So a target group is a list of places your Load balancers send traffic to. When someone hits your site on port 443, the ALB handle all the HTTPS/TLS stuff. After it decrypts the request, it sends the traffic to your app using whatever port you've set in the target group. That’s why port 80 works, your app is just getting normal HTTP from the ALB, not encrypted traffic.

So the flow is basically:

• User → ALB on 443 (HTTPS)

• ALB decrypts it

• ALB will then send request to your instance on port 80 (HTTP)

Your “redirect 80 → 443” rule applies only to the ALB’s listener for incoming traffic, not the traffic between the ALB and your app. So it doesn’t interfere with the target group at all.

And yes, you could totally use another port like 8080 or whatever, as long as your app is actually running there and your security group allows it. The ALB doesn’t care what internal port you use.