How to get the VPC CIDR range from within an AWS Instance

If your VPC EC2 instances are in private subnets, then to access EC2-Classic, your VPC will need a NAT. Give your NAT an elastic IP address so it's a constant public IP address.

Then in your RDS security group, allow access only for that Elastic IP address.

If your VPC EC2 instances are in public subnets, then you could give each of them elastic IP addresses and allow access to only those IP addresses in your RDS security group. This is more difficult if they are part of auto-scaling groups.

Add the CIDR block of your VPC to your ingress rules of your security group.

You will also need to ensure that egress rules are configured for your other security groups to allow outbound traffic from your instances. Again, you can limit it to the same CIDR block.

For example, if your VPC CIDR block was 10.0.0.0/16, then:

1. On your target security group, add an ingress rule on the desired port for 10.0.0.0/16.
2. On all possible source security groups, add an egress rule on the desired port for 10.0.0.0/16.

However, to be more secure, I would recommend permitting traffic based on security group rather than CIDR block. For example:

1. On your target security group, add an ingress rule on the desired port for the source security group.
2. On your source security group, add an egress rule on the desire port for the target security group.