No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

This feels familiar.  I believe I ended up using awsx for the security group as well.

```const appSecurityGroup = new awsx.ec2.SecurityGroup(`${appName}-sg`, {
  ingress: [{ fromPort: 3000, toPort: 3000, protocol: "tcp", cidrBlocks: ["0.0.0.0/0"] }],
  egress: [{ fromPort: 0, toPort: 0, protocol: "-1", cidrBlocks: ["0.0.0.0/0"] }],
  vpc,
});

const lbSecurityGroup = new awsx.ec2.SecurityGroup(`${appName}-default-http-and-https`, {
  egress: [{ fromPort: 3000, toPort: 3000, protocol: "tcp", sourceSecurityGroupId: appSecurityGroup.id }],
  vpc,
});

const alb = new awsx.lb.ApplicationLoadBalancer(`${appName}-lb`, {
  external: true,
  securityGroups: [lbSecurityGroup],
  subnets: vpc.publicSubnetIds,
  vpc,
});```

I believe the warning about duplicate security rule is because Pulumi is creating the new rule (with `toPort: 65534`) before deleting the old rule and the port ranges overlap - `0-65535` is inclusive of `0-65534`. So they are effectively duplicate.

You can tell Pulumi to delete the previous resource before creating the new one with `deleteBeforeReplace`.

e.g.
```new aws.ec2.SecurityGroupRule(`sg-ingress-alb-to-containers`, {
  type: 'ingress',
  description: 'Allow all traffics from ALB to ECS containers',
  protocol: 'all',
  fromPort: 0,
  toPort: 65534,
  cidrBlocks: ["0.0.0.0/0"],
  securityGroupId: albSg.id,
}, {
  deleteBeforeReplace: true
});```