inbound rule of security group for EC2 Instance in private subnet

Have you considered splitting up your security groups for easier management? An instance can have up to 5 security groups assigned so you might create one which allows traffic from the load balancer; another that allows traffic from instances on the subnet then assign both of them to the target instance.

Second, you can cross-reference other resources in your security groups. So rather than use a static IP you can add the load balancer itself to the security group and the VPC control plane will automatically fill that in for you.

For other instances within the subnet, you can add the instances to the security group in the same way; but this might be inconvenient if there is auto-scaling happening. In that case, you might want to allow traffic from the entire private subnet. Some might say "well, that's insecure" but you control that private subnet - if there are other instances being launced in that subnet that you don't control I would say that is a larger thing to be concerned about. That said, you could create some automation to add/remove entries to/from the security group - but it's some extra work you have to do.

As far as the port is concerned - you will need to determine that based on what your application is doing. Presumably it will be TCP/443 (HTTPS) and/or TCP/80 (HTTP).