AWS RDS Connection Refused: Security Group Debug Guide

The first ten minutes — establish facts before touching code.

• 1Run 'telnet <rds-endpoint> 3306' (or 5432 for PostgreSQL) from the client. If it hangs or says 'Connection refused', the TCP handshake is being blocked or the DB isn't listening.
• 2Check RDS console: ensure the instance is 'Available' and the endpoint/DNS is correct. Copy the endpoint and test from a different client in the same VPC if possible.
• 3Inspect the RDS security group inbound rules: look for a rule allowing traffic on the DB port from the client's IP or security group. Common mistake: source is set to 0.0.0.0/0 but the port is wrong, or source is a security group ID that doesn't match the client's security group.
• 4VPC Flow Logs: enable flow logs for the RDS ENI (or subnet). Look for 'REJECT' records for traffic from client IP to RDS IP on the DB port. If you see 'ACCEPT', the problem is likely at the application layer.
• 5Check NACL rules for the RDS subnet: NACLs are stateless, so both inbound and outbound rules must allow ephemeral ports (1024-65535) for return traffic. A missing outbound rule can cause 'Connection refused' even if inbound is open.

The specific files, logs, configs, and dashboards that usually own this bug.

• searchAWS Console → RDS → Databases → {instance} → Connectivity & security → Security groups (note the security group ID)
• searchAWS Console → VPC → Security Groups → {rds-sg} → Inbound rules (check source CIDR/group, port, protocol)
• searchAWS Console → VPC → Network ACLs → {subnet's NACL} → Inbound/Outbound rules
• searchVPC Flow Logs (CloudWatch Logs group) → query for 'REJECT' between client IP and RDS IP
• searchClient machine: /var/log/syslog or /var/log/messages (for local firewall blocks like iptables)
• searchRDS error logs: in RDS console under Logs & events → check for 'connection refused' or 'no incoming connections' messages
• searchApplication configuration: check the hostname/endpoint string, port number, and SSL mode (if using TLS, ensure RDS certificate is trusted)

Practical causes, not theory. These are the things you will actually find.

• warningSecurity group inbound rule missing or misconfigured: wrong port (e.g., 3306 vs 5432), wrong source (0.0.0.0/0 vs specific IP/group), or rule order (implicit deny after allow)
• warningNetwork ACL blocking inbound or outbound traffic: NACL inbound allows port 5432 but outbound denies ephemeral ports (return traffic), causing half-open connections
• warningClient not in the same VPC or no VPC peering/transit gateway route: RDS is in VPC-A, client in VPC-B, and routes don't point to the correct target
• warningRDS instance in 'inaccessible-encryption-credentials' state or stopped (but shows Available due to caching)
• warningClient's local firewall (iptables, firewalld, Windows Firewall) blocking outbound connections or inbound responses
• warningDNS resolution pointing to an outdated IP (e.g., after a failover or modification), especially if using a read replica endpoint

Concrete fix directions. Pick the one that matches your root cause.

• buildAdd the correct inbound rule to the RDS security group: source = client's security group ID (or /32 CIDR), port = DB port, protocol = TCP. Remove any overly permissive rules and rely on security group references.
• buildUpdate NACL rules: ensure inbound allows DB port from client subnet, and outbound allows ephemeral ports (1024-65535) to client subnet. Remember NACLs are stateless.
• buildIf client is in a peered VPC, verify VPC peering route tables: add routes in both VPCs pointing to the peering connection. Also check that the RDS security group allows traffic from the client's security group in the peer VPC (security group cross-reference works across peered VPCs if both are in the same region).
• buildRestart the client application or flush DNS cache after verifying the RDS endpoint resolves correctly: use 'nslookup <rds-endpoint>' to check.
• buildFor local firewall issues: run 'sudo iptables -L -n' and look for DROP/REJECT rules on outbound or input chains. Add a rule to allow traffic: 'sudo iptables -A OUTPUT -d <rds-ip> -p tcp --dport 5432 -j ACCEPT'.

A fix you cannot prove is a guess. Close the loop.

• verifiedRun 'telnet <rds-endpoint> 5432' from the client; it should return a blank screen or a banner (e.g., PostgreSQL's 'FATAL: no pg_hba.conf entry'). That means TCP connection succeeds.
• verifiedCheck VPC Flow Logs: after fix, you should see 'ACCEPT' records for the TCP handshake (SYN, SYN-ACK, ACK).
• verifiedTest from a different client in the same subnet: if it works, the issue is specific to the original client (local firewall, DNS, etc.).
• verifiedUse 'nc -zv <rds-endpoint> 5432' (netcat) to test connectivity; exit code 0 indicates success.
• verifiedFrom the RDS side, enable 'Enhanced Monitoring' and check 'RDS child processes' for any connection attempts being rejected by the DB engine itself (e.g., pg_hba.conf).

Things that make this bug worse or harder to find.

• warningDon't assume 'connection refused' means the DB is down; always check network first. Restarting RDS unnecessarily causes downtime.
• warningDon't use 0.0.0.0/0 as source in security groups unless absolutely necessary; it's a security risk and often masks the real issue. Prefer specific security group IDs.
• warningDon't forget that NACLs are stateless: if you add an inbound allow, you must add an outbound allow for return traffic. Many engineers miss this.
• warningDon't rely solely on ping: ICMP is not TCP; a ping success doesn't guarantee DB port connectivity.
• warningDon't ignore the RDS parameter group: if the DB is configured to listen only on localhost (e.g., PostgreSQL's listen_addresses), it will refuse remote connections even if security groups are correct.

Frequently asked questions