It would be nice to be able to attach VPC security groups to VPC Load Balancers.
We wanted to restrict access to our public LBs to only CIS WAF services. We were only able to do this by creating network ACLs using the IPs from the LBs and the Cloudflare IP list (https://www.cloudflare.com/ips). If the Cloudflare or LB IPs change, then we would need to update the rules to match.
If we do not block access, then a bad actor could just bypass the WAF as long as they know the LB's FQDN.
curl -H "hostname: myapp.mydomain.com" https://[LB_FQDN]