I am trying to connect my EC2 host, set up inside a private subnet, to publish logs to CloudWatch. I have set up a VPC interface endpoint for com.amazonaws.us-east-1.logs. Both the interface endpoint and the EC2 instance are in the private subnet.
My security groups

Security group rules for the interface endpoint

Inbound rule
Type      Protocol   Port Range    Destination
All TCP   TCP        0 - 65535     sg-OfEC2Server

Outbound rules - None

Security group rules for EC2

Inbound rules - None

Outbound rule
Type      Protocol   Port Range    Destination
All TCP   TCP        0 - 65535     sg-OfInterfaceEndpoint
The CloudWatch agent keeps timing out, so I sense that there is an issue with my security group rules, but none of the troubleshooting steps helped.
I recreated your setup and encountered the same problem when using the same security groups as yours.

What I found is that the issue is caused by the following outbound rule:

All TCP   TCP   0 - 65535   sg-OfInterfaceEndpoint
This allows EC2 to connect only to the interface endpoint, and nowhere else. Changing it to the CIDR of my VPC (10.1.0.0/16) fixed the problem and I could use the interface endpoint.
I think that the root cause of the timeout was that, with the original outbound rule, your (and my) private instance could not connect to the DHCP or DNS servers for the VPC. Subsequently, resolution of the DNS name of the logs endpoint was not possible.
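To see what each egress rule actually permits, here is a small model of security-group egress evaluation (an added example, not part of the question or answer above). It reproduces the two rules from this thread and evaluates them against constructed destinations; the IP addresses, the second host and the rule/dataclass names are assumptions. It models only explicit rules; traffic that AWS exempts from security group filtering (such as DNS to the Route 53 Resolver) is not represented.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class EgressRule:
    protocol: str                  # "tcp", "udp" or "-1" (all protocols)
    from_port: int
    to_port: int
    cidr: Optional[str] = None     # destination CIDR block, or ...
    dest_sg: Optional[str] = None  # ... destination security group id


@dataclass
class Destination:
    ip: str
    sgs: Set[str] = field(default_factory=set)  # SGs attached to the target ENI


def rule_matches(rule: EgressRule, dest: Destination, protocol: str, port: int) -> bool:
    """True when a single rule covers this protocol, port and destination."""
    if rule.protocol not in ("-1", protocol):
        return False
    if rule.protocol != "-1" and not (rule.from_port <= port <= rule.to_port):
        return False
    if rule.cidr is not None:
        return ipaddress.ip_address(dest.ip) in ipaddress.ip_network(rule.cidr)
    # SG-referencing rules match only ENIs that carry the referenced group,
    # regardless of the destination's IP address inside the VPC.
    return rule.dest_sg in dest.sgs


def egress_allowed(rules: List[EgressRule], dest: Destination, protocol: str, port: int) -> bool:
    """Security groups are allow-lists: any matching rule permits, otherwise deny."""
    return any(rule_matches(r, dest, protocol, port) for r in rules)


# Constructed sample topology (assumed addresses, not taken from the post).
ENDPOINT_ENI = Destination("10.1.10.25", {"sg-OfInterfaceEndpoint"})
OTHER_VPC_HOST = Destination("10.1.20.7")  # any in-VPC host without the endpoint SG

# The EC2 outbound rule as posted, and the replacement from the answer.
ORIGINAL_EGRESS = [EgressRule("tcp", 0, 65535, dest_sg="sg-OfInterfaceEndpoint")]
FIXED_EGRESS = [EgressRule("tcp", 0, 65535, cidr="10.1.0.0/16")]

if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL_EGRESS), ("fixed", FIXED_EGRESS)):
        print(name, "-> endpoint 443:", egress_allowed(rules, ENDPOINT_ENI, "tcp", 443),
              "| other VPC host 443:", egress_allowed(rules, OTHER_VPC_HOST, "tcp", 443),
              "| other VPC host udp/53:", egress_allowed(rules, OTHER_VPC_HOST, "udp", 53))
```

Note that both rules are TCP-only, so neither explicitly permits UDP traffic anywhere in the VPC.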