No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

if so, can anyone explain why:
```const alb = new awsx.classic.lb.ApplicationLoadBalancer(
    "net-lb", { external: true, securityGroups: cluster.securityGroups });```

This adds 443 to the cluster sg, which then is also the lb sg, and leaves the `0.0.0.0/0` `ALL` rule there, as well as `0.0.0.0/0` ssh `22`  ingress, which is insecure.

I can you you that I've had issues with this and I can show you my solution

```const alb = new awsx.lb.ApplicationLoadBalancer(
  `${appName}-lb`,
  {
    loadBalancer: new aws.lb.LoadBalancer(`${appName}-alb`, {
      accessLogs: {
        bucket: logBucketId,
        enabled: true,
        prefix: appName,
      },
      dropInvalidHeaderFields: true,
      internal: false,
      securityGroups: [albSecurityGroup.id],
      subnets: publicSubnetIds,
    }),
    securityGroups: [],
    vpc: vpc.vpc,
  },
  {
    dependsOn: albSecurityGroup,
  },
);```