Can't ping AWS RDS endpoint

8

28

I want to migrate my local MySQL database to Amazon RDS. But first I want to test to see if it is receiving communication. So I try to ping it. But the attempt times out.

ping -c 5 myfishdb.blackOut.us-west-2.rds.amazonaws.com
PING ec2-54-xxx-xxx-118.us-west-2.compute.amazonaws.com (54.xxx.xxx.118): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2
Request timeout for icmp_seq 3

I suspect that I need to open the inbound settings, so I open up the settings to:

SSH TCP 22 72.xxx.xxx.xxx/32

And it still does not work. What do you suppose I am doing wrong? Am I missing anything else?

Return answered 24/3, 2014 at 0:36 Comment(2)
Why do you need SSH access? The whole idea of RDS is that the underlying architecture is managed for you. – Buddhism
You will only be able to open port 3306 on an RDS security group. – Gadoid
37

> So I try to ping it. But the attempt times out.

Ping won't work because the security group blocks all communication by default. You'll have to "poke holes" in the security group firewall to get traffic to your instance.

> SSH TCP 22 72.xxx.xxx.xxx/32 And it still does not work.

Yup. RDS does not allow you to log in to the box via SSH. Only the MySQL port (3306) is open.

> I want to migrate my local MySQL database to Amazon RDS.

Ok, but be careful. DO NOT open up 3306 to the entire Internet (i.e. 0.0.0.0). MySQL was not designed for that, and often has flaws where anyone can break into your database.

You can open 3306 to just your (home) IP address (or the server you'll be using it from.) It should look like "5.5.5.5/32 TCP port 3306". But beware that this isn't great security because other people could see your packets. (MySQL supports encrypted connections, but you have to set them up explicitly.)

The best way to test that a port is open is to telnet to the port. You can test your setup with telnet my.mysql.ip.address 3306. If you get no message, the port is not open. If you get "connected to ..", then your MySQL port is working.

The most secure way to use RDS is from an EC2 instance. You can create trust between the EC2 instance and the RDS security group. Your packets won't travel over the Internet, but only on the AWS network. Other people won't be able to see your packets, because nothing in EC2 allows that.

Namangan answered 24/3, 2014 at 3:4 Comment(3)
Docs imply you can't ping RDS instances regardless of your security group rules. – Palimpsest
Adding ICMP to the security group won't allow you to ping in some cases. I've got a SQL Server instance running in RDS; after adding 0.0.0.0/0 to allow ICMP IPv4, I wasn't getting a ping response. It's a confusing issue and probably a waste of time. The telnet approach worked for me. – Diviner
You can ping RDS; you need to allow ICMP. You may also need to check firewall rules on the machine issuing the ping. If using Windows PowerShell, Test-NetConnection [IP] -Port [Port#] is also helpful. – Lavoie
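
The port test described in the answer above, as an added example that is not part of the original answer: a Python probe that separates a silent timeout (what a security group that does not admit your address produces) from an active refusal, and reads the greeting a MySQL server sends on connect. The function names and the status labels are assumptions of this example.

```python
import socket

def parse_greeting(data):
    """Return the server version from a MySQL protocol-10 greeting, else None."""
    # Packet layout: 3-byte little-endian length, 1-byte sequence id, payload.
    # The payload starts with the protocol version byte (10) followed by a
    # NUL-terminated server version string.
    if len(data) < 6 or data[4] != 0x0A:
        return None
    end = data.find(b"\x00", 5)
    return data[5:end].decode("ascii", "replace") if end != -1 else None

def probe_db_port(host, port=3306, timeout=5.0):
    """Return (status, server_version) for a TCP connection attempt.

    status is "dns-failure", "open", "refused" or "filtered" (labels chosen
    for this example). "filtered" means no answer at all before the timeout.
    """
    try:
        # Resolve first so a mistyped endpoint is not mistaken for a closed port.
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return "dns-failure", None
    status = "filtered"
    for family, socktype, proto, _, addr in infos:
        with socket.socket(family, socktype, proto) as s:
            s.settimeout(timeout)
            try:
                s.connect(addr)
            except ConnectionRefusedError:
                status = "refused"   # host answered, nothing listens on the port
                continue
            except OSError:
                continue             # timeout or unreachable: try the next address
            try:
                greeting = s.recv(256)   # a MySQL server speaks first
            except OSError:
                greeting = b""           # connected, but no greeting arrived
            return "open", parse_greeting(greeting)
    return status, None
```

A result of `("open", None)` means the TCP port accepts connections but did not send a MySQL greeting, which is what a database that waits for the client to speak first would produce.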
14

Amazon RDS is a managed service for relational databases. It does not give access to the low level infrastructure.

http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html

There is no SSH, Telnet or Ping access authorised to an RDS instance.

Seb

Durgy answered 24/3, 2014 at 11:18 Comment(1)
telnet is a generic tool to open a connection to any port. "telnet with port" means you're connecting to the database port. Telnet port (TCP 23) and SSH port (TCP 22) ARE NOT enabled on Amazon RDS instances. – Diabetic
13

"RDS Instances are not configured to accept and respond to an ICMP packet for pings. The only way you can establish connectivity to your RDS instance is through a standard SQL client application."

This means that adding an ICMP rule to a particular RDS security group doesn't make your RDS instance reachable over ICMP.

Alimentary answered 13/8, 2016 at 9:29 Comment(0)
2

Ping is blocked, as others have said. To allow Amazon RDS to connect from your EC2 instance, go to the security groups of your RDS instance, edit the "Inbound" settings, and change "Custom" to "Anywhere". After that you will be able to connect to the DB.

Clear answered 29/6, 2019 at 9:40 Comment(1)
Thanks, changing it in the default security group worked for me. – Cervin
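
The inbound rules discussed on this page (the question's port 22 rule, the "5.5.5.5/32 TCP port 3306" form and the security-group trust from the first answer, and the "Anywhere" source above) can be compared with a small audit, given here as an added example that is not part of any answer. It assumes rules in the `IpPermissions` shape returned by `aws ec2 describe-security-groups`; the sample rule sets, addresses and group id are constructed, and the function names and verdict labels are this example's own.

```python
import ipaddress

def covers_port(perm, port):
    """True if one IpPermissions entry applies to TCP `port`."""
    proto = perm.get("IpProtocol")
    if proto == "-1":               # "-1" = all protocols, all ports
        return True
    return proto == "tcp" and perm["FromPort"] <= port <= perm["ToPort"]

def cidrs(perm):
    """All IPv4 and IPv6 source networks named by one entry."""
    v4 = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    v6 = [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return [ipaddress.ip_network(c, strict=False) for c in v4 + v6]

def audit_db_ingress(permissions, port=3306):
    """List (verdict, source) for every source allowed to reach `port`."""
    findings = []
    for perm in permissions:
        if not covers_port(perm, port):
            continue
        for net in cidrs(perm):
            verdict = "open-to-internet" if net.prefixlen == 0 else "cidr"
            findings.append((verdict, str(net)))
        for pair in perm.get("UserIdGroupPairs", []):
            findings.append(("security-group", pair["GroupId"]))
    return findings

def client_allowed(permissions, client_ip, port=3306):
    """True if some CIDR rule admits `client_ip` on `port`."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip.version == net.version and ip in net
               for perm in permissions if covers_port(perm, port)
               for net in cidrs(perm))

# Constructed rule sets (documentation addresses, placeholder group id).
QUESTION_RULES = [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                   "IpRanges": [{"CidrIp": "203.0.113.10/32"}]}]
ANYWHERE_RULES = [{"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
                   "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]
SCOPED_RULES = [{"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
                 "IpRanges": [{"CidrIp": "203.0.113.10/32"}],
                 "UserIdGroupPairs": [{"GroupId": "sg-EXAMPLE"}]}]
```

With `QUESTION_RULES`, `client_allowed(..., "203.0.113.10")` is false for port 3306, which matches the timeouts in the question: the only rule present covers port 22.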
1

The solution that worked for me is to open the IP:PORT in the security group section.

Ellata answered 19/6, 2019 at 17:26 Comment(0)
0

Public access is supported from Aurora Serverless v2.

https://aws.amazon.com/premiumsupport/knowledge-center/aurora-mysql-connect-outside-vpc/

Yongyoni answered 20/3, 2023 at 7:8 Comment(0)
-1

You can use host from Linux, which is also what AWS says.

host <db_instance_endpoint>

This worked for me even when ping timed out.

Karafuto answered 8/6, 2020 at 11:1 Comment(1)
That's not what AWS says. AWS says: "To find the IP address of the Amazon RDS DB instance, use the host command". Finding the IP address of the RDS DB instance is not the same as connecting to it (like telnetting to the port does). – Maui
-3

AWS security groups block ICMP - which includes pings - by default. You'd have to open up ICMP - blindly trying to open TCP/22 isn't going to do anything.

Farahfarand answered 24/3, 2014 at 2:12 Comment(1)
Docs imply that RDS servers do not respond to pings even if you configure the security groups. – Palimpsest