Amazon Linux Routing Challenge

0

Hi everyone, I have not worked with AWS for some time, so please bear with me.

I have the following topology:

  • VPC 10.10.0.0/16
  • Public subnet 10.10.0.0/24 containing an Amazon Linux instance (call it the 'Firewall') with a single NIC, IP addr = 10.10.0.150 and EIP = 3.45.120.240 (fictitious)
  • Private subnet 10.10.1.0/24 with Windows RDS (10.10.1.10) and Windows AD DS (10.10.1.5)
  • Route table applied to the public subnet routes 0.0.0.0/0 to IGW and 10.10.0.0/16 to local
  • Route table applied to the private subnet routes 0.0.0.0/0 to the firewall NIC and 10.10.0.0/16 to local
  • Kernel routing is enabled (ip_forward=1) and the filter table chains (input/forward/output) are configured to ACCEPT
  • I use iptables on the firewall to DNAT inbound 3.45.120.240:3388 to 10.10.1.10:3389 and masquerade (SNAT) outbound

Basically, any instance in the private subnet routes in/out via the firewall with public IP address 3.45.120.240. I note private instances have a default gateway of 10.10.1.1. I assume this is an IP bound to the VPC?

I recently built a new firewall using Amazon Linux with the same config as the current (old) firewall, except private IP = 10.10.0.254 and EIP = 45.67.3.43 (fictitious). I want to replace this new with the old.

My issue: when I update the target for route 0.0.0.0/0 to the NIC of the new firewall, I do not see any traffic routing through it (I am connected via SSH running tcpdump). If I start a repeating ping from Windows RDS to 1.1.1.1 and run tcpdump on the old firewall, I can see the ICMP flow, but when I flip the target for the 0/0 route to the new firewall I see no packet flow. Both the old and new firewall have a default route 0.0.0.0/0 to 10.10.0.1. I assume this is the VPC router?

Packets from the private subnet do not appear to be reaching the new firewall and I do not know why. How do I troubleshoot further - is there a way to examine packet flow within the VPC? Thank you.

Asked 2 years ago, 294 views

3 answers
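The firewall configuration the question describes, written up as an added example that is not the poster's own script: kernel forwarding on, the three filter chains at ACCEPT as stated, the inbound DNAT for RDP and the outbound MASQUERADE. It assumes the primary NIC is eth0 and uses the question's fictitious addresses. One detail worth knowing when reading the DNAT rule: the Elastic IP is mapped to the private address by AWS and never appears on the instance's NIC, so the rule has to match the private IP (or just the port), not 3.45.120.240. With APPLY unset the functions only print the commands, which makes it easy to diff the rendered set of the old firewall against the rebuilt one before flipping the route.

```shell
#!/bin/sh
# Added example (not the poster's script): the NAT-instance rules described in the
# question. With APPLY unset, commands are printed for review instead of executed.
# Assumptions: primary NIC is eth0; addresses are the question's fictitious ones.
VPC_CIDR="10.10.0.0/16"
FW_PRIVATE_IP="10.10.0.150"   # EIP 3.45.120.240 is mapped to this by AWS; it is never
                              # configured on the NIC, so DNAT matches the private IP
RDS_IP="10.10.1.10"
WAN_IF="eth0"

# run CMD...: execute when APPLY=1, otherwise print the command line
run() {
  if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# render_nat_rules: the setup exactly as the question states it
render_nat_rules() {
  # kernel routing (ip_forward=1)
  run sysctl -w net.ipv4.ip_forward=1
  # filter table chains left at ACCEPT, as in the question
  run iptables -P INPUT ACCEPT
  run iptables -P FORWARD ACCEPT
  run iptables -P OUTPUT ACCEPT
  # inbound: <EIP>:3388 arrives at the instance as <private IP>:3388, DNAT to RDS:3389
  run iptables -t nat -A PREROUTING -i "$WAN_IF" -d "$FW_PRIVATE_IP" -p tcp --dport 3388 \
      -j DNAT --to-destination "$RDS_IP:3389"
  # outbound: anything from the VPC leaving via eth0 is masqueraded behind the firewall
  run iptables -t nat -A POSTROUTING -s "$VPC_CIDR" -o "$WAN_IF" -j MASQUERADE
}

# tighten_forward: a narrower FORWARD policy than all-ACCEPT. Only VPC hosts may
# originate forwarded flows, plus the DNAT'ed RDP connections and return traffic.
# With a single NIC, in and out interface are both eth0.
tighten_forward() {
  run iptables -P FORWARD DROP
  run iptables -A FORWARD -i "$WAN_IF" -o "$WAN_IF" -s "$VPC_CIDR" -j ACCEPT
  run iptables -A FORWARD -i "$WAN_IF" -d "$RDS_IP" -p tcp --dport 3389 \
      -m conntrack --ctstate NEW -j ACCEPT
  run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# ip_forward_enabled: succeeds when the running kernel is forwarding; the check
# to repeat on a rebuilt instance before pointing the private route table at it
ip_forward_enabled() {
  [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]
}

render_nat_rules
```

Run it once on each firewall with APPLY unset and compare the output; `APPLY=1` as root applies the set, and `tighten_forward` is the optional replacement for the three ACCEPT policies.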
1
Accepted answer

You don't mention this but just in case: Make sure that the source/destination check for your firewall instance is disabled as per our documentation for NAT instances.

Second: You can see where packets are being routed in a VPC by using VPC Flow Logs.

Third: VPC is an overlay network, so it doesn't necessarily behave quite the way that an on-premises network will. A good thing to watch here is Another Day, Another Billion Flows, but because that takes time: one of the things that happens in a VPC is that the flow path is cached, so when you change routes you may not see the packets flow along that "new" route immediately. You might try stopping the existing ping or try sending ICMP echo requests to another destination.

AWS
Expert
Answered 2 years ago
0

Thank you for the response. The NAT instances link is helpful. On the old FW I have src/dst check stopped, however, on the new FW it is not stopped (like I said, it's been a while!). I will stop the src/dst check and try tomorrow morning AEST as I have a handful of users now logged on. Thanks again! :-)

Answered 2 years ago
0

For testing purposes I added a new route for my public home IP address with target of the new firewall and deployed a new Windows instance. It is working! Happy days.

Answered 2 years ago
