You’ve set up an EC2 Instance in a VPC. You are trying to ping the instance but are not able to do so. You have verified the following.
a. Internet gateway attached to the VPC
b.Route tables added for the Internet gateway
c. Public IP address assigned to the Instance
You have enabled VPC flow logs and can see a rejection request for the outgoing traffic.
2 123456789111 eni-3456b8ca 54.0.113.12 172.31.16.140 0 0 1 4 336 1432917027 1432917142 ACCEPT OK
2 123456789111 eni-3456b8ca 172.31.16.140 54.0.113.12 0 0 1 4 336 1432917094 1432917142 REJECT OK
What can be done to ensure that the ping request will work?
 

Answer options:

A.Ensure that the NACL allows inbound ICMP request.
B.Ensure that the NACL allows outbound ICMP response.
C.Ensure that the Security Group allows inbound ICMP request.
D.Ensure that the Security Group allows outbound ICMP response.

Answer – B
Option A is incorrect since it is the outbound traffic that is causing the issue.
Options C and D are incorrect since the Security Groups are stateful. Since the ICMP incoming is being accepted, it means that the outgoing for the NACL is the issue.
Since the outgoing traffic is being rejected that means that the NACL outbound rules are not allowing the traffic to flow.
For more information on NACLs, please refer to the below URL
https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_ACLs.html