Knowledge Center Monthly Newsletter - September 2025

Stay up to date with the latest from the Knowledge Center. See all new Knowledge Center articles published in the last month, and re:Post’s top contributors.

RDS instances can't use VPC-associated Security Group?

I am trying to associate 2 security groups to an RDS instance I'm creating and one of them belongs to another VPC (but is "given" to the RDS's VPC via VPC assocation).

Context: The RDS instance must be created in vpc-0b080b222222.

The Security Groups I'm trying to use:

sg-0b2c61111111: belongs to vpc-00c0ea111111 and is associated with vpc-0b080b222222
sg-047fed222222: belongs to vpc-0b080b222222

The VPCs I have :

vpc-0b080b222222: has a Security Group and where I want the RDS instance to be.
vpc-00c0ea111111: has another Security Group, which I fail to use.

I get the following (using Terraform):

Error: creating RDS DB Instance (main-db): operation error RDS: CreateDBInstance, https response error StatusCode: 400, RequestID: ***, api error InvalidParameterCombination: The DB instance and EC2 security group are in different VPCs. The DB instance is in vpc-0b080b222222 and the EC2 security group is in vpc-00c0ea111111

It looks like "VPC assocations" aren't supported by RDS…

Topics: Networking & Content Delivery
Tags: Amazon VPC
Language: English

CDuv

asked 3 days ago25 views

2 Answers

Newest
Most votes
Most comments

Are these answers helpful? Upvote the correct answer to help the community benefit from your knowledge.

This recommendation was generated using AWS Generative AI capabilities. You are responsible for evaluating the recommendation in your specific context and implementing appropriate oversight and safeguards. Learn more

You're correct that you cannot associate a security group from one VPC with an RDS instance in another VPC. The error message you're receiving is accurate - RDS instances can only use security groups that belong to the same VPC where the RDS instance is being created.

Security groups are VPC-specific resources, and while you mentioned that one security group is "associated with" another VPC, security groups cannot actually span across VPCs. Each security group exists within exactly one VPC and can only be attached to resources within that same VPC.

In your case, since you're creating the RDS instance in vpc-0b080b222222, you can only use security groups that belong to vpc-0b080b222222 (like sg-047fed222222). You cannot use sg-0b2c61111111 because it belongs to vpc-00c0ea111111.

If you need to allow traffic between resources in different VPCs, you would need to set up VPC peering, Transit Gateway, or another connectivity solution, and then configure the security groups within each VPC appropriately.
Sources
Control traffic to your AWS resources using security groups - Amazon Virtual Private Cloud
DBSecurityGroup - Amazon Relational Database Service

re:Post Agent

answered 3 days ago

EXPERT

SHAJAM

reviewed 3 days ago

-1

There is a also a new feature - VPC Security Group sharing - that came out recently that lets you share the security group to accounts in an AWS organisation. I have not tried this myself, but I think it fits your usecase.

https://docs.aws.amazon.com/vpc/latest/userguide/security-group-sharing.html

EXPERT

SHAJAM

answered 3 days ago

CDuv
3 days ago
Sharing the VPC Security Group to other accounts is, also, something RDS does not support.

I get:

The sg-047fed222222 security group is owned by another account. Please provide a valid VPC security group.

I can't:

Use SG from another VPC

Use SG from another AWS account

Relevant content

How to connect an EC2 in a VPC to an Aurora RDS in another VPC using VPC Peering
Accepted Answer
Mahmoud
asked 2 years ago
Unable to connect to new RDS instance (timeout)
Accepted Answer
Nick
asked 2 years ago
VPC Sharing, security groups, and RDS
Hugo Lewenhaupt
asked 2 years ago
How to Successfully Connect AWS App Runner with a Privately Accessible RDS Instance?
jk
asked a year ago
How do I connect to an Amazon RDS DB instance that uses a public or private subnet of an Amazon VPC?
AWS OFFICIALUpdated 16 days ago
How do I move an Amazon RDS DB instance from a public subnet to a private subnet within the same VPC?
AWS OFFICIALUpdated 6 months ago
How do I connect to an Amazon RDS DB instance from an Amazon SageMaker notebook instance that's in a different VPC?
AWS OFFICIALUpdated a year ago
Why am I unable to create an Aurora read replica for my RDS for PostgreSQL instance?
AWS OFFICIALUpdated 3 years ago
Usage of Security Group associated with AWS Client VPN
EXPERT
Karthikiran Ilango
published 2 years ago
Security Groups and Classic Ports
EXPERT
NARRAVULA MUNI SAI TEJA
published a year ago