Security group for VPC Link / ApiGatewayV2 is not working

0

Hey there, I have set up a security group for my VPC link (AWS::ApiGatewayV2::VpcLink) on my API GATEWAY HTTP API V2 (AWS::ApiGatewayV2::Api). Even if I remove all the inbound rules I'm able to reach the server from the internet. Any ideas?

  • Did you ever figure this out?

1 Answer
0

HTTP VPC Link is an integral part of API Gateway and it is better understood as being part of the same logical entity. What this effectively means is that API Gateway does not actually send traffic to the VPC Link; rather, it uses the VPC Link to send traffic to the Elastic Load Balancer.

Therefore, the Inbound Rules in the Security Groups attached to an HTTP VPC Link simply do not apply: all traffic to the VPC Link from API Gateway is always allowed because the VPC Link is not a foreign entity, it is internal to API Gateway. On the other hand, Outbound Rules do apply because the traffic is sent outbound to a foreign entity (an ELB).

AWS
Support Engineer
answered 10 months ago
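
An added example (not part of the original answer and not AWS code): a small check over a CloudFormation template that, following the answer above, treats inbound rules on a VPC link's security groups as having no effect on traffic from API Gateway and reports the egress rules that do apply. The template, the resource names and the function `audit_vpc_link_groups` are constructed for illustration, and the check assumes rules are declared inline on the security group resource.

```python
# Constructed CloudFormation fragment (sample input, not taken from the post).
TEMPLATE = {"Resources": {
    "LinkSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "GroupDescription": "inbound rules removed, as in the question",
        "SecurityGroupIngress": [],
        # No SecurityGroupEgress: EC2 then creates its default allow-all egress rule.
    }},
    "TightLinkSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "GroupDescription": "egress limited to the load balancer subnets",
        "SecurityGroupEgress": [{"IpProtocol": "tcp", "FromPort": 443,
                                 "ToPort": 443, "CidrIp": "10.0.0.0/16"}],
    }},
    "Link": {"Type": "AWS::ApiGatewayV2::VpcLink", "Properties": {
        "Name": "example-link", "SubnetIds": ["subnet-EXAMPLE"],
        "SecurityGroupIds": [{"Ref": "LinkSg"}, {"Ref": "TightLinkSg"}, "sg-EXAMPLE"],
    }},
}}


def audit_vpc_link_groups(template):
    """Return one finding per security group attached to an HTTP API VPC link."""
    resources = template["Resources"]
    findings = []
    for link_name, res in resources.items():
        if res["Type"] != "AWS::ApiGatewayV2::VpcLink":
            continue
        for sg in res["Properties"].get("SecurityGroupIds", []):
            if isinstance(sg, dict):  # {"Ref": X} or {"Fn::GetAtt": [X, "GroupId"]}
                name = sg.get("Ref") or sg["Fn::GetAtt"][0]
            else:
                name = sg  # literal group id, defined outside this template
            if name not in resources:
                egress = "unknown (group not defined in this template)"
            else:
                rules = resources[name]["Properties"].get("SecurityGroupEgress")
                # Egress does apply to link -> load balancer traffic.
                egress = rules if rules else "default allow-all"
            findings.append({
                "vpc_link": link_name,
                "security_group": name,
                # Per the answer, inbound rules on the link's group never
                # filter traffic arriving from API Gateway.
                "ingress_filters_api_gateway": False,
                "egress": egress,
            })
    return findings
```

For the sample template, `audit_vpc_link_groups(TEMPLATE)` returns three findings: `LinkSg` with the default allow-all egress, `TightLinkSg` with its single port 443 rule, and the literal group id marked as unknown.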
