RDS Guide - not connecting

I’m following the RDS access instructions (here). I confirm my EC2 node is showing up in Tailscale. I confirm that, even after removing 22 inbound, I’m able to connect to my EC2 when logged in to Tailscale via its private IP. :confetti_ball:

However, I’m unable to connect to my single RDS instance. After configuring split DNS (172.3.0.2 us-west-2.compute.internal) I attempt mysqlsh --uri=admin@database-1.XYZ.us-west-2.rds.compute.internal:3306. The client prompts for a password, but then it immediately returns Unknown MySQL server host.

I’ve confirmed that my RDS security group allows inbound from my EC2. They’re in the same VPC. They are in different AZs (RDS is in us-west-2d and EC2 is in us-west-2c) and I’ve even successfully connected to RDS directly from my EC2. I know they can talk to one another.

My hunch is it’s related to split DNS. I believe us-west-2c|d would use the same DNS server, but the fact that it can’t seem to find the host tells me it’s DNS related. I’d expect if it were network related once I’m within AWS, it would at least hang and time out.

Help! Thank you


Having similar issues. I can SSH to the EC2 (AWS Linux, with Tailscale installed) subnet router but can’t connect to RDS via tailnet.

The EC2 box can connect to the RDS directly, so the AWS networking side appears to be good.

What’s next?

Tailscale let me know it’s due to DNS changes in AWS and the directions may no longer work. There’s no solution at this time. Scary to think a database connection could suddenly be dropped indefinitely.


Thanks for that. Did they give any indication of a timeframe for some form of resolution one way or another?

They did not unfortunately.

Think I figured out a possible solution.

What worked for me was to use split DNS to override the public search domain for my database (i.e. us-west-1.rds.amazonaws.com) and set it to the private subnet IP as described in the tutorial (i.e. 172.31.0.2).

My ingress node in AWS advertises 172.31.0.0/16 as a route.

Now my other devices on the Tailnet (provided that they're accepting routes) properly resolve the private IP of the database.
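As an added illustration, not code from the thread or from Tailscale, the two conditions the fix above relies on can be checked offline: the RDS hostname must match a split DNS rule (suffix match on the configured domain) so the query reaches the VPC resolver, and the private IP that resolver returns must fall inside a route the subnet router advertises. The hostnames, the 172.31.0.2 resolver answer and the in-memory resolver are constructed stand-ins.

```python
import ipaddress
from typing import Callable, Dict, List, Optional

# Constructed config mirroring the working setup in the thread: the RDS
# search domain is pointed at the VPC resolver and the VPC CIDR is advertised.
SPLIT_DNS: Dict[str, str] = {"us-west-2.rds.amazonaws.com": "172.31.0.2"}
ADVERTISED_ROUTES: List[str] = ["172.31.0.0/16"]

# Constructed stand-in for the VPC's private resolver so the example runs offline.
FAKE_VPC_ANSWERS: Dict[str, str] = {
    "database-1.example.us-west-2.rds.amazonaws.com": "172.31.45.10",
}

def split_dns_resolver(hostname: str, split_dns: Dict[str, str]) -> Optional[str]:
    """Pick the resolver for hostname: the longest configured domain that is a
    suffix of the name. None means the query goes to the client's default
    resolver, which cannot answer for a VPC-private name (the
    'Unknown MySQL server host' symptom)."""
    name = hostname.rstrip(".").lower()
    matches = [d for d in split_dns if name == d or name.endswith("." + d)]
    return split_dns[max(matches, key=len)] if matches else None

def check_reachability(hostname: str, split_dns: Dict[str, str],
                       routes: List[str], resolve: Callable[[str, str], Optional[str]]) -> dict:
    """Trace resolution and routing for a tailnet client and report the first
    condition that fails, or ok=True with the resolver and IP used."""
    resolver = split_dns_resolver(hostname, split_dns)
    if resolver is None:
        return {"ok": False, "reason": "no split DNS rule matches hostname"}
    ip = resolve(hostname, resolver)
    if ip is None:
        return {"ok": False, "reason": f"resolver {resolver} returned no record"}
    addr = ipaddress.ip_address(ip)
    if not any(addr in ipaddress.ip_network(r) for r in routes):
        return {"ok": False, "reason": f"{ip} is outside the advertised routes"}
    return {"ok": True, "resolver": resolver, "ip": ip}

def fake_resolve(hostname: str, resolver: str) -> Optional[str]:
    """Only the constructed VPC resolver knows the private RDS endpoint."""
    return FAKE_VPC_ANSWERS.get(hostname.lower()) if resolver == "172.31.0.2" else None

if __name__ == "__main__":
    host = "database-1.example.us-west-2.rds.amazonaws.com"
    print(check_reachability(host, SPLIT_DNS, ADVERTISED_ROUTES, fake_resolve))
    # A rule for compute.internal alone never matches an rds.amazonaws.com name.
    print(check_reachability(host, {"us-west-2.compute.internal": "172.31.0.2"},
                             ADVERTISED_ROUTES, fake_resolve))
```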

I was excited to try this but it isn’t working for me. :thinking: