RDS security

Within a VPC, RDS instances should be deployed with a security group that only allows communication from the correct source. For example, when EC2 instances communicate with RDS instances, specify only the security group of those instances as the allowed source. This lets you replace application instances dynamically, for example in an autoscaling EC2 cluster, without changing the database rules. Database instances should also always be deployed into private subnets, as there is generally no requirement for a database backend to be reachable from the internet. When designing security groups, open only the port the database service listens on; no other access to the RDS instances should be allowed. When creating NACLs, remember to create both the inbound and outbound rules for your RDS instance subnets, since NACLs are stateless. When troubleshooting connectivity to RDS instances, use the VPC flow logs for the subnet the instances reside in to identify the cause of the problem.
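As an added example (not from the book), the following Python audit checks a security group, in the shape returned by `aws ec2 describe-security-groups`, against the rules above: only the database port, and only from the application instances' security group. The group IDs, the sample rules and port 5432 are constructed values.

```python
"""Audit an RDS security group's ingress rules: only the database port, and
only from the application tier's security group. The input mirrors the
`aws ec2 describe-security-groups` JSON; the sample below is constructed."""
from typing import Dict, List

# Constructed sample: one compliant rule, one public CIDR rule, one wrong-port rule.
SAMPLE_SG = {
    "GroupId": "sg-0db0000000000000a",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-0app000000000000b"}]},
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-0app000000000000b"}]},
    ],
}


def audit_rds_sg(sg: Dict, db_port: int, app_sg_ids: List[str]) -> List[str]:
    """Return a list of findings; an empty list means the group follows the policy."""
    findings = []
    for rule in sg.get("IpPermissions", []):
        proto, lo, hi = rule.get("IpProtocol"), rule.get("FromPort"), rule.get("ToPort")
        desc = f"{proto} {lo}-{hi}"
        # "-1" means all protocols and ports; anything but TCP on the DB port is too wide.
        if proto != "tcp" or lo != db_port or hi != db_port:
            findings.append(f"{desc}: not limited to the database port {db_port}/tcp")
        # CIDR sources (IPv4 or IPv6) cannot follow autoscaled instances; expect SG references.
        for cidr in rule.get("IpRanges", []) + rule.get("Ipv6Ranges", []):
            src = cidr.get("CidrIp") or cidr.get("CidrIpv6")
            findings.append(f"{desc}: CIDR source {src} instead of a security group")
        for pair in rule.get("UserIdGroupPairs", []):
            if pair.get("GroupId") not in app_sg_ids:
                findings.append(f"{desc}: unexpected source security group {pair.get('GroupId')}")
    return findings


if __name__ == "__main__":
    for finding in audit_rds_sg(SAMPLE_SG, 5432, ["sg-0app000000000000b"]):
        print("FINDING:", finding)
```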
