When deploying SFTP Gateway with a high-availability template, you may notice that the health checks on the target groups are failing. To resolve this, you need to allow traffic on ports 22, 80, and 443 to your EC2 Security Group, originating from your VPC's CIDR range. This allows the Network Load Balancer (NLB) to perform health checks.
Network Load Balancer Health Checks
The Network Load Balancer (NLB) performs health checks against the target groups for ports 22, 80, and 443. These health checks help determine whether EC2 instances are healthy.
By default, the EC2 Security Group only allows traffic from your public IP, which you specify at initial launch. This means that the NLB's server nodes are denied access when performing health checks.
If we were using an Application Load Balancer (ALB), we could simply allow the ALB's Security Group ingress over the health check ports. Unfortunately, you cannot associate a Security Group with NLB. So we have to fall back on using a CIDR range instead.
The solution is to create ingress rules, allowing the entire VPC CIDR range ingress over the health check ports. The NLB nodes will use these IP addresses to perform health checks.
See this article for details.