A company is deploying a computationally intensive data processing application on AWS with highly sensitive data. The VPC is configured without direct internet access, and strict network security controls are in place. Data scientists need to transfer data from the on-premises data center (using the network range 172.31.0.0/20) to the application VPC (using the network range 172.31.16.0/20) via an AWS Site-to-Site VPN connection. However, they can launch application instances but cannot transfer data. A network engineer enabled VPC flow logs and tested reachability by pinging an instance, observing the flow logs.

What solution should the network engineer recommend to enable data transfer from the on-premises data center while meeting the requirements?