For security group B: Add an inbound rule that allows traffic only from security group A on port 1433

For security group B: Add an inbound rule that allows traffic only from all sources on port 1433

For security group A: Add an inbound rule that allows traffic from all sources on port 443. Add an outbound rule with the destination as security group B on port 1433

For security group B: Add an inbound rule that allows traffic only from security group A on port 443

For security group A: Add an inbound rule that allows traffic from all sources on port 443. Add an outbound rule with the destination as security group B on port 443

Network access control list (network ACL) are stateful, so allowing inbound traffic to the necessary ports enables the connection. Security Groups are stateless, so you must allow both inbound and outbound traffic

Rules associated with network access control list (network ACL) should never be modified from command line. An attempt to modify rules from command line blocks the rule and results in an erratic behavior

Security Groups are stateful, so allowing inbound traffic to the necessary ports enables the connection. Network access control list (network ACL) are stateless, so you must allow both inbound and outbound traffic

IAM Role defined in the Security Group is different from the IAM Role that is given access in the network access control list (network ACL)

AWS Transit Gateway

AWS PrivateLink

Virtual private gateway (VGW)

VPC Peering Connection

Set up three NAT gateways, one in each private subnet in each AZ. Create a custom route table for each AZ that forwards non-local traffic to the NAT gateway in its AZ

Set up three Internet gateways, one in each private subnet in each AZ. Create a custom route table for each AZ that forwards non-local traffic to the Internet gateway in its AZ

Set up three NAT gateways, one in each public subnet in each AZ. Create a custom route table for each AZ that forwards non-local traffic to the NAT gateway in its AZ

Set up three egress-only internet gateways, one in each public subnet in each AZ. Create a custom route table for each AZ that forwards non-local traffic to the egress-only internet gateway in its AZ

Configure an Egress-only internet gateway for the resources in the private subnet of the VPC

Configure the Internet Gateway of the VPC to be accessible to the private subnet resources by changing the route tables

Configure a Network Address Translation instance (NAT instance) in the public subnet of the VPC

Configure a Network Address Translation gateway (NAT gateway) in the public subnet of the VPC

You can use an Internet Gateway ID as the custom source for the inbound rule

You can use a range of IP addresses in CIDR block notation as the custom source for the inbound rule

You can use an IP address as the custom source for the inbound rule

You can use a security group as the custom source for the inbound rule