We have an instance within a private subnet that has a managed NAT gateway. On that instance, we are able to access the internet:
$ curl https://www.google.com/
<!doctype html><html itemscope="" itemtype="http://schema.org/WebPage" lang="en"><head>...
However, we are not able to access the cloudwatch endpoint, e.g. the following times out: (EDIT: My mistake, not the cloudwatch endpoint, but rather the site storing the cloudwatch monitoring scripts.)
$ curl https://cloudwatch.s3.amazonaws.com
DNS is not the problem:
$ dig cloudwatch.s3.amazonaws.com
cloudwatch.s3.amazonaws.com. 2303 IN CNAME s3-1-w.amazonaws.com.
s3-1-w.amazonaws.com. 1 IN A 54.231.72.59
Any ideas about what might be happening?
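An added example (not part of the original question) that automates the distinction the curl/dig pair above makes by hand: for each host it first checks resolution only, then attempts a bare TCP handshake to the resolved address with a cap of a few seconds, so "DNS fails", "connects", "connection hangs" and "actively refused" come out as four distinct labels. It assumes bash (for the `/dev/tcp` pseudo-device), `getent` and the coreutils `timeout` command; the host names in the usage line are just the two from the question.

```shell
#!/usr/bin/env bash
# Added example: classify why an HTTPS endpoint is unreachable from an instance,
# separating "DNS fails" from "DNS works but the TCP connection hangs".
# Assumes bash (/dev/tcp), getent and coreutils timeout.

# probe_host HOST [PORT]: prints exactly one of  dns | open | timeout | refused
probe_host() {
  host=$1
  port=${2:-443}

  # Step 1: name resolution only, through the instance's own resolver,
  # the same path curl would take.
  ip=$(getent ahostsv4 "$host" 2>/dev/null | awk 'NR==1 {print $1}')
  [ -n "$ip" ] || { echo dns; return 0; }

  # Step 2: a bare TCP handshake to the resolved address, capped at 5 seconds.
  # timeout exits 124 when the SYN is never answered (typical of a missing or
  # wrong route, a NACL, or a security-group egress rule that drops traffic);
  # bash itself exits non-zero immediately when the peer actively refuses.
  timeout 5 bash -c "exec 3<>/dev/tcp/$ip/$port" </dev/null >/dev/null 2>&1 \
    && rc=0 || rc=$?
  case $rc in
    0)   echo open ;;
    124) echo timeout ;;
    *)   echo refused ;;
  esac
}

# Usage: ./probe.sh www.google.com cloudwatch.s3.amazonaws.com
# One host reporting "open" while another reports "timeout" (with DNS fine for
# both) rules out the resolver and points at the path taken by that
# destination's address range: route table, NACL and security-group egress.
for h in "$@"; do
  printf '%-35s %s\n' "$h" "$(probe_host "$h" 443)"
done
```

Reading the result: a `timeout` for the S3 name next to an `open` for www.google.com means packets to that particular address range are being dropped somewhere between the instance and the NAT gateway, not that the name is wrong. The things to compare for the two destinations are the subnet's route table (an S3 gateway endpoint, if one exists in the VPC, inserts a prefix-list route that sends only S3 address ranges away from the NAT gateway, and its endpoint policy and the subnet's NACL then apply to that traffic), the security group's outbound rules, and the NACL's outbound and inbound ephemeral-port rules.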