See traffic denied by SG or Network ACL with VPC Flow Logs and CloudWatch Logs Insights

aws

Security groups and network ACLs are the two VPC-level settings that allow or deny traffic. Security groups are stateful: the response to a request that was allowed inbound is allowed out regardless of the outbound rules. Network ACLs are stateless: every request and every response is evaluated against the rules on its own.

When traffic is denied by either of these, the action field of the VPC Flow Logs record is REJECT. If the flow logs are delivered to CloudWatch Logs, the following Logs Insights query shows how many times traffic was rejected on specific ENIs, broken down by source and destination address.

filter action = 'REJECT' and interfaceId in ['eni-aaaaaa', 'eni-bbbbbb']
| stats count() as rejectCount by srcAddr, dstAddr
| sort rejectCount desc
| limit 200
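The same aggregation the Insights query performs, run locally over the default VPC Flow Log record format. This is an added example, not code from the original post; the ENI ids, addresses and records are constructed sample data, and it also handles NODATA records, which carry '-' placeholders instead of an action.

```python
"""Offline equivalent of the Logs Insights query: count REJECT records per
(source, destination) pair for selected ENIs. Added example with constructed
sample data; the field names follow the default flow log format (version 2)."""
from collections import Counter

# Default flow log record layout (version 2), space separated.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample records: two monitored ENIs plus one that is out of scope,
# and one NODATA record that has no action field.
SAMPLE_LOG = """\
2 123456789012 eni-aaaaaa 203.0.113.10 10.0.1.5 54321 22 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-aaaaaa 203.0.113.10 10.0.1.5 54322 22 6 2 120 1700000000 1700000060 REJECT OK
2 123456789012 eni-aaaaaa 10.0.1.5 203.0.113.10 22 54321 6 5 400 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-bbbbbb 198.51.100.7 10.0.2.9 40000 3389 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-cccccc 198.51.100.7 10.0.3.1 40001 3389 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-bbbbbb - - - - - - - 1700000000 1700000060 - NODATA
"""


def parse_record(line):
    """Map one flow log line onto the default field names; None if malformed."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def count_rejects(log_text, interface_ids, limit=200):
    """Equivalent of: filter action = 'REJECT' and interfaceId in [...]
    | stats count() by srcAddr, dstAddr | sort desc | limit.
    Returns a list of ((srcaddr, dstaddr), count) tuples, highest count first."""
    wanted = set(interface_ids)
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_record(line)
        # NODATA/SKIPDATA records carry '-' placeholders and no action; skip them.
        if rec is None or rec["log_status"] != "OK":
            continue
        if rec["action"] == "REJECT" and rec["interface_id"] in wanted:
            counts[(rec["srcaddr"], rec["dstaddr"])] += 1
    return counts.most_common(limit)


if __name__ == "__main__":
    for (src, dst), n in count_rejects(SAMPLE_LOG, ["eni-aaaaaa", "eni-bbbbbb"]):
        print(f"{src:>15} -> {dst:<15} rejected {n} time(s)")
```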