AWS RDS / EC2: TimeoutError: Knex: Timeout acquiring a connection. The pool is probably full











up vote
0
down vote

favorite












I'm attempting to retrieve a User model from a Node js 8.12.0 API, using knex and bookshelf ORM. Database is Postgres 10.4.



The API works fine locally, but hosted on ElasticBeanstalk EC2 and RDS, I get error:




Unhandled rejection TimeoutError: Knex: Timeout acquiring a
connection. The pool is probably full. Are you missing a
.transacting(trx) call?




I'm able to connect and make queries to the RDS instance separately via connection string / password (it prompts for pw after I enter this):



psql -h myinstance.zmsnsdbakdha.us-east-1.rds.amazonaws.com -d mydb -U myuser


Security Groups:




  • The EC2 security group (set up by EB) is sg-0fa31004bd2b763ce, and RDS has an inbound security rule for PostgreSQL / TCP / port 5432 / for the matching source (sg-0fa31004bd2b763ce)— so it doesn't seem like the security group is a problem


RDS was created in a VPC, but the VPC's security rules are open too:



- security groups attached (multiple)
- name: mysgname
- group ID: sg-05d003b66fe1a4a94
- Inbound rules:
- All Traffic (0.0.0.0/0)
- HTTP (80) for TCP (0.0.0.0/0)
- SSH (22) for TCP (0.0.0.0/0)
- PostgreSQL (5432) for TCP (0.0.0.0/0)


Publicly accessible: Yes



users controller:



router.get('/users', function(req, res) {
new User.User({'id': 1})
.fetch({withRelated: ['addresses']})
.then((user) => {
res.send(user);
});
});


Knexfile:



production: {
client: 'pg',
version: '7.2',
connection: {
host: process.env.PG_HOST || 'localhost',
port: process.env.PG_PORT || '5432',
user: process.env.PG_USER || 'myuser',
password: process.env.PG_PASSWORD || '',
database: process.env.PG_DB || 'mydb',
charset: 'utf8',
},
pool: {
min: 2,
max: 20
},
},


Firstly, why is this happening only on AWS hosted environment and not locally. Secondly, how can I fix this issue? Should I increase max for pools?










share|improve this question




























    up vote
    0
    down vote

    favorite












    I'm attempting to retrieve a User model from a Node js 8.12.0 API, using knex and bookshelf ORM. Database is Postgres 10.4.



    The API works fine locally, but hosted on ElasticBeanstalk EC2 and RDS, I get error:




    Unhandled rejection TimeoutError: Knex: Timeout acquiring a
    connection. The pool is probably full. Are you missing a
    .transacting(trx) call?




    I'm able to connect and make queries to the RDS instance separately via connection string / password (it prompts for pw after I enter this):



    psql -h myinstance.zmsnsdbakdha.us-east-1.rds.amazonaws.com -d mydb -U myuser


    Security Groups:




    • The EC2 security group (set up by EB) is sg-0fa31004bd2b763ce, and RDS has an inbound security rule for PostgreSQL / TCP / port 5432 / for the matching source (sg-0fa31004bd2b763ce)— so it doesn't seem like the security group is a problem


    RDS was created in a VPC, but the VPC's security rules are open too:



    - security groups attached (multiple)
    - name: mysgname
    - group ID: sg-05d003b66fe1a4a94
    - Inbound rules:
    - All Traffic (0.0.0.0/0)
    - HTTP (80) for TCP (0.0.0.0/0)
    - SSH (22) for TCP (0.0.0.0/0)
    - PostgreSQL (5432) for TCP (0.0.0.0/0)


    Publicly accessible: Yes



    users controller:



    router.get('/users', function(req, res) {
    new User.User({'id': 1})
    .fetch({withRelated: ['addresses']})
    .then((user) => {
    res.send(user);
    });
    });


    Knexfile:



    production: {
    client: 'pg',
    version: '7.2',
    connection: {
    host: process.env.PG_HOST || 'localhost',
    port: process.env.PG_PORT || '5432',
    user: process.env.PG_USER || 'myuser',
    password: process.env.PG_PASSWORD || '',
    database: process.env.PG_DB || 'mydb',
    charset: 'utf8',
    },
    pool: {
    min: 2,
    max: 20
    },
    },


    Firstly, why is this happening only on AWS hosted environment and not locally. Secondly, how can I fix this issue? Should I increase max for pools?










    share|improve this question


























      up vote
      0
      down vote

      favorite









      up vote
      0
      down vote

      favorite











      I'm attempting to retrieve a User model from a Node js 8.12.0 API, using knex and bookshelf ORM. Database is Postgres 10.4.



      The API works fine locally, but hosted on ElasticBeanstalk EC2 and RDS, I get error:




      Unhandled rejection TimeoutError: Knex: Timeout acquiring a
      connection. The pool is probably full. Are you missing a
      .transacting(trx) call?




      I'm able to connect and make queries to the RDS instance separately via connection string / password (it prompts for pw after I enter this):



      psql -h myinstance.zmsnsdbakdha.us-east-1.rds.amazonaws.com -d mydb -U myuser


      Security Groups:




      • The EC2 security group (set up by EB) is sg-0fa31004bd2b763ce, and RDS has an inbound security rule for PostgreSQL / TCP / port 5432 / for the matching source (sg-0fa31004bd2b763ce)— so it doesn't seem like the security group is a problem


      RDS was created in a VPC, but the VPC's security rules are open too:



      - security groups attached (multiple)
      - name: mysgname
      - group ID: sg-05d003b66fe1a4a94
      - Inbound rules:
      - All Traffic (0.0.0.0/0)
      - HTTP (80) for TCP (0.0.0.0/0)
      - SSH (22) for TCP (0.0.0.0/0)
      - PostgreSQL (5432) for TCP (0.0.0.0/0)


      Publicly accessible: Yes



      users controller:



      router.get('/users', function(req, res) {
      new User.User({'id': 1})
      .fetch({withRelated: ['addresses']})
      .then((user) => {
      res.send(user);
      });
      });


      Knexfile:



      production: {
      client: 'pg',
      version: '7.2',
      connection: {
      host: process.env.PG_HOST || 'localhost',
      port: process.env.PG_PORT || '5432',
      user: process.env.PG_USER || 'myuser',
      password: process.env.PG_PASSWORD || '',
      database: process.env.PG_DB || 'mydb',
      charset: 'utf8',
      },
      pool: {
      min: 2,
      max: 20
      },
      },


      Firstly, why is this happening only on AWS hosted environment and not locally. Secondly, how can I fix this issue? Should I increase max for pools?










      share|improve this question















      I'm attempting to retrieve a User model from a Node js 8.12.0 API, using knex and bookshelf ORM. Database is Postgres 10.4.



      The API works fine locally, but hosted on ElasticBeanstalk EC2 and RDS, I get error:




      Unhandled rejection TimeoutError: Knex: Timeout acquiring a
      connection. The pool is probably full. Are you missing a
      .transacting(trx) call?




      I'm able to connect and make queries to the RDS instance separately via connection string / password (it prompts for pw after I enter this):



      psql -h myinstance.zmsnsdbakdha.us-east-1.rds.amazonaws.com -d mydb -U myuser


      Security Groups:




      • The EC2 security group (set up by EB) is sg-0fa31004bd2b763ce, and RDS has an inbound security rule for PostgreSQL / TCP / port 5432 / for the matching source (sg-0fa31004bd2b763ce)— so it doesn't seem like the security group is a problem


      RDS was created in a VPC, but the VPC's security rules are open too:



      - security groups attached (multiple)
      - name: mysgname
      - group ID: sg-05d003b66fe1a4a94
      - Inbound rules:
      - All Traffic (0.0.0.0/0)
      - HTTP (80) for TCP (0.0.0.0/0)
      - SSH (22) for TCP (0.0.0.0/0)
      - PostgreSQL (5432) for TCP (0.0.0.0/0)


      Publicly accessible: Yes



      users controller:



      router.get('/users', function(req, res) {
      new User.User({'id': 1})
      .fetch({withRelated: ['addresses']})
      .then((user) => {
      res.send(user);
      });
      });


      Knexfile:



      production: {
      client: 'pg',
      version: '7.2',
      connection: {
      host: process.env.PG_HOST || 'localhost',
      port: process.env.PG_PORT || '5432',
      user: process.env.PG_USER || 'myuser',
      password: process.env.PG_PASSWORD || '',
      database: process.env.PG_DB || 'mydb',
      charset: 'utf8',
      },
      pool: {
      min: 2,
      max: 20
      },
      },


      Firstly, why is this happening only on AWS hosted environment and not locally. Secondly, how can I fix this issue? Should I increase max for pools?







      node.js postgresql amazon-ec2 amazon-rds amazon-elastic-beanstalk






      share|improve this question















      share|improve this question













      share|improve this question




      share|improve this question








      edited Nov 11 at 4:53









      John Rotenstein

      64.3k768112




      64.3k768112










      asked Nov 10 at 16:18









      Growler

      4,7051265154




      4,7051265154
























          1 Answer
          1






          active

          oldest

          votes

















          up vote
          0
          down vote













          You need to check your Network Access Control List (NACL) in your VPC and make sure your INBOUND and OUTBOUND are configured correctly. Security Groups are at the Instance level of security and the NACL is security at the Subnet level.



          Most of the time when you are experiencing a Timeout error connecting to something in a custom VPC it will be a configuration problem with a Security Group or a NACL or Both.






          share|improve this answer





















          • For testing, the inbound Security Group rules for the VPC is pretty much wide open: i.imgur.com/G0HRqx3.png. Is this incorrect? If so, where can I find NACL on the VPC specifically?
            – Growler
            Nov 10 at 19:55










          • Okay I found NACL— here are the listings for the subnets attached to the VPC: i.imgur.com/Vnq8QGT.png
            – Growler
            Nov 10 at 19:57










          • Here is the NACL tab: i.imgur.com/mQCSi0a.png — it says "rule 100" allows all traffic, but * Denies (I'm guessing this is all others)
            – Growler
            Nov 10 at 19:59












          • Add a Rull #200 for that port for both inbound and outbound, but I also noticed in your code above that you have the Security Group Configured for port 5432, and your code says 5433?
            – Chad Elias
            Nov 10 at 19:59










          • Sorry that 5433 was a typo in my SO post. Should be 5432.
            – Growler
            Nov 10 at 20:01











          Your Answer






          StackExchange.ifUsing("editor", function () {
          StackExchange.using("externalEditor", function () {
          StackExchange.using("snippets", function () {
          StackExchange.snippets.init();
          });
          });
          }, "code-snippets");

          StackExchange.ready(function() {
          var channelOptions = {
          tags: "".split(" "),
          id: "1"
          };
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function() {
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled) {
          StackExchange.using("snippets", function() {
          createEditor();
          });
          }
          else {
          createEditor();
          }
          });

          function createEditor() {
          StackExchange.prepareEditor({
          heartbeatType: 'answer',
          convertImagesToLinks: true,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: 10,
          bindNavPrevention: true,
          postfix: "",
          imageUploader: {
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          },
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          });


          }
          });














           

          draft saved


          draft discarded


















          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53240899%2faws-rds-ec2-timeouterror-knex-timeout-acquiring-a-connection-the-pool-is-p%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown

























          1 Answer
          1






          active

          oldest

          votes








          1 Answer
          1






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes








          up vote
          0
          down vote













          You need to check your Network Access Control List (NACL) in your VPC and make sure your INBOUND and OUTBOUND are configured correctly. Security Groups are at the Instance level of security and the NACL is security at the Subnet level.



          Most of the time when you are experiencing a Timeout error connecting to something in a custom VPC it will be a configuration problem with a Security Group or a NACL or Both.






          share|improve this answer





















          • For testing, the inbound Security Group rules for the VPC is pretty much wide open: i.imgur.com/G0HRqx3.png. Is this incorrect? If so, where can I find NACL on the VPC specifically?
            – Growler
            Nov 10 at 19:55










          • Okay I found NACL— here are the listings for the subnets attached to the VPC: i.imgur.com/Vnq8QGT.png
            – Growler
            Nov 10 at 19:57










          • Here is the NACL tab: i.imgur.com/mQCSi0a.png — it says "rule 100" allows all traffic, but * Denies (I'm guessing this is all others)
            – Growler
            Nov 10 at 19:59












          • Add a Rull #200 for that port for both inbound and outbound, but I also noticed in your code above that you have the Security Group Configured for port 5432, and your code says 5433?
            – Chad Elias
            Nov 10 at 19:59










          • Sorry that 5433 was a typo in my SO post. Should be 5432.
            – Growler
            Nov 10 at 20:01















          up vote
          0
          down vote













          You need to check your Network Access Control List (NACL) in your VPC and make sure your INBOUND and OUTBOUND are configured correctly. Security Groups are at the Instance level of security and the NACL is security at the Subnet level.



          Most of the time when you are experiencing a Timeout error connecting to something in a custom VPC it will be a configuration problem with a Security Group or a NACL or Both.






          share|improve this answer





















          • For testing, the inbound Security Group rules for the VPC is pretty much wide open: i.imgur.com/G0HRqx3.png. Is this incorrect? If so, where can I find NACL on the VPC specifically?
            – Growler
            Nov 10 at 19:55










          • Okay I found NACL— here are the listings for the subnets attached to the VPC: i.imgur.com/Vnq8QGT.png
            – Growler
            Nov 10 at 19:57










          • Here is the NACL tab: i.imgur.com/mQCSi0a.png — it says "rule 100" allows all traffic, but * Denies (I'm guessing this is all others)
            – Growler
            Nov 10 at 19:59












          • Add a Rull #200 for that port for both inbound and outbound, but I also noticed in your code above that you have the Security Group Configured for port 5432, and your code says 5433?
            – Chad Elias
            Nov 10 at 19:59










          • Sorry that 5433 was a typo in my SO post. Should be 5432.
            – Growler
            Nov 10 at 20:01













          up vote
          0
          down vote










          up vote
          0
          down vote









          You need to check your Network Access Control List (NACL) in your VPC and make sure your INBOUND and OUTBOUND are configured correctly. Security Groups are at the Instance level of security and the NACL is security at the Subnet level.



          Most of the time when you are experiencing a Timeout error connecting to something in a custom VPC it will be a configuration problem with a Security Group or a NACL or Both.






          share|improve this answer












          You need to check your Network Access Control List (NACL) in your VPC and make sure your INBOUND and OUTBOUND are configured correctly. Security Groups are at the Instance level of security and the NACL is security at the Subnet level.



          Most of the time when you are experiencing a Timeout error connecting to something in a custom VPC it will be a configuration problem with a Security Group or a NACL or Both.







          share|improve this answer












          share|improve this answer



          share|improve this answer










          answered Nov 10 at 19:48









          Chad Elias

          21825




          21825












          • For testing, the inbound Security Group rules for the VPC is pretty much wide open: i.imgur.com/G0HRqx3.png. Is this incorrect? If so, where can I find NACL on the VPC specifically?
            – Growler
            Nov 10 at 19:55










          • Okay I found NACL— here are the listings for the subnets attached to the VPC: i.imgur.com/Vnq8QGT.png
            – Growler
            Nov 10 at 19:57










          • Here is the NACL tab: i.imgur.com/mQCSi0a.png — it says "rule 100" allows all traffic, but * Denies (I'm guessing this is all others)
            – Growler
            Nov 10 at 19:59












          • Add a Rull #200 for that port for both inbound and outbound, but I also noticed in your code above that you have the Security Group Configured for port 5432, and your code says 5433?
            – Chad Elias
            Nov 10 at 19:59










          • Sorry that 5433 was a typo in my SO post. Should be 5432.
            – Growler
            Nov 10 at 20:01


















          • For testing, the inbound Security Group rules for the VPC is pretty much wide open: i.imgur.com/G0HRqx3.png. Is this incorrect? If so, where can I find NACL on the VPC specifically?
            – Growler
            Nov 10 at 19:55










          • Okay I found NACL— here are the listings for the subnets attached to the VPC: i.imgur.com/Vnq8QGT.png
            – Growler
            Nov 10 at 19:57










          • Here is the NACL tab: i.imgur.com/mQCSi0a.png — it says "rule 100" allows all traffic, but * Denies (I'm guessing this is all others)
            – Growler
            Nov 10 at 19:59












          • Add a Rull #200 for that port for both inbound and outbound, but I also noticed in your code above that you have the Security Group Configured for port 5432, and your code says 5433?
            – Chad Elias
            Nov 10 at 19:59










          • Sorry that 5433 was a typo in my SO post. Should be 5432.
            – Growler
            Nov 10 at 20:01
















          For testing, the inbound Security Group rules for the VPC is pretty much wide open: i.imgur.com/G0HRqx3.png. Is this incorrect? If so, where can I find NACL on the VPC specifically?
          – Growler
          Nov 10 at 19:55




          For testing, the inbound Security Group rules for the VPC is pretty much wide open: i.imgur.com/G0HRqx3.png. Is this incorrect? If so, where can I find NACL on the VPC specifically?
          – Growler
          Nov 10 at 19:55












          Okay I found NACL— here are the listings for the subnets attached to the VPC: i.imgur.com/Vnq8QGT.png
          – Growler
          Nov 10 at 19:57




          Okay I found NACL— here are the listings for the subnets attached to the VPC: i.imgur.com/Vnq8QGT.png
          – Growler
          Nov 10 at 19:57












          Here is the NACL tab: i.imgur.com/mQCSi0a.png — it says "rule 100" allows all traffic, but * Denies (I'm guessing this is all others)
          – Growler
          Nov 10 at 19:59






          Here is the NACL tab: i.imgur.com/mQCSi0a.png — it says "rule 100" allows all traffic, but * Denies (I'm guessing this is all others)
          – Growler
          Nov 10 at 19:59














          Add a Rull #200 for that port for both inbound and outbound, but I also noticed in your code above that you have the Security Group Configured for port 5432, and your code says 5433?
          – Chad Elias
          Nov 10 at 19:59




          Add a Rull #200 for that port for both inbound and outbound, but I also noticed in your code above that you have the Security Group Configured for port 5432, and your code says 5433?
          – Chad Elias
          Nov 10 at 19:59












          Sorry that 5433 was a typo in my SO post. Should be 5432.
          – Growler
          Nov 10 at 20:01




          Sorry that 5433 was a typo in my SO post. Should be 5432.
          – Growler
          Nov 10 at 20:01


















           

          draft saved


          draft discarded



















































           


          draft saved


          draft discarded














          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53240899%2faws-rds-ec2-timeouterror-knex-timeout-acquiring-a-connection-the-pool-is-p%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown





















































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown

































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown







          Popular posts from this blog

          Florida Star v. B. J. F.

          Danny Elfman

          Lugert, Oklahoma