Correct way to define ALB and the security groups needed in CF Template

Question

I am trying to get a handle on how to you define an ALB, its Listeners, Target group and Security groups in a CF Template.  So I wrote out this sudo code listing.  Is this correct if the ALB is Internal, listening on port 443 for traffic and sending that traffic to port 80 on the instance webserver?
* ALB
*     Properties:
*         Type: internal
*         Listener: 80
*         Listener: 443
*         Subnets
*         SecurityGroups
*         LBAttributes
* ALBListener80
*     Properties:
*         Reference: ALB
*         Port: 80
*         Redirect rule to port 443
* ALBListener443
*     Properties:
*         Reference: ALB
*         Port: 443
*         SSL Policy
*         Certificate
*         Forward rule to ALBTarget80
* ALBTarget80
*     Properties:
*         Port: 80
*         VPCid
*         TargetgroupAttributes
*         Registered instance(s)
*         Healthcheck
*         Check port 80
* ALBSecurityGroup
*     Ingress rules:
*         Allow port 80 from VPC CIDR
*         Allow port 443 from VPC CIDR
*     Egress rules:
*         Allow port 80 to InstanceSecurityGroup
*         Allow port 443 to InstanceSecurityGroup
*         Allow All traffic to 127.0.0.1/32
* InstanceSecurityGroup
*     Ingress rules:
*         Allow port 80 from VPC CIDR
*         Allow port 443 from VPC ALBSecurityGroup
*     Egress rules:
*         Allow all to 0.0.0.0/0

Am I looking at this correctly?

Accepted Answer

Hi, that's roughly right.

Your ALBSecurityGroup only needs egress on port 80 to the InstanceSecurityGroup.

Your InstanceSecurityGroup only needs ingress on port 80 from the ALBSecurityGroup.

Your InstanceSecurityGroup doesn't need any egress rules for this purpose, but may need some to support its functionality.

Correct way to define ALB and the security groups needed in CF Template

Relevant content