Wants to run two webservers on Tomcat at ports 8080 and 7070 without opening these ports in the EC2 security group
Solution 1:
Generally your load balancer has a public IP address and your EC2 instances have only private IP addresses. Make sure they're in different security groups. The EC2 security group can whitelist ingress from the load balancer security group on required ports, but the EC2 instances are not available on the internet.
Technically they don't need to be in separate security groups, but I consider that best practice to make it simpler to define tiers within an application.
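The layout described in this answer, written out as an added Terraform example (not code from the answer's author): the load balancer security group admits HTTP from the internet, while the Tomcat instance security group admits ports 8080 and 7070 only from the load balancer security group. `var.vpc_id` is an assumed input variable.

```hcl
# Added example: two-tier security groups for Tomcat behind a load balancer.
# Assumes a VPC id is supplied via var.vpc_id (placeholder, not from the page).

resource "aws_security_group" "lb" {
  name   = "tomcat-lb-sg"
  vpc_id = var.vpc_id

  # The only internet-facing rule lives on the load balancer tier.
  ingress {
    description = "HTTP from the internet to the load balancer"
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_security_group" "tomcat" {
  name   = "tomcat-instance-sg"
  vpc_id = var.vpc_id

  # Each Tomcat connector port is whitelisted from the LB security group,
  # not from a CIDR, so the instances are never reachable from the internet
  # even if they were given a public IP by mistake.
  dynamic "ingress" {
    for_each = [8080, 7070]
    content {
      description     = "Tomcat on port ${ingress.value} from the load balancer"
      from_port       = ingress.value
      to_port         = ingress.value
      protocol        = "tcp"
      security_groups = [aws_security_group.lb.id]
    }
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
```

Launch the Tomcat instances in private subnets with `aws_security_group.tomcat` attached and register them in one target group per port (8080 and 7070) on the load balancer; a quick check is that `aws ec2 describe-security-groups` on the instance group shows no `0.0.0.0/0` ingress.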