Score:-1

Can't connect to AWS RDS unless using a VPN?


I've been trying to connect to an AWS RDS (postgres) instance. It is set up to be publicly accessible, and I've checked the inbound and outbound security rules. The port is set to the default of 5432.

I have been trying to open a socket to the endpoint, using:

telnet ****.amazonaws.com 5432

This has been hanging, but when I use a personal VPN I've set up (through DigitalOcean), the connection succeeds.

I can't think why this would be the case. Can anyone explain?

I've been through the amazon troubleshooting page on connecting to an RDS instance, and also tried setting it up in a different region.

I've also tried running tcptraceroute, and the connection seems to hang on IPs that are owned by 'Amazon EC2 Network Operations'.

[Image: the added security-group rule]

Tim
I've connected to RDS instances over the internet many times. You have to make it publicly accessible (which gives it a public IP address), set up an internet gateway, routing, and security group. Maybe try with a psql client rather than telnet.
fortyfeet
Thanks Tim, I have tried with psql. I believe that the rds instance is publicly accessible - certainly the page claims it is and the security group etc are open to all traffic. The port should be open and be accepting connections which when I have my VPN enabled, it does. However, when the VPN isn't enabled - then the socket is never able to connect. I'm wondering if it's anything to do with IP4/6?
Tim
You would have to post many screenshots from the AWS console for us to be sure: RDS instance including SG and showing public enabled, subnet list including CIDR, route tables, internet gateway, SG details. Otherwise have someone knowledgeable look at your account. It's easy to make small mistakes; AWS is complex.
fortyfeet
Tim, many thanks for your help. I've tracked down what's blocking it: the security group was set up to allow all inbound traffic, but only with a source of the security group itself. Adding my IP address as a separate rule has allowed my connection to succeed. What I don't understand is that connecting using the private VPN that I've set up, which routes traffic through the DigitalOcean servers, appeared to bypass that source rule...?
fortyfeet
I've added a screenshot of the rule I added in case anyone else has a similar issue.
Tim
Not enough information to say for sure, but my best guess is your VPN is terminated by something that shares that security group. I'll put the answer in so you can mark it solved.
Score:0
Tim

You would have to post many screenshots from the AWS console for us to be sure:

  • RDS instance including security group and showing public enabled
  • Subnet list including CIDR ranges
  • Route tables
  • Internet gateway
  • Security group details including rules

Best guess is the security group is not set up correctly, as you confirmed in comments above.
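As an added example (not code from the thread or from AWS), the function below models how EC2 evaluates the two kinds of inbound rule this thread contrasts: a rule whose source is a security group only admits traffic from network interfaces that carry that group, while a CIDR rule admits by address. The group ID, client addresses and rule lists are constructed to mirror the shape boto3's describe_security_groups() returns, and the 203.0.113.x addresses are documentation ranges, not real hosts.

```python
"""Evaluate security-group inbound rules the way EC2/RDS applies them.

A UserIdGroupPairs source matches only traffic whose sending ENI carries
that group, never an arbitrary internet address; an IpRanges / Ipv6Ranges
source matches by address. The data below is constructed for illustration.
"""
import ipaddress

SG_ID = "sg-0123456789abcdef0"  # placeholder group ID, not a real one

# The rule the asker found: all traffic, but sourced from the group itself.
INBOUND_SELF_ONLY = [
    {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [],
     "UserIdGroupPairs": [{"GroupId": SG_ID}]},
]

# The fix described in the comments: a separate /32 rule for the client IP.
INBOUND_FIXED = INBOUND_SELF_ONLY + [
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
     "IpRanges": [{"CidrIp": "203.0.113.7/32"}], "Ipv6Ranges": [],
     "UserIdGroupPairs": []},
]


def _port_matches(rule, port):
    """'-1' means all protocols and ports; otherwise require TCP in range."""
    if rule.get("IpProtocol") == "-1":
        return True
    if rule.get("IpProtocol") != "tcp":
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def allowed_from(rules, client_ip, port, client_groups=()):
    """Return the index of the first rule admitting (client_ip, port), else None.

    client_groups lists the security groups attached to the *client's* ENI
    when the client is itself an AWS resource. A laptop on the internet has
    none, which is why a self-referencing rule alone leaves telnet hanging.
    """
    ip = ipaddress.ip_address(client_ip)
    for i, rule in enumerate(rules):
        if not _port_matches(rule, port):
            continue
        cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
        # ip_network membership is False across IPv4/IPv6, so mixing is safe.
        if any(ip in ipaddress.ip_network(c) for c in cidrs):
            return i
        if any(p["GroupId"] in client_groups for p in rule.get("UserIdGroupPairs", [])):
            return i
    return None
```

Running allowed_from() against a group's real rules (fetched with boto3 and your own public IP) is a quick way to confirm whether an "allow all" rule actually admits an internet client before reaching for screenshots.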
