Our ERP reporting jobs that connect to IBM Db2 on Cloud started failing with connection timeouts yesterday. The jobs run from a VSI in our VPC and worked fine until we updated our VPC security group rules for compliance.
Here’s the error we’re seeing:
COM.ibm.db2.jdbc.app.DB2Exception: [jcc][t4][2043][11550]
Connection timeout. DB2 server not responding.
Error Code: -4499
SQLSTATE: 08001
I’ve verified the Db2 instance is running and accessible from the public internet, but our VSI can’t reach it. I suspect the VPC firewall rules are blocking the connection, but I’m not sure which port Db2 requires or how to properly configure the security group. We’ve enabled Network Insights but I’m struggling to interpret the flow data to confirm port blocking. Has anyone configured VPC security groups for Db2 connectivity? What are the exact port requirements?
Thanks! I checked our security group and found that the recent compliance update added a restrictive outbound rule that only allows HTTPS (443) and DNS (53) traffic. There’s no rule allowing port 50000 or 50001. I need to add an outbound rule, but should I allow all traffic to the Db2 instance IP, or just specific ports? Also, is there a way to use Network Insights to confirm this is definitely a firewall block before I make changes?
Just to add - if your Db2 on Cloud instance uses a public endpoint, the destination IP will be external to your VPC. Make sure your outbound security group rule allows traffic to external destinations (0.0.0.0/0 or the specific public IP range for IBM Cloud Db2). Also check if you have a VPC ACL (network ACL) in addition to the security group - ACLs are stateless and require both inbound and outbound rules for bidirectional traffic, while security groups are stateful.
Db2 on Cloud uses port 50000 for standard connections and port 50001 for SSL connections. Your security group needs to allow outbound traffic on these ports from your VSI to the Db2 instance. Since you mentioned the connection worked before the security group update, check what rules were changed. You likely removed or modified an outbound rule that was allowing traffic to port 50000. Also, if your Db2 instance is public, make sure your security group allows outbound traffic to external IPs on those ports.
For security best practices, only allow the specific ports you need - don’t open all traffic. Add an outbound rule that allows TCP traffic on port 50000 (and 50001 if using SSL) to the specific Db2 instance IP or CIDR range. To confirm the firewall is the issue using Network Insights, look for flow logs from your VSI’s IP to the Db2 IP on port 50000 with action=‘reject’ or ‘drop’. If you see those, it confirms the security group is blocking. You can also check the security group’s ‘deny’ counters in the VPC console to see if traffic is being blocked.
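As an added example (not code from any poster in this thread), here is a small Python check that does the two things described above: it flags denied TCP SYNs from the VSI to the Db2 ports in flow records, and it validates a proposed outbound rule set against the "only the ports you need, only to the Db2 range" advice. The flow record field names, the action values, the sample IPs and the rule dictionary shape are constructed assumptions for this example, not the Network Insights or VPC API schema.

```python
import ipaddress

# Constructed sample flow records (assumed shape, not real Network Insights output).
SAMPLE_FLOWS = [
    {"src_ip": "10.240.0.5", "dst_ip": "198.51.100.20", "dst_port": 50000,
     "protocol": "tcp", "tcp_flags": "SYN", "action": "deny"},
    {"src_ip": "10.240.0.5", "dst_ip": "198.51.100.20", "dst_port": 50001,
     "protocol": "tcp", "tcp_flags": "SYN", "action": "deny"},
    {"src_ip": "10.240.0.5", "dst_ip": "203.0.113.9", "dst_port": 443,
     "protocol": "tcp", "tcp_flags": "SYN,ACK", "action": "accept"},
]

DB2_PORTS = {50000, 50001}  # plain and SSL listeners named in the thread
DENY_ACTIONS = {"deny", "reject", "drop"}


def blocked_db2_syns(flows, vsi_ip, db2_cidr):
    """Return flows that are denied TCP SYNs from the VSI to a Db2 port."""
    net = ipaddress.ip_network(db2_cidr, strict=False)
    return [f for f in flows
            if f["src_ip"] == vsi_ip
            and ipaddress.ip_address(f["dst_ip"]) in net
            and f["protocol"] == "tcp"
            and f["dst_port"] in DB2_PORTS
            and f["tcp_flags"] == "SYN"
            and f["action"] in DENY_ACTIONS]


def check_outbound_rules(rules, db2_cidr):
    """Check proposed security group rules (assumed dict shape):
    every Db2 port must be reachable in the Db2 range, and any rule that
    reaches those ports must not be wider than that range or all ports."""
    target = ipaddress.ip_network(db2_cidr, strict=False)
    covered, too_broad = set(), []
    for r in rules:
        if r["direction"] != "outbound" or r["protocol"] not in ("tcp", "all"):
            continue
        remote = ipaddress.ip_network(r["remote"], strict=False)
        lo, hi = r.get("port_min", 1), r.get("port_max", 65535)
        hit = {p for p in DB2_PORTS if lo <= p <= hi}
        if not hit or not target.subnet_of(remote):
            continue
        covered |= hit
        if remote.prefixlen < target.prefixlen or (lo, hi) == (1, 65535):
            too_broad.append(r)  # wider than needed for least privilege
    return {"missing": sorted(DB2_PORTS - covered), "too_broad": too_broad}
```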
I checked Network Insights and confirmed - there are flow log entries showing TCP SYN packets from my VSI to the Db2 IP on port 50000 with action=‘deny’. So it’s definitely the security group blocking. I’m going to add the outbound rule for port 50000 and 50001 to the Db2 public IP range. Should I also check for any ACL restrictions, or are security groups usually sufficient for this type of connectivity?