break down the key elements of this command[1]:
- -T: This flag instructs the traceroute command to use TCP packets instead of the default UDP (User Datagram Protocol) packets.
- -p 5432: This flag specifies the destination port to be used for the traceroute. In the case of a PostgreSQL RDS instance, the default port is 5432.
- <rds-endpoint-address>: This is the hostname or IP address of the RDS endpoint you want to trace the network path to.
By using this modified traceroute command, you can effectively trace the network path to the RDS endpoint.
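A TCP-based check is the right idea when the target drops ICMP, and it pays to read the result more finely than "reachable or not". The following is an added example, not code from the answer above: a small Python probe that attempts the TCP handshake to host:port and classifies the outcome. A completed handshake means a listener is there; an immediate refusal means the host answered but nothing listens on that port; a silent timeout is the signature of a security group or network ACL dropping the SYN. The `demo()` function stands in a loopback listener as a constructed substitute for the RDS endpoint so the probe runs offline; `tcp_probe` takes any hostname or address.

```python
"""TCP reachability probe for an endpoint that does not answer ICMP.

Added example, not from the original post. Each outcome points at a
different layer: "open" = service listening, "refused" = host reachable
but port closed, "timeout" = SYN silently dropped (typical of a security
group or NACL), "unreachable" = DNS or local routing failure.
"""
import socket
import sys

DEFAULT_PG_PORT = 5432  # PostgreSQL default port on Amazon RDS


def tcp_probe(host, port, timeout=3.0):
    """Attempt a TCP handshake to host:port and classify the result."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.timeout:
        # No SYN-ACK and no RST inside the timeout: something is dropping
        # the packet, usually a security group or network ACL.
        return "timeout"
    except ConnectionRefusedError:
        # RST came back: the host is reachable, but nothing listens there.
        return "refused"
    except (socket.gaierror, OSError):
        # Name resolution failed or the local stack has no route.
        return "unreachable"


def _local_listener():
    """Constructed stand-in for the database endpoint: a loopback socket
    that accepts connections, so the probe can be demonstrated offline."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port 0 lets the OS pick a free port
    srv.listen(1)
    return srv


def demo():
    """Probe a listening loopback port, then the same port after it closes.

    Returns ("open", "refused"): the second probe shows what a reachable
    host with nothing on the port looks like, as opposed to a timeout.
    """
    srv = _local_listener()
    port = srv.getsockname()[1]
    while_open = tcp_probe("127.0.0.1", port)
    srv.close()
    after_close = tcp_probe("127.0.0.1", port)
    return while_open, after_close


if __name__ == "__main__":
    # Usage: python probe.py <rds-endpoint-address> [port]
    if len(sys.argv) >= 2:
        target = sys.argv[1]
        target_port = int(sys.argv[2]) if len(sys.argv) > 2 else DEFAULT_PG_PORT
        print(target, target_port, tcp_probe(target, target_port))
    else:
        print("offline demo:", demo())
```

When run against a real RDS endpoint from inside the VPC, "open" confirms the network path and the listener; "timeout" is the result to take to the security group and NACL review in the answer below, while "refused" usually means the wrong port or the wrong host.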
The behavior you're experiencing with the traceroute command to your RDS Postgres instance is expected and does not indicate a problem with your RDS instance.
Amazon RDS endpoints are not designed to respond to ICMP requests, which are used by traceroute. This is a security measure implemented by AWS to protect the database instances. As a result, when you attempt to traceroute to an RDS endpoint, you'll typically see a series of asterisks (*) for each hop, indicating that no response was received.
Instead of using traceroute, you should verify connectivity to your RDS instance by attempting to connect to it using the appropriate database client or tool for Postgres. To do this, you'll need the following information:
- The endpoint (hostname) of your RDS instance
- The port number (typically 5432 for Postgres)
- The database name
- Valid database credentials (username and password)
You can find the endpoint and port information in the AWS Management Console under the RDS service, in the "Connectivity & security" tab of your database instance details.
If you're having connectivity issues, ensure that:
- Your security group rules allow inbound traffic on the database port from your client's IP address or security group.
- Your network ACLs (if you're using them) allow both inbound and outbound traffic for the database port.
- If you're connecting from outside the VPC, you have set up the necessary networking components (like VPN or Direct Connect) to reach your VPC.
Remember, the inability to traceroute to the RDS endpoint is normal and doesn't indicate a problem with your database instance or its connectivity.
Sources
Finding the connection information for an Amazon RDS DB instance - Amazon Relational Database Service
Using the Amazon RDS console to retrieve connection information - Amazon Relational Database Service
Amazon RDS doesn't accept internet control message protocol (ICMP) traffic, including ping.
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_Troubleshooting.html
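The first item of the checklist above, confirming that the security group admits your client on the database port, can be checked offline once the rules have been exported. The following is an added example, not code from the answer or from AWS: a Python evaluator that takes inbound rules in the shape of the `IpPermissions` entries the EC2 `DescribeSecurityGroups` API returns and reports which CIDRs admit a given client address on a given TCP port. The `SAMPLE_PERMISSIONS` data is constructed for the example. It evaluates CIDR-based rules only (`IpRanges` and `Ipv6Ranges`); rules that reference another security group via `UserIdGroupPairs`, and network ACLs, are out of scope here. It also flags any rule that opens the port to the whole internet, since that is the finding to fix before anything else.

```python
"""Offline check of a security group's inbound rules against a client.

Added example, not from the original post. Rule dictionaries follow the
IpPermissions shape of the EC2 DescribeSecurityGroups response; the
sample rules below are constructed, not from any real account.
"""
import ipaddress

PG_PORT = 5432

# Constructed sample: what the database's security group might contain.
SAMPLE_PERMISSIONS = [
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
     "IpRanges": [{"CidrIp": "10.0.1.0/24", "Description": "app subnet"}],
     "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
     "Ipv6Ranges": []},
]


def _cidrs(rule):
    """All CIDR strings of a rule, IPv4 and IPv6 alike."""
    v4 = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    v6 = [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    return v4 + v6


def _covers_port(rule, port, protocol):
    """True if the rule's protocol and port range include protocol/port.
    IpProtocol "-1" means all protocols and all ports."""
    proto = rule.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != protocol:
        return False
    return rule.get("FromPort", -1) <= port <= rule.get("ToPort", -1)


def matching_rules(permissions, client_ip, port, protocol="tcp"):
    """Return the CIDRs of rules that admit client_ip on protocol/port.

    Version mismatches (IPv6 client vs IPv4 CIDR) simply fail to match.
    """
    addr = ipaddress.ip_address(client_ip)
    hits = []
    for rule in permissions:
        if not _covers_port(rule, port, protocol):
            continue
        for cidr in _cidrs(rule):
            if addr in ipaddress.ip_network(cidr, strict=False):
                hits.append(cidr)
    return hits


def inbound_allowed(permissions, client_ip, port, protocol="tcp"):
    """True if at least one rule admits the client on protocol/port."""
    return bool(matching_rules(permissions, client_ip, port, protocol))


def overly_broad_rules(permissions, port, protocol="tcp"):
    """CIDRs covering the port that admit any source address (/0).

    A database port open to 0.0.0.0/0 or ::/0 should be tightened to the
    client subnet or security group, whether or not it is the cause of
    the connectivity problem being debugged.
    """
    broad = []
    for rule in permissions:
        if not _covers_port(rule, port, protocol):
            continue
        for cidr in _cidrs(rule):
            if ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
                broad.append(cidr)
    return broad


if __name__ == "__main__":
    print("app host allowed:", inbound_allowed(SAMPLE_PERMISSIONS, "10.0.1.25", PG_PORT))
    print("laptop allowed:  ", inbound_allowed(SAMPLE_PERMISSIONS, "203.0.113.7", PG_PORT))
    print("world-open on 5432:", overly_broad_rules(SAMPLE_PERMISSIONS, PG_PORT))
    print("world-open on 22:  ", overly_broad_rules(SAMPLE_PERMISSIONS, 22))
```

With the sample rules, a client in 10.0.1.0/24 is admitted on 5432 and a client at 203.0.113.7 is not, which is exactly the case that shows up as a timeout rather than a refusal when you test the TCP connection. The SSH rule open to 0.0.0.0/0 is reported as overly broad; the database port is not.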