The LB should allow 443 ingress by default (IMO).
Also the profile is probably not really helpful.
443-ingress-profile.patch