Skip to content

Instantly share code, notes, and snippets.

@kaushik94

kaushik94/rds-troubleshooting.md

Created January 31, 2026 16:13
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save kaushik94/14c4440b8d4027e84199313e2f22e0d0 to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save kaushik94/14c4440b8d4027e84199313e2f22e0d0 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
rds-troubleshooting.md

AWS RDS PostgreSQL Connection Troubleshooting Conversation

Date context: January 31, 2026 (as provided)

Initial User Query

I want to connect to my rds instance using psql I allowed all traffic still mo use

Grok Response 1 (Summary)

  • Even with security group allowing all traffic, common blockers are:
    1. Publicly accessible = No
    2. Subnets lack route to Internet Gateway (0.0.0.0/0 → igw-…)
    3. Network ACLs blocking
    4. Local firewall/ISP blocking port 5432
    5. Wrong endpoint/port/credentials
  • Diagnostic commands: ping, telnet/Test-NetConnection on port 5432
  • Recommended psql example command provided

User Follow-up 1

what if public access is disabled?

Grok Response 2 (Summary)

If Publicly accessible = No:

  • Instance has only private IP — no direct public connection possible
  • Options:
    1. Temporarily set to Yes (for dev/testing)
    2. Use EC2 bastion + SSH tunnel (most common secure method)
      • Example SSH tunnel: ssh -L 5433:endpoint:5432 ec2-user@ec2-dns
      • Then psql -h localhost -p 5433 ...
    3. AWS SSM Session Manager port forwarding
    4. Client VPN / Site-to-Site VPN
    5. Other: EC2 Instance Connect Endpoint, etc.
  • Recommendation: Use bastion/SSH tunnel for secure access without exposing DB

User Follow-up 2

can we disable this ssl connection

Grok Response 3 (Summary)

Yes — controlled by rds.force_ssl parameter (default = 1 / on in PostgreSQL 15+)

Steps to disable:

  1. Create/edit custom DB parameter group
  2. Set rds.force_ssl = 0
  3. Associate with instance → Apply & reboot
  4. Connect with PGSSLMODE=disable or sslmode=disable

Warnings:

  • Security risk (unencrypted traffic)
  • Better to keep enabled + use proper SSL (rds-ca bundle + verify-full)
  • Example psql with disable provided

User Follow-up 3

Internet access gateway Disabled is shown on my instance

Grok Response 4 (Summary)

"Internet access gateway: Disabled" means no route to Internet Gateway — subnets are private.

Fix options:

Option 1: Make public (for testing)

  1. Attach IGW to VPC (if missing)
  2. Add 0.0.0.0/0 → igw- route to subnet route table(s)
  3. Enable auto-assign public IP on subnets (optional)
  4. Ensure Public access = Yes on RDS
  5. Wait → status should change to Enabled

Security: Restrict SG to your IP only

Option 2: Keep private (recommended for prod)

  • Launch EC2 bastion in public subnet
  • Allow 5432 from EC2 SG to RDS SG
  • Use SSH tunnel (example commands repeated)
  • Keeps "Internet access gateway: Disabled" — which is secure

Recommendation: Add the IGW route if you want quick public access; otherwise use bastion.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment