🐛 BUG: Can't create a Hyperdrive configuration using an Amazon RDS Database

[mnkasikci]

Which Cloudflare product(s) does this pertain to?

Other

What versions are you using?

3.107.3 [Wrangler]

What operating system and version are you using?

macOs Sequoia 15.3

Please provide a link to a minimal reproduction

No response

Describe the Bug

When I try to create a hyperdrive config and provide my amazon rds database credentials, it always fails.

Steps to reproduce:

Option 1:

1- Go to Storage & Databases => Hyperdrive => Create configuration
2- Select Manual entry (advanced)
3- Enter credentials , click Create.

It fails, here is the response :

{
  "result": null,
  "success": false,
  "errors": [
    {
      "code": 2015,
      "message": "Failed to connect to the provided database: Server connection attempt failed: destination_ip_prohibited"
    }
  ],
  "messages": null
}

Option 2

From zsh terminal:

npx wrangler hyperdrive create my-first-hyperdrive --connection-string="postgres://db-name:mypassword@host-url:5432/db-name"

result:

  Failed to connect to the provided database: Server connection attempt failed:
  destination_ip_prohibited [code: 2015]
  
  If you think this is a bug, please open an issue at:
  https://github.com/cloudflare/workers-sdk/issues/new/choose

Things I've already checked:
1- I am confident that the credentials are correct
2- I am confident that the db is publicly accessible. I've accessed it from different locations
3- I've created a firewall policy (dns) with the following options:

Host
matches regex
.*\.rds\.amazonaws\.com
Or
DNS Resolver IP
is
--my database ip--
Or
Domain
matches regex
.*\.rds\.amazonaws\.com
Or
Resolved IP
is
--my database ip--

Action: Allow

4- I've created a firewall policy (network) with the following options:

Traffic
Application
in
AWS (Do Not Inspect)
Or
Destination IP
is
--my database ip--
Or
SNI
matches regex
.*\.rds\.amazonaws\.com

Action: Allow

Both policies are active.

None of the steps above resolved theissue.

Please provide any relevant error logs

Wrangler response:

  Failed to connect to the provided database: Server connection attempt failed:
  destination_ip_prohibited [code: 2015]
  
  If you think this is a bug, please open an issue at:
  https://github.com/cloudflare/workers-sdk/issues/new/choose

Http response (from cloudflare dashboard)

{
  "result": null,
  "success": false,
  "errors": [
    {
      "code": 2015,
      "message": "Failed to connect to the provided database: Server connection attempt failed: destination_ip_prohibited"
    }
  ],
  "messages": null
}

The error shown in the UI is the same as the message above: Failed to connect to the provided database: Server connection attempt failed: destination_ip_prohibited

[lrapoport-cf]

hi @mnkasikci :) we've reached out to the hyperdrive team about this and initial thoughts are that this might be an issue with your configuration rather than a bug. while we're following up internally to check if there are any additional ideas, you may want to double check your configuration.

[lrapoport-cf]

cc @ReppCodes

[ReppCodes]

Hello! I'm sorry to hear that setup has not cooperated for you, that's always a frustrating experience.

I just went and double checked, and at this time we have just under 1,000 active Hyperdrive configurations sending traffic to/from Amazon RDS, so I'm very confident that the integration there is still functioning.

This error message is one that will show up due to either ACL misconfigurations or an Internal IP address being used in place of a public address.

As a further note, we only very recently moved onto the Cloudflare Egress IP space, so at the time this issue was filed it would have been necessary to allow 0.0.0.0. I'm glad to say that is no longer necessary (see changelog for details: https://developers.cloudflare.com/changelog/2025-03-04-hyperdrive-pooling-near-database-and-ip-range-egress/).

Again, my sympathies for the frustration and inconvenience here.