Are the healthchecks that the target group performs routed from outside the VPC (aka from the internet), or are they generated and routed internally? I am asking this because I don't know if I should open the port for healthchecks from the security group at internet level (0.0.0.0) or VPC level (10.0.0.0/16).
Thanks
Health checks from the target group are always routed internally, inside the VPC. However, instead of allowing requests from (10.0.0.0/16), you should actually allow requests from the security group ID that is assigned to the load balancer.
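
An added example, not part of the original answer: a Python check that reads ingress rules in the `IpPermissions` shape returned by `aws ec2 describe-security-groups` and reports whether the health check port is reachable from the load balancer's security group, and from which other sources. The security group ID, the port, and the sample rules are constructed for illustration.

```python
# Rules use the IpPermissions shape from `aws ec2 describe-security-groups`.
LB_SG = "sg-0aaaaaaaaaaaaaaaa"   # constructed load balancer security group ID
HEALTH_PORT = 8080               # constructed health check port


def covers_port(perm, port):
    """True if the rule's protocol and port range include the TCP port."""
    if perm.get("IpProtocol") == "-1":      # "-1" means all protocols and ports
        return True
    if perm.get("IpProtocol") != "tcp":
        return False
    return perm["FromPort"] <= port <= perm["ToPort"]


def audit_health_check_ingress(ip_permissions, lb_sg, port):
    """Report which sources can reach the health check port on a target."""
    lb_allowed, other_sources = False, []
    for perm in ip_permissions:
        if not covers_port(perm, port):
            continue
        for r in perm.get("IpRanges", []):
            other_sources.append(("cidr", r["CidrIp"]))
        for r in perm.get("Ipv6Ranges", []):
            other_sources.append(("cidr", r["CidrIpv6"]))
        for pair in perm.get("UserIdGroupPairs", []):
            if pair.get("GroupId") == lb_sg:
                lb_allowed = True
            else:
                other_sources.append(("sg", pair.get("GroupId")))
    return {"lb_allowed": lb_allowed, "other_sources": other_sources}


# Constructed sample rules: the VPC-wide CIDR from the question, and the
# load-balancer-scoped rule the answer recommends. Port 22 is unrelated.
VPC_WIDE = [{"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
             "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "UserIdGroupPairs": []}]
LB_SCOPED = [{"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
              "IpRanges": [], "UserIdGroupPairs": [{"GroupId": LB_SG}]},
             {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
              "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "UserIdGroupPairs": []}]

if __name__ == "__main__":
    for name, rules in (("vpc-wide", VPC_WIDE), ("lb-scoped", LB_SCOPED)):
        print(name, audit_health_check_ingress(rules, LB_SG, HEALTH_PORT))
```

An empty `other_sources` list with `lb_allowed` set to true is the configuration the answer describes.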