
Expose specific services in one VPC privately to another VPC in AWS


My client VPC has services exposed through a Network Load Balancer (NLB). I want to restrict access to these services so that only our application consumer VPC can access the applications privately. Is it possible to enable private connectivity for specific applications across VPCs?


Solution

  • Yes, it's possible with the help of VPC Endpoint Services (PrivateLink):

    1. Create a VPC Endpoint Service with the NLB as backend in the client VPC. Note: the NLB must be internet-facing: false.

    2. Create a VPC Endpoint in the application consumer VPC. Note: its security group should allow TCP access to the target port of the NLB.

    3. Optionally, you can enable private DNS for the endpoint, so that consumer VPC apps use that endpoint DNS to reach the application service privately over the AWS backbone.

      [ Consumer VPC ]                       [ Application VPC ]

      [ App A (EC2/ECS/Lambda) ] --> [ NLB ] --> [ App Service B ]
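An added Terraform example (not code from the question or the answer) that wires the three steps together with the guardrails a reviewer would ask for: an internal NLB, `acceptance_required` plus an allow-list of consumer principals on the endpoint service, and an endpoint security group that admits only App A on the NLB listener port. All IDs, ARNs, names, the port and the `var.*` inputs are placeholders, and both VPCs are shown in one configuration for brevity (across two accounts you would use provider aliases).

```hcl
# --- Application (provider) VPC: internal NLB fronting App Service B ---
resource "aws_lb" "app_nlb" {
  name               = "app-service-b-nlb"         # placeholder name
  internal           = true                         # PrivateLink requires internet-facing: false
  load_balancer_type = "network"
  subnets            = var.app_vpc_private_subnet_ids
}

resource "aws_vpc_endpoint_service" "app_service_b" {
  network_load_balancer_arns = [aws_lb.app_nlb.arn]
  acceptance_required        = true                 # provider must approve each consumer connection
  allowed_principals         = ["arn:aws:iam::111111111111:root"] # consumer account only (placeholder)
  private_dns_name           = "svc-b.example.internal"          # optional; needs DNS ownership TXT record
}

# --- Consumer VPC: interface endpoint reachable only from App A ---
resource "aws_security_group" "endpoint_sg" {
  name   = "app-service-b-endpoint-sg"
  vpc_id = var.consumer_vpc_id

  ingress {
    description     = "Only App A may reach the endpoint on the NLB listener port"
    from_port       = 8443                            # placeholder target port of the NLB
    to_port         = 8443
    protocol        = "tcp"
    security_groups = [var.app_a_security_group_id]   # no 0.0.0.0/0, no whole-VPC CIDR
  }
}

resource "aws_vpc_endpoint" "app_service_b" {
  vpc_id              = var.consumer_vpc_id
  vpc_endpoint_type   = "Interface"
  service_name        = aws_vpc_endpoint_service.app_service_b.service_name
  subnet_ids          = var.consumer_private_subnet_ids
  security_group_ids  = [aws_security_group.endpoint_sg.id]
  private_dns_enabled = true   # step 3: svc-b.example.internal resolves to the endpoint ENIs in this VPC
}

# Provider-side approval of the consumer's pending connection request
resource "aws_vpc_endpoint_connection_accepter" "app_service_b" {
  vpc_endpoint_service_id = aws_vpc_endpoint_service.app_service_b.id
  vpc_endpoint_id         = aws_vpc_endpoint.app_service_b.id
}
```

After apply, `aws ec2 describe-vpc-endpoint-connections --filters Name=service-id,Values=<service-id>` on the provider side lists every consumer endpoint and its state, which is the place to audit that only the expected account has connected.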