diff --git a/packages/@aws-cdk/aws-elasticloadbalancingv2/README.md b/packages/@aws-cdk/aws-elasticloadbalancingv2/README.md
index 89baa6791ff2c..e0f3b1f4e5ea5 100644
--- a/packages/@aws-cdk/aws-elasticloadbalancingv2/README.md
+++ b/packages/@aws-cdk/aws-elasticloadbalancingv2/README.md
@@ -182,6 +182,9 @@ lb.addRedirect({
 
 If you do not provide any options for this method, it redirects HTTP port 80 to HTTPS port 443.
 
+By default all ingress traffic will be allowed on the source port. If you want to be more selective with your
+ingress rules then set `open: false` and use the listener's `connections` object to selectively grant access to the listener.
+
 ## Defining a Network Load Balancer
 
 Network Load Balancers are defined in a similar way to Application Load
diff --git a/packages/@aws-cdk/aws-elasticloadbalancingv2/lib/alb/application-load-balancer.ts b/packages/@aws-cdk/aws-elasticloadbalancingv2/lib/alb/application-load-balancer.ts
index 8f0ccf963cc5b..4ad4dcb5fa081 100644
--- a/packages/@aws-cdk/aws-elasticloadbalancingv2/lib/alb/application-load-balancer.ts
+++ b/packages/@aws-cdk/aws-elasticloadbalancingv2/lib/alb/application-load-balancer.ts
@@ -119,7 +119,7 @@ export class ApplicationLoadBalancer extends BaseLoadBalancer implements IApplic
     return this.addListener(`Redirect${sourcePort}To${targetPort}`, {
       protocol: props.sourceProtocol ?? ApplicationProtocol.HTTP,
       port: sourcePort,
-      open: true,
+      open: props.open ?? true,
       defaultAction: ListenerAction.redirect({
         port: targetPort,
         protocol: props.targetProtocol ?? ApplicationProtocol.HTTPS,
@@ -665,4 +665,19 @@ export interface ApplicationLoadBalancerRedirectConfig {
    */
   readonly targetPort?: number;
 
+  /**
+   * Allow anyone to connect to this listener
+   *
+   * If this is specified, the listener will be opened up to anyone who can reach it.
+   * For internal load balancers this is anyone in the same VPC. For public load
+   * balancers, this is anyone on the internet.
+   *
+   * If you want to be more selective about who can access this load
+   * balancer, set this to `false` and use the listener's `connections`
+   * object to selectively grant access to the listener.
+   *
+   * @default true
+   */
+  readonly open?: boolean;
+
 }
\ No newline at end of file
diff --git a/packages/@aws-cdk/aws-elasticloadbalancingv2/test/alb/listener.test.ts b/packages/@aws-cdk/aws-elasticloadbalancingv2/test/alb/listener.test.ts
index 231279ffb932e..3e7b639cb1a8f 100644
--- a/packages/@aws-cdk/aws-elasticloadbalancingv2/test/alb/listener.test.ts
+++ b/packages/@aws-cdk/aws-elasticloadbalancingv2/test/alb/listener.test.ts
@@ -727,6 +727,31 @@ describe('tests', () => {
     });
   });
 
+  test('Can supress default ingress rules on a simple redirect response', () => {
+    // GIVEN
+    const stack = new cdk.Stack();
+    const vpc = new ec2.Vpc(stack, 'Stack');
+
+    const loadBalancer = new elbv2.ApplicationLoadBalancer(stack, 'LB', {
+      vpc,
+    });
+
+    // WHEN
+    loadBalancer.addRedirect({ open: false });
+
+    // THEN
+    expect(stack).not.toHaveResourceLike('AWS::EC2::SecurityGroup', {
+      SecurityGroupIngress: [
+        {
+          CidrIp: '0.0.0.0/0',
+          Description: 'Allow from anyone on port 80',
+          IpProtocol: 'tcp',
+        },
+      ],
+    });
+
+  });
+
   test('Can add simple redirect responses with custom values', () => {
     // GIVEN
     const stack = new cdk.Stack();