diff --git a/tempnotes.md b/tempnotes.md index e332208..d34423d 100644 --- a/tempnotes.md +++ b/tempnotes.md @@ -153,15 +153,13 @@ Default ports: `aws --profile admin cloudformation deploy --template-file ./02-stack-vpc.yaml --stack-name strapi-vpc --tags git=web-dev owner=home project=strapi-elb test=true deployment=cloudformation` -`aws --profile admin cloudformation deploy --template-file ./02-stack-vpc.yaml --stack-name new-temp-vpc --tags git=web-dev owner=home project=strapi-elb test=true deployment=cloudformation` - -`aws --profile admin cloudformation deploy --template-file ./03-stack-rdsinstance.yaml --stack-name strapi-rds --parameter-overrides StackName=strapi-vpc` +`aws --profile admin cloudformation deploy --template-file ./03-stack-rdsinstance.yaml --stack-name strapi-rds --parameter-overrides StackName=strapi-vpc --tags git=web-dev owner=home project=strapi-elb test=true deployment=cloudformation` ### delete -`aws --profile admin cloudformation delete-stack --stack-name temp-vpc` +`aws --profile admin cloudformation delete-stack --stack-name strapi-vpc` -`aws --profile admin cloudformation delete-stack --stack-name new-temp-vpc` +`aws --profile admin cloudformation delete-stack --stack-name strapi-rds` `aws --profile admin cloudformation delete-stack --stack-name temp` @@ -204,3 +202,9 @@ This security group should be set in `aws:elbv2:loadbalancer` under Additional security groups (in addition to the default one created by ELB) for the EC2 instances are defined in `aws:autoscaling:launchconfiguration` under `SecurityGroups` A security group will be created for you. You can ammend this (add 443 for https for example) by using `.config` file and creating a `AWS::EC2::SecurityGroupIngress` resource. (see 06-https.config) + +Security group rule to allow instances in the same security group to talk to one another: . + +LB SG: inbound/outbound 80/443 0.0.0.0/0 +Scaling SG: inbound 80/443 from LBSG +DB SG: inbound 5432 from Scaling SG + home ip 
diff --git a/todo.md b/todo.md index 80741be..ad911bf 100644 --- a/todo.md +++ b/todo.md @@ -125,3 +125,5 @@ Show how to create private + public subnets as in ). Advantage to NAT is all outgoing requests to the internet come from a single IP. Summarise the flow -> VPC, internet gateway, attachment + route tables, subnets etc. Mention the nat gateway but show how it can be replaced with security groups. + +Merge the CF templates into one, make sure all the importing and other s nippets are documented.
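Review bot: in tempnotes.md, under `### delete`, the `delete-stack --stack-name strapi-vpc` command is listed before `delete-stack --stack-name strapi-rds`, which is the wrong order for teardown. The deploy line creates strapi-rds with `--parameter-overrides StackName=strapi-vpc`, so the RDS stack depends on the VPC stack. If that dependency is through imported exports, CloudFormation will refuse to delete the exporting stack while another stack still imports from it. List the strapi-rds delete first and say that the order matters. The unchanged `delete-stack --stack-name temp` line does not match any stack deployed in the visible commands, so drop it if it is stale.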
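Review bot: in tempnotes.md, the added line `LB SG: inbound/outbound 80/443 0.0.0.0/0` opens load balancer egress to the whole internet, although the next line shows the only place the LB needs to reach is the Scaling SG. Suggest scoping the outbound rule to the Scaling SG and keeping 0.0.0.0/0 for inbound only. In `DB SG: inbound 5432 from Scaling SG + home ip`, write the home address as a single /32 so nobody widens it to a range later. The sentence ending `to talk to one another: .` has nothing after the colon, so the reference or rule it was meant to point at is missing. The three SG lines also have no list markers or blank lines between them, so Markdown will render them as one run-on paragraph.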
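Review bot: in todo.md, the added line has a split word, `other s nippets`, which should read `other snippets`. The item would also be easier to act on if it named which templates are to be merged (the notes reference 02-stack-vpc.yaml and 03-stack-rdsinstance.yaml) and recorded that the `StackName=strapi-vpc` parameter override goes away once the cross-stack import is replaced by in-template references.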