I have a free account on AWS. I’ve set up an Amazon RDS MySQL database and an EC2 instance. I would like to connect to the database from a shell in the EC2. When I try to do so with this command:
mysql -h database-1.clyum4kwu2lg.us-west-2.rds.amazonaws.com -u {username} -p
I get
Can't connect to MySQL server on 'database-1.clyum4kwu2lg.us-west-2.rds.amazonaws.com:3306' (110)
They're both in the same security group. I have the following inbound rules on the group:
sgr-039fbbc8ad9003041  IPv4  SSH           TCP  22    71.38.46.66/32
sgr-0eff695cc6b9c637c  IPv4  MYSQL/Aurora  TCP  3306  71.38.46.66/32
sgr-04d152a98c8ec2356  IPv4  Custom TCP    TCP  8080  0.0.0.0/0
and the following outbound rules:
sgr-0a1b7e4aebd28bedd  IPv4  All traffic   All  All   0.0.0.0/0
How do I enable connection from the EC2 to the database?
2 Answers
From the details you shared, especially seeing that you have the following inbound rule on the group:
sgr-039fbbc8ad9003041  IPv4  SSH  TCP  22  71.38.46.66/32
I believe that 71.38.46.66/32 is your public IP address. What I'm driving at is that it's your public IP address that has access to port 3306 (MySQL) in your specified security group inbound rule.
You need to change this from your public IP to your EC2 instance’s private IP.
I believe this should fix the issue.
Of course other things to consider would be your RDS instance and EC2 instance being in the same VPC or peered VPCs.
Please note that resources "in the same security group" cannot communicate by default. This is because security group rules are applied to each resource individually. There actually is no concept of being "in a security group".
The typical security group configuration for this situation would be to use two security groups:
- App-SG, which permits the required inbound connections (80, 443) and all outbound connections
- DB-SG, which permits inbound connections on port 3306 (MySQL) from App-SG
That is, DB-SG should specifically reference App-SG. This way, any EC2 instance that is associated with App-SG will automatically be able to communicate with the RDS database. (Alternatively, you could use a single security group with an inbound rule that says the security group can communicate with itself, but this can lead to misconceptions in future.)
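The evaluation rule both answers rely on, worked through as an added example that is not part of the original thread: security-group rules are checked per network interface against the source's actual address or attached groups, so a 3306 rule for the asker's public /32 never matches an EC2 instance connecting from inside the VPC. The evaluator below is a toy model written for this page (not an AWS API); the private addresses 10.0.1.25, 10.0.1.99, 10.0.1.5 and 10.0.2.40 and the group ids sg-shared, sg-app, sg-db and sg-bastion are constructed for the example. It models inbound rules only, assuming the "all traffic" outbound rule from the question, and ignores statefulness.

```python
"""Toy model of EC2 security-group inbound evaluation (added example, not AWS code)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """One inbound rule; exactly one of cidr / source_sg is set, as in the console."""
    protocol: str                    # "tcp", "udp", "icmp" or "-1" (all traffic)
    from_port: int
    to_port: int
    cidr: Optional[str] = None       # source CIDR, e.g. "71.38.46.66/32"
    source_sg: Optional[str] = None  # or a referenced security group id


@dataclass
class SecurityGroup:
    sg_id: str
    inbound: List[Rule] = field(default_factory=list)


@dataclass(frozen=True)
class Instance:
    name: str
    private_ip: str          # the address the VPC sees as the source of its traffic
    groups: Tuple[str, ...]  # security groups attached to its network interface


def _matches(rule: Rule, src: Instance, proto: str, port: int) -> bool:
    if rule.protocol != "-1":
        if rule.protocol != proto or not (rule.from_port <= port <= rule.to_port):
            return False
    if rule.cidr is not None:
        return ip_address(src.private_ip) in ip_network(rule.cidr)
    # A group reference matches any interface that has that group attached, whatever
    # its address. Membership is a property of the source interface, not of the
    # destination: two resources "in the same group" get nothing from that alone.
    return rule.source_sg is not None and rule.source_sg in src.groups


def allowed(src: Instance, dst: Instance, proto: str, port: int,
            groups: Dict[str, SecurityGroup]) -> bool:
    """Does any inbound rule on any of dst's groups admit src -> dst:port?"""
    return any(_matches(r, src, proto, port)
               for g in dst.groups for r in groups[g].inbound)


# Constructed topology (assumed addresses; the /32 is the one from the question).
HOME_IP = "71.38.46.66/32"
EC2 = Instance("ec2", "10.0.1.25", ("sg-shared",))
RDS = Instance("rds", "10.0.2.40", ("sg-shared",))


def asker_rules_allow() -> bool:
    """The question's setup: one shared group, 3306 open only to the home /32.
    The EC2 connects from 10.0.1.25, so no rule matches and the TCP connect times out."""
    sg = SecurityGroup("sg-shared", [
        Rule("tcp", 22, 22, cidr=HOME_IP),
        Rule("tcp", 3306, 3306, cidr=HOME_IP),
        Rule("tcp", 8080, 8080, cidr="0.0.0.0/0"),
    ])
    return allowed(EC2, RDS, "tcp", 3306, {"sg-shared": sg})  # False


def private_ip_rule_allows() -> bool:
    """First answer: admit the instance's private IP. Works, but the /32 must be
    edited every time the instance is replaced and gets a new address."""
    sg = SecurityGroup("sg-shared", [Rule("tcp", 3306, 3306, cidr="10.0.1.25/32")])
    return allowed(EC2, RDS, "tcp", 3306, {"sg-shared": sg})  # True


def self_reference_allows() -> bool:
    """Second answer's single-group variant: the group references itself as source."""
    sg = SecurityGroup("sg-shared", [Rule("tcp", 3306, 3306, source_sg="sg-shared")])
    return allowed(EC2, RDS, "tcp", 3306, {"sg-shared": sg})  # True


def two_group_design() -> Tuple[bool, bool, bool]:
    """App-SG / DB-SG as recommended. Returns (app->db, later app instance->db, bastion->db)."""
    groups = {
        "sg-app": SecurityGroup("sg-app", [Rule("tcp", 443, 443, cidr="0.0.0.0/0")]),
        "sg-db": SecurityGroup("sg-db", [Rule("tcp", 3306, 3306, source_sg="sg-app")]),
        "sg-bastion": SecurityGroup("sg-bastion", [Rule("tcp", 22, 22, cidr=HOME_IP)]),
    }
    app = Instance("ec2", "10.0.1.25", ("sg-app",))
    app_later = Instance("ec2-2", "10.0.1.99", ("sg-app",))  # no rule change needed
    bastion = Instance("bastion", "10.0.1.5", ("sg-bastion",))
    rds = Instance("rds", "10.0.2.40", ("sg-db",))
    return (allowed(app, rds, "tcp", 3306, groups),
            allowed(app_later, rds, "tcp", 3306, groups),
            allowed(bastion, rds, "tcp", 3306, groups))  # (True, True, False)


if __name__ == "__main__":
    print("asker's rules:", asker_rules_allow())
    print("private-IP rule:", private_ip_rule_allows())
    print("self-reference:", self_reference_allows())
    print("App-SG -> DB-SG, new app instance, bastion:", two_group_design())
```

The two-group result is the one to aim for: the DB rule names App-SG as its source, so a replacement instance launched with App-SG reaches the database with no rule edits, while a host outside App-SG (the bastion here) is still refused on 3306 even though it sits in the same VPC. On a real account the DB-SG rule is created with `aws ec2 authorize-security-group-ingress --group-id <DB-SG id> --protocol tcp --port 3306 --source-group <App-SG id>`, and the check the asker should run afterwards is the same `mysql -h ... -u ... -p` from the EC2 shell: a connect timeout (errno 110) means no rule matched, whereas an immediate "Access denied" means the rule is now fine and the credentials are the problem.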