Bobcares

How to fix: can’t connect to Amazon RDS DB using RDS Proxy

by | Aug 10, 2021

Can’t connect to Amazon RDS DB using RDS Proxy? We can help you with this!

Here, at Bobcares, our AWS customers often report similar issues as a part of our AWS Support Services.

Today, let’s see how our Support Engineers resolve the issue of ‘unable to connect to AWS RDS DB using RDS Proxy’.

 

Can’t connect to Amazon RDS DB using RDS Proxy

 
Amazon RDS Proxy is a fully managed, highly available database proxy for Amazon RDS. It pools and shares database connections, which makes applications more scalable, more resilient to database failures, and more secure.

If the RDS Proxy cannot be reached, or the proxy in turn cannot reach the database, the usual causes are the following:

  1. The security group settings (on the RDS Proxy or on the RDS DB instance) block the connection.
  2. The client is outside the VPC. RDS Proxy is reachable only from inside its VPC, so connections from outside the private network time out.
  3. The DB instance is not in the available state (for example, it is being modified or rebooted) and does not accept connections.
  4. The credentials are wrong: the username or password in the proxy's Secrets Manager secret does not match the database.
  5. The IAM user or role the client runs as is not allowed to connect to the RDS Proxy (only relevant when IAM database authentication is enabled on the proxy).

Now, let's see the steps to troubleshoot the connectivity issue.
 

Check the connection to the RDS Proxy in a VPC private network

 
RDS Proxy works only inside a VPC, so no connection from outside the private network is accepted. Such an attempt simply times out rather than being refused.

  • If the client is in another VPC, create a VPC peering connection. It lets the two VPCs talk to each other over private IP addresses.
  • If the client is in the same VPC, allow its security group or private IP range in the inbound rules of the proxy's security group.
  • If the client has to come in over the public internet, use SSH tunneling through a bastion host in the same VPC as the proxy; the proxy endpoint itself is never publicly reachable.
  • If the client is in a corporate network, use AWS Direct Connect or a Site-to-Site VPN to reach the VPC.

 

Check the connection of the RDS proxy with the Amazon DB instance

 
RDS Proxy pools connections to the RDS/Aurora DB instance. Connection pooling reduces the cost of repeatedly opening and closing connections and the strain of holding many connections open at the same time.

To open the pooled connections, the proxy uses the username and password stored in AWS Secrets Manager.

Check the following to make sure the proxy can reach and log in to the DB instance:

  • Make sure the credentials in the Secrets Manager secret are correct and belong to a user that exists on the database.
  • Check that the security group of the DB instance allows inbound connections from the security group of the RDS Proxy.
  • The RDS Proxy initiates the connections that make up the pool, so its security group must allow outbound traffic to the DB instance. Add an outbound rule to the proxy's security group with:
    Destination: Security group of the DB instance.
    Protocol: TCP
    Port range: Port on which the DB engine is listening (3306 for MySQL/MariaDB, 5432 for PostgreSQL).
  • Check that the IAM role attached to the RDS Proxy is allowed to fetch and use the credentials.
  • Make sure that role has a trust policy for rds.amazonaws.com and is allowed to call secretsmanager:GetSecretValue on the secret. A Secrets Manager secret ARN ends in a six-character random suffix, so copy the full ARN from the console rather than typing the secret name.
  • The role also needs kms:Decrypt on the KMS key that encrypts the secret (the AWS managed key aws/secretsmanager by default, or your customer managed key), restricted with a kms:ViaService condition to Secrets Manager. The following is an example policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "secretsmanager:GetSecretValue",
      "Resource": [
        "arn:aws:secretsmanager:region:account_id:secret:secret_name"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "kms:Decrypt",
      "Resource": "arn:aws:kms:region:account_id:key/key_id",
      "Condition": {
        "StringEquals": {
          "kms:ViaService": "secretsmanager.region.amazonaws.com"
        }
      }
    }
  ]
}
  • If the connection still fails, check the TargetHealth structure in the output of describe-db-proxy-targets. Its State, Reason and Description fields tell you whether the proxy itself could reach and authenticate to the target, which separates a proxy-to-DB problem from a client-to-proxy problem:
aws rds describe-db-proxy-targets --db-proxy-name $DB_PROXY_NAME
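The security group checks in this section and in the VPC section above are the same rule-matching exercise applied to three hops: client to proxy (inbound on the proxy's group), proxy to database (outbound on the proxy's group) and database from proxy (inbound on the database's group). The script below is an added example, not code from the original post or from AWS; it evaluates rules in the shape that aws ec2 describe-security-groups returns (IpPermissions / IpPermissionsEgress) and reports which hop is missing a rule. The group IDs sg-proxy, sg-db and sg-app, the CIDR 10.0.1.0/24 and the client address are constructed for the example.

```python
"""Check the security-group hops an RDS Proxy connection depends on.

Security groups are stateful, so only the initiating direction needs a rule:
  client  -> proxy : inbound rule on the proxy's security group
  proxy   -> DB    : outbound rule on the proxy's security group AND
                     inbound rule on the DB instance's security group
Rule dictionaries use the layout of `aws ec2 describe-security-groups`.
All IDs and addresses below are constructed placeholders.
"""
import copy
import ipaddress

DB_PORT = 5432  # PostgreSQL; use 3306 for MySQL/MariaDB


def _port_matches(rule, port):
    proto = rule.get("IpProtocol")
    if proto == "-1":  # "-1" means all protocols and ports
        return True
    if proto != "tcp":
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def _peer_matches(rule, peer):
    """peer is a security-group ID ('sg-...') or a single IP address.

    For inbound rules the peer is the source, for outbound rules the destination;
    describe-security-groups uses the same field names for both."""
    if peer.startswith("sg-"):
        return any(p.get("GroupId") == peer for p in rule.get("UserIdGroupPairs", []))
    ip = ipaddress.ip_address(peer)
    return any(ip in ipaddress.ip_network(r["CidrIp"], strict=False)
               for r in rule.get("IpRanges", []))


def allows(rules, peer, port):
    """True if any rule in the list permits TCP traffic to/from peer on port."""
    return any(_port_matches(r, port) and _peer_matches(r, peer) for r in rules)


def check_path(groups, client, proxy_sg, db_sg, port):
    """Return findings for the missing rules; an empty list means all hops are open."""
    findings = []
    if not allows(groups[proxy_sg]["IpPermissions"], client, port):
        findings.append(f"{proxy_sg}: no inbound rule for {client} on tcp/{port} (client -> proxy)")
    if not allows(groups[proxy_sg]["IpPermissionsEgress"], db_sg, port):
        findings.append(f"{proxy_sg}: no outbound rule to {db_sg} on tcp/{port} (proxy -> DB)")
    if not allows(groups[db_sg]["IpPermissions"], proxy_sg, port):
        findings.append(f"{db_sg}: no inbound rule from {proxy_sg} on tcp/{port} (proxy -> DB)")
    return findings


# Constructed sample: the proxy's default "allow all" egress was replaced by a
# rule that only reaches 443, so the proxy cannot open its pooled connections.
SAMPLE_GROUPS = {
    "sg-proxy": {
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": DB_PORT, "ToPort": DB_PORT,
             "IpRanges": [{"CidrIp": "10.0.1.0/24"}],
             "UserIdGroupPairs": [{"GroupId": "sg-app"}]},
        ],
        "IpPermissionsEgress": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        ],
    },
    "sg-db": {
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": DB_PORT, "ToPort": DB_PORT,
             "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-proxy"}]},
        ],
        "IpPermissionsEgress": [
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        ],
    },
}


def fixed_groups():
    """SAMPLE_GROUPS with the outbound rule the article recommends added to the proxy's group."""
    groups = copy.deepcopy(SAMPLE_GROUPS)
    groups["sg-proxy"]["IpPermissionsEgress"].append(
        {"IpProtocol": "tcp", "FromPort": DB_PORT, "ToPort": DB_PORT,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-db"}]})
    return groups


if __name__ == "__main__":
    for label, groups in (("before fix", SAMPLE_GROUPS), ("after fix", fixed_groups())):
        print(label, check_path(groups, "10.0.1.25", "sg-proxy", "sg-db", DB_PORT) or ["all hops open"])
```

On real data, feed the output of aws ec2 describe-security-groups --group-ids ... into the same functions. A missing proxy-to-DB rule typically shows up in describe-db-proxy-targets as a target whose TargetHealth is not AVAILABLE, while a missing client-to-proxy rule shows nothing on the proxy side at all: the client just times out.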

 

Check the permission of IAM role

 
When IAM database authentication is enabled on the proxy, the client does not send the database password. Instead it generates a short-lived authentication token, and the IAM user or role it runs as must be allowed the rds-db:connect action on the proxy. The Resource in that policy must use the RDS Proxy ID (prx-...), not the resource ID of the DB instance behind it, for example:

"Resource": "arn:aws:rds-db:us-west-2:0987654321:dbuser:prx-XYZK43210/db_user"

Here us-west-2 is the region, 0987654321 stands for the account ID, prx-XYZK43210 is the proxy ID and db_user is the database user the client connects as.

This check is needed only if IAM DB Authentication is enabled on the RDS Proxy; with password authentication it does not apply.
 

Check that the DB instance is currently accepting connection

 
Check that the DB instance is accepting connections by reviewing its status in the RDS console: it must be in the available state. While it is modifying, rebooting or in another transitional state, the proxy's target is unavailable and client connections through the proxy fail or hang until the instance is back.
 

Check the RDS Proxy logs

 
Enable the Enhanced Logging feature of the RDS Proxy to send detailed information to CloudWatch Logs, including the SQL statements passing through the proxy and the reason for each failed authentication. Because of the performance overhead, RDS Proxy turns enhanced logging off automatically after 24 hours; enable it only while debugging, and remember that the logged SQL text can contain sensitive data, so restrict who can read the log group.

 

Conclusion

 
To conclude, today we saw the steps followed by our Support Engineers to resolve the issue of ‘can’t connect to Amazon RDS DB using RDS Proxy’.
