Route53 Health Checks – It is always good to make use of the ecosystem of AWS services that are already used extensively – CloudWatch, Security Groups, SNS Notifications, EC2, VPC, etc.
What sets Route53 health checks apart is that Amazon publishes the list of IP ranges from which the health check probes are sent, so inbound access can be restricted to exactly those sources. Best of all, a single AWS CLI call returns the list of CIDR ranges:
aws route53 get-checker-ip-ranges
I wrote a small CloudFormation template that asks you for the VPC and the port range (for TCP) and creates a security group that allows inbound traffic only from the published IP ranges from which the Route 53 health checks are triggered.
There are other variants as well: HTTP only, HTTPS only, TCP only, and a security group for all three (HTTP, HTTPS, TCP).
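As an added example (my own code, not the author's CloudFormation template), the script below takes the JSON that `aws route53 get-checker-ip-ranges` prints, validates and deduplicates the CIDRs, and builds the `SecurityGroupIngress` rules for an `AWS::EC2::SecurityGroup` for the HTTP, HTTPS, all and custom-TCP-range variants described above. It assumes the CLI output shape `{"CheckerIpRanges": [...]}`; the sample input is constructed from RFC 5737/3849 documentation ranges (not the real checker ranges) and deliberately includes a duplicate and a malformed entry; `vpc-EXAMPLE`, the logical ID and the 60-rule quota constant are placeholders and assumptions.

```python
"""Build a CloudFormation security group restricted to Route 53 health-checker ranges.

Added example, not the author's template. Assumes the CLI output shape
{"CheckerIpRanges": [...]} and uses constructed test ranges as sample data.
"""
import ipaddress
import json
import subprocess
from typing import Dict, List, Tuple

# Constructed stand-in for `aws route53 get-checker-ip-ranges` output.
# These CIDRs are documentation/test ranges, NOT the real checker ranges; the
# list contains a duplicate and a malformed entry on purpose to exercise validation.
SAMPLE_CHECKER_IP_RANGES_JSON = json.dumps({
    "CheckerIpRanges": [
        "192.0.2.0/24",
        "198.51.100.0/24",
        "203.0.113.0/24",
        "2001:db8:1::/48",
        "192.0.2.0/24",
        "not-a-cidr",
    ]
})

# Port ranges for the template variants in the post; a "TCP only" variant takes
# whatever (from, to) range the operator supplies.
VARIANTS: Dict[str, List[Tuple[int, int]]] = {
    "http": [(80, 80)],
    "https": [(443, 443)],
    "all": [(80, 80), (443, 443)],
}

# Assumed default quota of inbound rules per security group (adjustable via Service Quotas).
MAX_RULES_PER_SG = 60


def fetch_live_checker_ranges_json() -> str:
    """Return the raw JSON from the AWS CLI (needs credentials; not used by the sample run)."""
    result = subprocess.run(
        ["aws", "route53", "get-checker-ip-ranges"],
        capture_output=True, text=True, check=True,
    )
    return result.stdout


def parse_checker_ranges(raw_json: str) -> List[str]:
    """Parse CLI output into a deduplicated, sorted list of canonical CIDR strings.

    Malformed entries are dropped rather than turned into a rule that
    CloudFormation would reject at deploy time.
    """
    nets = set()
    for cidr in json.loads(raw_json).get("CheckerIpRanges", []):
        try:
            nets.add(ipaddress.ip_network(cidr, strict=True))
        except ValueError:
            continue
    # Sort IPv4 before IPv6; networks of the same version compare naturally.
    return [str(n) for n in sorted(nets, key=lambda n: (n.version, n))]


def ingress_rules(cidrs: List[str], port_ranges: List[Tuple[int, int]],
                  protocol: str = "tcp") -> List[dict]:
    """One SecurityGroupIngress entry per (CIDR, port range); IPv6 ranges use CidrIpv6."""
    rules = []
    for cidr in cidrs:
        cidr_key = "CidrIp" if ipaddress.ip_network(cidr).version == 4 else "CidrIpv6"
        for from_port, to_port in port_ranges:
            rules.append({
                "IpProtocol": protocol,
                "FromPort": from_port,
                "ToPort": to_port,
                cidr_key: cidr,
                "Description": "Route 53 health checker",
            })
    if len(rules) > MAX_RULES_PER_SG:
        raise ValueError(f"{len(rules)} rules exceed the per-group quota of {MAX_RULES_PER_SG}")
    return rules


def security_group_template(vpc_id: str, cidrs: List[str],
                            port_ranges: List[Tuple[int, int]],
                            logical_id: str = "Route53HealthCheckSG") -> dict:
    """Minimal CloudFormation template with a single inbound-restricted security group."""
    return {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Resources": {
            logical_id: {
                "Type": "AWS::EC2::SecurityGroup",
                "Properties": {
                    "GroupDescription": "Inbound only from Route 53 health checkers",
                    "VpcId": vpc_id,
                    "SecurityGroupIngress": ingress_rules(cidrs, port_ranges),
                },
            }
        },
    }


if __name__ == "__main__":
    # Replace SAMPLE_CHECKER_IP_RANGES_JSON with fetch_live_checker_ranges_json()
    # to build the template from the currently published list.
    ranges = parse_checker_ranges(SAMPLE_CHECKER_IP_RANGES_JSON)
    template = security_group_template("vpc-EXAMPLE", ranges, VARIANTS["all"])
    print(json.dumps(template, indent=2))
```

Two points worth keeping in mind when using this pattern: the published checker list changes over time, so the template should be regenerated and redeployed on a schedule rather than baked once, and because each CIDR/port pair is a separate rule, a long list against several ports can hit the per-group rule quota, which the `MAX_RULES_PER_SG` check flags before CloudFormation does.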