A web application is running on Amazon EC2 instances behind an Elastic Load Balancing Application Load Balancer (ALB). The EC2 instances should receive no traffic, except for web requests to the application.
Based on these requirements, what security group rules should be put on the Amazon EC2 instances?
A. An inbound rule allowing traffic from the security group attached to the ALB
B. An inbound rule allowing traffic from the network ACLs attached to the ALB
C. An outbound rule allowing traffic to the security group attached to the ALB
D. An outbound rule blocking all traffic to the Internet