After hours of attempting I finally realize the port setting in target group is NOT useless. For example in my scenario, I am holding multiple ports on an ec2 and wish to set up different https respectively. If you set port of a target group to be https 443, the request will be encrypted and require a local cert in your server to process. However, setting target group protocol as http will free you from additional local ssl certificates (you will not have one anyway if you are using ACM) after Cloudfront/ALB because communication from ALB through target group to instance is not encrypted .