When defining a networkListener for an EC2Service, how do I create a security group rule to only allow inbound traffic coming from the load balancer listener port for the service?

return new awsx.ecs.EC2Service("myservice", {
    cluster,
    subnets: service.subnets,
    taskDefinitionArgs: {
        vpc,
        networkMode: "awsvpc",
        containers: [ 
           "myContainer": { image: '...',
             networkListener = {
                 port: 80,
                 sslPolicy: 'ELBSecurityPolicy-TLS-1-2-Ext-2018-06'
              } 
            } 
        ],
    }
...
}