AWS firewall suricata rules not working as expected

i am trying to understand how aws based suricata rules work. With these two rules below, all websites are working and i expect only for google.com to work. Am i missing any thing ? i understand that the order is pass, and then drop. i added the drop tcp with flow so tls.sni will be evaluated and the pass rule will work. It seems like it is working BUT i expected all other sites that don't match to not work ? (i have tried the DOMAIN LIST rule and that too doesn't work)

NOTE - default order is in use, no stateless rules, forwarding frag and no frag packets is configured, INT network forward to FW SUBNET and then to the NAT SUBNET which then forward to IGW. HOME_NET is the VPC CIDR and EXTERNAL_NET is 0.0.0.0/0

Rule 1 pass tls $HOME_NET any -> $EXTERNAL_NET any (tls.sni; content:".google.com"; nocase; endswith; msg:"pp-Permit HTTPS access"; sid:1000001; rev:1;)

Rule 2 drop tcp $HOME_NET any -> $EXTERNAL_NET any (flow:established,to_server; msg:"pp-Deny all other TCP traffic"; sid: 1000003; rev:1;)