After setting up the new NACL, I can no longer ping or SSH from the web server to the DB server in the private subnet. What did I forget?
Make sure you have ICMP enabled for pinging on outbound and inbound rules. This at least allows me to ping. Probably look into SSH after this.
Allow ICMP for both inbound and outbound, as NACLs are stateless.
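
The stateless behavior the answers describe, as an added example that is not part of the original thread: a small Python model of how the private subnet's NACL is evaluated (lowest rule number first, implicit deny), checking the request and the reply separately. The addresses, rule numbers, and the 1024-65535 ephemeral port range are assumptions for illustration, and the web subnet's own NACL is not modeled.

```python
from ipaddress import ip_address, ip_network

WEB = "10.0.1.10"        # constructed address of the web server
WEB_NET = "10.0.1.0/24"  # constructed CIDR of the web server's subnet

def evaluate(rules, proto, peer_ip, port=None):
    """First matching rule (lowest number) decides; no match means deny."""
    for _num, r_proto, cidr, ports, action in sorted(rules, key=lambda r: r[0]):
        if r_proto not in (proto, "all"):
            continue
        if ip_address(peer_ip) not in ip_network(cidr):
            continue
        if proto == "tcp" and ports and not (ports[0] <= port <= ports[1]):
            continue
        return action == "allow"
    return False  # the implicit final deny rule

def round_trip(nacl, proto, client_ip, dst_port=None, client_port=49152):
    """A stateless filter checks the request and the reply independently."""
    request_ok = evaluate(nacl["inbound"], proto, client_ip, dst_port)
    # The reply leaves the DB subnet addressed to the client's ephemeral port.
    reply_ok = evaluate(nacl["outbound"], proto, client_ip, client_port)
    return request_ok and reply_ok

# Rule format: (number, protocol, peer CIDR, (port_from, port_to) or None, action)
INBOUND_ONLY = {  # inbound allows only: every reply hits the implicit deny
    "inbound": [(100, "icmp", WEB_NET, None, "allow"),
                (110, "tcp", WEB_NET, (22, 22), "allow")],
    "outbound": [],
}
ICMP_BOTH_WAYS = {  # ICMP allowed in both directions, nothing for SSH yet
    "inbound": [(100, "icmp", WEB_NET, None, "allow")],
    "outbound": [(100, "icmp", WEB_NET, None, "allow")],
}
PING_AND_SSH = {  # SSH in on 22, replies out to the ephemeral range
    "inbound": [(100, "icmp", WEB_NET, None, "allow"),
                (110, "tcp", WEB_NET, (22, 22), "allow")],
    "outbound": [(100, "icmp", WEB_NET, None, "allow"),
                 (110, "tcp", WEB_NET, (1024, 65535), "allow")],
}

if __name__ == "__main__":
    for name, nacl in [("inbound only", INBOUND_ONLY),
                       ("icmp both ways", ICMP_BOTH_WAYS),
                       ("ping and ssh", PING_AND_SSH)]:
        print(name, "| ping:", round_trip(nacl, "icmp", WEB),
              "| ssh:", round_trip(nacl, "tcp", WEB, dst_port=22))
```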