Two distinct Security Groups will be required for every RDS setup. The first will be assigned to the RDS instance/nodes, and must allow inbound traffic on port 5432, which is the default PostgreSQL port. If both the RDS and client nodes are deployed within the same Subnet, this rule can be restricted to that Subnet’s IP range for tighter control. This ensures that only internal workloads—such can initiate connections to the database, minimizing exposure and adhering to the principle of least privilege.