What do I do if I cannot or fail to connect to an ApsaraDB RDS instance that runs MySQL, PostgreSQL, SQL Server, or MariaDB? - ApsaraDB RDS

This topic describes how to resolve various issues that cause failures to connect to an ApsaraDB RDS instance.

Common connection errors

The following table describes common connection errors and the solutions to the errors.

ApsaraDB RDS for MySQL and ApsaraDB RDS for MariaDB

Error message	Cause	Solution
ERROR 2003 (HY000): Can't connect to MySQL server on 'XXX'(10038, 10060, or 110) Cannot connect to a database: XXX	Network communication is abnormal.	Make sure that the Elastic Compute Service (ECS) instance and the RDS instance reside in the same region. Make sure that the ECS instance and the RDS instance use the same network type. Make sure that the ECS instance and the RDS instance reside in the same virtual private cloud (VPC). Make sure that the private IP address of the ECS instance is added to an IP address whitelist of the RDS instance. For more information, see Solutions.
ERROR 1045 (HY000): #28000ip not in whitelist ERROR 2801 (HY000): #RDS00ip not in whitelist, client ip is XXX ERROR 2013 (HY000): Lost connection to MySQL server at 'reading authorization packet', system error:110	The IP address whitelist is not correctly configured.	Check the IP address whitelist of the RDS instance
ERROR 1045 (28000): Access denied for user 'XXX'@'XXX' (using password: YES or NO) ERROR 1045 (28000): Authentication Failed For RDS maybe username or password is incorrect	The username or password is invalid.	Check the username and password in the connection information. ApsaraDB RDS does not provide root accounts. If you need an account, you can create one. For more information, see Create an account. If the password contains special characters, the special characters must be enclosed in single quotation marks (''). For example, use `-p 'XXX'` in a command. If you forget the password of the account that is used to connect to the RDS instance, log on to the ApsaraDB RDS console and go to the Accounts page of the RDS instance. Then, change the password of the account. Note After you change the password, the new password takes effect a few minutes later.
ERROR 2005 (HY000): Unknown MySQL server host 'XXX' (110 or 11004) SQLSTATE[HY000] [2002] php_network_getaddresses: getaddrinfo failed: Name or service not known Name or service not known unknown server host	The Domain Name System (DNS) server cannot resolve the endpoint of the RDS instance.	Check whether the input endpoint (connection string) of the RDS instance is correct. The error may be caused by the following reasons: The endpoint is incorrectly input. The endpoint of an RDS instance is in the following format: rm-xxx.xxx.rds.aliyuncs.com. The input public endpoint of the instance has been manually released. The input endpoint is truncated by the application because it exceeds the maximum length defined by the application. If you confirm that the input endpoint is correct and the error is still reported, change your DNS server address to the address of Alibaba Cloud's DNS server. If you connect to the RDS instance through the classic network, change your DNS server address to 10.143.22.116 or 10.143.22.118. If you connect to the RDS instance through a VPC, change your DNS server address to 100.100.2.136 or 100.100.2.138. If you connect to the RDS instance through the Internet, change your DNS server address to 223.5.5.5 or 223.6.6.6. Note You can run the ping command to view the current IP address of an RDS instance. However, we recommend that you connect to an RDS instance by using its endpoint but not IP address because the IP address of an instance may change when the instance is migrated or a primary/secondary switchover is performed.
ERROR 2059 (HY000): Authentication plugin 'caching_sha2_password' cannot be loaded: /usr/xx/xx/caching_sha2_password.so: cannot open shared object file: No such file or directory	MySQL cannot load the `caching_sha2_password` authentication plug-in.	Client running MySQL 8.0: By default, MySQL 8.0 uses the `caching_sha2_password` plug-in. However, the plug-in may be missing in specific systems or due to specific installation methods. If the plug-in is missing, you can use one of the following methods to resolve the issue: Method 1: Use a privileged account to log on to MySQL and execute the following statements to modify plug-in settings for reconnection. `ALTER USER 'your_username'@'localhost' IDENTIFIED WITH mysql_native_password BY 'your_password'; FLUSH PRIVILEGES;` Method 2: Install MySQL again to fix the plug-in. `sudo yum reinstall mysql-server` Client running MySQL 5.x: The client version is outdated and does not support the `caching_sha2_password` plug-in. In this case, install MySQL 8.0. `sudo yum install mysql-server`
[Note] [MY-010914] [Server] Aborted connection 671541 to db: 'XXX' user: 'XXX' host: 'XXX' (The client was disconnected by the server because of inactivity.).	The connection to the RDS instance is closed.	The error occurs because the client does not send requests for a long period of time and the interaction timeout period of the server ends. If the RDS instance runs MySQL, `interactive_timeout` or `wait_timeout` is used to specify an interaction timeout period. Check the configuration of the RDS instance and adjust the timeout settings based on your business requirements. This prevents unexpected disconnections.
Access denied for user 'root'@'XXX' (using password: YES) to database 'XX'	MySQL denies access to the RDS instance from the ECS instance by using the `root` account.	By default, MySQL allows only the logons that you initiate from the localhost by using the credentials of the `root` account. Logons from remote IP addresses are denied. In this case, create a dedicated account to connect to the RDS instance. `-- Create a dedicated account that is allowed to connect to the instance only from the IP address of the ECS instance. CREATE USER '<user_name>'@'<172.16.XX.XX>' IDENTIFIED BY '<password>'; -- Grant permissions on the required database based on the Principle of Least Privilege (PoLP). GRANT SELECT, INSERT, UPDATE, DELETE ON <database_name>.* TO '<user_name>'@'<172.16.XX.XX>'; FLUSH PRIVILEGES;`
From XXX (172.17.XX.XX) icmp_seq=1 Destination Host Unreachable	The internal CIDR block of the RDS instance conflicts with the CIDR block of another service such as ECS.	What do I do if I am unable to connect to an ApsaraDB RDS instance and the "Destination Host Unreachable" error message is displayed when I ping the internal endpoint of the instance?

Errors reported when you connect to an RDS instance by using Data Management (DMS)

For more information, see Use DMS to log on to an ApsaraDB RDS for MySQL instance.

Important

After you reset the password of your account, you must log on to DMS again with the new password.

Error message	Cause	Solution
The MYSQL server is running with the --rds-deny-access option so it cannot execute this statement	The RDS instance expires. The storage capacity of the RDS instance is exhausted.	Log on to the ApsaraDB RDS console and check whether the RDS instance is locked. If the instance is locked due to expiration, renew the instance. If the instance is locked due to insufficient storage capacity, expand the instance storage capacity.
You cannot use DMS to connect to the RDS instance.	You are not the owner of the RDS instance, and the owner of the RDS instance has not granted you the logon permissions.	Authorize an Alibaba Cloud account
Check whether the endpoint is valid, the IP address whitelists are correctly configured, and network communication is normal.	In most cases, this error occurs due to the following reasons when you connect a self-managed MySQL database that resides on an ECS instance or an on-premises host to the RDS instance: The firewall of the ECS instance or the firewall of the on-premises host does not allow access from the RDS instance. The security group to which the ECS instance belongs does not allow access from DMS. The self-managed MySQL database is not started. The self-managed MySQL database allows only the logons by using the credentials of the root account.	Check the firewall rules of the ECS instance or the on-premises host on which the self-managed MySQL database resides. Add the IP address of the DMS server to the security group of the ECS instance. Use the root account to log on to the MySQL database. For more information, see Solutions.
max_user_connections	The number of connections to the RDS instance reaches the upper limit.	Resolve the issue that the number connections to the RDS instance reaches the upper limit.
Cannot log on to the RDS instance due to issues related to the IP address whitelist.	The CIDR block of the DMS server is not added to an IP address whitelist of the RDS instance.	Add the CIDR block of the DMS server to an IP address whitelist of the RDS instance.

Issues that cause failures to connect an ECS instance to an RDS instance over an internal network

Before you connect an ECS instance to an ApsaraDB RDS instance by using the internal endpoint of the ApsaraDB RDS instance, you must add the private IP address of the ECS instance to an IP address whitelist of the ApsaraDB RDS instance.
Note
- For more information about how to configure an IP address whitelist, see Configure an IP address whitelist for an ApsaraDB RDS for MySQL instance.
- If you add the public IP address of the ECS instance to an IP address whitelist of the RDS instance, you cannot connect the ECS instance to the RDS instance over an internal network.
You can connect an ECS instance to an RDS instance over an internal network only when the instances reside in the same region. The instances can reside in the same zone or different zones of the same region.
- Make sure that the ECS instance and the RDS instance reside in the same region.
  1. View the region in which the ECS instance resides.
  2. View the region in which the RDS instance resides.
- If the ECS instance and the RDS instance reside in different regions, the instances cannot directly communicate with each other over an internal network. In this case, you can use one of the following methods to resolve the issue:
  - Method 1:
    - Release the ECS instance. Then, purchase an ECS instance that resides in the same region as the RDS instance.
    - Release the RDS instance. Then, purchase an RDS instance that resides in the same region as the ECS instance.
  - Method 2: Connect the ECS instance to the RDS instance by using the public endpoint of the RDS instance. This method delivers poor performance, security, and stability. For more information about how to apply for a public endpoint, see Apply for or release a public endpoint for an ApsaraDB RDS for MySQL instance.

Check network types

Make sure that the ECS instance and the RDS instance both reside in VPCs or in the classic network.
- View the network type of the ECS instance.
- View the network type of the RDS instance.
If one instance resides in the classic network and the other instance resides in a VPC, use one of the following methods to resolve the issue:
- Methods suitable in scenarios in which the ECS instance resides in a VPC and the RDS instance resides in the classic network:
  - Method 1: Migrate the RDS instance from the classic network to the VPC in which the ECS instance to be connected resides. We recommend that you use this method. For more information, see Change the network type.
  - Method 2: Purchase an ECS instance that resides in the classic network. Take note that a VPC provides higher security than the classic network. We recommend that you use VPCs.
    Note
    ECS instances cannot be migrated from VPCs to the classic network.
  - Method 3: Connect the ECS instance to the RDS instance by using the public endpoint of the RDS instance. This method delivers poor performance, security, and stability. For more information about how to apply for a public endpoint, see Apply for or release a public endpoint for an ApsaraDB RDS for MySQL instance.
- Methods suitable in scenarios in which the ECS instance resides in the classic network and the RDS instance resides in a VPC:
  - Method 1: Migrate the ECS instance from the classic network to the VPC in which the RDS instance to be connected resides. You can click View Details to the right of the Network Type parameter to view the ID of the VPC in which the RDS instance resides. We recommend that you use this method. For more information, see Migrate an ECS instance.
  - Method 2: Change the network type of the RDS instance from VPC to classic network. Take note that a VPC provides higher security than the classic network. We recommend that you use VPCs.
  - Method 3: Use the ClassicLink feature to connect the classic network-type ECS instance to the VPC-type RDS instance over an internal network. For more information, see Enable ClassicLink.
    Note
    If the instances cannot be connected after the ClassicLink feature is enabled, resolve the issue based on the descriptions in Troubleshoot connection issues between a classic network and a VPC after you establish a ClassicLink connection.
  - Method 4: Connect the ECS instance to the RDS instance by using the public endpoint of the RDS instance. This method delivers poor performance, security, and stability. For more information about how to apply for a public endpoint, see Apply for or release a public endpoint for an ApsaraDB RDS for MySQL instance.
If the ECS instance and the RDS instance both reside in VPCs, make sure that the instances reside in the same VPC.
- View the ID of the VPC in which the ECS instance resides.
- View the network type of the RDS instance.
If the ECS instance and the RDS instance reside in different VPCs, use one of the following methods to resolve the issue:
- Method 1: Migrate the RDS instance to the VPC in which the ECS instance resides. We recommend that you use this method. For more information, see Change the VPC and vSwitch.
- Method 2: Create a Cloud Enterprise Network (CEN) instance to establish a connection between the two VPCs. For more information about CEN, see Use CEN to enable intra-region network communication.
- Method 3: Connect the ECS instance to the RDS instance by using the public endpoint of the RDS instance. This method delivers poor performance, security, and stability. For more information about how to apply for a public endpoint, see Apply for or release a public endpoint for an ApsaraDB RDS for MySQL instance.
If the ECS instance and the RDS instance reside in the same VPC and the same region, the ECS instance can connect to the RDS instance by using the public endpoint rather than the internal endpoint of the RDS instance, and both the ping and telnet commands return connection failures, you can resolve the issue based on the descriptions in What do I do if an ECS instance cannot connect to an ApsaraDB RDS instance due to routing problems?

Issues that cause failures to connect to an RDS instance over the Internet

Check the Internet connection to the instance
Make sure that the public endpoint of the RDS instance is used for the connection. You can view the public endpoint of the RDS instance on the Database Connection page in the ApsaraDB RDS console.
Check whether the public IP address of the on-premises device is added to the whitelist of the RDS instance
Important
The public IP address of an on-premises device may dynamically change, which results in connection failures. To maintain a stable connection, we recommend that you connect to the RDS instance over the internal network or specify public CIDR blocks that cover the variation of the device's public IP address in the whitelist of the RDS instance.
Make sure that the public IP address of the on-premises device that you want to connect to the RDS instance is added to an IP address whitelist of the RDS instance. If the on-premises device can be connected to the RDS instance after 0.0.0.0/0 is added to the IP address whitelist of the RDS instance, the device IP address that you added to the IP address whitelist is incorrect. In this case, obtain the correct public IP address of an on-premises device and then add the public IP address to an IP address whitelist of the RDS instance. For more information about how to configure an IP address whitelist, see Configure an IP address whitelist for an RDS for MySQL instance.

For more information, see the following topics:

Why am I unable to connect to my ApsaraDB RDS for MySQL instance or ApsaraDB RDS for MariaDB instance from a local server over the Internet?

Errors reported during the connection between the ECS instance and RDS instance that are created within different Alibaba Cloud accounts

You can use one of the following methods to connect the instances:

Method 1: Use a VPC peering connection. For more information, see VPC Peering Connection. We recommend that you use this method.
Method 2: Use a RAM role and RAM policy. For more information, see RAM roles.
Method 3: Connect the ECS instance to the RDS instance by using the public endpoint of the RDS instance. This method delivers poor performance, security, and stability. For more information about how to apply for a public endpoint, see Apply for or release a public endpoint for an ApsaraDB RDS for MySQL instance.

Reference

Troubleshoot issues due to which an ApsaraDB RDS instance cannot be connected

Application scope

ApsaraDB RDS