An e-commerce company has deployed its application on Amazon EC2 instances and uses Amazon RDS for the backend database. The EC2 instances and RDS instance are in the same VPC. The company wants to enforce security best practices to ensure that only the EC2 instances can communicate with the RDS instance on the database port, and no external database connections are allowed. Which of the following security group rules should be configured to meet the above security requirement? (Select TWO.)