Amazon Web Services EC2 for RDS Connectivity with VPC

I am trying to set up an AWS Free Tier account using an EC2 instance and an RDS database with MySQL. Unfortunately, I cannot figure out how to grant access to the database from an EC2 instance. I read all the AWS documentation, but unfortunately it's out of date, since all the questions are posted on StackOverflow. All documentation indicates that I should go to the "Security Groups" section of the RDS control panel. However, when I do this, this is what I came across.


** I would include an image, but I have no reputation.

Well, I understand that I do not use the EC2-Classic platform and that I have to make these changes to the security group in the EC2 control panel, but how?! I do not want public access to port 3306; I want the EC2 instance to be able to communicate with the RDS database on the private subnet. Any help would be greatly appreciated.

Links to "AWS Documentation on Supported Platforms" and "Using RDS in VPC" do not help. They are outdated and also continue to refer to security groups under the RDS panel, which then only shows me this message.

1 answer

Rule of thumb: when you configure resources in a VPC, use ONLY the VPC security groups. Individual RDS, Redshift, etc. security groups work only with EC2-Classic, meaning when you do not configure things in a VPC.

Go to the VPC console, and then find Security Groups in the left-hand menu. These are the security groups that should control access to your AWS resources deployed within the VPC.

I can't go into more detail, since I don't know your VPC configuration or which subnet (public / private) you configure them in.

UPDATE:

Here is a hypothetical scenario

VPC: 10.0.0.0/16
  • 1 public subnet: 10.0.0.0/24
  • 1 private subnet: 10.0.1.0/24
  • Suppose you put your EC2 instance in the public subnet
  • Suppose you hosted your RDS instance in the private subnet
  • And you want the EC2 instance to be available on 80, 443 from the world, and the RDS instance should be available only through the EC2 instance.

So these are the security group settings:

For the EC2 instance security group:

 Inbound: port 80, 443: from 0.0.0.0/0
 Outbound: port 3306: to 10.0.1.0/24

For the RDS security group:

 Inbound: port 3306: from 10.0.0.0/24 

Explanation:

 Inbound: port 80, 443: from 0.0.0.0/0

This will allow the EC2 instance to be available on ports 80 and 443 from the Internet.


 Outbound: port 3306: to 10.0.1.0/24

This allows the EC2 instance to send traffic to port 3306 only in the private subnet 10.0.1.0/24.


 Inbound: port 3306: from 10.0.0.0/24 

This allows the RDS instance to accept traffic on port 3306 from the public subnet 10.0.0.0/24. The EC2 instance is in the public subnet, so by default RDS will receive traffic from the EC2 instance on port 3306.


NOTE: The configuration above assumes that you have set up the route tables for the public / private subnets accordingly.

Hope this helps.

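The following is an added example, not code from the original question or answer. It models the security-group layout from the answer as data and evaluates a handful of flows against it, so you can check that the web tier is reachable from the Internet, that the database is reachable only from the public subnet, and that nothing else is. It also includes a tighter variant that is not in the answer: the RDS group's inbound rule references the EC2 security group instead of the 10.0.0.0/24 CIDR, which AWS supports and which stops any other host that happens to live in the public subnet from reaching port 3306. Host addresses, group names and the evaluation function are constructed for this example; the model is a simplification (allow-only rules, stateful groups, no NACLs or routing).

```python
"""Simplified evaluation of the VPC security-group layout from the answer.

Added example; not the original post's code. Security groups are modelled as
allow-only, stateful rule sets: a connection needs an egress match on the
source's group and an ingress match on the destination's group, and the reply
packets need no rule of their own. Route tables and NACLs are out of scope.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    port: int
    cidr: Optional[str] = None   # peer CIDR: source for inbound, destination for outbound
    group: Optional[str] = None  # or a peer security-group name (constructed names)


@dataclass(frozen=True)
class Host:
    name: str
    ip: str
    group: Optional[str]  # None = no group modelled on this side (e.g. an Internet client)


# The two groups exactly as the answer describes them (group names are constructed).
GROUPS: Dict[str, Dict[str, List[Rule]]] = {
    "ec2-sg": {
        "inbound": [Rule(80, cidr="0.0.0.0/0"), Rule(443, cidr="0.0.0.0/0")],
        "outbound": [Rule(3306, cidr="10.0.1.0/24")],
    },
    "rds-sg": {
        "inbound": [Rule(3306, cidr="10.0.0.0/24")],
        "outbound": [],
    },
}

# Tighter variant (not in the answer): RDS accepts 3306 only from members of ec2-sg.
GROUPS_TIGHT: Dict[str, Dict[str, List[Rule]]] = {
    "ec2-sg": GROUPS["ec2-sg"],
    "rds-sg": {"inbound": [Rule(3306, group="ec2-sg")], "outbound": []},
}


def rule_matches(rule: Rule, port: int, peer: Host) -> bool:
    """True if `rule` permits traffic on `port` to/from `peer`."""
    if rule.port != port:
        return False
    if rule.group is not None:
        return peer.group == rule.group
    return ip_address(peer.ip) in ip_network(rule.cidr)


def connection_allowed(groups, src: Host, dst: Host, port: int) -> bool:
    """Is a TCP connection src -> dst:port permitted by the groups?"""
    if src.group is not None:
        if not any(rule_matches(r, port, dst) for r in groups[src.group]["outbound"]):
            return False
    if dst.group is not None:
        if not any(rule_matches(r, port, src) for r in groups[dst.group]["inbound"]):
            return False
    return True


# Constructed hosts: 203.0.113.0/24 is a documentation range standing in for the Internet.
INTERNET = Host("internet-client", "203.0.113.10", None)
EC2 = Host("web", "10.0.0.25", "ec2-sg")
RDS = Host("db", "10.0.1.40", "rds-sg")
STRAY = Host("other-public-host", "10.0.0.99", None)  # unrelated box in the public subnet


def evaluate(groups) -> Dict[str, bool]:
    """Evaluate the flows a reviewer of this layout would want to see."""
    return {
        "internet->web:443": connection_allowed(groups, INTERNET, EC2, 443),
        "internet->db:3306": connection_allowed(groups, INTERNET, RDS, 3306),
        "web->db:3306": connection_allowed(groups, EC2, RDS, 3306),
        "stray->db:3306": connection_allowed(groups, STRAY, RDS, 3306),
    }


if __name__ == "__main__":
    for label, g in (("answer's CIDR-based rules", GROUPS), ("SG-reference rules", GROUPS_TIGHT)):
        print(label)
        for flow, ok in evaluate(g).items():
            print(f"  {flow}: {'ALLOW' if ok else 'DENY'}")
```

Running it shows the answer's rules already keep port 3306 closed to the Internet, but any host in 10.0.0.0/24 can reach the database; the group-reference variant narrows that to instances that actually carry the EC2 security group, which is the usual least-privilege choice when both resources live in the same VPC.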

Source: https://habr.com/ru/post/971928/
