Why is my database restore failing with ConnectFailure exception?
I am trying to restore a SQL Server database to an AWS RDS instance from a full backup file created on a different non-RDS server. I am running the operation from an EC2 Windows Server instance in the same VPC (we'd like to keep the RDS instance with outside connections disabled). SSMS on that EC2 can connect to the RDS instance with no problem. The EC2 instance has an applied IAM role allowing it to read from S3, and I can see the bucket with the .bak file from there (using the CLI tool, for example). The RDS instance also has an IAM role allowing S3 reading.
When I open a query window on the RDS instance in SSMS and run the command
exec msdb.dbo.rds_restore_database
@restore_db_name = 'database_name'
, @s3_arn_to_restore_from = 'arn:aws:s3:::bucket-name/FULL_database_name_20210316050151.bak'
the restore task is created. But anywhere from two to four minutes later, exec msdb.dbo.rds_task_status @db_name = 'database_name'
shows that the task has been updated to a lifecycle value ERROR with this task_info value:
[2021-05-15 16:27:41.183] Aborted the task because of a task failure or a concurrent RESTORE_DB request. [2021-05-15 16:27:41.213] Task has been aborted [2021-05-15 16:27:41.213] A WebException with status ConnectFailure was thrown.
An hour of Googling A WebException with status ConnectFailure was thrown has turned up nothing relevant to my case, and the AWS doc keeps pointing me back to the IAM roles I've already created. What piece of this puzzle am I missing?
Full disclosure: I am not an experienced sys admin; I work in a small shop with no dedicated admin, moving a web site to AWS for the first time. So please don't assume I've tried all the easy things, because it's entirely possible I don't know what all the easy things are.
EDIT: The applied options group does include the SQLSERVER_BACKUP_RESTORE option
Although the S3 console interface specifically says S3 does not require region selection under the region selector, it turns out that buckets are attached to regions and the bucket used for this procedure must be in the same region as the RDS instance. I created a new bucket for this purpose, and copied the .bak file from the other bucket; you can specify the bucket's region at creation, even though you can't see it in the admin console.
I also had to loosen the permissions on the file more than I was happy with, but it was just for the few minutes it took to complete the restore.