diff --git a/packages/aws-rfdk/lib/core/lib/health-monitor.ts b/packages/aws-rfdk/lib/core/lib/health-monitor.ts
index a98cd61dc..6332dcd13 100644
--- a/packages/aws-rfdk/lib/core/lib/health-monitor.ts
+++ b/packages/aws-rfdk/lib/core/lib/health-monitor.ts
@@ -14,6 +14,7 @@ import {
 import {SnsAction} from '@aws-cdk/aws-cloudwatch-actions';
 import {
 IConnectable,
+ ISecurityGroup,
 IVpc,
 Port,
 SubnetSelection,
@@ -211,6 +212,13 @@ export interface HealthMonitorProps {
 * @default: The VPC default strategy
 */
 readonly vpcSubnets?: SubnetSelection;
+
+ /**
+ * Security group to associate with this load balancer.
+ *
+ * @default: A security group is created
+ */
+ readonly securityGroup?: ISecurityGroup;
 }
 
 /**
diff --git a/packages/aws-rfdk/lib/core/lib/load-balancer-manager.ts b/packages/aws-rfdk/lib/core/lib/load-balancer-manager.ts
index 22c577639..74c3f7242 100644
--- a/packages/aws-rfdk/lib/core/lib/load-balancer-manager.ts
+++ b/packages/aws-rfdk/lib/core/lib/load-balancer-manager.ts
@@ -200,6 +200,7 @@ export class LoadBalancerFactory {
 internetFacing: false,
 vpcSubnets: healthMonitorProps.vpcSubnets,
 deletionProtection: healthMonitorProps.deletionProtection ?? true,
+ securityGroup: healthMonitorProps.securityGroup,
 });
 // Enabling dropping of invalid HTTP header fields on the load balancer to prevent http smuggling attacks.
 loadBalancer.setAttribute('routing.http.drop_invalid_header_fields.enabled', 'true');
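Review bot: The new doc comment on `securityGroup` in `HealthMonitorProps` says "this load balancer", but the interface describes a health monitor, and it does not say what a caller takes on by supplying a group. I would reword it to `Security group to associate with the load balancer(s) created for this health monitor. When supplied, its existing ingress and egress rules apply to the load balancer as-is.` The second sentence matters because a caller-owned group may be broader than the one created by default; the hunk does not show how the default group is configured, so confirm the wording against the construct. The interface body starts outside the hunk.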
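Review bot: The supplied group is forwarded unchanged at `securityGroup: healthMonitorProps.securityGroup`, so every load balancer this factory builds from the same props would share one security group. If the factory can create more than one load balancer per health monitor (not visible in this hunk), a rule opened for one monitored fleet also applies to the others, which weakens the per-load-balancer isolation that the default created group would presumably give. It is also worth confirming the behaviour when the group was imported as immutable, since rules the construct normally adds for health-check traffic may then be skipped without an error. A unit test asserting that the synthesized load balancer references the supplied group, and that no additional group is created, would pin this down. The enclosing method starts and ends outside the hunk.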