
ApsaraDB RDS: What do I do if I fail to connect to an ApsaraDB RDS instance?

Last Updated: Mar 28, 2026

Connection failures typically fall into four categories: network misconfiguration, IP address whitelist issues, invalid credentials, or reaching the connection limit. Start by identifying which category your error belongs to, then follow the steps for your database engine.

Common errors by category

Network errors

These errors indicate that the client cannot reach the RDS instance over the network.

ApsaraDB RDS for MySQL and ApsaraDB RDS for MariaDB

Error messages:

  • ERROR 2003 (HY000): Can't connect to MySQL server on 'XXX' (10038, 10060, or 110)

  • Cannot connect to a database: XXX

Fix: Check all four of the following:

  1. The Elastic Compute Service (ECS) instance and the RDS instance are in the same region.

  2. Both instances use the same network type (both in a virtual private cloud (VPC), or both in the classic network).

  3. If both use a VPC, they are in the same VPC.

  4. The private IP address of the ECS instance is added to an IP address whitelist of the RDS instance.

For a detailed walkthrough, see Solutions.

ApsaraDB RDS for SQL Server

Error message:

  • Cannot connect to XXX. A network-related or instance-specific error occurred while connecting to SQL Server... (Microsoft SQL Server, Error: 10060 or 258)

Fix: Check all five of the following:

  1. The ECS instance and the RDS instance are in the same region.

  2. Both instances use the same network type.

  3. If both use a VPC, they are in the same VPC.

  4. The private IP address of the ECS instance is added to an IP address whitelist of the RDS instance.

  5. The internal endpoint and port of the RDS instance are correctly configured on the ECS instance.

For a detailed walkthrough, see Solutions.

ApsaraDB RDS for PostgreSQL

Error message:

  • Unable to connect to server: could not connect to server: Connection timed out (0x0000274C/10060) Is the server running on host "XXX.rds.aliyuncs.com" and accepting TCP/IP connections on port XXX?

Fix:

  1. Confirm which endpoint type to use: Find your endpoint on the Database Connection page in the ApsaraDB RDS console.

    • Internal endpoint: Use this when your client (ECS instance or application server) is in the same region and uses the same network type as the RDS instance. If the network type is VPC, the VPC IDs must also be the same.

    • Public endpoint: Use this when connecting from an on-premises device or an ECS instance in a different VPC or region. You must apply for a public endpoint first—see Apply for or release a public endpoint.

  2. Add the IP address of your ECS instance or on-premises device to the IP address whitelist of the RDS instance. To get the public IP address of your device, run:

    curl ipinfo.io/ip

    For whitelist configuration instructions, see Configure an IP address whitelist.

  3. If you use the enhanced whitelist mode, verify that the IP address is added to the correct whitelist group. See Enhanced whitelist mode.

For a detailed walkthrough, see Solutions.

DNS resolution errors

These errors appear when the client cannot resolve the RDS endpoint to an IP address.

Error messages (MySQL / MariaDB):

  • ERROR 2005 (HY000): Unknown MySQL server host 'XXX' (110 or 11004)

  • SQLSTATE[HY000] [2002] php_network_getaddresses: getaddrinfo failed: Name or service not known

  • Name or service not known

  • unknown server host

Fix:

  1. Check that the endpoint is correct. Common mistakes:

    • Typos in the endpoint. RDS endpoints follow the format rm-xxx.xxx.rds.aliyuncs.com.

    • The public endpoint was manually released and is no longer active.

    • The endpoint is truncated by the application because it exceeds the application's maximum string length.

  2. If the endpoint is correct but the error persists, update your DNS server address to Alibaba Cloud's DNS server based on your connection type:

    Connection type    DNS server addresses
    Classic network    10.143.22.116 or 10.143.22.118
    VPC                100.100.2.136 or 100.100.2.138
    Internet           223.5.5.5 or 223.6.6.6
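
The network and DNS sections above describe two different failure stages, and a client-side probe can tell them apart before any database driver is involved. The following is an added example, not Alibaba Cloud code: the function name probe, the NEXT_STEP wording and its mapping to this page's sections are assumptions made for illustration.

```python
import socket
import sys

# Which part of this page to follow for each outcome (wording added here).
NEXT_STEP = {
    "dns": "DNS resolution errors: check the endpoint spelling, then the DNS server",
    "timeout": "Network errors: check region, network type, VPC and the whitelist",
    "refused": "Network errors: check the endpoint and port configured on the client",
    "unreachable": "Network errors: check routing between the client and the instance",
    "ok": "TCP works: a failing login is a whitelist, credential or connection-limit issue",
}

def probe(host, port, timeout=5.0):
    """Try one TCP connection and return (stage, detail)."""
    try:
        # Stage 1: resolve the endpoint (a MySQL client reports ERROR 2005 here).
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return "dns", f"cannot resolve {host!r}: {exc}"
    result = ("unreachable", "no address was returned")
    for family, socktype, proto, _canon, addr in infos:
        with socket.socket(family, socktype, proto) as sock:
            sock.settimeout(timeout)
            try:
                # Stage 2: TCP handshake with the resolved address.
                sock.connect(addr)
            except (socket.timeout, TimeoutError):
                # Packets dropped silently: OS codes 10060 (Windows) / 110 (Linux).
                result = ("timeout", f"no reply from {addr[0]}:{addr[1]}")
            except ConnectionRefusedError:
                result = ("refused", f"{addr[0]}:{addr[1]} rejected the connection")
            except OSError as exc:
                result = ("unreachable", f"{addr[0]}:{addr[1]}: {exc}")
            else:
                return "ok", f"TCP connection to {addr[0]}:{addr[1]} succeeded"
    return result

if __name__ == "__main__":
    # Usage: python probe.py <endpoint> <port>
    stage, detail = probe(sys.argv[1], int(sys.argv[2]))
    print(f"{stage}: {detail}\n-> {NEXT_STEP[stage]}")
```

A result of "ok" only proves that the TCP handshake completed; several whitelist errors listed below are reported after the connection is established.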

IP address whitelist errors

These errors mean your client's IP address is blocked by the RDS instance whitelist.

Error messages (MySQL / MariaDB):

  • ERROR 1045 (HY000): #28000ip not in whitelist

  • ERROR 2801 (HY000): #RDS00ip not in whitelist, client ip is XXX

  • ERROR 2013 (HY000): Lost connection to MySQL server at 'reading authorization packet', system error: 110

Error message (SQL Server):

  • Cannot connect to XXX. A connection was successfully established with the server, but an error occurred during the logon process... (Microsoft SQL Server, Error: 64)

Error messages (PostgreSQL):

  • server closed the connection unexpectedly This probably means the server terminated abnormally before or while processing the request.

  • Error connecting to the server: FATAL: no pg_hba.conf entry

Error message (DMS):

  • Cannot log on to the RDS instance due to issues related to the IP address whitelist.

Fix: Check and update the IP address whitelist for your engine:

For a detailed walkthrough, see Check the IP address whitelist of the RDS instance.

For DMS whitelist issues, see Add the CIDR block of the DMS server to an IP address whitelist.

Authentication errors

These errors indicate that the username or password is incorrect.

Error messages (MySQL / MariaDB):

  • ERROR 1045 (28000): Access denied for user 'XXX'@'XXX' (using password: YES or NO)

  • ERROR 1045 (28000): Authentication Failed For RDS maybe username or password is incorrect

  • Access denied for user 'root'@'XXX' (using password: YES) to database 'XX'

Error message (PostgreSQL):

  • FATAL: password authentication failed for user "xxx".

Fix:

  • Verify the username and password in your connection string.

  • ApsaraDB RDS does not provide root accounts. If you need an account, create a dedicated one—see Create an account.

  • If the password contains special characters, enclose it in single quotation marks. For example: -p 'your_password'.

  • To reset a forgotten password, go to the Accounts page of your RDS instance in the ApsaraDB RDS console and change the password there.

    A new password takes effect a few minutes after you change it. If you use Data Management (DMS), log in to DMS again with the new password.

  • For PostgreSQL, see Reset a password.

root account access denied (MySQL):

By default, MySQL allows root account logins only from localhost. Remote root logins are denied. Create a dedicated account with the minimum required permissions:

    -- Create an account that can connect only from the ECS instance IP address
    CREATE USER '<user_name>'@'<172.16.XX.XX>' IDENTIFIED BY '<password>';

    -- Grant only the permissions needed, following the principle of least privilege (PoLP)
    GRANT SELECT, INSERT, UPDATE, DELETE ON <database_name>.* TO '<user_name>'@'<172.16.XX.XX>';
    FLUSH PRIVILEGES;

Authentication plug-in errors (MySQL 8.0)

Error message:

  • ERROR 2059 (HY000): Authentication plugin 'caching_sha2_password' cannot be loaded: /usr/xx/xx/caching_sha2_password.so: cannot open shared object file: No such file or directory

Cause: MySQL 8.0 uses caching_sha2_password by default, but the plug-in may be missing depending on the system or installation method.

Fix:

  • Client running MySQL 8.0 (plug-in missing): Use one of these methods:

    • Method 1: Switch the account to use mysql_native_password.

        ALTER USER 'your_username'@'localhost' IDENTIFIED WITH mysql_native_password BY 'your_password';
        FLUSH PRIVILEGES;

    • Method 2: Reinstall MySQL to restore the plug-in.

        sudo yum reinstall mysql-server

  • Client running MySQL 5.x: The client version does not support caching_sha2_password. Install MySQL 8.0.

    sudo yum install mysql-server

Connection limit errors

These errors occur when the RDS instance has reached its maximum number of connections.

Error messages:

  • FATAL: remaining connection slots are reserved for non-replication superuser connections (PostgreSQL)

  • Logon failed for login 'user' due to trigger execution (SQL Server)

  • max_user_connections (DMS)

Fix:

Connection timeout (MySQL)

Error message:

  • [Note] [MY-010914] [Server] Aborted connection 671541 to db: 'XXX' user: 'XXX' host: 'XXX' (The client was disconnected by the server because of inactivity.)

Cause: The client was idle long enough for the server's interaction timeout to expire. MySQL uses interactive_timeout or wait_timeout to specify an interaction timeout period.

Fix: Adjust the timeout parameters in your RDS instance configuration to match your application's idle behavior.

Instance locked errors (DMS)

Error message:

  • The MYSQL server is running with the --rds-deny-access option so it cannot execute this statement

Cause: The RDS instance is locked due to expiration or exhausted storage capacity.

Fix: Log in to the ApsaraDB RDS console and check whether the instance is locked:

"Destination Host Unreachable" error

Error message:

  • From XXX (172.17.XX.XX) icmp_seq=1 Destination Host Unreachable

Cause: The internal CIDR block of the RDS instance conflicts with the CIDR block of another service, such as an ECS instance.

Fix: See What do I do if I am unable to connect to an ApsaraDB RDS instance and the "Destination Host Unreachable" error message is displayed?

Connect an ECS instance over an internal network

Before connecting an ECS instance to an RDS instance using the internal endpoint, confirm the following:

  • The private IP address of the ECS instance is added to an IP address whitelist of the RDS instance. Adding the public IP address instead will not work for internal network connections.

  • The ECS instance and the RDS instance are in the same region. Instances in different zones of the same region can communicate over an internal network, but instances in different regions cannot.

For whitelist configuration, see: MySQL | SQL Server | PostgreSQL | MariaDB

If the instances are in different regions

You cannot connect them over an internal network. Use one of these approaches:

  • Option 1 (preferred): Move the instances to the same region by releasing and repurchasing one of them.

  • Option 2: Connect over the Internet using the RDS public endpoint. This delivers lower performance, security, and stability than an internal connection.

Check network types

Both instances must use the same network type—either VPC or classic network.

If ECS is in a VPC and RDS is in the classic network:

  • Option 1 (preferred): Migrate the RDS instance to the VPC. See Change the network type.

  • Option 2: Purchase a new ECS instance in the classic network. Note that a VPC provides higher security than the classic network.

    ECS instances cannot be migrated from VPCs to the classic network.

  • Option 3: Use the public endpoint of the RDS instance. This delivers lower performance, security, and stability.

If ECS is in the classic network and RDS is in a VPC:

  • Option 1 (preferred): Migrate the ECS instance to the VPC. To find the VPC ID, click View Details next to Network Type for the RDS instance. See Migrate an ECS instance.

  • Option 2: Change the RDS network type to classic network. Note that a VPC provides higher security than the classic network.

  • Option 3: Use the ClassicLink feature to connect the classic network-type ECS instance to the VPC-based RDS instance over an internal network. See Enable ClassicLink.

    If the connection still fails after enabling ClassicLink, see Troubleshoot connection issues after establishing a ClassicLink connection.

  • Option 4: Use the public endpoint. This delivers lower performance, security, and stability.

If both instances are in VPCs but different VPCs

If both instances are in the same VPC and region but the connection still fails

If the public endpoint works but both ping and telnet fail on the internal endpoint, there may be a routing problem. See What do I do if an ECS instance cannot connect to an RDS instance due to routing problems?

Connect over the Internet

Use the public endpoint of the RDS instance for Internet connections. Find it on the Database Connection page in the ApsaraDB RDS console.

Important

The public IP address of an on-premises device may change dynamically, which can cause intermittent connection failures. For a stable connection, use an internal network connection or add a public CIDR block that covers the range of your device's IP address to the whitelist.

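Add the public IP address of your device to the IP address whitelist of the RDS instance. To verify that the whitelist is the issue, temporarily add 0.0.0.0/0 to the whitelist. If the connection then succeeds, the IP address you originally added was incorrect. Because 0.0.0.0/0 allows every IP address to reach the instance, remove it as soon as the test is done and add the correct address instead.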

For whitelist configuration, see: MySQL | SQL Server | PostgreSQL | MariaDB
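
The whitelist rules for internal and Internet connections can be checked offline before changing anything in the console. The following is an added example, not Alibaba Cloud code: the function name check_whitelist and all sample addresses are constructed for illustration, and it assumes whitelist entries are single IP addresses or CIDR blocks.

```python
import ipaddress

def check_whitelist(entries, private_ip, public_ip, endpoint):
    """Return (allowed, notes) for a client that connects to `endpoint`.

    endpoint is "internal" or "public"; entries are IPs or CIDR blocks.
    """
    # The instance sees the private IP on the internal endpoint and the
    # public IP on the public endpoint, so only that address has to match.
    internal = endpoint == "internal"
    seen = ipaddress.ip_address(private_ip if internal else public_ip)
    other = ipaddress.ip_address(public_ip if internal else private_ip)
    nets, notes = [], []
    for raw in entries:
        try:
            net = ipaddress.ip_network(raw.strip(), strict=False)
        except ValueError:
            notes.append(f"malformed entry ignored: {raw!r}")
            continue
        if net.prefixlen == 0:
            notes.append(f"{net} admits every address; remove it after testing")
        nets.append(net)
    allowed = any(seen in net for net in nets)
    if not allowed and any(other in net for net in nets):
        notes.append(f"whitelist covers {other}, but {endpoint} connections arrive from {seen}")
    return allowed, notes

if __name__ == "__main__":
    # Constructed sample addresses, not taken from any real instance.
    cases = [
        (["1.2.3.4"], "internal"),        # public IP whitelisted by mistake
        (["172.16.0.5"], "internal"),     # private IP whitelisted
        (["1.2.3.0/24"], "public"),       # CIDR block covering a changing IP
        (["0.0.0.0/0"], "public"),        # test-only entry
    ]
    for entries, endpoint in cases:
        print(entries, endpoint, check_whitelist(entries, "172.16.0.5", "1.2.3.4", endpoint))
```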

For more information:

Connect instances across Alibaba Cloud accounts

To connect an ECS instance and an RDS instance that belong to different Alibaba Cloud accounts:

Connect using Data Management (DMS)

For DMS-specific connection issues, refer to the guide for your engine:

DMS-specific error: Check whether the endpoint is valid, the IP address whitelists are correctly configured, and network communication is normal.

This error occurs when connecting a self-managed MySQL database (on an ECS instance or on-premises host) to DMS. Common causes:

  • The firewall on the ECS instance or on-premises host blocks access from DMS.

  • The security group of the ECS instance does not allow access from DMS.

  • The self-managed MySQL database is not running.

  • The self-managed MySQL database only allows root account logins.

Fix:

  • Check and update the firewall rules on the ECS instance or on-premises host.

  • Add the DMS server IP address to the ECS instance security group.

  • Use the root account to log in to MySQL.

For more information, see Solutions.

DMS-specific error: You cannot use DMS to connect to the RDS instance.

You are not the owner of the RDS instance and have not been granted login permissions. See Authorize an Alibaba Cloud account.
