According to AWS best practices, each tier’s security group must restrict inbound traffic to only the upstream trusted source. For the web tier, the Application Load Balancer must be the only entity allowed to send traffic. AWS documentation specifies: “Restrict the security groups associated with your targets to accept traffic only from the load balancer.” This confirms that the web tier security group should allow inbound HTTPS from the ALB security group (A).
For communication between the web and application tiers, AWS states: “You can specify a security group as the source or destination in a rule” and “Create rules only for the protocols and ports required by your application.” Therefore, the application tier security group must allow inbound HTTPS traffic from the web tier security group (E).
For the database tier, AWS guidance says: “Allow only the necessary ports for database communication.” Microsoft SQL Server listens on TCP port 1433 by default (a named instance may be configured for a different port, in which case the rule must use that port instead), so the database tier security group must allow inbound SQL Server traffic on that port from the application tier security group (C).
Outbound rules (options B, D, and F) are unnecessary because security groups are stateful: AWS specifies that the response traffic for a request is allowed regardless of the rules in the opposite direction. Once the inbound rules are defined, the return path is permitted automatically. This relies on each group keeping its default outbound rule that allows all traffic; statefulness covers replies, not new connections, so the web and application tiers still need to be allowed to initiate the next hop. If that default outbound rule had been removed, an explicit outbound rule to the downstream security group would be required, but nothing in the question indicates that.
This combination (A, C, E) applies the principle of least privilege, ensures end-to-end secure communication across tiers, and follows AWS recommendations for ALB-to-target security group setups.
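The rule set above, written out as an added example (not code from the referenced AWS documentation): each rule is built in the IpPermissions structure that the EC2 API and boto3 use, with a security group rather than a CIDR as the source, and an audit function checks a described rule set against the same chain so that drift (a world-open 1433 rule, a rule sourced from the wrong tier) is reported. The security group IDs, the helper names and the drifted rule set are all constructed for the example; apply_rules assumes a boto3 EC2 client and is not called, so the block runs offline.

```python
"""Tier-to-tier security group rules for ALB -> web -> app -> SQL Server, in the
IpPermissions shape used by the EC2 API (boto3 / AWS CLI), plus an audit that
flags any rule on a target tier wider than "upstream SG on the one port"."""
from typing import Dict, List, Tuple

# Hypothetical security group IDs for the four tiers (assumed for this example).
SG_ALB = "sg-0a1b2c3d4e5f60001"
SG_WEB = "sg-0a1b2c3d4e5f60002"
SG_APP = "sg-0a1b2c3d4e5f60003"
SG_DB = "sg-0a1b2c3d4e5f60004"

HTTPS = 443
MSSQL = 1433  # SQL Server default TCP listener port

# Which security group may talk to each target tier, and on which port:
# web accepts only the ALB (A), app accepts only web (E), db accepts only app (C).
EXPECTED_UPSTREAM: Dict[str, Tuple[str, int]] = {
    SG_WEB: (SG_ALB, HTTPS),
    SG_APP: (SG_WEB, HTTPS),
    SG_DB: (SG_APP, MSSQL),
}


def sg_source_rule(port: int, source_sg: str, description: str) -> Dict:
    """One IpPermission with a security group, not a CIDR, as the source.
    This is the structure AuthorizeSecurityGroupIngress accepts."""
    return {
        "IpProtocol": "tcp",
        "FromPort": port,
        "ToPort": port,
        "UserIdGroupPairs": [{"GroupId": source_sg, "Description": description}],
    }


def tier_ingress_rules() -> Dict[str, List[Dict]]:
    """Inbound rules per target security group. No outbound rules are built:
    the default allow-all egress rule lets each tier open the next connection,
    and because security groups are stateful the replies need no rule at all."""
    return {
        target: [sg_source_rule(port, source, f"tcp/{port} from {source}")]
        for target, (source, port) in EXPECTED_UPSTREAM.items()
    }


def apply_rules(ec2, rules: Dict[str, List[Dict]]) -> None:
    """Push the rules with a boto3 EC2 client (ec2 = boto3.client('ec2')).
    Not called in this example so it runs offline."""
    for group_id, perms in rules.items():
        ec2.authorize_security_group_ingress(GroupId=group_id, IpPermissions=perms)


def audit_ingress(group_id: str, permissions: List[Dict],
                  expected_source_sg: str, expected_port: int) -> List[str]:
    """Compare a group's inbound rules (IpPermissions as returned by
    DescribeSecurityGroups) with the single rule it should carry.
    Returns one finding per deviation; an empty list means least privilege holds."""
    findings: List[str] = []
    for perm in permissions:
        proto = perm.get("IpProtocol")
        lo, hi = perm.get("FromPort"), perm.get("ToPort")
        span = f"{proto}/{lo}-{hi}"
        if proto == "-1":
            findings.append(f"{group_id}: rule allows all protocols and ports")
            continue
        # Any CIDR or prefix-list source on a tier behind the ALB bypasses the SG chain.
        for rng in perm.get("IpRanges", []) + perm.get("Ipv6Ranges", []):
            cidr = rng.get("CidrIp") or rng.get("CidrIpv6")
            findings.append(f"{group_id}: CIDR source {cidr} on {span}")
        for pl in perm.get("PrefixListIds", []):
            findings.append(f"{group_id}: prefix list {pl.get('PrefixListId')} on {span}")
        for pair in perm.get("UserIdGroupPairs", []):
            src = pair.get("GroupId")
            if src != expected_source_sg:
                findings.append(f"{group_id}: unexpected source group {src} on {span}")
            elif (proto, lo, hi) != ("tcp", expected_port, expected_port):
                findings.append(f"{group_id}: {src} allowed on {span}, expected tcp/{expected_port}")
    return findings


def audit_stack(described: Dict[str, List[Dict]]) -> List[str]:
    """Audit every tier against EXPECTED_UPSTREAM; `described` maps a group id
    to its IpPermissions list."""
    findings: List[str] = []
    for target, (source, port) in EXPECTED_UPSTREAM.items():
        findings += audit_ingress(target, described.get(target, []), source, port)
    return findings


# Constructed "drifted" state for the database tier: the correct rule plus a
# world-open 1433 rule and an RDP rule sourced from the wrong tier.
DRIFTED_DB_RULES: List[Dict] = [
    sg_source_rule(MSSQL, SG_APP, "tcp/1433 from app tier"),
    {"IpProtocol": "tcp", "FromPort": MSSQL, "ToPort": MSSQL,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
     "UserIdGroupPairs": [{"GroupId": SG_WEB}]},
]

if __name__ == "__main__":
    print("clean stack findings:", audit_stack(tier_ingress_rules()))
    for finding in audit_ingress(SG_DB, DRIFTED_DB_RULES, SG_APP, MSSQL):
        print("finding:", finding)
```

The audit deliberately treats any IpRanges, Ipv6Ranges or PrefixListIds entry on a tier behind the load balancer as a finding: the design intent is that only the upstream security group is ever a source, so a CIDR rule is wrong even if the range is private. Feed it the IpPermissions from describe_security_groups to check a live account against the same chain.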
References:
• Elastic Load Balancing User Guide — Application Load Balancers: Security groups for your load balancer; Target security groups
• Amazon VPC User Guide: Security groups for your VPC; Security group rules
• AWS Well-Architected Framework — Security Pillar: Apply the principle of least privilege