Server A is trying to ping
Server B and
Server B's security group grants inbound access from
Server A's security group...
You need to make sure
Server A is pinging
Server B via
Server B's Private DNS Address (or Private IP Address) instead of
Server B's public (or elastic) address.
According to the documentation:
Incoming traffic is allowed based on the private IP addresses of the instances that are associated with the source security group (and not the public IP or Elastic IP addresses).
If you select an instance from the Instances page on the EC2 Dashboard you can see the instance’s public and private addresses.
The private IP address of an Amazon EC2 instance will never change. It will not change while an instance is running. It will not change while an instance is stopped.
When EC2 instances are launched, the primary elastic network interface is assigned a reserved private IP address from the default VPC DHCP pool.
The private IP address stays assigned to the network interface until it is deleted. The instance’s primary network interface cannot be removed; it stays assigned to the instance until the instance is deleted. It is not possible to remove or change the private IP address of the primary network interface, but it is possible to add more private IP addresses to the network interface.