Bobcares

How to fix: can’t connect to Amazon RDS DB using RDS Proxy

by | Aug 10, 2021

Can’t connect to Amazon RDS DB using RDS Proxy? We can help you with this!

Here, at Bobcares, our AWS customers often report similar issues as a part of our AWS Support Services.

Today, let’s see how our Support Engineers resolve the issue of ‘unable to connect to AWS RDS DB using RDS Proxy’.

 

Can’t connect to Amazon RDS DB using RDS Proxy

 
Amazon RDS Proxy is a fully managed database proxy for Amazon RDS. It makes the applications more scalable as well as more secure.

If we are facing any connectivity issues with the RDS proxy while connecting to Amazon RDS DB, there are several reasons for this connection failure as follows:

  1. The security group settings(RDS proxy/RDS DB instance) prevent the connection.
  2.  No connections from the outside private network will be allowed as the RDS proxy works only within a VPC.
  3. The DB instance will not accept the connection if it is in an unavailable or modified state.
  4. The connection may also be due to the wrong authentication details like username or password.
  5. Also, the IAM role related to the client is not allowed to connect with RDS Proxy.

Now, let see the steps to troubleshoot the connectivity issue.
 

Check the connection to the RDS Proxy in a VPC private network

 
The connections from the outside private network will not be allowed as the RDS proxy works only within a VPC. The connection times out if we try to connect from outside the private network.

  • If our client is from another VPC, we should create a VPC peering connection. It allows two VPCs to communicate with each other using private IP addresses.
  • We must allow the connections from the client in the security group settings if our client is on the same VPC.
  • If the client wants to connect through public internet, we can use SSH Tunneling to connect into the RDS Proxy in the same VPC.
  • We need to use Direct Connect or Site-to-Site VPN to connect to the VPC if the client is from a corporate network,

 

Check the connection of the RDS proxy with the Amazon DB instance

 
RDS proxy performs connection pooling for the RDS/ Aurora DB instance. Connection pooling is used to reduces the issues related to opening and closing connections or keeping many connections at a time.

To establish a connection, it uses the username and password stored in the Secret Manager.

There are some points to be noted to make sure the proper connection of DB instances using the RDS proxy:

  • Always make sure the authentication credentials in the Secret Manager are correct.
  • Check the security group settings of the DB instance that allows the connections from the RDS proxy.
  • The outbound traffic must be allowed to connect to the DB instance as the RDS Proxy initiates the connection for managing the pool. Therefore, in the security group settings, add an outbound rule to allow the connection.
Destination: Security group of the DB instance.

Protocol: TCP

Port range: Port on which the DB engine is running.
  • We need to check if there is proper access to fetch and use the authentication credentials for connection for the IAM role related to the RDS proxy.
  • We have to make sure that the IAM role has the trust policy for rds.amazonaws.com and has access to call secretsmanager:GetSecretValue action on the secret.
  • Also, make sure that the IAM policy has access to call kms:Decrypt action on the AWS KMS. The following shows an example policy.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "secretsmanager:GetSecretValue",
"Resource": [
"arn:aws:secretsmanager:region:account_id:secret:secret_name"
]
},
{
"Effect": "Allow",
"Action": "kms:Decrypt",
"Resource": "arn:aws:kms:region:account_id:key/key_id",
"Condition": {
"StringEquals": {
"kms:ViaService": "secretsmanager.region.amazonaws.com"
}
}
}
]
}
  • If we still facing connectivity issues, we can check the TargetHealth structure in the output from the describe-db-proxy-targets command.
aws rds describe-db-proxy-targets --db-proxy-name $DB_PROXY_NAME

 

Check the permission of IAM role

 
Here, the client should generate a token to authorize the connection request. To generate it, the IAM user and IAM role related to the client must have the rds-db:connect IAM policy.

"Resource": "arn:aws:rds-db:us-west-2:0987654321:dbuser:prx-XYZK43210/db_user"

Also, be sure to use RDS Proxy ID in the ‘ARN’ for the resources attribute in the policy.

The permission check of the IAM role requires only if we have enabled IAM DB Authentication on RDS Proxy.
 

Check that the DB instance is currently accepting connection

 
We can check that the DB instance is currently accepting connections by reviewing the current status of the DB instance. We should confirm that it is in the AVAILABLE state.
 

Check the RDS Proxy logs

 
We can allow logging by enabling the Enhanced Logging feature of the RDS Proxy. It gives detailed information about the SQL statements. It will also help to figure out authentication issues.

[Need help with more AWS queries? We’d be happy to assist]
 

Conclusion

 
To conclude, today we saw the steps followed by our Support Engineers to resolve the issue of ‘can’t connect to Amazon RDS DB using RDS Proxy’.

PREVENT YOUR SERVER FROM CRASHING!

Never again lose customers to poor server speed! Let us help you.

Our server experts will monitor & maintain your server 24/7 so that it remains lightning fast and secure.

GET STARTED

var google_conversion_label = "owonCMyG5nEQ0aD71QM";

0 Comments

Submit a Comment

Your email address will not be published. Required fields are marked *

Never again lose customers to poor
server speed! Let us help you.

Privacy Preference Center

Necessary

Necessary cookies help make a website usable by enabling basic functions like page navigation and access to secure areas of the website. The website cannot function properly without these cookies.

PHPSESSID - Preserves user session state across page requests.

gdpr[consent_types] - Used to store user consents.

gdpr[allowed_cookies] - Used to store user allowed cookies.

PHPSESSID, gdpr[consent_types], gdpr[allowed_cookies]
PHPSESSID
WHMCSpKDlPzh2chML

Statistics

Statistic cookies help website owners to understand how visitors interact with websites by collecting and reporting information anonymously.

_ga - Preserves user session state across page requests.

_gat - Used by Google Analytics to throttle request rate

_gid - Registers a unique ID that is used to generate statistical data on how you use the website.

smartlookCookie - Used to collect user device and location information of the site visitors to improve the websites User Experience.

_ga, _gat, _gid
_ga, _gat, _gid
smartlookCookie
_clck, _clsk, CLID, ANONCHK, MR, MUID, SM

Marketing

Marketing cookies are used to track visitors across websites. The intention is to display ads that are relevant and engaging for the individual user and thereby more valuable for publishers and third party advertisers.

IDE - Used by Google DoubleClick to register and report the website user's actions after viewing or clicking one of the advertiser's ads with the purpose of measuring the efficacy of an ad and to present targeted ads to the user.

test_cookie - Used to check if the user's browser supports cookies.

1P_JAR - Google cookie. These cookies are used to collect website statistics and track conversion rates.

NID - Registers a unique ID that identifies a returning user's device. The ID is used for serving ads that are most relevant to the user.

DV - Google ad personalisation

_reb2bgeo - The visitor's geographical location

_reb2bloaded - Whether or not the script loaded for the visitor

_reb2bref - The referring URL for the visit

_reb2bsessionID - The visitor's RB2B session ID

_reb2buid - The visitor's RB2B user ID

IDE, test_cookie, 1P_JAR, NID, DV, NID
IDE, test_cookie
1P_JAR, NID, DV
NID
hblid
_reb2bgeo, _reb2bloaded, _reb2bref, _reb2bsessionID, _reb2buid

Security

These are essential site cookies, used by the google reCAPTCHA. These cookies use an unique identifier to verify if a visitor is human or a bot.

SID, APISID, HSID, NID, PREF
SID, APISID, HSID, NID, PREF