Tags: amazon-web-services, network-programming, ip-address, acl

Amazon ACL allow range of IP addresses


I want to allow outbound network traffic from an Amazon VPC to IPs where the 3rd octet is within a range, so something like 123.456.*.789, where * could be any value.

How do I do this with Amazon's CIDR notation?

I can do 123.456.0.0/16, but that lets the final octet take on any value.


Solution

  • CIDR notation is not an AWS thing, it's a widely used standard. You cannot use wildcards in CIDR notation and there's no way to do what you want in a single rule. I'm not sure which specific IPs you're wanting, but note that you wouldn't be able to use x.x.0.n, x.x.1.n ... x.x.255.n either as that would be 256 total rules. An AWS SG has a hard limit of 100 rules. The x.x.0.0/16 syntax is the closest you can get.
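An added example (not part of the question or answer above) that makes the answer's point concrete with Python's `ipaddress` module: a wildcard in a middle octet expands to one CIDR block per octet value, and the single /16 that covers them all also admits every other address in that range. The pattern `10.20.*.5` and the block `10.20.0.0/16` are constructed stand-ins for the question's `123.456.*.789`, which is not a valid IPv4 address.

```python
# Added example: how many exact CIDR rules a "wildcard in the middle" pattern
# needs, and how much a single covering /16 over-permits. Pattern and block
# values are constructed for illustration.
import ipaddress
import itertools
from typing import List

def expand_wildcard(pattern: str) -> List[ipaddress.IPv4Address]:
    """Every IPv4 address matched by a dotted pattern such as '10.20.*.5',
    where '*' stands for any value 0-255 in that position."""
    parts = pattern.split(".")
    if len(parts) != 4:
        raise ValueError("expected four dotted octets")
    choices = []
    for p in parts:
        if p == "*":
            choices.append(range(256))
        elif p.isdigit() and int(p) <= 255:
            choices.append([int(p)])
        else:
            raise ValueError(f"invalid octet {p!r} in {pattern}")
    return [ipaddress.IPv4Address(".".join(map(str, t)))
            for t in itertools.product(*choices)]

def exact_cidrs(pattern: str) -> List[ipaddress.IPv4Network]:
    """Smallest list of CIDR blocks matching the pattern exactly.
    collapse_addresses only merges contiguous, prefix-aligned ranges, so a
    wildcard in a middle octet leaves one block per value of that octet."""
    hosts = [ipaddress.IPv4Network(f"{a}/32") for a in expand_wildcard(pattern)]
    return list(ipaddress.collapse_addresses(hosts))

def overpermission(pattern: str, cidr: str) -> int:
    """Addresses a single covering CIDR allows that the pattern does not:
    what a rule like x.x.0.0/16 opens up beyond the 256 exact rules."""
    net = ipaddress.IPv4Network(cidr)
    wanted = expand_wildcard(pattern)
    if not all(a in net for a in wanted):
        raise ValueError(f"{cidr} does not cover every address in {pattern}")
    return net.num_addresses - len(set(wanted))

if __name__ == "__main__":
    # 10.20.0.0/16 is private (RFC 1918) space, chosen as a safe stand-in.
    print(len(exact_cidrs("10.20.*.5")), "exact rules needed for 10.20.*.5")
    print(overpermission("10.20.*.5", "10.20.0.0/16"),
          "extra addresses admitted by 10.20.0.0/16")
```

The 256 rules for the exact match exceed the per-group limit the answer mentions, while the single /16 admits 65,280 addresses the pattern never asked for.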