The VPC Flow Logs provide critical information. The ACCEPT record for inbound traffic (192.168.0.13 → 172.31.16.139:8080) confirms that both the Network ACL (NACL) and the EC2 instance's security group are correctly configured to allow the initial request.

However, the REJECT record for the return traffic (172.31.16.139:8080 → 192.168.0.13:59003) indicates the response is being blocked. Security groups are stateful, meaning if inbound traffic is allowed, the return traffic is automatically permitted. In contrast, NACLs are stateless and require explicit rules for both inbound and outbound traffic. The rejection of the response packet, destined for the client's ephemeral port (59003), points directly to a missing or incorrect outbound rule in the NACL associated with the instance's subnet.

A. The inbound traffic is ACCEPTed, which would not be possible if the security group were blocking traffic from the NLB's targets.

B. Network Load Balancers do not have security groups. Security groups are associated with the target EC2 instances, not the NLB itself.

C. The initial traffic from the on-premises environment was ACCEPTed by the AWS VPC, indicating the on-premises ACL is not the source of the block.

1. AWS Documentation - VPC Flow Logs: "If the traffic is permitted by both the security groups and the network ACLs

the record shows ACCEPT. If the traffic is denied by a security group or a network ACL

the record shows REJECT." (Source: AWS Documentation

VPC User Guide

"Log file format"

section on the action field).

2. AWS Documentation - Network ACLs: "Network ACLs are stateless

which means that responses to allowed inbound traffic are subject to the rules for outbound traffic (and vice versa)." (Source: AWS Documentation

VPC User Guide

"Network ACLs"

section "Network ACL basics").

3. AWS Documentation - Ephemeral Ports: "When a client connects to a server

a random port from the ephemeral port range... becomes the client's source port. The response from the server is sent to this ephemeral port on the client... The network ACL for the subnet... must have an outbound rule to allow traffic destined for the ephemeral ports." (Source: AWS Documentation

VPC User Guide

"Network ACLs"

section "Ephemeral ports").

4. AWS Documentation - Security Groups: "Security groups are stateful. If you send a request from your instance

the response traffic for that request is allowed to flow in

regardless of inbound security group rules." (Source: AWS Documentation

VPC User Guide

"Security groups"

section "Security group basics").