
I have a free account on AWS. I’ve set up an Amazon RDS MySQL database and an EC2 instance. I would like to connect to the database from a shell in the EC2. When I try to do so with this command:

 mysql -h database-1.clyum4kwu2lg.us-west-2.rds.amazonaws.com -u {username} -p

I get

Can't connect to MySQL server on 'database-1.clyum4kwu2lg.us-west-2.rds.amazonaws.com:3306' (110)

They’re both in the same security group. I have the following inbound rules on the group:

Rule ID                 Version  Type          Protocol  Port   Source
sgr-039fbbc8ad9003041   IPv4     SSH           TCP       22     71.38.46.66/32
sgr-0eff695cc6b9c637c   IPv4     MYSQL/Aurora  TCP       3306   71.38.46.66/32
sgr-04d152a98c8ec2356   IPv4     Custom TCP    TCP       8080   0.0.0.0/0

and the following outbound rules:

Rule ID                 Version  Type          Protocol  Port   Destination
sgr-0a1b7e4aebd28bedd   IPv4     All traffic   All       All    0.0.0.0/0

How do I enable connection from the EC2 to the database?

2 Answers

  1. From the details you shared, especially seeing that you have the following inbound rule on the group: sgr-039fbbc8ad9003041 IPv4 SSH TCP 22 71.38.46.66/32, I believe that 71.38.46.66/32 is your public IP address.

    What I’m driving at is that it’s your public IP address that has access to port 3306 (MySQL) in your specified security group inbound rule.

    You need to change this from your public IP to your EC2 instance’s private IP.

    I believe this should fix the issue.

    Of course other things to consider would be your RDS instance and EC2 instance being in the same VPC or peered VPCs.

  2. Please note that resources "in the same security group" cannot communicate by default. This is because security group rules are applied to each resource individually. There actually is no concept of being "in a security group".

    The typical security group configuration for this situation would be to use two security groups:

    • A security group on the EC2 instance (App-SG) that permits the required inbound connections (80, 443) and all outbound connections
    • A security group on the Amazon RDS database (DB-SG) that permits inbound connections on port 3306 (MySQL) from the App-SG

    That is, DB-SG should specifically reference App-SG. This way, any EC2 instance that is associated with App-SG will automatically be able to communicate with the RDS database.

    (Alternatively, you could use a single security group with an inbound rule that says the security group can communicate with itself, but this can lead to misconceptions in future.)

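As an added illustration of the second answer's point (this is not code from the question or from either answerer): a small offline Python check, run against a constructed copy of the question's inbound rules in the shape that `aws ec2 describe-security-groups` returns under "IpPermissions", showing why a public-IP /32 CIDR never matches the instance's private address inside the VPC, while a rule that references App-SG does. The security group id and the private IP are placeholders.

```python
import ipaddress

# Constructed replica of the inbound rules from the question, in the shape that
# `aws ec2 describe-security-groups` returns under "IpPermissions".
QUESTION_RULES = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "71.38.46.66/32"}], "UserIdGroupPairs": []},
    {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
     "IpRanges": [{"CidrIp": "71.38.46.66/32"}], "UserIdGroupPairs": []},
    {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
]

APP_SG_ID = "sg-app-EXAMPLE"  # placeholder id; the page names no security group ids

# Constructed DB-SG as the second answer describes it: 3306 only from App-SG.
DB_SG_RULES = [
    {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
     "IpRanges": [], "UserIdGroupPairs": [{"GroupId": APP_SG_ID}]},
]


def rule_allows(rule, src_sg_id, src_ip, port):
    """Return why `rule` admits traffic from the source, or None if it does not."""
    proto = rule["IpProtocol"]
    if proto not in ("tcp", "-1"):          # "-1" is AWS's "all traffic"
        return None
    if proto == "tcp" and not rule["FromPort"] <= port <= rule["ToPort"]:
        return None
    for pair in rule.get("UserIdGroupPairs", []):
        if pair.get("GroupId") == src_sg_id:  # SG reference: matches by membership
            return f"sg-ref {src_sg_id}"
    addr = ipaddress.ip_address(src_ip)
    for rng in rule.get("IpRanges", []):     # CIDR: matches by the packet's source IP
        if addr in ipaddress.ip_network(rng["CidrIp"]):
            return f"cidr {rng['CidrIp']}"
    return None


def explain_access(rules, src_sg_id, src_ip, port=3306):
    """List every inbound rule reason that lets (src_sg_id, src_ip) reach `port`."""
    reasons = []
    for rule in rules:
        why = rule_allows(rule, src_sg_id, src_ip, port)
        if why:
            reasons.append(why)
    return reasons


if __name__ == "__main__":
    # Inside the VPC the instance sources from its private address (constructed here),
    # not from the public /32 the question allowed, so the original rules admit nothing.
    print(explain_access(QUESTION_RULES, APP_SG_ID, "10.0.1.25"))  # []
    print(explain_access(DB_SG_RULES, APP_SG_ID, "10.0.1.25"))     # ['sg-ref sg-app-EXAMPLE']
```

The same check applied to a live account would take the "IpPermissions" list of the RDS instance's security group and the EC2 instance's group id and private IP; an empty result for port 3306 is the misconfiguration the question describes.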