无法连接到AWS VPC RDS实例(MySQL或Postgres的) [英] unable to connect to AWS VPC RDS instance (mysql or postgres)
问题描述
(我张贴在事后这个问题,因为花费的时间找到问题的根源和解决方案。还有一个很好的机会,其他人也碰到了同样的问题)
(I'm posting this question after the fact because of the time it took to find the root cause and solution. There's also a good chance other people will run into the same problem)
我有一个RDS实例(在VPC)我正在试图从一个典型的EC2实例中运行的应用程序,通过ClassicLink连接连接到。安全组和DNS是不是一个问题。
I have an RDS instance (in a VPC) that I'm trying to connect to from an application running on a classic EC2 instance, connected via ClassicLink. Security groups and DNS aren't an issue.
我能够建立套接字连接的RDS实例,但不能用命令行工具(PSQL中,MySQL等)或DB GUI工具,如蟾蜍或MySQL工作台连接。
I am able to establish socket connections to the RDS instance, but cannot connect with CLI tools (psql, mysql, etc.) or DB GUI tools like toad or mysql workbench.
通过telnet或NC导致TCP连接在建立状态(从netstat中输出)直接套接字连接。
Direct socket connections with telnet or nc result in TCP connections in the "ESTABLISHED" state (output from netstat).
从数据库命令行,图形用户界面工具或应用程序的连接造成超时和那些停留在SYN状态的TCP连接。
Connections from DB CLI, GUI tools, or applications result in timeouts and TCP connections that are stuck in the "SYN" state.
更新:在我的情况的根本原因是与MTU尺寸和EC2 ClassicLink一个问题。我下面贴一些一般故障诊断信息,在应答的情况下其他人碰到类似的RDS连接问题。
UPDATE: The root cause in my case was a problem with MTU size and EC2 ClassicLink. I've posted some general troubleshooting information below in an answer in case other people run into similar RDS connectivity issues.
推荐答案
更多信息谁可能会遇到尝试连接到RDS或红移类似问题的人:
Additional information for people who might run into similar issues trying to connect to RDS or RedShift:
1)检查安全组
验证安全组的RDS实例允许从安全组访问源服务器属于(或它的IP直接,如果外部加入到AWS)。你应该寻找安全组是从RDS控制台UI(名为安全组)在RDS实例指定的属性之一。
Verify the security group for the RDS instance allows access from the security group your source server belongs to (or its IP added directly if external to AWS). The security group you should be looking at is the one specified in the RDS instance attributes from the RDS console UI (named "security group").
注意:数据库安全组可能是从AWS EC2安全组的不同。如果你的RDS实例经典/公共EC2,您应检查RDS UI的数据库安全组部分。对于VPC用户,安全组将是一个正常的VPC安全组(名称SG-XXX将被列在RDS实例的属性)。
NOTE: Database security groups might be different from AWS EC2 security groups. If your RDS instance is in classic/public EC2, you should check in the "database security group" section of the RDS UI. For VPC users, the security group will be a normal VPC security group (the name sg-xxx will be listed in the RDS instance's attributes).
2)确认DNS是不是一个问题。
亚马逊使用拆分DNS,所以外部DNS查找,以AWS将返回公共IP而查找内部到AWS将返回一个专用IP。如果你怀疑是DNS的问题,你有没有确定不同的IP是从不同的可用性区域返回?如果不同的AZS得到不同的IP地址,您需要联系AWS支持。
Amazon uses split DNS, so a DNS lookup external to AWS will return the public IP while a lookup internal to AWS will return a private IP. If you suspect it is a DNS issue, have you confirmed different IPs are returned from different availability zones? If different AZs get different IPs, you will need to contact AWS support.
3)通过建立一个套接字连接确认网络连接。
像tracepath的和traceroute工具可能不会帮助,因为RDS目前丢弃ICMP流量。
Tools like tracepath and traceroute likely won't help since RDS currently drops ICMP traffic.
测试端口,试图建立(Postgres的MySQL的,或5432)的套接字连接的RDS实例上的端口3306连接。首先找到RDS实例的IP,并使用telnet或NC(一定要使用内部/私有IP,如果无法连接内AWS):
Test port connectivity by trying to establish a socket connection to the RDS instance on port 3306 (mysql, or 5432 for postgres). Start by finding the IP of the RDS instance and using either telnet or nc (be sure to use the internal/private IP if connecting from within AWS):
telnet x.x.x.x 3306
nc -vz x.x.x.x 3306
)如果您的连接尝试不成功,并立即失败,该端口很可能阻止或远程主机没有运行在该端口上的服务。您可能需要聘请AWS支持,以进一步解决。如果从AWS的外部进行连接,试图从里面AWS另一个实例第一次连接(如您的防火墙可能阻止这些连接)。
a) If your connection attempt isn't successful and immediately fails, the port is likely blocked or the remote host isn't running a service on that port. you may need to engage AWS support to troubleshoot further. If connecting from outside of AWS, try to connect from another instance inside AWS first (as your firewall might be blocking those connections).
B)如果您的连接不成功,你会得到一个超时,数据包可能被丢弃/通过防火墙忽视或数据包返回在不同的网络路径。您可以通过运行确认此的netstat -an | grep的SYN (从不同的SSH会话在等待的telnet / NC指令超时)。
b) If your connection isn't successful and you get a timeout, packets are probably being dropped/ignored by a firewall or packets are returning on a different network path. You can confirm this by running netstat -an | grep SYN (from a different ssh session while waiting for the telnet/nc command to timeout).
在SYN状态的连接意味着你已经发送连接请求,但没有收到任何东西(SYN_ACK或拒绝/块)。通常这意味着防火墙或安全组被忽视或丢弃数据包。
Connections in the SYN state mean that you've sent a connection request, but haven't received anything back (SYN_ACK or reject/block). Usually this means a firewall or security group is ignoring or dropping packets.
有,也可与NAT路由或从多个接口的多条路径中的问题。检查以确保你没有使用iptables或您的主机和RDS实例之间的NAT网关。如果你在一个VPC,还要确保你允许出口/出站流量从源主机。
It can also be a problem with NAT routing or multiple paths from multiple interfaces. Check to make sure you're not using iptables or a NAT gateway between your host and the RDS instance. If you're in a VPC, also make sure you allow egress/outbound traffic from the source host.
C)如果您的套接字连接测试成功,但你不能用MySQL客户端(CLI,工作台,应用程序等)连接,看一看的netstat的输出看到连接在(XXXX替换的RDS实例的实际IP地址)是什么状态:
c) If your socket connection test was successful, but you can't connect with a mysql client (CLI, workbench, app, etc.), take a look at the output of netstat to see what state the connection is in (replace x.x.x.x with the actual IP address of the RDS instance):
的netstat -an | grep的x.x.x.x
如果你得到使用telnet或NC当连接建立,但你使用mysql客户端,当看到SYN的状态,你可能运行到一个MTU的问题。
If you were getting a connection established when using telnet or NC, but you see the 'SYN' state when using a mysql client, you might be running into an MTU issue.
RDS,在当时,这是写的,可能不支持用于PMTUD的ICMP报文(的https: //en.wikipedia.org/wiki/Path_MTU_Discovery#Problems_with_PMTUD )。这可能是一个问题,如果你想通过ClassicLink访问RDS或红移这是一个VPC从经典的EC2实例。尝试降低MTU与以下内容,然后再次测试:
RDS, at the time this is written, may not support ICMP packets used for PMTUD (https://en.wikipedia.org/wiki/Path_MTU_Discovery#Problems_with_PMTUD). This can be a problem if you're trying to access RDS or RedShift that's in a VPC from a classic ec2 instance via ClassicLink. Try lowering the MTU with the following, then testing again:
sudo ip link show
# take note of the current MTU (likely 1500 or 9001)
sudo ip link set dev eth0 mtu 1400
如果较低的MTU的工作,一定要跟进的帮助AWS客户的支持与提到你看到的MTU问题,同时试图连接到您的RDS实例。如果TCP数据包包裹封装的隧道,在一个较低的可用MTU的分组数据/有效载荷就会发生这种情况。降低MTU的源服务器上允许的数据包包裹下的MTU限制仍然适合在通过隧道网关。
If the lower MTU worked, be sure to follow up with AWS customer support for help and mention that you are seeing an MTU issue while trying to connect to your RDS instance. This can happen if TCP packets are wrapped with encapsulation for tunneling, resulting in a lower usable MTU for packet data / payload. Lowering the MTU on the source server allows the wrapped packets to still fit under the MTU limit while passing through the tunneling gateway.
如果它不工作,设置MTU回到它的默认值,并从事进一步的疑难解答AWS支持。
If it didn't work, set your MTU back to it's default and engage AWS support for further troubleshooting.
这篇关于无法连接到AWS VPC RDS实例(MySQL或Postgres的)的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
