A few months back I was setting up SCCM IBCM with AWS EC2s. However, as our management only wants one-way communication from our corporate network to DMZ, and the SQL database push-based replication failed during the setup(I opened a case with Microsoft, and they directly told me that one-way communication setup for SCCM is not possible), I have to switch to Microsoft's new Cloud Management Gateway – SCCM CMG.
Here is an old article I used to set up the SQL push-based replication, and apparently it didn't work.
So now I switched to the SCCM CMG configurations.
First thing I have to know is the different ways of client authentication methods with CMG:
1. PKI Certificate
This way is recommended by Microsoft, each client has a unique certificate issued by the internal CA. And it can be worked on all windows clients.
2. Azure AD
Clients will be joined to Azure AD. Only Windows 10 devices are supported in this setup. However it supports both user and device.
3. Site Token
Can support all the windows clients, they are best for the environment that doesn't have a PKI infrastructure. The site token has validity between 3-5 days.
About the Client Authentication and Authorization choices:
Azure AD device registration error codes
Differences of Co-management, Hybrid Azure AD joined and CMG
Troubleshooting Hybrid Azure AD Join
Troubleshooting hybrid Azure Active Directory joined devices
Azure AD – Hybrid Device Join (HDJ) Status – Pending
Install and assign Configuration Manager Windows 10 clients using Azure AD for authentication
Token-based authentication for cloud management gateway
CMG token based authentication with ConfigMgr 2002
How to setup Cloud Management Gateway with Enhanced HTTP
How to find your AADCLIENTAPPID
Differences of Retire/Wipe/Delete/Fresh Start/Autopilot Reset in Intune Device Management
Detection method to in SCCM via Intune