Help Center> Relational Database Service> User Guide> Working with RDS for MySQL> Instance Connection> Connecting to an RDS for MySQL Instance Through the MySQL CLI Client> Using MySQL CLI to Connect to an Instance Through a Public Network
Updated on 2023-09-26 GMT+08:00
View PDF

Using MySQL CLI to Connect to an Instance Through a Public Network

If you cannot access your DB instance through a floating IP address, bind an EIP to the DB instance and connect to it through the EIP.

This section describes how to connect a Linux ECS to a DB instance with SSL enabled through an EIP. SSL encrypts connections to the DB instance, making in-transit data more secure.

You can also access your DB instance through Network Address Translation (NAT). If you have configured both NAT and EIP, the EIP is preferentially used.

If you want to connect to a DB instance with SSL disabled, see Connecting to a DB Instance from a Linux ECS.

Step 1: Buy an ECS

  1. Log in to the management console and check whether there is an ECS available.
    Figure 1 ECS
  2. Buy an ECS and select Linux (for example, CentOS) as its OS.

    To download a MySQL client to the ECS, bind an EIP to the ECS.

    For details about how to purchase a Linux ECS, see "Purchasing an ECS" in Elastic Cloud Server Getting Started.

  3. On the ECS Information page, view the region and VPC of the ECS.
    Figure 2 ECS information
  4. On the Basic Information page of the RDS for MySQL instance, view the region and VPC of the DB instance.
    Figure 3 DB instance information

Step 2: Test Connectivity and Install a MySQL Client

  1. Log in to the ECS. For details, see "Login Using an SSH Password" in the Elastic Cloud Server User Guide.
  2. On the Instances page, click the DB instance name.
  3. Choose Connectivity & Security from the navigation pane. In the Connection Information area, obtain the EIP and database port of the DB instance.
    Figure 4 Connection information

    If no EIP has been bound to the DB instance, see Binding an EIP.

  4. On the ECS, check whether the EIP and database port of the DB instance can be connected.

    telnet EIP 3306

    • If yes, network connectivity is available.
    • If no, check the security group rules.
      • If in the security group of the ECS, there is no outbound rule with Destination set to 0.0.0.0/0 and Protocol & Port set to All, add an outbound rule for the EIP and port of the DB instance.
        Figure 5 ECS security group
      • If in the security group of the DB instance, there is no inbound rule with Source set to 0.0.0.0/0 and Protocol & Port set to All, add an inbound rule for the private IP address and port of the ECS. For details, see Configuring Security Group Rules.
        Figure 6 DB instance security group
  5. Download the MySQL client installation package for Linux locally.

    Find the corresponding version, for example, mysql-community-client-5.7.38-1.el6.x86_64.rpm, and download the installation package. A MySQL client running a version later than that of the DB instance is recommended.

    Figure 7 Download
  6. Upload the installation package to the ECS.

    You can use any terminal connection tool, such as WinSCP and PuTTY, to upload the installation package to the ECS.

  7. Run the following command on the ECS to install the MySQL client:

    rpm -ivh --nodeps mysql-community-client-5.7.38-1.el6.x86_64.rpm

    • If any conflicts occur during the installation, add the replacefiles parameter to the command and install the client again.

      rpm -ivh --replacefiles mysql-community-client-5.7.38-1.el6.x86_64.rpm

    • If a message is displayed prompting you to install a dependency package during the installation, add the nodeps parameter to the command and install the client again.

      rpm -ivh --nodeps mysql-community-client-5.7.38-1.el6.x86_64.rpm

Step 3: Connect to the DB Instance Using Commands (SSL Connection)

  1. On the Instances page, click the DB instance name.
  2. In the DB Information area, check whether SSL is enabled.
    • If yes, go to 3.
    • If no, click . In the displayed dialog box, click Yes to enable SSL. Then go to 3.
  3. Click next to the SSL field to download Certificate Download.zip, and extract the root certificate ca.pem and bundle ca-bundle.pem from the package.
  4. Upload ca.pem to the ECS.
    • Since April 2017, RDS has offered a new root certificate that has a 20-year validation period. The new certificate takes effect after DB instances are rebooted. Replace the old certificate before it expires to improve system security.

      For details, see How Can I Identify the Validity Period of an SSL Root Certificate?

    • TLS v1.2 or later is recommended. Versions earlier than TLS v1.2 have security risks.
    • ca-bundle.pem contains both the new certificate provided as of April 2017 and the old certificate.
    • Both ca.pem and ca-bundle.pem can be used for SSL connections because ca-bundle.pem contains ca.pem.
    • RDS for MySQL DB instances do not support X.509-based authentication.
  5. Run the following command on the ECS to connect to the DB instance:
    • Method 1

      mysql -h <host> -P <port> -u <userName> -p --ssl-ca=<caName>

      Example:

      mysql -h 172.16.0.31 -P 3306 -u root -p --ssl-ca=ca.pem

    • Method 2

      mysql -h <host> -P <port> -u <userName> -p --ssl-capath=<caPath>

    Table 1 Parameter description

    Parameter

    Description

    <host>

    EIP obtained in 3.

    <port>

    Database port obtained in 3. The default value is 3306.

    <userName>

    Administrator account root.

    <caName>

    Name of the CA certificate. The certificate should be stored in the directory where the command is executed.

    <caPath>

    Path of the CA certificate.
  6. Enter the password of the database account if the following information is displayed:
    Enter password:

FAQs

What Should I Do If I Can't Connect to My RDS DB Instance?

Follow-up Operations

After logging in to the DB instance, you can create or migrate databases.