It is pretty straightforward to create a new database in AWS RDS. But when you want an instance that is meant to be publicly accessible, and you have ticked the public accessibility option in the Create Database wizard, you still cannot connect to it from, say, your client code or a tool such as MySQL Workbench.
This post is going to address the details that AWS RDS expects you to fill in even after you specify an instance to be publicly accessible.
How to connect to public RDS and EC2 instances
To enable internet access, the following 4 requirements must be met according to AWS Docs and I quote them here:
- Attach an internet gateway to your VPC.
- Add a route to your subnet’s route table that directs internet-bound traffic to the internet gateway. If a subnet is associated with a route table that has a route to an internet gateway, it’s known as a public subnet. If a subnet is associated with a route table that does not have a route to an internet gateway, it’s known as a private subnet.
- Ensure that instances in your subnet have a globally unique IP address (public IPv4 address, Elastic IP address, or IPv6 address).
- Ensure that your network access control lists and security group rules allow the relevant traffic to flow to and from your instance.
As of 2020, when you create a new RDS instance and select to make it public, the first 3 requirements are automatically met.
It’s the 4th requirement – allowing public access in Security Groups – that was the problem for me.
So we are going to create a new security group that allows all sorts of public inbound connections.
Create a new Security Group
- Open AWS VPC console.
- In the left side panel, select Security > Security Groups.
- Click Create Security Group.
- Provide a name and description, and associate it with your intended VPC (most probably your default VPC).
- After the group is created, select its checkbox and click the Inbound Rules tab. Click Edit Rules.
- Click Add Rule and enter the following details in the respective columns:
  - Type: All Traffic
  - Protocol: All
  - Port Range: All
  - Source: Custom
- Click Save Rules.
Assign public Security Group to instance
Existing RDS instance
For an existing AWS RDS instance, you can assign the public security group like this:
- Open AWS RDS Console.
- Under Databases, click your database. Then click Modify.
- Under Network & Security > Security Group, select the newly created public Security Group.
- Set Public Accessibility to Yes.
- Click Continue.
Note: You will be notified that if you want the changes to take effect immediately, there will be some downtime. It is up to you to decide.
New RDS Instance
If you are creating a new AWS RDS instance now, in the Create Database wizard you can select the Security Group under Connectivity > Additional connectivity configuration.
Also, select Yes for Publicly Accessible.
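The same configuration expressed as Terraform, as an added example that is not part of the original post. It assumes placeholder values for the VPC id, the client address range and the master password (supplied from the environment, not the source); the console steps above open All Traffic, while this version shows the narrower rule a practitioner would prefer, with a comment on how to reproduce the open rule.

```hcl
# Added example: Terraform equivalent of the console steps in this post.
# Placeholder values; replace vpc_id, client_cidr and the password variable.
variable "vpc_id"          { default = "vpc-PLACEHOLDER" }
variable "client_cidr"     { default = "203.0.113.10/32" }  # constructed: the address you connect from
variable "master_password" { sensitive = true }             # set via TF_VAR_master_password

# Step "Create a new Security Group": the group that lets remote clients in.
resource "aws_security_group" "rds_public" {
  name        = "rds-public-access"
  description = "Allow remote MySQL clients to reach the RDS instance"
  vpc_id      = var.vpc_id

  # The post's console rule is Type: All Traffic / Protocol: All / Port Range: All.
  # Narrower equivalent: only the MySQL port, only from the known client range.
  ingress {
    description = "MySQL from known clients"
    from_port   = 3306
    to_port     = 3306
    protocol    = "tcp"
    cidr_blocks = [var.client_cidr]   # ["0.0.0.0/0"] reproduces the post's open rule
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Step "Assign public Security Group to instance": the Modify -> Network & Security
# and Public Accessibility settings, applied at creation time.
resource "aws_db_instance" "public_mysql" {
  identifier             = "my-public-db"
  engine                 = "mysql"
  instance_class         = "db.t3.micro"
  allocated_storage      = 20
  username               = "admin"
  password               = var.master_password
  publicly_accessible    = true
  vpc_security_group_ids = [aws_security_group.rds_public.id]
  skip_final_snapshot    = true
}
```

Requirements 1 to 3 (internet gateway, public route, public address) are still left to the VPC this points at, exactly as with the console wizard.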
Test your remote connection to RDS
Now open up a database tool. I am going to use MySQL Workbench to test the connection.
You are going to need the hostname, master username, password and port of your RDS instance. These details can be found on the RDS instance’s details page.
Enter the details and try to connect. You should be able to connect now.
If you still cannot connect, one or more of the 4 requirements quoted above from the AWS RDS docs is not met:
- Is your VPC attached to an internet gateway? If not, attach it.
- Does your subnet’s route table contain a route that allows public access? If not, add a public route to it.
- Ensure your instance has a public IP address.
- Ensure your Network ACLs and Security Groups allow public access. If adding the Security Group as described in this post doesn’t fix the problem, check your Network ACLs.
But as I mentioned earlier, creating a Security Group that allows public access and attaching it to an instance is what was the problem in my case.
This post shows how to connect to an AWS RDS database from outside the VPC, i.e., from the internet. AWS has to authorise this request using the RDS instance credentials, but providing the credentials alone is not enough: we also have to set security group rules in the VPC. Once that configuration is done, any client can connect to RDS, including MySQL Workbench.