Description
Is your feature request related to a problem?
Currently it is possible to reference CIDRs using the alb.ingress.kubernetes.io/inbound-cidrs annotation. This is great for allowing traffic from the public IP space. But for internal ALBs it would be great to have the ability to allow inbound traffic from specific security groups. For example, allowing traffic from the API Gateway (via VPC Link) to an ALB without opening up the ALB to the whole subnet or VPC. I would rather reference the security group of the VPC Link. But one can think of other use cases where a specific EC2 instance (not part of the EKS cluster) should be able to connect to an ALB and another EC2 instance should not.
Describe the solution you'd like
I would like to have an annotation, for example alb.ingress.kubernetes.io/inbound-security-groups, where I can specify a list of security groups that are allowed to send traffic to the listeners of the ALB.
Describe alternatives you've considered
Configure a custom security group using the alb.ingress.kubernetes.io/security-groups annotation, and reference the SG of the API Gateway in the SG attached to the ALB. But this would be extra work, since I then have to create a security group that would otherwise be managed by the load balancer controller.
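The workaround described above, as an added example that is not part of the original issue: the controller-managed SG is replaced by a user-managed one whose only ingress rule references the VPC Link's security group, so the ALB is reachable from API Gateway but not from the rest of the VPC. The security group IDs, VPC CIDR and the proposed inbound-security-groups annotation are placeholders; only the annotations security-groups, inbound-cidrs and scheme exist in the controller today.

```yaml
# Constructed example. The SG in the annotation is created and owned by you,
# not by the load balancer controller. Its single inbound rule should allow
# only the VPC Link's security group as the source, e.g.:
#   aws ec2 authorize-security-group-ingress \
#     --group-id sg-ALB-PLACEHOLDER --protocol tcp --port 443 \
#     --source-group sg-VPCLINK-PLACEHOLDER
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: internal-api
  annotations:
    alb.ingress.kubernetes.io/scheme: internal
    # Attach the user-managed SG; the controller then does not create its own.
    alb.ingress.kubernetes.io/security-groups: sg-ALB-PLACEHOLDER
    # The coarse alternative the issue wants to avoid: this would admit every
    # host in the VPC, not just the VPC Link.
    # alb.ingress.kubernetes.io/inbound-cidrs: 10.0.0.0/16
    # What the issue proposes instead (hypothetical, not implemented):
    # alb.ingress.kubernetes.io/inbound-security-groups: sg-VPCLINK-PLACEHOLDER
spec:
  ingressClassName: alb
  rules:
    - http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: api
                port:
                  number: 443
```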