Speaking as an IaC practitioner (rather than a Pulumi employee), this is a problem that's plagued me the entire time I've been doing cloud. To my knowledge, there is no easy solution. The stuff I've learned is:
1. It's nearly always security groups, so check them first.
2. If you author your infra so that you use SG IDs instead of inbound CIDR blocks for rules, and each service gets a unique SG, you do not need to worry about other services talking to each other in an unauthorized fashion. I think it would not be terribly tough to add some unit tests against the Pulumi code to verify that SGs have certain paths open/closed.
3. You almost never need NACLs - I haven't seen a necessary use case yet, personally.
I also vaguely remember AWS coming out (recently, like 2021) with a testing tool for "can this entity talk to this other entity across the network", but I cannot find it for the life of me. Maybe this will ring a bell for someone reading this thread.
I've tried stuff like the Chef testing framework whose name I forget, but that requires you to provision the tool on your infra and often adds network connections you don't actually want in prod infra, which was a nonstarter for me.
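The SG-ID-sourced layout from point 2, together with the kind of unit test it makes possible, as an added example (not code from the comment above, not Pulumi's own testing API, and no real AWS calls): a small Python model of three security groups, one per service, where every in-VPC ingress rule names the peer SG ID rather than a CIDR block. `can_reach` answers "may an instance in SG X open port P on an instance in SG Y" from the rule set alone (AWS default egress is allow-all, so only the destination's ingress rules matter), and `cidr_sourced_rules` is the lint that catches anyone slipping a CIDR-sourced rule onto an internal SG. The SG IDs, services and ports are constructed sample data shaped like trimmed `describe-security-groups` output; in practice the same assertions would run against the rule objects your Pulumi program produces.

```python
"""Toy reachability and lint checks over AWS-style security groups.

Constructed example (not real infra): internet -> ALB -> web -> Postgres,
each service owning exactly one SG, internal rules sourced by SG ID.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class IngressRule:
    protocol: str                      # "tcp", "udp" or "-1" (all protocols)
    from_port: int
    to_port: int
    source_sg: Optional[str] = None    # peer SG ID (the preferred form)
    source_cidr: Optional[str] = None  # CIDR block (only for public edges)


@dataclass
class SecurityGroup:
    sg_id: str
    service: str
    ingress: List[IngressRule] = field(default_factory=list)


# Constructed sample rule set, shaped like trimmed describe-security-groups output.
SGS: Dict[str, SecurityGroup] = {
    "sg-alb": SecurityGroup("sg-alb", "alb", [
        IngressRule("tcp", 443, 443, source_cidr="0.0.0.0/0"),   # public edge
    ]),
    "sg-web": SecurityGroup("sg-web", "web", [
        IngressRule("tcp", 8080, 8080, source_sg="sg-alb"),      # only the ALB
    ]),
    "sg-db": SecurityGroup("sg-db", "postgres", [
        IngressRule("tcp", 5432, 5432, source_sg="sg-web"),      # only web tier
    ]),
}


def _port_matches(rule: IngressRule, protocol: str, port: int) -> bool:
    # Protocol "-1" is AWS's "all traffic" and ignores port ranges.
    if rule.protocol == "-1":
        return True
    return rule.protocol == protocol and rule.from_port <= port <= rule.to_port


def can_reach(sgs: Dict[str, SecurityGroup], src_sg: str, dst_sg: str,
              port: int, protocol: str = "tcp",
              src_ip: Optional[str] = None) -> bool:
    """True if an instance in src_sg may open `port` on an instance in dst_sg.

    Only the destination's ingress rules decide (default egress is allow-all).
    SG-sourced rules match on the caller's SG ID; CIDR-sourced rules match
    only when the caller also supplies a src_ip that lies inside the block.
    """
    for rule in sgs[dst_sg].ingress:
        if not _port_matches(rule, protocol, port):
            continue
        if rule.source_sg is not None and rule.source_sg == src_sg:
            return True
        if (rule.source_cidr is not None and src_ip is not None
                and ip_address(src_ip) in ip_network(rule.source_cidr)):
            return True
    return False


def cidr_sourced_rules(sgs: Dict[str, SecurityGroup],
                       allowed_public=frozenset()
                       ) -> List[Tuple[str, str, Tuple[int, int]]]:
    """Lint: every CIDR-sourced ingress rule on an SG that is not on the
    explicit public-facing allow list. Internal SGs should return nothing."""
    findings = []
    for sg in sgs.values():
        if sg.sg_id in allowed_public:
            continue
        for r in sg.ingress:
            if r.source_cidr is not None:
                findings.append((sg.sg_id, r.source_cidr, (r.from_port, r.to_port)))
    return findings


if __name__ == "__main__":
    # The "unit test against the infra code" from point 2: paths that must be
    # open, paths that must be closed, and no CIDR rules except at the edge.
    assert can_reach(SGS, "sg-alb", "sg-web", 8080)
    assert can_reach(SGS, "sg-web", "sg-db", 5432)
    assert not can_reach(SGS, "sg-alb", "sg-db", 5432)   # ALB must not hit the DB
    assert not can_reach(SGS, "sg-web", "sg-db", 22)     # no SSH from web tier
    assert cidr_sourced_rules(SGS, allowed_public={"sg-alb"}) == []
    print("all security-group path assertions passed")
```

Because the rules are keyed on SG IDs, adding a fourth service with its own SG cannot silently widen an existing path: a new service is unreachable until someone writes a rule naming its SG, and that rule shows up in review and in this test.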