
Unable to ping private instance in subnet.

0

Hi All,

I have just started to learn VPC on AWS. I have a scenario where I launched two private subnets and one public subnet. My expectation is that private instances should connect to the internet via a NAT gateway present inside the public subnet.

I tried to do a ping test on these two private instances from my local terminal, out of which one instance is pingable but the other one is not. So what should be the exact reason, as the route tables, subnet & security settings are the same?

Please suggest. Thanks

2 Answers
0

When troubleshooting ping connectivity issues with private instances in AWS VPC, there are several potential causes to investigate:

  1. Security Group Configuration: Even though you mentioned the security group settings are the same, double-check that the security group for the non-responsive instance allows inbound ICMP traffic from your source IP address.

  2. Network ACLs: While default Network ACLs allow all traffic, verify that no custom ACLs have been applied to the subnet of the non-responsive instance that might be blocking ICMP traffic.

  3. Route Table Association: Confirm that both private subnets are correctly associated with the route table that has the 0.0.0.0/0 route pointing to the NAT Gateway.

  4. NAT Gateway Status: Ensure your NAT Gateway is in an "Available" state and has an Elastic IP address properly associated with it.

  5. Internet Gateway: Verify that your VPC has an Internet Gateway attached and that the public subnet (where your NAT Gateway resides) has a route table with a route for 0.0.0.0/0 pointing to the Internet Gateway.

  6. ICMP Support: The target you're pinging must support ICMP. You can test this by running the same ping command from your local computer to verify the target responds to ICMP requests.

  7. VPC DNS Settings: Check that DNS hostnames and DNS resolution are enabled for your VPC for proper name resolution.

To further diagnose the issue, you can enable VPC Flow Logs to analyze the traffic patterns and identify where the communication is breaking down. This will help you see if the packets are being dropped due to security groups, network ACLs, or routing issues.
Sources:

  • Enable private resources to communicate outside the VPC - Amazon Virtual Private Cloud
  • Instances within the private subnet are unable to access the internet using NAT gateway. | AWS re:Post
  • Troubleshoot EC2 instance internet access with a NAT gateway | AWS re:Post

answered 15 days ago
AWS
EXPERT
reviewed 14 days ago
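The checklist above can be turned into a side-by-side comparison of the two instances. The following is an added example, not code from the answer or from AWS: it models the decision rules of the three layers the answer names (security groups are stateful and any matching allow rule suffices; network ACLs are stateless, evaluated in rule-number order per direction, with an implicit deny; route tables use longest-prefix match) and reports only the checks whose outcome differs between the two instances. All identifiers, addresses and rule sets are constructed to resemble describe-* output; SOURCE_IP stands for the admin's own public address.

```python
"""Evaluate, for two instances, whether an ICMP echo from SOURCE_IP can reach
the instance and its reply can leave, using the checks listed in the answer.
All data is constructed to mimic describe-* output; the rule evaluation is a
simplified model of security groups, network ACLs and route tables."""
import ipaddress

SOURCE_IP = "203.0.113.10"       # constructed: the admin's public IP
NAT_GATEWAY_ID = "nat-0example"  # constructed placeholder identifier
ICMP = "1"                       # IANA protocol number as used in NACL entries


def cidr_contains(cidr, ip):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def sg_allows_icmp(rules, src_ip):
    """Stateful: one inbound allow rule covering ICMP from src_ip is enough,
    and the echo reply is permitted automatically."""
    return any(r["protocol"] in ("icmp", "-1") and cidr_contains(r["cidr"], src_ip)
               for r in rules)


def nacl_decision(entries, egress, remote_ip, protocol):
    """Stateless: inbound and outbound are evaluated separately, in rule-number
    order; the first matching entry decides and the catch-all '*' denies."""
    for e in sorted(entries, key=lambda e: e["rule_number"]):
        if e["egress"] != egress or e["protocol"] not in ("-1", protocol):
            continue
        if cidr_contains(e["cidr"], remote_ip):
            return e["action"] == "allow"
    return False


def route_target_for(routes, ip):
    """Longest-prefix match: the most specific route covering ip wins."""
    matching = [r for r in routes if cidr_contains(r["destination"], ip)]
    if not matching:
        return None
    best = max(matching, key=lambda r: ipaddress.ip_network(r["destination"]).prefixlen)
    return best["target"]


def evaluate(inst):
    """Run every check for one instance; True means that check passes."""
    return {
        "sg_inbound_icmp": sg_allows_icmp(inst["sg_rules"], SOURCE_IP),
        "nacl_inbound_icmp": nacl_decision(inst["nacl"], False, SOURCE_IP, ICMP),
        "nacl_outbound_icmp": nacl_decision(inst["nacl"], True, SOURCE_IP, ICMP),
        "route_to_internet_via_nat": route_target_for(inst["routes"], SOURCE_IP) == NAT_GATEWAY_ID,
    }


def diff_instances(a, b):
    """Only the checks whose outcome differs between the two instances."""
    ra, rb = evaluate(a), evaluate(b)
    return {k: (ra[k], rb[k]) for k in ra if ra[k] != rb[k]}


# Constructed configuration: both instances share security group and routes.
SG_RULES = [{"protocol": "icmp", "cidr": "203.0.113.0/24"}]
ROUTES = [{"destination": "10.0.0.0/16", "target": "local"},
          {"destination": "0.0.0.0/0", "target": NAT_GATEWAY_ID}]
DEFAULT_NACL = [
    {"rule_number": 100, "egress": False, "protocol": "-1", "cidr": "0.0.0.0/0", "action": "allow"},
    {"rule_number": 100, "egress": True, "protocol": "-1", "cidr": "0.0.0.0/0", "action": "allow"},
]
# The second subnet carries a custom entry that denies inbound ICMP before rule 100.
CUSTOM_NACL = [{"rule_number": 90, "egress": False, "protocol": ICMP,
                "cidr": "0.0.0.0/0", "action": "deny"}] + DEFAULT_NACL

INSTANCE_A = {"sg_rules": SG_RULES, "nacl": DEFAULT_NACL, "routes": ROUTES}
INSTANCE_B = {"sg_rules": SG_RULES, "nacl": CUSTOM_NACL, "routes": ROUTES}

if __name__ == "__main__":
    for name, inst in (("A", INSTANCE_A), ("B", INSTANCE_B)):
        print(name, evaluate(inst))
    print("differences:", diff_instances(INSTANCE_A, INSTANCE_B))
```

With real data the dictionaries would be filled from the security group, network ACL and route table descriptions of each instance's subnet; the point of the diff is that a single lower-numbered NACL entry, invisible when only the security groups are compared, is enough to explain why one of two "identically configured" instances stops answering.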
0

There are several potential reasons why one private instance is pingable while the other isn't. I'm assuming the two private instances are each in their own isolated subnet? It's possible that one or more configuration items are different and hence you have different connectivity behaviors. I recommend a systematic approach to troubleshooting pings to the Internet:

Check Instance Level:

  • Security Group Rules: Verify both instances have identical inbound rules allowing ICMP (ping) traffic
  • Network ACLs: Check if NACLs are blocking traffic for one instance
  • Instance State: Ensure both instances are fully running and not in a transitional state
  • OS-Level Firewall: The unreachable instance might have OS firewall blocking ICMP
  • Instance AMI: Verify that the AMIs are exactly the same; different AMIs and AMI versions may have different network configs

Route Table Configuration:

  • Default Route: Confirm both private subnets have 0.0.0.0/0 pointing to the NAT Gateway

NAT Gateway Issues:

  • Check the NACL of the subnet that the NAT Gateway resides in to ensure NACLs are not blocking traffic for one instance

Network Interface Issues:

  • ENI Configuration: Check if network interfaces have different configurations
  • Source/Destination Check: Verify this setting is consistent across instances

To further diagnose the issue, you can enable VPC Flow Logs to analyze the traffic patterns and identify where the communication is breaking down. You should see four sets of traffic flows:

  1. flow of traffic from the instance IP address through the NAT gateway network interface to a host on the internet
  2. traffic from the NAT gateway network interface to the target host on the internet
  3. the response traffic from the host to the NAT gateway network interface
  4. response traffic from the NAT gateway network interface to the source instance

For a detailed breakdown of VPC flow logs, please refer to the documentation on this page. [1]

[1] https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs-records-examples.html#flow-log-example-nat

AWS
answered 6 days ago
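The four flows the answer describes can be checked mechanically once flow logs are enabled. The following is an added example, not code from the answer or from AWS: it parses default-format flow log records captured on the NAT gateway's network interface, groups them per instance/remote-host pair, and reports which of the four legs are present, which were rejected, and what each gap usually points at. The log lines, the NAT gateway's interface id and private address, and the private subnet prefixes are all constructed for the example; legs 2 and 3 carry only the NAT gateway's own address, so they are matched to an instance by remote host, which is a simplification noted in the code.

```python
"""Group VPC Flow Log records (default format) per instance/remote-host pair
and report which of the four NAT gateway legs are present or rejected.
Added example with constructed log lines and identifiers."""
from collections import defaultdict

NAT_ENI = "eni-0natexample"                # constructed: NAT gateway's network interface
NAT_PRIVATE_IP = "10.0.0.54"               # constructed: NAT gateway private address
PRIVATE_PREFIXES = ("10.0.1.", "10.0.2.")  # constructed: the two private subnets

FIELDS = ("version account interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed records captured on the NAT gateway ENI: instance 10.0.1.5
# completes all four legs; instance 10.0.2.7's first leg is rejected there.
FLOW_LOG = """\
2 123456789012 eni-0natexample 10.0.1.5 203.0.113.5 45678 80 6 5 400 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0natexample 10.0.0.54 203.0.113.5 45678 80 6 5 400 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0natexample 203.0.113.5 10.0.0.54 80 45678 6 4 600 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0natexample 203.0.113.5 10.0.1.5 80 45678 6 4 600 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0natexample 10.0.2.7 203.0.113.5 51234 80 6 3 240 1700000000 1700000060 REJECT OK
"""

# What a missing leg usually points at, following the checks in the answers.
HINTS = {
    1: "instance traffic never reached the NAT gateway ENI: check the private subnet "
       "route table and NACL, the instance security group and the OS firewall",
    2: "NAT gateway did not send the traffic out: check the NAT gateway state and "
       "the public subnet route to the Internet Gateway",
    3: "no reply came back from the remote host: the target may not answer, or "
       "something on its side drops the request",
    4: "reply was not returned to the instance: check the NACL of the private subnet",
}


def parse(text):
    """Turn default-format lines into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == len(FIELDS):
            records.append(dict(zip(FIELDS, parts)))
    return records


def is_private(ip):
    return ip.startswith(PRIVATE_PREFIXES)


def collect_legs(records):
    """Legs 1 and 4 carry the instance address; legs 2 and 3 carry only the
    NAT gateway's address, so they are keyed by remote host and shared by
    every instance talking to that host (simplification: port-level
    correlation would be needed to separate concurrent instances)."""
    per_pair = defaultdict(dict)    # (instance_ip, remote_ip) -> {leg: action}
    per_remote = defaultdict(dict)  # remote_ip -> {leg: action}
    for r in records:
        if r["interface_id"] != NAT_ENI:
            continue
        src, dst, action = r["srcaddr"], r["dstaddr"], r["action"]
        if is_private(src):
            per_pair[(src, dst)][1] = action
        elif src == NAT_PRIVATE_IP:
            per_remote[dst][2] = action
        elif dst == NAT_PRIVATE_IP:
            per_remote[src][3] = action
        elif is_private(dst):
            per_pair[(dst, src)][4] = action
    return {pair: {**per_remote.get(pair[1], {}), **legs} for pair, legs in per_pair.items()}


def diagnose(legs):
    """One-line verdict for a pair from the legs seen and their actions."""
    rejected = sorted(leg for leg, action in legs.items() if action == "REJECT")
    if rejected:
        return (f"leg {rejected[0]} REJECTED on the NAT gateway ENI: check the NACL "
                "of the subnet the NAT gateway resides in")
    missing = [leg for leg in (1, 2, 3, 4) if leg not in legs]
    if not missing:
        return "all four legs present: the path through the NAT gateway works"
    return f"leg {missing[0]} missing: {HINTS[missing[0]]}"


def analyse(text):
    return {pair: diagnose(legs) for pair, legs in collect_legs(parse(text)).items()}


if __name__ == "__main__":
    for (instance, remote), verdict in sorted(analyse(FLOW_LOG).items()):
        print(f"{instance} -> {remote}: {verdict}")
```

Running it on the constructed records reports the first instance as healthy and the second as rejected on leg 1 at the NAT gateway's interface, which is exactly the "NAT Gateway Issues" check above. On a real VPC the same logic applies to records exported to CloudWatch Logs or S3, provided the flow log is created on the NAT gateway's network interface (or the whole VPC) so that all four legs are captured.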
