Instance Connection Failure

Last updated: 2021-08-30 16:00:26

    Error Description

    • Symptom 1: failed to connect to or log in to a TencentDB for MySQL instance from a CVM instance.
    • Symptom 2: failed to connect to or log in to a TencentDB for MySQL instance from a local device.
    • Symptom 3: failed to connect to or log in to a TencentDB for MySQL instance from DMC.

    Possible Causes

    | Possible Cause | Description |
    |---|---|
    | Network issue 1 | The CVM instance is in a VPC but the MySQL instance in the classic network. |
    | Network issue 2 | The CVM instance is in the classic network but the MySQL instance in a VPC. |
    | Network issue 3 | The CVM and MySQL instances are in the same region but different VPCs. |
    | Network issue 4 | The CVM and MySQL instances are in different regions and different VPCs. |
    | Security group issue | The security group configuration of the CVM instance is incorrect. |
    | Security group issue | The security group configuration of the MySQL instance is incorrect. |
    | Database account authorization issue | The needed host addresses are not authorized by the database account. |
    | Connection command syntax issue | The connection command is incorrect. |
    | IP and port issue | The IP and port in commands or configuration files are incorrect. |
    | MySQL instance status | The MySQL instance is isolated. Please go to the recycle bin to restore it. |
    | CVM instance status | The CVM instance is isolated or shut down. Please go to the console to restore or start it up. |
    | Public network access status | The public network access is disabled for the MySQL instance. Please refer to Connecting to MySQL Instance to enable it. |

    Solutions

    Solutions to symptoms 1 and 2

    1. Use the diagnosis tool to locate the causes.
      You can use the one-click connectivity checker provided in the TencentDB for MySQL console to locate the causes, solve the issues by following the handling suggestions, and connect again.
    2. Locate the causes by yourself.
      If the causes cannot be located by the one-click connectivity checker, you can locate them by yourself by following Step 2 of the Troubleshooting Procedure below.

    Solution to symptom 3

    1. Confirm that the database account has authorized all IPs of DMC servers in the region. For more information about authorization, please see Modifying Host Addresses with Access Permissions. You can also set % as the host address authorized by the database account to allow all IPs, and only use security groups to control database access.
    2. If you confirm that all needed IPs are authorized, then the cause could be an incorrect password. In that case, you can enter the password again, reset the password, or create a temporary account with sufficient permissions.

    Troubleshooting Procedure

    Symptoms 1 and 2: troubleshooting CVM or local connection issues

    Step 1. Use the one-click connectivity checker to locate causes and solve the issues

    1. Log in to the TencentDB for MySQL console. In the instance list, click the ID of the instance to be checked and access the instance management page.
    2. Select Connection Check > Private Network Check or Public Network Check.
      Note:

      You can view the private and public network addresses in the Basic Info section on the Instance Details page.

    3. Add CVMs or public network servers that need to access the MySQL instance.
      • Private network check: click Add CVMs to Access This Instance.
      • Public network check: click Add Public Network Servers to Access This Instance.
    4. Click Start Check and a check report will be generated after the check is completed.
    5. Locate the causes based on the report, solve the issues by following the handling suggestions, and connect again.
      • Check items and corresponding solutions in the private network check are as follows:
        | Check Item | Exception Handling |
        |---|---|
        | MySQL instance status | The MySQL instance has been terminated. If it is terminated by mistake, please go to the recycle bin to restore it. |
        | CVM instance status | The CVM instance has been terminated. If it is terminated by mistake, please go to the recycle bin to restore it. |
        | CVM instance status | The CVM instance is shut down. To use it, please start it up in the CVM console. |
        | CVM and MySQL are in the same VPC | The networks of the CVM and MySQL instances are of different types. Please refer to Solutions to network issues to modify their network types so that they are in the same type of network. |
        | CVM and MySQL are in the same VPC | The CVM and MySQL instances are using different VPC IP ranges. Please refer to Solutions to network issues to modify their VPCs so that they are in the same VPC in the same region. |
        | CVM security group policy | The outbound rule of the CVM instance's security group rejects the access to the IP and port of the MySQL instance. Please refer to Incorrect CVM security group configuration to modify the outbound rule to allow the access to the IP and port of the MySQL instance. |
        | MySQL security group policy | The inbound rule of the MySQL instance's security group rejects the access from the IP and port of the CVM instance. Please refer to Incorrect MySQL security group configuration to modify the inbound rule to allow the access from the IP and port of the CVM instance. |
      • Check items and corresponding solutions in the public network check are as follows:
        | Check Item | Exception Handling |
        |---|---|
        | MySQL instance status | The MySQL instance has been terminated. If it is terminated by mistake, please go to the recycle bin to restore it. |
        | Public network access status | The public network access has been disabled for the MySQL instance. Please refer to Connecting to MySQL Instance to enable it. |

    Step 2. If the causes cannot be located by the one-click connectivity checker, locate them by yourself

    Incorrect password
    If the password used for connection is incorrect, you can reset the password or create a temporary account with sufficient permissions.

    Incorrect connection command syntax
    Check whether the connection command is correct according to the command syntax: mysql -h hostname -u username -p for private network connection and mysql -h hostname -P port -u username -p for public network connection. For more information, please see Connecting to MySQL Instance.

    Incorrect IP and port in commands or configuration files
    Check whether the IP and port displayed in the TencentDB for MySQL console are consistent with those in commands and configuration files.
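
    The causes in this step can be told apart by looking at what happens on a single TCP connection to the instance address. The sketch below is an added example, not part of the original document or Tencent Cloud tooling; it assumes the endpoint speaks the standard MySQL wire protocol, and the error numbers 1129 and 1130 come from the MySQL server error reference rather than from this page. The function names and verdict strings are hypothetical.

```python
import socket

# Server error numbers from the MySQL error reference (not listed on this page).
ER_HOST_IS_BLOCKED = 1129
ER_HOST_NOT_PRIVILEGED = 1130

def classify_first_packet(data: bytes) -> tuple[str, str]:
    """Interpret the first packet a MySQL server sends after the TCP connect."""
    # Packet layout: 3-byte little-endian payload length, 1-byte sequence id, payload.
    payload = data[4:4 + int.from_bytes(data[:3], "little")]
    if not payload:
        return ("not-mysql", "no MySQL greeting: check the IP and port")
    if payload[0] == 0x0A:  # protocol version 10 handshake
        version = payload[1:].split(b"\x00", 1)[0].decode("ascii", "replace")
        return ("network-ok", f"server {version} answered: check account host and password")
    if payload[0] == 0xFF and len(payload) >= 3:  # ERR packet sent instead of a handshake
        code = int.from_bytes(payload[1:3], "little")
        text = payload[3:].decode("utf-8", "replace")
        if code == ER_HOST_NOT_PRIVILEGED:
            return ("host-not-authorized", text)
        if code == ER_HOST_IS_BLOCKED:
            return ("host-blocked", text)
        return ("server-error", f"{code}: {text}")
    return ("not-mysql", "unexpected first byte: check the IP and port")

def probe(host: str, port: int = 3306, timeout: float = 5.0) -> tuple[str, str]:
    """Connect once, read the greeting, and name the most likely cause."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.gaierror as exc:
        return ("bad-hostname", str(exc))
    except socket.timeout:
        return ("timeout", "packets dropped: check security groups and network type/VPC")
    except ConnectionRefusedError:
        return ("refused", "host reachable but nothing listening: check the port")
    except OSError as exc:
        return ("unreachable", str(exc))
    with sock:
        try:
            return classify_first_packet(sock.recv(4096))
        except socket.timeout:
            return ("not-mysql", "TCP connected but no greeting arrived")
        except OSError as exc:
            return ("unreachable", str(exc))

if __name__ == "__main__":
    # Constructed ERR packet: what a server sends when no account allows the client host.
    err = b"\xff\x6a\x04Host '10.0.0.5' is not allowed to connect to this MySQL server"
    print(classify_first_packet(len(err).to_bytes(3, "little") + b"\x00" + err))
```

    A "network-ok" verdict means security groups and routing are fine and the remaining candidates are the account's authorized hosts or the password; "timeout" points back to the network and security group checks.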

    Incorrect database account permissions
    Besides security groups, subnets, and other network configurations, database accounts control the access to MySQL. If a database account only allows some specific host addresses to access MySQL, the access from other host addresses will be rejected.
    You can modify the host addresses authorized by a database account in the console to control the access to MySQL, thus enhancing database connection security.

    1. Log in to the TencentDB for MySQL console, click an instance ID in the instance list, and enter the instance management page.
    2. Select Database Management > Account Management, find the account for which to modify the host, and select More > Modify Host in the Operation column.
    3. In the pop-up dialog box, enter the new host address and click OK.
      Note:

      The host address can be an IP address and may contain % (indicating not to limit the IP range). Multiple hosts should be separated by line breaks, spaces, semicolons, commas, or vertical bars.

      • Example 1: enter % to indicate not to limit the IP range, that is, clients at all IP addresses are allowed to use this account to connect to the database.
      • Example 2: enter 10.5.10.%, which means that clients whose IP addresses fall within 10.5.10.% are allowed to use this account to connect to the database.
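
    Before saving a new host list, it helps to check which clients it actually admits. The following is an added example, not part of the original document: it parses a host field using the separators listed in the note above and evaluates % with standard MySQL LIKE-style semantics (an assumption; only % is handled because it is the only wildcard this page describes). The function names and sample addresses are constructed for illustration.

```python
import re

# Separators accepted by the console field per the note above:
# line breaks, spaces, semicolons, commas, vertical bars.
_SEPARATORS = re.compile(r"[\s;,|]+")

def parse_hosts(field: str) -> list[str]:
    """Split the Modify Host input into individual host patterns."""
    return [h for h in _SEPARATORS.split(field) if h]

def host_matches(pattern: str, client_ip: str) -> bool:
    """% matches any run of characters in the address string; it is not a CIDR mask."""
    regex = ".*".join(re.escape(part) for part in pattern.split("%"))
    return re.fullmatch(regex, client_ip) is not None

def audit(field: str, expected_clients: list[str], outsiders: list[str]) -> dict:
    """Report clients that would be locked out and outsiders that would be admitted."""
    hosts = parse_hosts(field)

    def admitting(ip: str) -> list[str]:
        return [h for h in hosts if host_matches(h, ip)]

    return {
        # A bare % disables the account-level host restriction entirely.
        "unrestricted": "%" in hosts,
        "locked_out": [ip for ip in expected_clients if not admitting(ip)],
        "unintended": {ip: admitting(ip) for ip in outsiders if admitting(ip)},
    }

if __name__ == "__main__":
    # Constructed sample: "10.5.1%" was meant as a subnet but is a string prefix,
    # so it also admits 10.5.199.3.
    field = "10.5.10.%\n192.168.1.7; 10.5.1%"
    print(audit(field, ["10.5.10.23", "10.5.20.4"], ["10.5.199.3", "172.16.0.9"]))
```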

    Symptom 3: troubleshooting DMC connection issues

    1. Confirm that the database account has authorized all IPs of DMC servers in the region. For more information about authorization, please see Modifying Host Addresses with Access Permissions. You can also set % as the host address authorized by the database account to allow all IPs, and only use security groups to control database access.
    2. If you confirm that all needed IPs are authorized, then the cause could be an incorrect password. In that case, you can enter the password again, reset the password, or create a temporary account with sufficient permissions.

    Appendix 1

    Solutions to network issues

    If the networks of a CVM instance and a TencentDB for MySQL instance are of different types, the former cannot access the latter directly over the private network.

    CVM in a VPC but MySQL in the classic network

    • Solution 1 (recommended): switch the TencentDB for MySQL instance from classic network to VPC as instructed in Network Switch.
      Note:

      • After the switch, both instances must reside in the same VPC before they can interconnect over the private network.
      • The switch from classic network to VPC is irreversible.
      • Switching the network may change the instance's private IP. The original IP will become invalid after the valid period has elapsed. Please modify the instance IP on the client promptly.
        The default valid period of the original IP is 24 hours and the longest valid period can be 168 hours. If the valid period is set to 0 hours, the original IP address will be released immediately after the network switch.
      • The switch from classic network to VPC is irreversible. After the switch to a VPC, the TencentDB instance cannot communicate with Tencent Cloud services in another VPC or classic network.
      • After you switch the network of a source instance, the networks of read-only or disaster recovery instances associated with the source instance won’t be automatically switched, that is, you need to manually switch them.
    • Solution 2: purchase a new CVM instance that resides in the classic network (the existing CVM instance cannot be migrated from VPC to classic network). However, VPC is more secure than classic network and thus highly recommended.
    • Solution 3: connect the CVM instance to the public network address of the TencentDB for MySQL instance. This solution has poor performance, security, and stability, so using a VPC is recommended.

    CVM in the classic network but MySQL in a VPC

    • Solution 1 (recommended): switch the CVM instance from classic network to VPC as instructed in Switching to VPC.
      Note:

      • After the switch, both instances must reside in the same VPC before they can interconnect over the private network.
      • Before migration, unbind the CVM instance from the CLB and ENI in the private and public networks and release the secondary IP address of the primary ENI. Rebind them after migration.
      • During the migration, the CVM instance needs to be restarted. Therefore, please do not perform other operations during this time.
      • Check the instance status after migration and verify whether private network access and remote login work properly.
      • The switch from classic network to VPC is irreversible. After the switch, the CVM instance cannot communicate with Tencent Cloud services in the classic network.
    • Solution 2: use Classiclink.
    • Solution 3: connect the CVM instance to the public network address of the TencentDB for MySQL instance. This solution has poor performance, security, and stability, so using a VPC is recommended.

    CVM and MySQL in the same region but different VPCs

    By default, the CVM and TencentDB for MySQL instances can interconnect over the private network only if they are in the same VPC. If they are in the same region but different VPCs, interconnection over the private network can be achieved in the following ways:

    • Solution 1 (recommended): migrate the MySQL instance to the same VPC as the CVM instance as instructed in Network Switch.
    • Solution 2: create a Cloud Connect Network between the two VPCs.
      Otherwise, the instances can only interconnect over the public network, which has poor performance, security, and stability.

    CVM and MySQL in different regions and different VPCs

    If the CVM and MySQL instances are in different regions and different VPCs, the former cannot access the latter directly over the private network.

    • Solution 1 (recommended): use a CVM instance in the same VPC as the TencentDB for MySQL instance to connect.
    • Solution 2: create a Cloud Connect Network between the two VPCs.
    • Solution 3: connect the CVM instance to the public network address of the TencentDB for MySQL instance. This solution has poor performance, security, and stability, so using a VPC is recommended.

    Solutions to security group configuration issues

    If the security groups of the CVM and MySQL instances are incorrectly configured, the former cannot access the latter directly over the private or public network.

    Incorrect CVM security group configuration

    To use the CVM instance to access the MySQL instance, you need to configure an outbound rule in the security group of the CVM instance. If the target of the outbound rule isn't "0.0.0.0/0" and the protocol port isn't "ALL", the IP and port of the MySQL instance should be added to the rule.

    1. Go to the Security Group page in the CVM console and click the name of the CVM-bound security group to enter its details page.
    2. On the Outbound rule tab, click Add Rule.
      Select MySQL(3306) as Type, enter your TencentDB for MySQL IP address (range) in Target, and select Allow for Policy.

    Incorrect MySQL security group configuration

    To use the CVM instance to access the MySQL instance, you need to configure an inbound rule in the security group of the MySQL instance. If the source of the inbound rule isn't "0.0.0.0/0" and the protocol port isn't "ALL", the IP and port of the CVM instance should be added to the rule.

    1. Go to the Security Group page in the CVM console and click the name of the TencentDB for MySQL-bound security group to enter its details page.
    2. On the Inbound rule tab, click Add Rule.
      Enter the allowed IP address (or range) and port and select Allow.
      Select MySQL(3306) as Type, enter your CVM IP address (range) in Source, and select Allow for Policy.
      Note:

      To connect to a TencentDB for MySQL instance, you must open its port.

      • TencentDB for MySQL uses private network port 3306 by default and supports customizing the port. If the default port is changed, the new port should be opened in the security group.
      • TencentDB for MySQL uses public network port 60719 by default. You can log in to the TencentDB for MySQL console, click an instance ID in the instance list, and view its port number on the instance details page.

    Appendix 2

    Viewing private and public network addresses

    Log in to the TencentDB for MySQL console, click an instance ID in the instance list to enter the instance details page, and view private and public network addresses.

    Viewing network type and VPC information

    To enable connection between CVM and TencentDB for MySQL instances over the private network, they must be under the same account and in the same VPC in the same region, or both in the classic network.

    Note:

    CVM and TencentDB for MySQL instances must be under the same account:

    • If the Network fields in the instance lists both show Classic Network or VPC, it means that the networks of the CVM and TencentDB for MySQL instances are of the same type.
    • If the Network fields in the instance lists both show the same VPC (in the same region), it means that the CVM and TencentDB for MySQL instances are in the same VPC.
    • View CVM network type/VPC: log in to the CVM console and view Network in the instance list.
    • View TencentDB for MySQL network type/VPC: log in to the TencentDB for MySQL console and view Network in the instance list.