I deployed KubeSphere on AWS, and I want to set a security group for each component of the host cluster.
When ks-apiserver, ks-controller-manager and tower are within the same security group, ks-apiserver and ks-controller-manager can access tower via the service under the kubesphere-system namespace, as follows:
ks-controller-manager:/# kubectl get endpoints -n kubesphere-system |grep mc-
Warning: v1 Endpoints is deprecated in v1.33+; use discovery.k8s.io/v1 EndpointSlice
mc-eks-test01 10.89.37.222:16481,10.89.37.222:6481 11d
mc-eks-test-02 10.89.37.222:6096,10.89.37.222:16096 12d
ks-controller-manager:/# telnet 10.89.137.222 6481
Connected to 10.89.137.222
^C
But once I add tower to a separate security group and allow the security group of ks-controller-manager to access tower with port ranges 8080, 6000-7000 and 16000-17000 and protocol TCP, ks-controller-manager can only access tower's 8080 port.
apiVersion: vpcresources.k8s.aws/v1beta1
kind: SecurityGroupPolicy
metadata:
  name: ks-tower
  namespace: kubesphere-system
spec:
  podSelector:
    matchLabels:
      app: tower
  securityGroups:
    groupIds:
      - sg-314d8a32xe3dr18d9
      - sg-398ce4a0djx2463d2
Should I set the access port range with some other protocol?
Any reply would be appreciated.
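One way to verify that the security-group ingress rules cover every port the tower endpoints actually expose, as an added example that is not part of the original post: it parses the `kubectl get endpoints` output shown above and reports any endpoint port that falls outside the allowed TCP ranges. The endpoint lines and the allowed ranges are constructed from the post; the names `parse_endpoints` and `uncovered_ports` are my own.

```python
import re

# Constructed sample: the `kubectl get endpoints -n kubesphere-system | grep mc-`
# lines from the post, with the deprecation warning kubectl prints first.
ENDPOINTS_OUTPUT = """\
Warning: v1 Endpoints is deprecated in v1.33+; use discovery.k8s.io/v1 EndpointSlice
mc-eks-test01 10.89.37.222:16481,10.89.37.222:6481 11d
mc-eks-test-02 10.89.37.222:6096,10.89.37.222:16096 12d
"""

# TCP ingress ranges the post says were allowed on tower's security group.
ALLOWED_TCP_RANGES = [(8080, 8080), (6000, 7000), (16000, 17000)]

_ADDR = re.compile(r"^(?P<ip>[^:]+):(?P<port>\d+)$")


def parse_endpoints(text):
    """Return {service_name: [(ip, port), ...]} from `kubectl get endpoints` output.

    Skips the header line, kubectl warnings and the '+ N more...' suffix kubectl
    appends when an Endpoints object has many addresses.
    """
    result = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] in ("NAME", "Warning:"):
            continue
        name, addrs = parts[0], parts[1]
        result[name] = []
        if addrs == "<none>":
            continue
        for addr in addrs.split(","):
            m = _ADDR.match(addr)
            if m:
                result[name].append((m.group("ip"), int(m.group("port"))))
    return result


def port_allowed(port, ranges):
    """True if an ingress rule range covers the port."""
    return any(lo <= port <= hi for lo, hi in ranges)


def uncovered_ports(endpoints, ranges):
    """Return {service_name: sorted ports that no ingress range covers}."""
    return {name: sorted({p for _, p in addrs if not port_allowed(p, ranges)})
            for name, addrs in endpoints.items()}


if __name__ == "__main__":
    for svc, ports in uncovered_ports(parse_endpoints(ENDPOINTS_OUTPUT), ALLOWED_TCP_RANGES).items():
        print(f"{svc}: {'all ports covered' if not ports else 'uncovered ports ' + str(ports)}")
```

For the ranges in the post every endpoint port is covered, so an empty result points to something other than the port ranges (the policy applying to the client pod's security group, or pods started before the SecurityGroupPolicy was created) as the thing to check next.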