Unable to connect with RDS which is in a private subnet and it's under a NAT gateway


Trying to connect to MySQL RDS through a VM machine by using a MySQL connection string. RDS is in a private subnet and publicly accessible is also set to false. The private subnet route table is mapped with a NAT Gateway.

When I'm trying to connect with RDS, I'm getting the below error:

Can't connect to MySQL server on 'a-so.rds.amazonaws.com:3306' (10060)

I need to connect with RDS. Any suggestions to connect with RDS?

2 Answers

Hi Subha,

Your connection error likely stems from security group or NAT Gateway configuration. Here I will provide

Check Security Groups:

  1. Ensure the RDS security group allows inbound traffic on port 3306 from your VM's security group ID.
  2. Verify your VM's security group allows outbound traffic on port 3306 to the RDS endpoint (not the public DNS).

Verify NAT Gateway:

  1. Confirm the private subnet's route table is associated with the NAT Gateway.
  2. Make sure the NAT Gateway is launched in a public subnet with internet access.

Test Connectivity:

From your VM, try pinging the NAT Gateway's public IP to ensure network reachability.

Referral link: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-security-groups.html

answered 2 months ago
  • Thanks for your update. I have tried the shared update, but for me, while testing the ping command in the VM using the NAT gateway public IP address, it doesn't work and shows a request timed out error. My NAT gateway has a public subnet with an internet gateway connected to that subnet.


It looks like you need to make sure the MySQL 3306 port is opened.
I hope the below knowledge will help you.

How can I connect to a private Amazon RDS DB instance from a local machine using an Amazon EC2 instance as a bastion host? https://repost.aws/knowledge-center/rds-connect-ec2-bastion-host

Also, please refer to the AWS document.

Can't connect to Amazon RDS DB instance https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_Troubleshooting.html#CHAP_Troubleshooting.Connecting

answered 2 months ago
  • Thanks for your update. My RDS security group rule is added, that is, it should allow port 3306 and also allow all traffic from anywhere. Even though it has the rule, I am facing a problem on connecting.
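
An added example, not part of the original thread or of either answer: error 10060 in the question is the Winsock connection-timeout code, so a single TCP handshake to port 3306 from the VM shows whether the attempt times out, is refused, or succeeds. The hostname is a placeholder, and `probe` and `HINTS` are names chosen for this example.

```python
import ipaddress
import socket

# Placeholder endpoint (assumption); substitute your own RDS endpoint name.
ENDPOINT = "mydb.example.invalid"

# What each outcome usually points to when the target is an RDS endpoint.
HINTS = {
    "open": "TCP handshake completed; remaining problems are credentials or TLS.",
    "timeout": "Packets dropped silently: check the RDS security group inbound "
               "rule for 3306, network ACLs, and that the client has a network "
               "path into the VPC (Winsock reports this as 10060).",
    "refused": "Host reachable but nothing listening on that port (Winsock "
               "10061): check the port configured on the DB instance.",
    "dns_failure": "Endpoint name did not resolve: check the hostname and DNS.",
    "unreachable": "No route to the address: check routing from the client.",
}

def probe(host, port=3306, timeout=5.0):
    """Attempt one TCP handshake and classify the outcome."""
    try:
        infos = socket.getaddrinfo(host, port, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return {"status": "dns_failure", "detail": str(exc)}
    ip = infos[0][4][0]
    # An instance that is not publicly accessible resolves to a private
    # address, which only answers from inside the VPC or a connected network.
    result = {"ip": ip, "private_ip": ipaddress.ip_address(ip).is_private}
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((ip, port))
        result["status"] = "open"
    except (socket.timeout, TimeoutError):
        result["status"] = "timeout"
    except ConnectionRefusedError:
        result["status"] = "refused"
    except OSError as exc:
        result["status"] = "unreachable"
        result["detail"] = str(exc)
    finally:
        sock.close()
    return result

if __name__ == "__main__":
    outcome = probe(ENDPOINT)
    print(outcome)
    print(HINTS[outcome["status"]])
```

Run it on the machine that fails to connect; the `private_ip` field tells you whether that machine must be inside the VPC to reach the address at all.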
