Can't ping AWS RDS endpoint

vt2424253 picture vt2424253 · Mar 24, 2014 · Viewed 28.6k times · Source

I want to migrate my local mysql database to Amazon RDS. But first I want to test to see if it is receiving communication. So I try to ping it. But the attempt timeout.

ping -c 5 myfishdb.blackOut.us-west-2.rds.amazonaws.com
PING ec2-54-xxx-xxx-118.us-west-2.compute.amazonaws.com (54.xxx.xxx.118): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2
Request timeout for icmp_seq 3

I suspect that I need to open the inbound settings, so I open up the settings to

SSH TCP 22 72.xxx.xxx.xxx/32

And it still does not work. What do you suppose I am doing wrong? Am I missing anything else?

Answer

BraveNewCurrency picture BraveNewCurrency · Mar 24, 2014

So I try to ping it. But the attempt timeout.

Ping won't work because the security group blocks all communication by default. You'll have to "poke holes" in the security group firewall to get traffic to your instance.

SSH TCP 22 72.xxx.xxx.xxx/32 And it still does not work.

Yup. RDS does not allow you to log in to the box via SSH. Only the MySQL port (3306) is open.

I want to migrate my local mysql database to Amazon RDS.

Ok, but be careful. DO NOT open up 3306 to the entire Internet (i.e. 0.0.0.0). MySQL was not designed for that, and often has flaws where anyone can break into your database.

You can open 3306 to just your (home) IP address (or the server you'll be using it from.) It should look like "5.5.5.5/32 TCP port 3306". But beware that this isn't great security because other people could see your packets. (MySQL supports encrypted connections, but you have to set them up explicitly.)

You can test your setup with telnet my.mysql.ip.address 3306. If you get no message, the port is not open. If you get "connected to ..", then your MySQL port is working.

The most secure way to use RDS is from an EC2 instance. You can create trust between the EC2 instance and the RDS security group. Your packets won't travel over the Internet, but only on the AWS network. Other people won't be able to see your packets, because nothing in EC2 allows that.