# Connection Issues

> Troubleshoot database connectivity problems

This guide helps you diagnose and fix common database connection problems. If you're having trouble connecting AnomalyArmor to your database, start here.

## Quick Diagnosis

Use this decision tree to identify your issue:

<img src="https://mintcdn.com/anomalyarmor/un2W3qlHEQ29uwyl/images/diagrams/error-decision-tree-light.svg?fit=max&auto=format&n=un2W3qlHEQ29uwyl&q=85&s=4ba21618aebe44c8180daaf7abce343e" alt="Connection troubleshooting decision tree" className="block dark:hidden" width="700" height="580" data-path="images/diagrams/error-decision-tree-light.svg" />

<img src="https://mintcdn.com/anomalyarmor/CZXBGa_D1aE9spAI/images/diagrams/error-decision-tree-dark.svg?fit=max&auto=format&n=CZXBGa_D1aE9spAI&q=85&s=712d56142abd7317fa108b8ccced445c" alt="Connection troubleshooting decision tree" className="hidden dark:block" width="700" height="580" data-path="images/diagrams/error-decision-tree-dark.svg" />

| Error Message           | Likely Cause               | Jump To                                                |
| ----------------------- | -------------------------- | ------------------------------------------------------ |
| "Connection refused"    | Network/firewall issue     | [Connection refused](#connection-refused)              |
| "Authentication failed" | Credentials issue          | [Authentication failed](#authentication-failed)        |
| "SSL required"          | SSL configuration issue    | [SSL required](#ssl-required--ssl-connection-error)    |
| "Permission denied"     | Database permissions issue | [Permission denied](#permission-denied--access-denied) |
| "Timeout"               | Network latency issue      | [Timeout](#timeout--connection-timed-out)              |

## Connection Test Failures

### "Connection refused"

**What it means**: AnomalyArmor can't reach your database at all.

**What you'll see**: When you click "Test Connection" in the Add Connection form, you'll see a red destructive toast notification with:

* **Title**: "Error"
* **Message**: "Connection refused - Could not connect to database at mydb.us-east-1.rds.amazonaws.com:5432"
* **Details**: A list of possible causes:
  * Firewall/security group blocking connection
  * Incorrect hostname or port
  * Database not running

The toast appears in the top-right corner of the screen and includes action buttons to retry or edit the connection settings.

**Common causes**:

1. Firewall/security group blocking the connection
2. Wrong hostname or port
3. Database not running or not accepting connections

**Troubleshooting steps**:

<AccordionGroup>
  <Accordion title="1. Verify hostname and port">
    Double-check the hostname. Typos are common:

    ```
    Common mistakes:
    [X] mydb.rds.amazonaws.com (missing region)
    [OK] mydb.us-east-1.rds.amazonaws.com

    [X] Port 3306 (MySQL default)
    [OK] Port 5432 (PostgreSQL default)
    ```
  </Accordion>

  <Accordion title="2. Check firewall/security group">
    AnomalyArmor needs inbound access on your database port.

    **AWS RDS/Aurora:**

    1. Go to RDS Console → Your instance → Security Groups
    2. Add inbound rule:
       * Type: PostgreSQL (or your DB type)
       * Port: 5432 (or your port)
       * Source: AnomalyArmor IPs (see Settings → Security)

    **Google Cloud SQL:**

    1. Go to SQL Console → Your instance → Connections
    2. Under "Authorized Networks", add AnomalyArmor IPs

    **Self-hosted:**

    ```bash theme={null}
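    # Allow AnomalyArmor IPs (replace 34.xxx.xxx.xxx with each IP listed in Settings → Security)
    # -A appends to the chain, so an earlier DROP or REJECT rule that matches this traffic still wins
    iptables -A INPUT -p tcp --dport 5432 -s 34.xxx.xxx.xxx -j ACCEPT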
    ```
  </Accordion>

  <Accordion title="3. Verify database is running">
    Can you connect from another location?

    ```bash theme={null}
    # Test from your local machine
    nc -zv your-host.rds.amazonaws.com 5432

    # Expected output (success):
    # Connection to your-host.rds.amazonaws.com port 5432 [tcp/postgresql] succeeded!

    # If it fails, the issue is likely firewall-related
    ```
  </Accordion>

  <Accordion title="4. Check for VPC/private network issues">
    If your database is in a private subnet:

    * It may not be accessible from the internet
    * You may need VPC peering or PrivateLink (Enterprise)
    * Contact us about private connectivity options
  </Accordion>
</AccordionGroup>

### "Authentication failed"

**What it means**: AnomalyArmor reached your database but the credentials were rejected.

**What you'll see**: A red error notification appears with a message like:

<Warning>
  **Connection failed**

  Authentication failed - FATAL: password authentication failed for user 'anomalyarmor'

  Possible causes:

  * Incorrect username or password
  * User doesn't exist in the database
  * User lacks CONNECT permission
</Warning>

**Common causes**:

1. Wrong username or password
2. User doesn't exist
3. User doesn't have permission to connect

**Troubleshooting steps**:

<AccordionGroup>
  <Accordion title="1. Verify credentials">
    Copy-paste to avoid typos:

    * Copy the username exactly as it appears in your database
    * Copy the password (watch for leading/trailing spaces)
    * Check for special characters that may need escaping
  </Accordion>

  <Accordion title="2. Confirm user exists">
    Connect to your database and check:

    ```sql theme={null}
    -- PostgreSQL
    SELECT usename FROM pg_user WHERE usename = 'anomalyarmor';

    -- ClickHouse
    SELECT name FROM system.users WHERE name = 'anomalyarmor';
    ```
  </Accordion>

  <Accordion title="3. Reset the password">
    If unsure, reset the password:

    ```sql theme={null}
    -- PostgreSQL
    ALTER USER anomalyarmor WITH PASSWORD 'new-secure-password';

    -- ClickHouse
    ALTER USER anomalyarmor IDENTIFIED BY 'new-secure-password';
    ```

    Then update the password in AnomalyArmor.
  </Accordion>

  <Accordion title="4. Check pg_hba.conf (PostgreSQL)">
    For self-hosted PostgreSQL, check `pg_hba.conf` allows the connection:

    ```
    # Add entry for AnomalyArmor
    hostssl all anomalyarmor 34.xxx.xxx.xxx/32 scram-sha-256
    ```

    Reload PostgreSQL after changes:

    ```bash theme={null}
    sudo systemctl reload postgresql
    ```
  </Accordion>
</AccordionGroup>
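
PostgreSQL reads `pg_hba.conf` top to bottom and applies the first record that matches, so an entry added at the end can be shadowed by an earlier, broader one. The sketch below is an added example, not AnomalyArmor or PostgreSQL code: `first_match`, `diagnose` and the sample file are hypothetical, the address is a documentation-range stand-in, and only `host`/`hostssl`/`hostnossl` records with CIDR addresses are parsed.

```python
import ipaddress

# Constructed sample; 203.0.113.10 (documentation range) stands in for an AnomalyArmor IP.
SAMPLE_HBA = """\
# TYPE   DATABASE  USER          ADDRESS          METHOD
local    all       all                            peer
host     all       all           10.0.0.0/8       scram-sha-256
host     all       all           0.0.0.0/0        reject
hostssl  all       anomalyarmor  203.0.113.10/32  scram-sha-256
"""

def _listed(field, value):
    return "all" in field.split(",") or value in field.split(",")

def first_match(hba_text, database, user, client_ip, ssl=True):
    """Return (line_no, type, method) of the first rule that matches, or None."""
    ip = ipaddress.ip_address(client_ip)
    for n, raw in enumerate(hba_text.splitlines(), 1):
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 5 or parts[0] not in ("host", "hostssl", "hostnossl"):
            continue  # local/gss rules and short lines are out of scope here
        rtype, db, usr, addr, method = parts[:5]
        if (rtype == "hostssl" and not ssl) or (rtype == "hostnossl" and ssl):
            continue
        if not (_listed(db, database) and _listed(usr, user)):
            continue
        if addr != "all":
            try:
                net = ipaddress.ip_network(addr, strict=False)
            except ValueError:
                continue  # hostnames, samehost, samenet: not handled
            if ip not in net:
                continue
        return n, rtype, method
    return None

def diagnose(hba_text, database, user, client_ip):
    hit = first_match(hba_text, database, user, client_ip, ssl=True)
    if hit is None:
        return "no matching entry: PostgreSQL refuses the connection"
    n, rtype, method = hit
    if method == "reject":
        return f"line {n} rejects the connection before any later entry is read"
    if rtype != "hostssl" or method != "scram-sha-256":
        return f"line {n} matches first with {rtype}/{method}, not hostssl/scram-sha-256"
    return f"line {n} applies: hostssl with scram-sha-256"

if __name__ == "__main__":
    print(diagnose(SAMPLE_HBA, "analytics", "anomalyarmor", "203.0.113.10"))
```

On the sample, line 4 (`reject`) matches before the `hostssl` entry on line 5; moving the `hostssl` line above it makes that entry the one that applies.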

### "SSL required" / "SSL connection error"

**What it means**: The database requires SSL but the connection isn't using it (or vice versa).

**What you'll see**: A red error notification appears with a message like:

<Warning>
  **Connection failed**

  SSL connection required - server requires SSL connection

  Solution: Set SSL Mode to 'require' in your connection settings and try again.
</Warning>

**Troubleshooting steps**:

<AccordionGroup>
  <Accordion title="1. Enable SSL in AnomalyArmor">
    Edit your connection:

    1. Go to Data Sources → Your connection → Settings
    2. Set **SSL Mode** to `require`
    3. Save and test
  </Accordion>

  <Accordion title="2. Try different SSL modes">
    | Mode          | Description                               |
    | ------------- | ----------------------------------------- |
    | `disable`     | No SSL (not recommended)                  |
    | `require`     | SSL required, no certificate verification |
    | `verify-ca`   | Verify server certificate                 |
    | `verify-full` | Verify certificate and hostname           |

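    Start with `require` for most cloud databases. Note that `require` encrypts the connection without verifying the server's certificate; `verify-ca` and `verify-full` add that check.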
  </Accordion>

  <Accordion title="3. Check cloud provider requirements">
    * **AWS RDS**: Requires SSL by default, use `require`
    * **Aurora**: Requires SSL, use `require`
    * **Supabase**: Requires SSL, use `require`
    * **Google Cloud SQL**: Requires SSL, use `require`
    * **ClickHouse Cloud**: Always HTTPS on port 8443
  </Accordion>
</AccordionGroup>

### "Timeout" / "Connection timed out"

**What it means**: The connection attempt took too long.

**Common causes**:

1. Network latency
2. Firewall silently dropping packets
3. Database under heavy load

**Troubleshooting steps**:

<AccordionGroup>
  <Accordion title="1. Check network path">
    Test connectivity from your own machine:

    ```bash theme={null}
    # Test if port is reachable
    nc -zv -w 10 your-host.com 5432

    # Test latency
    ping your-host.com
    ```
  </Accordion>

  <Accordion title="2. Check security groups">
    If the security group doesn't have an explicit allow rule, packets may be silently dropped, which produces a timeout instead of "Connection refused".
  </Accordion>

  <Accordion title="3. Try during off-peak hours">
    If the database is under heavy load, connections may time out.
  </Accordion>
</AccordionGroup>
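
The "Connection refused" and "Timeout" sections above come down to whether the host answered the TCP handshake at all. The following added example (not AnomalyArmor code; `classify_tcp` and `HINTS` are hypothetical names) makes that distinction explicit. Like the `nc` checks above, it tests from the machine it runs on, not from AnomalyArmor's IPs.

```python
import socket

# Outcome -> where to look next; wording follows the sections above.
HINTS = {
    "open": "Port answers: move on to credentials and SSL settings.",
    "refused": "Host answered with a reset: wrong port, database not listening, "
               "or a rule that actively rejects.",
    "timeout": "No answer at all: a firewall or security group is silently "
               "dropping packets.",
    "dns": "Hostname does not resolve: check for typos such as a missing region.",
    "unreachable": "No route to the host: private subnet or routing problem.",
}

def classify_tcp(host, port, timeout=10.0):
    """Attempt one TCP connect per resolved address and name the outcome."""
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return "dns"
    outcome = "unreachable"
    for family, socktype, proto, _, addr in infos:
        with socket.socket(family, socktype, proto) as s:
            s.settimeout(timeout)
            try:
                s.connect(addr)
                return "open"
            except ConnectionRefusedError:
                outcome = "refused"      # RST received: something is reachable
            except (socket.timeout, TimeoutError):
                outcome = "timeout"      # SYN went unanswered
            except OSError:
                pass                     # e.g. network unreachable
    return outcome

if __name__ == "__main__":
    # Constructed demo on loopback: one listening port, then the same port closed.
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    for label in ("listening", "closed"):
        result = classify_tcp("127.0.0.1", port, timeout=2.0)
        print(f"{label}: {result} - {HINTS[result]}")
        srv.close()
```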

### "Permission denied" / "Access denied"

**What it means**: Connection succeeded but the user can't access the required data.

**Troubleshooting steps**:

<AccordionGroup>
  <Accordion title="1. Grant CONNECT permission">
    ```sql theme={null}
    -- PostgreSQL
    GRANT CONNECT ON DATABASE your_database TO anomalyarmor;
    ```
  </Accordion>

  <Accordion title="2. Grant schema access">
    ```sql theme={null}
    -- PostgreSQL
    GRANT USAGE ON SCHEMA public TO anomalyarmor;
    GRANT USAGE ON SCHEMA analytics TO anomalyarmor;
    ```
  </Accordion>

  <Accordion title="3. Grant table access">
    ```sql theme={null}
    -- PostgreSQL
    GRANT SELECT ON ALL TABLES IN SCHEMA public TO anomalyarmor;

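    -- For future tables. Default privileges apply only to tables created by the
    -- role that runs this statement; use FOR ROLE to cover tables created by another role.
    ALTER DEFAULT PRIVILEGES IN SCHEMA public
    GRANT SELECT ON TABLES TO anomalyarmor;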
    ```
  </Accordion>

  <Accordion title="4. Verify with test query">
    Connect as the anomalyarmor user and run:

    ```sql theme={null}
    SELECT table_name FROM information_schema.tables LIMIT 5;
    ```

    If this fails, you need more permissions.
  </Accordion>
</AccordionGroup>

## Discovery Failures

If connection tests pass but discovery fails:

### "No tables found"

**Causes**:

* User can connect but can't see tables
* Schema filter excluding all schemas
* Connected to wrong database

**Solutions**:

1. Check schema filter settings
2. Verify user has SELECT on `information_schema`
3. Confirm database name is correct

### "Discovery timeout"

**Causes**:

* Very large database (10,000+ tables)
* Slow network
* Database under load

**Solutions**:

1. Exclude unnecessary schemas
2. Run during off-peak hours
3. Consider using a read replica

## Provider-Specific Issues

<Tabs>
  <Tab title="AWS RDS">
    **Common issues:**

    * Security group not allowing AnomalyArmor IPs
    * Using private subnet without public access
    * Wrong endpoint (cluster vs instance)

    **Solutions:**

    1. Add AnomalyArmor IPs to security group
    2. Enable "Publicly accessible" or use VPC peering
    3. Use the correct endpoint for your use case
  </Tab>

  <Tab title="Databricks">
    **Common issues:**

    * Invalid or expired access token
    * Wrong HTTP path
    * SQL warehouse not running

    **Solutions:**

    1. Generate a new access token
    2. Copy HTTP path from SQL Warehouse settings
    3. Ensure warehouse is running or use serverless
  </Tab>

  <Tab title="ClickHouse">
    **Common issues:**

    * Using native port instead of HTTP port
    * HTTP interface disabled
    * IP not in user's allowed hosts

    **Solutions:**

    1. Use port 8443 (HTTPS) or 8123 (HTTP)
    2. Enable HTTP interface in config.xml
    3. Add IPs to user's HOST restriction
  </Tab>
</Tabs>

## Still Stuck?

If you've tried everything above and still can't connect:

1. **Collect diagnostic info**:
   * Error message (exact text)
   * Database type and version
   * Cloud provider (if applicable)
   * Network setup (public/private subnet)

2. **Contact support**:
   * Email: [support@anomalyarmor.ai](mailto:support@anomalyarmor.ai)
   * Include the diagnostic info above
   * We can help troubleshoot complex network setups

<Card title="Contact Support" icon="headset" href="/support/contact">
  Get help from our team
</Card>

## Common Questions

### Why does my connection test say 'Connection refused'?

AnomalyArmor could not open a socket to your host. It's almost always a firewall or security group blocking our IPs, a wrong hostname or port, or a database that isn't actually listening. Walk through the [Connection refused](#connection-refused) checklist.

### What IP addresses do I need to allowlist?

AnomalyArmor connects from a small set of static IPs listed in **Settings → Security** in your dashboard. Add those to your security group or firewall inbound rules for the database port.

### Why am I getting 'Authentication failed' when the credentials look correct?

The most common causes are trailing whitespace in the password, a user that was created but not granted `CONNECT`, or (self-hosted PostgreSQL) a missing `pg_hba.conf` entry for our IPs. See [Authentication failed](#authentication-failed).

### Why does the connection time out instead of returning an error?

Timeouts almost always mean a firewall is silently dropping packets rather than rejecting them. Check your security group has an explicit allow rule for AnomalyArmor's IPs on the database port. See [Timeout](#timeout--connection-timed-out).

### Can AnomalyArmor connect to a database in a private VPC?

Not over the public internet. Enterprise customers can connect via VPC peering or AWS PrivateLink so the database never needs a public endpoint. [Contact sales](mailto:sales@anomalyarmor.ai) to set that up.
