Home / AWS / Fix AWS RDS Proxy Connection Pooling Not Working

AWS

Fix AWS RDS Proxy Connection Pooling Not Working

Resolve RDS Proxy issues by checking IAM authentication, security groups, proxy target configuration, and connection string format.

Published: Apr 2, 20267 min readBy FixWikiHub Editorial Team

Abstract illustration for a troubleshooting knowledge base category.

Introduction

RDS Proxy maintains a pool of database connections that applications can reuse. When connection pooling fails, applications create new connections for each request, exhausting database connection limits and causing connection failures.

Symptoms

Connection refused to proxy:

```bash $ psql -h my-proxy.proxy-xyz.region.rds.amazonaws.com -U admin -d mydb

psql: could not connect to server: Connection refused ```

IAM authentication failed:

```bash $ aws rds-data execute-statement ...

An error occurred (AccessDenied) when calling the ExecuteStatement operation: Unable to execute statement ```

Proxy target unhealthy:

```bash $ aws rds describe-db-proxies --db-proxy-name my-proxy \ --query 'DBProxies[*].Status'

"insufficient_capacity" # Or other error status ```

Connection limit exceeded on database:

bash

FATAL: remaining connection slots are reserved for non-replication superuser connections

Common Causes

1.Security group blocking - Proxy security group doesn't allow client traffic
2.IAM auth misconfigured - Incorrect IAM policy or token
3.Proxy target group issues - Wrong RDS instance targeted
4.Secrets Manager issues - Invalid or missing database credentials
5.Connection string format wrong - Using wrong proxy endpoint
6.Proxy not associated with DB - Missing target group association
7.Subnet configuration - Proxy in wrong subnets

Step-by-Step Fix

1.Check logs for specific error messages
2.Verify configuration settings
3.Test network connectivity
4.Review recent changes
5.Apply corrective action
6.Verify the fix

Step 1: Check Proxy Status

```bash # Get proxy details aws rds describe-db-proxies --db-proxy-name my-proxy \ --query 'DBProxies[*].[DBProxyName,Status,EngineFamily,VpcId]'

# Status values: # - available: Normal operation # - creating: Still being created # - deleting: Being deleted # - insufficient_capacity: Not enough resources # - modifying: Configuration update

# Get proxy endpoints aws rds describe-db-proxy-endpoints --db-proxy-name my-proxy ```

Step 2: Verify Security Groups

```bash # Get proxy security groups aws rds describe-db-proxies --db-proxy-name my-proxy \ --query 'DBProxies[*].VpcSubnetIds'

aws rds describe-db-proxies --db-proxy-name my-proxy \ --query 'DBProxies[*].VpcSecurityGroupIds'

# Check security group rules aws ec2 describe-security-groups --group-ids sg-proxy \ --query 'SecurityGroups[*].IpPermissions'

# Must allow inbound from application on DB port # Add rule if missing aws ec2 authorize-security-group-ingress \ --group-id sg-proxy \ --protocol tcp \ --port 5432 \ --cidr 10.0.0.0/16 # Or application security group ```

Step 3: Check Target Group Configuration

```bash # Get target groups aws rds describe-db-proxy-target-groups --db-proxy-name my-proxy \ --query 'DBProxyTargetGroups[*].[TargetGroupName,TargetArn,RoleArn]'

# Get targets aws rds describe-db-proxy-targets --db-proxy-name my-proxy

# Should show your RDS instance as target # Health check status: # - available: Healthy # - registering: Being registered # - unavailable: Health check failed ```

Step 4: Verify Secrets Manager Configuration

```bash # Get secret ARN used by proxy aws rds describe-db-proxies --db-proxy-name my-proxy \ --query 'DBProxies[*].Auth[*].SecretArn'

# Check secret exists and has correct format aws secretsmanager get-secret-value --secret-id my-db-secret \ --query 'SecretString' --output text | jq

# Secret should contain: { "username": "admin", "password": "password123" }

# Verify secret has required permissions aws secretsmanager get-resource-policy --secret-id my-db-secret ```

Step 5: Configure IAM Authentication

```bash # For IAM auth, proxy needs IAM policy # Check proxy IAM role aws rds describe-db-proxies --db-proxy-name my-proxy \ --query 'DBProxies[*].RoleArn'

# Role needs permissions for: # - secretsmanager:GetSecretValue # - rds-db:connect

# Create policy for IAM auth cat > proxy-policy.json << 'EOF' { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "rds-db:connect", "Resource": "arn:aws:rds-db:region:account:dbuser:my-proxy/admin" } ] } EOF

# Generate IAM auth token TOKEN=$(aws rds generate-db-auth-token \ --hostname my-proxy.proxy-xyz.region.rds.amazonaws.com \ --port 5432 \ --username admin)

# Connect with token PGPASSWORD=$TOKEN psql -h my-proxy.proxy-xyz.region.rds.amazonaws.com -U admin -d mydb ```

Step 6: Verify Correct Proxy Endpoint

```bash # Get proxy endpoint aws rds describe-db-proxies --db-proxy-name my-proxy \ --query 'DBProxies[*].Endpoint'

# Endpoint format: # my-proxy.proxy-xyz.region.rds.amazonaws.com

# NOT the DB instance endpoint: # my-db.xyz.region.rds.amazonaws.com # Wrong!

# Test connectivity to proxy nc -zv my-proxy.proxy-xyz.region.rds.amazonaws.com 5432 ```

Step 7: Check Connection String Format

```bash # Correct connection string for proxy # PostgreSQL: psql "host=my-proxy.proxy-xyz.region.rds.amazonaws.com user=admin dbname=mydb"

# MySQL: mysql -h my-proxy.proxy-xyz.region.rds.amazonaws.com -u admin -p

# In application code (Python): import psycopg2 conn = psycopg2.connect( host='my-proxy.proxy-xyz.region.rds.amazonaws.com', user='admin', password='password', database='mydb' )

# For IAM auth: import boto3 rds = boto3.client('rds') token = rds.generate_db_auth_token( DBHostname='my-proxy.proxy-xyz.region.rds.amazonaws.com', Port=5432, DBUsername='admin' ) conn = psycopg2.connect( host='my-proxy.proxy-xyz.region.rds.amazonaws.com', user='admin', password=token, database='mydb' ) ```

Step 8: Check Proxy CloudWatch Metrics

```bash # Check proxy metrics aws cloudwatch get-metric-statistics \ --namespace AWS/RDS/Proxy \ --metric-name ClientConnections \ --dimensions Name=ProxyName,Value=my-proxy \ --statistics Sum \ --period 300

# Key metrics: # - ClientConnections: Active client connections # - DatabaseConnections: Connections to DB # - ClientConnectionsBorrowed: Connections borrowed from pool

# If ClientConnectionsBorrowed == ClientConnections, pooling working # If ClientConnections >> ClientConnectionsBorrowed, issue with pooling ```

Step 9: Review Proxy Settings

```bash # Get connection pool settings aws rds describe-db-proxies --db-proxy-name my-proxy \ --query 'DBProxies[*].[RequireTLS,IdleClientTimeout,SessionPinningFilters]'

# Common issues: # - RequireTLS=true but client not using TLS # - SessionPinningFilters causing connections to not be reused

# Update settings if needed aws rds modify-db-proxy \ --db-proxy-name my-proxy \ --idle-client-timeout 1800 ```

Step 10: Test Proxy Connection

```bash # Test with psql psql -h my-proxy.proxy-xyz.region.rds.amazonaws.com \ -U admin \ -d mydb \ -c "SELECT 1"

# Check connection is through proxy psql -h my-proxy.proxy-xyz.region.rds.amazonaws.com \ -U admin \ -d mydb \ -c "SELECT inet_server_addr(), inet_server_port()"

# Should return proxy IP, not direct DB IP ```

RDS Proxy Connection String Checklist

[ ] Using proxy endpoint (not DB endpoint)
[ ] Correct port (5432 PostgreSQL, 3306 MySQL)
[ ] Security group allows client traffic
[ ] Proxy in same VPC/subnets as application
[ ] Secret contains correct credentials
[ ] IAM role has required permissions

Verification

```bash # Test connection through proxy psql -h my-proxy.proxy-xyz.region.rds.amazonaws.com -U admin -d mydb

# Should connect successfully

# Check metrics for connection reuse aws cloudwatch get-metric-statistics \ --namespace AWS/RDS/Proxy \ --metric-name DatabaseConnections \ --dimensions Name=ProxyName,Value=my-proxy \ --statistics Average \ --period 60

# Should show fewer DB connections than client connections (pooling working) ```

[Fix AWS RDS Connection Limit Exceeded](/articles/fix-aws-rds-connection-limit-exceeded)
[Fix AWS RDS Instance Unavailable](/articles/fix-aws-rds-instance-unavailable)
[Fix AWS RDS Read Replica Lag High](/articles/fix-aws-rds-read-replica-lag-high)

[AWS troubleshooting: Fix IAM Permission Denied - Complete Tro](fix-iam-permission-denied)
[AWS cloud troubleshooting: AWS ACM Certificate Pending Validation Because the](aws-acm-certificate-pending-validation-wrong-route53-zone)
[AWS cloud troubleshooting: AWS ALB Returns 502 Because the Target Closed the ](aws-alb-502-target-closed-connection-keepalive-timeout-mismatch)
[AWS cloud troubleshooting: Fix AWS ALB CreateListener TargetGroupNotFound Err](aws-alb-createlistener-targetgroupnotfound)
[AWS cloud troubleshooting: Fix Aws Alb Lambda 502 Bad Gateway Issue in AWS](aws-alb-lambda-502-bad-gateway)

Was this guide helpful?

Related search paths

People also search for

If the symptom is close but not identical, these search paths usually surface the right neighboring fixes faster than scrolling the full archive.

AWS RDS Proxy Connection Pooling Not Working AWS RDS Proxy Connection Pooling Not Working AWS AWS RDS Proxy Connection Pooling Not Working troubleshooting AWS RDS Proxy Connection Pooling Not Working fix Resolve RDS Proxy issues by checking IAM authentication, security groups, proxy target configuration, and connection string format AWS Resolve RDS Proxy issues by checking IAM authentication, security groups, proxy target configuration, and connection string format

Explore Related Topics

Browse Guides from Other Categories

Discover troubleshooting guides from related categories to expand your knowledge.

FAQ

AWS Troubleshooting FAQs

Common questions about troubleshooting and preventing similar issues

How do I know if this aws-errors troubleshooting guide applies to my situation?

This guide is designed for aws-errors issues. If you're experiencing similar symptoms described in the article, follow the step-by-step instructions. Start with the most common causes and work through the diagnostic process.

Is it safe to follow these aws-errors troubleshooting steps?

Yes, all steps are designed to be safe and non-destructive. We recommend creating backups before making significant changes and testing each step before proceeding to the next.

How long does it typically take to resolve this type of aws-errors issue?

Most aws-errors issues can be resolved within 30 minutes to 2 hours, depending on the complexity and root cause. Follow the troubleshooting flow to identify and fix the problem efficiently.

How can I prevent this aws-errors issue from happening again?

Regular maintenance, monitoring, and following best practices for aws-errors configuration can help prevent recurrence. Consider implementing automated checks and alerts for early detection.

Written by

FixWikiHub Editorial Team

Our editorial team consists of experienced DevOps engineers, systems administrators, and cloud architects with hands-on experience in production environments across AWS, Azure, GCP, and on-premises infrastructure.

Every guide undergoes technical review for accuracy and is updated when software versions, commands, or best practices change.

Last updated: Apr 2, 2026

About our team

Important Notice

Disclaimer & Safety Guidelines

The troubleshooting steps in this guide are provided for educational and informational purposes. Before applying any changes to production systems:

Test in a staging environment first — Always verify commands and configurations in a non-production environment before deploying to live systems.
Create backups — Ensure you have current backups of databases, configurations, and critical files before making changes.
Understand the impact — Review how each step may affect your specific environment, dependencies, and users.
Consult official documentation — This guide supplements, but does not replace, official vendor documentation and best practices.

FixWikiHub is not responsible for any damages arising from the use of this content. See our Terms of Use for more information.

Resources

Official Documentation & Further Reading

For authoritative information, consult the official documentation for the technologies discussed in this guide. Our troubleshooting content supplements, but does not replace, vendor documentation.

AWS Documentation — Official Amazon Web Services guides and API references
Kubernetes Documentation — Official Kubernetes documentation
Nginx Documentation — Official Nginx web server documentation
Apache Documentation — Official Apache HTTP Server documentation
Docker Documentation — Official Docker container documentation

Fix AWS RDS Proxy Connection Pooling Not Working

Introduction

Symptoms

Common Causes

Step-by-Step Fix

Step 1: Check Proxy Status

Step 2: Verify Security Groups

Step 3: Check Target Group Configuration

Step 4: Verify Secrets Manager Configuration

Step 5: Configure IAM Authentication

Step 6: Verify Correct Proxy Endpoint

Step 7: Check Connection String Format

Step 8: Check Proxy CloudWatch Metrics

Step 9: Review Proxy Settings

Step 10: Test Proxy Connection

RDS Proxy Connection String Checklist

Verification

People also search for

Browse Guides from Other Categories

WordPress

SSL

DNS

AWS Troubleshooting FAQs

FixWikiHub Editorial Team

Disclaimer & Safety Guidelines

Official Documentation & Further Reading

Fix AWS RDS Proxy Connection Pooling Not Working

Introduction

Symptoms

Common Causes

Step-by-Step Fix

Step 1: Check Proxy Status

Step 2: Verify Security Groups

Step 3: Check Target Group Configuration

Step 4: Verify Secrets Manager Configuration

Step 5: Configure IAM Authentication

Step 6: Verify Correct Proxy Endpoint

Step 7: Check Connection String Format

Step 8: Check Proxy CloudWatch Metrics

Step 9: Review Proxy Settings

Step 10: Test Proxy Connection

RDS Proxy Connection String Checklist

Verification

Related Issues

Related Articles

People also search for

Share this guide

More AWS Troubleshooting Guides

Browse Guides from Other Categories

AWS Troubleshooting FAQs

FixWikiHub Editorial Team

Disclaimer & Safety Guidelines

Official Documentation & Further Reading