Network Firewall whitelist public domain access for private resources


Hi everyone,

I currently have a case in which my Network Firewall runs in **Drop-all-established** mode with Alert. I also followed the centralized inspection design, which uses a Network Firewall to inspect all inbound/outbound and cross-VPC traffic in the AWS environment, so I have a standard rule group to manage traffic between zones. However, traffic going to a specific domain could not be handled by that rule group (I don't want to convert the domain to an IP to add it to the rule group). So I created a domain list rule group to add all the domains that I would like the private resources to access. But it is not working; the domains in the domain list look like the below:

.example1.com
.example2.com

After that, I found an article about this, and I had to add one more Suricata-compatible rule group to define the flows:

pass http $HOME_NET any -> $EXTERNAL_NET any (http.host; dotprefix; content:".example1.com"; endswith; msg:"matching HTTP allowlisted FQDNs"; flow:to_server, established; sid:1; rev:1;)
pass tls $HOME_NET any -> $EXTERNAL_NET any (tls.sni; dotprefix; content:".example1.com"; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:2; rev:1;)
pass http $HOME_NET any -> $EXTERNAL_NET any (http.host; dotprefix; content:".example2.com"; endswith; msg:"matching HTTP allowlisted FQDNs"; flow:to_server, established; sid:3; rev:1;)
pass tls $HOME_NET any -> $EXTERNAL_NET any (tls.sni; dotprefix; content:".example2.com"; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; sid:4; rev:1;)

The question is:

  1. I still do not understand why we need to configure 2 rule groups in order to allow access to a specific domain (I tried removing one, and it does not work).
  2. Is there any other way to do this? (I may be missing the concept, which makes me do it in a complex way.)

Thank you so much!

Minh Le
Asked 2 months ago, 116 views
No answers
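As an added example, not part of the original post and not AWS's own tooling: the Suricata rule group in the question is just one `http.host` rule plus one `tls.sni` rule per domain-list entry, with sequential `sid`s, so it can be generated rather than written by hand. The script below takes a constructed domain list in the same form as the one in the question and emits rules in exactly the shape shown there. The `validate_domain` helper and the handling of entries without a leading dot (treated as exact hosts via `startswith; endswith;`) are assumptions of this example; the leading-dot entries use the `dotprefix; ... endswith;` form from the post. `nocase` is applied only on `tls.sni`, as in the posted rules, because Suricata normalises `http.host` to lowercase.

```python
"""Generate Suricata pass rules for an HTTP/TLS domain allowlist.

Added example for illustration only; it reproduces the rule shape shown
in the question (one http.host rule and one tls.sni rule per entry) so a
domain list can be turned into a Suricata-compatible rule group text.
"""
import re

# Constructed sample input, mirroring the domain list in the question.
SAMPLE_DOMAIN_LIST = [
    ".example1.com",
    ".example2.com",
]

# One DNS label: 1-63 chars of [a-z0-9-], not starting or ending with '-'.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def validate_domain(entry: str) -> str:
    """Normalise one allowlist entry or raise ValueError.

    Assumption of this example: entries are lowercased, a trailing dot is
    stripped, and a single leading dot (meaning 'domain and all
    subdomains', as in the question) is preserved. Anything that is not a
    plain hostname is rejected so it can never break the rule syntax.
    """
    host = entry.strip().lower().rstrip(".")
    bare = host[1:] if host.startswith(".") else host
    if not bare or len(bare) > 253:
        raise ValueError(f"invalid domain entry: {entry!r}")
    for label in bare.split("."):
        if not _LABEL.match(label):
            raise ValueError(f"invalid label {label!r} in entry {entry!r}")
    return host


def suricata_rules(domains, first_sid: int = 1):
    """Return the list of pass rules for the given entries.

    Leading-dot entries use 'dotprefix' + 'endswith' (the form shown in
    the question). Entries without a leading dot are treated as exact
    hosts via 'startswith' + 'endswith' (an assumption of this example).
    """
    rules = []
    sid = first_sid
    for entry in domains:
        host = validate_domain(entry)
        if host.startswith("."):
            http_match = f'http.host; dotprefix; content:"{host}"; endswith;'
            # http.host is lowercased by Suricata; nocase only on tls.sni.
            tls_match = f'tls.sni; dotprefix; content:"{host}"; nocase; endswith;'
        else:
            http_match = f'http.host; content:"{host}"; startswith; endswith;'
            tls_match = f'tls.sni; content:"{host}"; nocase; startswith; endswith;'
        rules.append(
            f"pass http $HOME_NET any -> $EXTERNAL_NET any ({http_match} "
            f'msg:"matching HTTP allowlisted FQDNs"; flow:to_server, established; '
            f"sid:{sid}; rev:1;)"
        )
        sid += 1
        rules.append(
            f"pass tls $HOME_NET any -> $EXTERNAL_NET any ({tls_match} "
            f'msg:"matching TLS allowlisted FQDNs"; flow:to_server, established; '
            f"sid:{sid}; rev:1;)"
        )
        sid += 1
    return rules


if __name__ == "__main__":
    for rule in suricata_rules(SAMPLE_DOMAIN_LIST):
        print(rule)
```

Running the script with the sample list prints the four rules from the question verbatim (sids 1 through 4), which makes it easy to diff a generated rule group against the one already deployed.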
