2 Answers
Great point, thank you!
Port 443 needs to be allowed for the security group of the NAT instance so that the NAT instance can receive routed HTTPS traffic from traffic in private subnets. If port 443 were not allowed, private instances routing their traffic via the NAT instance would have only been able to use HTTP.
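An added example, not part of the answers above: a small audit check that reads a NAT instance's inbound rules and reports which web ports a private subnet can actually send through it. The rule data is in the shape returned by EC2 `DescribeSecurityGroups`; the CIDRs, the sample groups and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample data (assumed CIDRs), shaped like the "IpPermissions"
# list of a security group in EC2 DescribeSecurityGroups output.
PRIVATE_SUBNET = "10.0.1.0/24"
NAT_SG_HTTP_ONLY = {"IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
     "IpRanges": [{"CidrIp": "10.0.1.0/24"}]},
]}
NAT_SG_HTTP_HTTPS = {"IpPermissions": NAT_SG_HTTP_ONLY["IpPermissions"] + [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
]}


def rule_allows(rule, source_cidr, port):
    """True if one inbound rule admits TCP `port` from all of `source_cidr`."""
    proto = rule.get("IpProtocol")
    if proto == "-1":
        port_ok = True  # "-1" means every protocol and every port
    elif proto in ("tcp", "6"):
        port_ok = rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)
    else:
        return False
    source = ipaddress.ip_network(source_cidr)
    # Only CIDR-based sources are checked; rules that reference another
    # security group (UserIdGroupPairs) are outside this sketch.
    return port_ok and any(
        source.subnet_of(ipaddress.ip_network(r["CidrIp"]))
        for r in rule.get("IpRanges", [])
    )


def forwardable_ports(nat_sg, source_cidr, ports=(80, 443)):
    """Ports the NAT instance will accept from the private subnet."""
    return [p for p in ports
            if any(rule_allows(r, source_cidr, p)
                   for r in nat_sg.get("IpPermissions", []))]


if __name__ == "__main__":
    for name, sg in (("http-only", NAT_SG_HTTP_ONLY),
                     ("http+https", NAT_SG_HTTP_HTTPS)):
        print(name, forwardable_ports(sg, PRIVATE_SUBNET))
```

With the first group only port 80 is reported, so HTTPS from the private subnet is dropped at the NAT instance before it is ever forwarded.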