This should meet your requirements:
Admin Dashboard server: Security Group A
- Inbound rule allowing traffic on whatever port(s) your dashboard is served on, probably port 80 and/or 443.
- Default outbound rules
Ingestion Feeds server: Security Group B
- No inbound rules (see note below)
- Default outbound rules
Database server: Security Group C
- Inbound rule to allow instances belonging to Security Group A access to the
database port
- Inbound rule to allow instances belonging to Security Group B access to the database port
- Default outbound rules
Note:
From the documentation:
Security groups are stateful — if you send a request from your
instance, the response traffic for that request is allowed to flow in
regardless of inbound security group rules. Responses to allowed
inbound traffic are allowed to flow out, regardless of outbound rules.
This should allow your Ingestion Feeds service to create a connection with the External Service and receive responses on that connection without any Inbound Rules assigned to the Ingestion Feeds instance.