# Fix AWS EC2 to RDS Connection Issues

Your EC2 instance can't connect to your RDS database. You see errors like "Connection timed out", "Could not connect to server", or "Network is unreachable". Both resources are in AWS, but they can't communicate.

This is typically a networking or security group configuration issue. Let's diagnose and fix it.

## Introduction

This article covers troubleshooting steps and solutions for EC2 to RDS connection failures. The error typically occurs in production environments and can cause service disruptions if not addressed promptly.

## Symptoms

Common error messages include:

- "Connection timed out"
- "Could not connect to server"
- "Network is unreachable"

## Common Causes

  • Configuration misconfiguration
  • Missing or incorrect credentials
  • Network connectivity issues
  • Version compatibility problems
  • Resource exhaustion or limits
  • Permission or access denied

## Step-by-Step Fix

Check EC2 instance details:

```bash
aws ec2 describe-instances \
  --instance-ids i-1234567890abcdef0 \
  --query 'Reservations[*].Instances[*].[InstanceId,VpcId,SubnetId,SecurityGroups[*].GroupId]' \
  --output table
```

Check RDS instance details:

```bash
aws rds describe-db-instances \
  --db-instance-identifier my-database \
  --query 'DBInstances[*].[DBInstanceIdentifier,VpcSecurityGroups[*].VpcSecurityGroupId,DBSubnetGroup.VpcId,Endpoint.Address,Endpoint.Port]' \
  --output table
```

Test connectivity from EC2:

```bash
# SSH into EC2 and test
ssh -i key.pem ec2-user@ec2-public-ip

# Test port connectivity
nc -zv my-database.xxxxx.us-east-1.rds.amazonaws.com 5432

# Or use telnet
telnet my-database.xxxxx.us-east-1.rds.amazonaws.com 5432

# Check DNS resolution
nslookup my-database.xxxxx.us-east-1.rds.amazonaws.com
```

## Common Causes and Solutions

### Cause 1: Different VPCs

EC2 and RDS must be in the same VPC or connected via VPC peering.

```bash
# Check VPC IDs
aws ec2 describe-instances --instance-ids i-1234567890abcdef0 --query 'Reservations[*].Instances[*].VpcId'
aws rds describe-db-instances --db-instance-identifier my-database --query 'DBInstances[*].DBSubnetGroup.VpcId'
```

Solution: If VPCs differ, create VPC peering:

```bash
# Create peering connection
aws ec2 create-vpc-peering-connection \
  --vpc-id vpc-ec2-12345 \
  --peer-vpc-id vpc-rds-67890

# Accept peering (in the other VPC's account if cross-account)
aws ec2 accept-vpc-peering-connection \
  --vpc-peering-connection-id pcx-12345678

# Find the route table(s) of the EC2 VPC
aws ec2 describe-route-tables \
  --filters "Name=vpc-id,Values=vpc-ec2-12345" \
  --query 'RouteTables[*].RouteTableId'

# Add route in EC2 VPC to reach RDS VPC
aws ec2 create-route \
  --route-table-id rtb-ec2 \
  --destination-cidr-block 10.0.2.0/24 \
  --vpc-peering-connection-id pcx-12345678

# Add route in RDS VPC to reach EC2 VPC
aws ec2 create-route \
  --route-table-id rtb-rds \
  --destination-cidr-block 10.0.1.0/24 \
  --vpc-peering-connection-id pcx-12345678
```

### Cause 2: Security Group Blocking Access

The RDS security group must allow traffic from the EC2 security group or IP.

```bash
# Get EC2 security group
aws ec2 describe-instances \
  --instance-ids i-1234567890abcdef0 \
  --query 'Reservations[*].Instances[*].SecurityGroups[*].GroupId'

# Get RDS security group
aws rds describe-db-instances \
  --db-instance-identifier my-database \
  --query 'DBInstances[*].VpcSecurityGroups[*].VpcSecurityGroupId'

# Check RDS security group rules
aws ec2 describe-security-groups \
  --group-ids sg-rds-12345 \
  --query 'SecurityGroups[*].IpPermissions[*]'
```

Solution: Add inbound rule to RDS security group:

```bash
# Option 1: Allow from EC2 security group (recommended)
aws ec2 authorize-security-group-ingress \
  --group-id sg-rds-12345 \
  --protocol tcp \
  --port 5432 \
  --source-group sg-ec2-67890

# Option 2: Allow from EC2 private IP
aws ec2 authorize-security-group-ingress \
  --group-id sg-rds-12345 \
  --protocol tcp \
  --port 5432 \
  --cidr 10.0.1.50/32

# Option 3: Allow from EC2 subnet CIDR
aws ec2 authorize-security-group-ingress \
  --group-id sg-rds-12345 \
  --protocol tcp \
  --port 5432 \
  --cidr 10.0.1.0/24
```
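Reading `IpPermissions` by eye is error-prone when a group has many rules, so here is an added Python example (not from the original article) that applies the three options above to a constructed `describe-security-groups` result. The group IDs, CIDR and private IP are the article's placeholders; the 3306 rule is constructed to show that a CIDR match on the wrong port does not count.

```python
import ipaddress

# Constructed sample of the "IpPermissions" list that
# `aws ec2 describe-security-groups --group-ids sg-rds-12345` returns for the RDS group.
# The first rule is for a different engine's port; only the second admits the EC2 group on 5432.
RDS_SG_PERMISSIONS = [
    {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
     "IpRanges": [{"CidrIp": "10.0.1.0/24"}], "UserIdGroupPairs": []},
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
     "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-ec2-67890"}]},
]


def _port_covered(perm, port):
    """True if this permission covers TCP `port` (an IpProtocol of "-1" means everything)."""
    if perm["IpProtocol"] == "-1":
        return True                      # all-traffic rules carry no FromPort/ToPort
    if perm["IpProtocol"] != "tcp":
        return False
    return perm["FromPort"] <= port <= perm["ToPort"]


def rds_sg_allows(permissions, port, ec2_sg_ids, ec2_private_ip):
    """Return which inbound rule admits the EC2 instance on `port`, or None if none does.

    Security groups are allow-only, so one matching rule is enough. A rule matches by
    referenced source group (Option 1) or by a CIDR containing the instance's private IP
    (Options 2 and 3).
    """
    ip = ipaddress.ip_address(ec2_private_ip)
    for perm in permissions:
        if not _port_covered(perm, port):
            continue
        for pair in perm.get("UserIdGroupPairs", []):
            if pair.get("GroupId") in ec2_sg_ids:
                return f"source-group {pair['GroupId']}"
        for rng in perm.get("IpRanges", []):
            if ip in ipaddress.ip_network(rng["CidrIp"], strict=False):
                return f"cidr {rng['CidrIp']}"
    return None
```

Feed it the real `IpPermissions` array, the instance's `SecurityGroups[*].GroupId` list and its `PrivateIpAddress`; a `None` result means no rule admits the instance on the RDS endpoint port.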

### Cause 3: Wrong Subnet Group

RDS must be in a subnet that can route to the EC2 subnet.

```bash
# Check RDS subnet group
aws rds describe-db-subnet-groups \
  --db-subnet-group-name my-subnet-group \
  --query 'DBSubnetGroups[*].Subnets[*].[SubnetIdentifier,SubnetAvailabilityZone.Name]'

# Check EC2 subnet
aws ec2 describe-instances \
  --instance-ids i-1234567890abcdef0 \
  --query 'Reservations[*].Instances[*].[SubnetId,Placement.AvailabilityZone]'
```

Solution: Ensure both are in subnets with proper routing:

```bash
# Check route tables
aws ec2 describe-route-tables \
  --filters "Name=association.subnet-id,Values=subnet-ec2" \
  --query 'RouteTables[*].Routes[*]'

# Ensure a route to the RDS subnet exists:
# - same VPC: the "local" route handles it automatically
# - different VPCs: a route via the peering connection is required
```

### Cause 4: RDS Not Publicly Accessible

If connecting from outside the VPC, RDS must be publicly accessible.

```bash
# Check public accessibility
aws rds describe-db-instances \
  --db-instance-identifier my-database \
  --query 'DBInstances[*].PubliclyAccessible'
```

Solution: For EC2 in same VPC, this doesn't matter. For external access:

```bash
# Enable public access (not recommended for production)
aws rds modify-db-instance \
  --db-instance-identifier my-database \
  --publicly-accessible \
  --apply-immediately
```

Better approach: use a bastion host:

```bash
# SSH tunnel through bastion
ssh -i bastion-key.pem -L 5432:my-database.xxxxx.us-east-1.rds.amazonaws.com:5432 ec2-user@bastion-public-ip

# Then connect to localhost:5432
psql -h localhost -p 5432 -U admin -d postgres
```

### Cause 5: Network ACL Blocking

Network ACLs might block traffic at the subnet level.

```bash
# Check NACL for EC2 subnet
aws ec2 describe-network-acls \
  --filters "Name=association.subnet-id,Values=subnet-ec2-12345" \
  --query 'NetworkAcls[*].Entries[*]'

# Check NACL for RDS subnet
aws ec2 describe-network-acls \
  --filters "Name=association.subnet-id,Values=subnet-rds-67890"
```

Solution: Ensure the NACLs allow the database port in both directions. NACLs are stateless, so the RDS subnet needs an inbound rule for the database port and an outbound rule for the reply traffic to the client's ephemeral ports, and the EC2 subnet's NACL needs the mirror-image pair:

```bash
# Add inbound rule (if needed)
aws ec2 create-network-acl-entry \
  --network-acl-id acl-rds \
  --rule-number 100 \
  --protocol tcp \
  --port-range From=5432,To=5432 \
  --rule-action allow \
  --cidr-block 10.0.1.0/24 \
  --ingress

# Add outbound rule (for the response to the client's ephemeral ports)
aws ec2 create-network-acl-entry \
  --network-acl-id acl-rds \
  --rule-number 100 \
  --protocol tcp \
  --port-range From=1024,To=65535 \
  --rule-action allow \
  --cidr-block 10.0.1.0/24 \
  --egress
```
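Because NACLs are stateless and evaluated in ascending rule-number order, a single low-numbered deny silences a later allow on the reply leg, which is easy to miss when reading `Entries` by hand. This added Python example (not from the original article) evaluates constructed NACL entries for both the request and the reply leg; rule 50 is a constructed deny included only to show the ordering effect, and the CIDRs and ports are the article's placeholders.

```python
import ipaddress

# Constructed sample of the "Entries" list that
# `aws ec2 describe-network-acls --filters Name=association.subnet-id,Values=subnet-rds-67890`
# returns. RuleNumber 32767 is the implicit default-deny entry (shown as "*" in the console).
# Rule 50 is a constructed deny that demonstrates order beating the later allow.
RDS_NACL_ENTRIES = [
    {"RuleNumber": 100, "Egress": False, "Protocol": "6", "RuleAction": "allow",
     "CidrBlock": "10.0.1.0/24", "PortRange": {"From": 5432, "To": 5432}},
    {"RuleNumber": 100, "Egress": True, "Protocol": "6", "RuleAction": "allow",
     "CidrBlock": "10.0.1.0/24", "PortRange": {"From": 1024, "To": 65535}},
    {"RuleNumber": 50, "Egress": True, "Protocol": "-1", "RuleAction": "deny",
     "CidrBlock": "10.0.1.50/32"},
    {"RuleNumber": 32767, "Egress": False, "Protocol": "-1", "RuleAction": "deny",
     "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 32767, "Egress": True, "Protocol": "-1", "RuleAction": "deny",
     "CidrBlock": "0.0.0.0/0"},
]

def _entry_matches(entry, peer_ip, port):
    """Does this entry cover TCP traffic to/from peer_ip on `port`?"""
    if ipaddress.ip_address(peer_ip) not in ipaddress.ip_network(entry["CidrBlock"], strict=False):
        return False
    if entry["Protocol"] == "-1":          # all protocols, all ports
        return True
    if entry["Protocol"] != "6":           # "6" is TCP in NACL entries
        return False
    rng = entry.get("PortRange", {"From": 0, "To": 65535})
    return rng["From"] <= port <= rng["To"]

def nacl_decision(entries, egress, peer_ip, port):
    """Evaluate one direction the way AWS does: ascending RuleNumber, first match wins."""
    candidates = sorted((e for e in entries if e["Egress"] == egress), key=lambda e: e["RuleNumber"])
    for entry in candidates:
        if _entry_matches(entry, peer_ip, port):
            return entry["RuleAction"], entry["RuleNumber"]
    return "deny", None                    # only reached if the 32767 catch-all is missing

def db_path_allowed(entries, client_ip, db_port, client_port):
    """NACLs are stateless: the request (ingress to db_port) and the reply
    (egress back to the client's ephemeral port) must each be allowed."""
    request = nacl_decision(entries, False, client_ip, db_port)
    reply = nacl_decision(entries, True, client_ip, client_port)
    return request[0] == "allow" and reply[0] == "allow", request, reply
```

For 10.0.1.50 the request is admitted by rule 100 but the reply hits the deny at rule 50 first, so the connection hangs; 10.0.1.60 in the same subnet passes both legs.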

### Cause 6: DNS Resolution Issues

VPC DNS might not be resolving the RDS endpoint. These are VPC attributes, so they are read with `describe-vpc-attribute` (they are not part of `describe-vpcs` output):

```bash
# Check VPC DNS settings (one attribute per call)
aws ec2 describe-vpc-attribute \
  --vpc-id vpc-12345 \
  --attribute enableDnsSupport \
  --query 'EnableDnsSupport.Value'

aws ec2 describe-vpc-attribute \
  --vpc-id vpc-12345 \
  --attribute enableDnsHostnames \
  --query 'EnableDnsHostnames.Value'
```

Solution: Enable VPC DNS:

```bash
# Each flag takes a JSON structure with the desired value
aws ec2 modify-vpc-attribute \
  --vpc-id vpc-12345 \
  --enable-dns-support "{\"Value\":true}"

aws ec2 modify-vpc-attribute \
  --vpc-id vpc-12345 \
  --enable-dns-hostnames "{\"Value\":true}"
```

### Cause 7: Wrong Database Port

Different database engines use different ports.

```bash
# Check RDS port
aws rds describe-db-instances \
  --db-instance-identifier my-database \
  --query 'DBInstances[*].Endpoint.Port'
```

Solution: Use the correct port for the engine:

- PostgreSQL: 5432
- MySQL/MariaDB: 3306
- SQL Server: 1433
- Oracle: 1521
- Aurora PostgreSQL: 5432
- Aurora MySQL: 3306

### Cause 8: RDS in Maintenance or Rebooting

```bash
# Check RDS status
aws rds describe-db-instances \
  --db-instance-identifier my-database \
  --query 'DBInstances[*].DBInstanceStatus'
```

Wait for status to be "available":

```bash
# Block until the instance reports "available"
aws rds wait db-instance-available --db-instance-identifier my-database
```

## Verification

After fixing configuration:

```bash
# Test from EC2
ssh -i key.pem ec2-user@ec2-public-ip

# Test port
nc -zv my-database.xxxxx.us-east-1.rds.amazonaws.com 5432

# Test database connection
psql -h my-database.xxxxx.us-east-1.rds.amazonaws.com -U admin -d postgres -c "SELECT 1;"

# Or for MySQL
mysql -h my-database.xxxxx.us-east-1.rds.amazonaws.com -u admin -p -e "SELECT 1;"
```

Create a test script:

```python
import os
import psycopg2

try:
    conn = psycopg2.connect(
        host='my-database.xxxxx.us-east-1.rds.amazonaws.com',
        port=5432,
        database='postgres',
        user='admin',
        # Read the password from the environment rather than hardcoding it in the script
        password=os.environ['DB_PASSWORD'],
        # Fail fast instead of hanging when the network path is blocked
        connect_timeout=5,
    )
    print("Connection successful!")
    conn.close()
except Exception as e:
    print(f"Connection failed: {e}")
```

## Complete Configuration Example

### Security Groups

```bash
# Create EC2 security group (in the VPC the RDS instance uses, so it can be
# referenced as a source group below)
aws ec2 create-security-group \
  --group-name ec2-app \
  --description "Security group for EC2 application" \
  --vpc-id vpc-12345

# Create RDS security group
aws ec2 create-security-group \
  --group-name rds-db \
  --description "Security group for RDS database" \
  --vpc-id vpc-12345

# Allow EC2 to access RDS (use the GroupId values returned above)
aws ec2 authorize-security-group-ingress \
  --group-id sg-rds \
  --protocol tcp \
  --port 5432 \
  --source-group sg-ec2
```

### Terraform Configuration

```hcl
# EC2 instance
resource "aws_instance" "app" {
  ami                    = "ami-12345678"
  instance_type          = "t3.micro"
  subnet_id              = aws_subnet.app.id
  vpc_security_group_ids = [aws_security_group.app.id]
}

# RDS instance
resource "aws_db_instance" "db" {
  identifier        = "my-database"
  engine            = "postgres"
  instance_class    = "db.t3.micro"
  allocated_storage = 20

  vpc_security_group_ids = [aws_security_group.db.id]
  db_subnet_group_name   = aws_db_subnet_group.db.name
}

# Security groups
resource "aws_security_group" "app" {
  name   = "ec2-app"
  vpc_id = aws_vpc.main.id
}

resource "aws_security_group" "db" {
  name   = "rds-db"
  vpc_id = aws_vpc.main.id

  # Only the application security group may reach the database port
  ingress {
    from_port       = 5432
    to_port         = 5432
    protocol        = "tcp"
    security_groups = [aws_security_group.app.id]
  }
}
```

## Prevention

1. [ ] EC2 and RDS are in the same VPC or connected via peering
2. [ ] RDS security group allows traffic from the EC2 security group
3. [ ] Route tables have proper routes between subnets
4. [ ] VPC DNS support is enabled
5. [ ] Network ACLs allow database port traffic in both directions
6. [ ] RDS instance is in "available" status
7. [ ] Using the correct database port
8. [ ] Database credentials are correct
9. [ ] Test connectivity with nc/telnet first
10. [ ] Test the actual database connection with a client

Published by FixWikiHub (FixWikiHub Editorial Team), 2026-04-27: https://www.fixwikihub.com/fix-aws-ec2-rds-connection-issues