I am running an AWS CodeBuild project to build, test and publish a .NET 8 application locally (within CodeBuild) and then running it as part of an integration test. The CodeBuild project is running/deployed in my account's VPC, which includes a NAT Gateway for outbound internet traffic, because it also requires access to some private VPC resources.
The Security Group on my CodeBuild project ONLY allows outbound HTTPS/443 to the public internet (0.0.0.0/0) and the build process is currently taking an extremely long time, ~22 minutes, on the dotnet restore --verbosity detailed step. Additionally, I have a nuget.config file that has two entries - one for the public NuGet feed with the HTTPS URL (https://api.nuget.org/v3/index.json) and another for our private AWS CodeArtifact repository, which is also an HTTPS URL.
In contrast, when I allow outbound on Port 80 on my Security Group, it takes less than 15 seconds to restore all the packages and publish the DLL locally.
My current hypothesis is that it is trying to use HTTP/80 first for each step, timing out after some very generous timeout value and then falling back to HTTPS/443 - then repeating for the next package.
I can see it making progress in the logs:
PackageSignatureVerificationLog: PackageIdentity: System.Reflection.TypeExtensions.4.3.0 Source: https://api.nuget.org/v3/index.json PackageSignatureValidity: True
Installed System.Reflection.TypeExtensions 4.3.0 from https://api.nuget.org/v3/index.json to /root/.nuget/packages/system.reflection.typeextensions/4.3.0 with content hash 7u6ulLcZbyxB5Gq0nMkQttcdBTx57ibzw+4IOXEfR+sXYQoHvjW5LTLyNr8O22UIMrqYbchJQJnos4eooYzYJA==.
Acquiring lock for the installation of runtime.opensuse.42.1-x64.runtime.native.System.Security.Cryptography.OpenSsl 4.3.2
Acquired lock for the installation of runtime.opensuse.42.1-x64.runtime.native.System.Security.Cryptography.OpenSsl 4.3.2
PackageSignatureVerificationLog: PackageIdentity: runtime.native.System.IO.Compression.4.3.0 Source: https://api.nuget.org/v3/index.json PackageSignatureValidity: True
PackageSignatureVerificationLog: PackageIdentity: System.Runtime.CompilerServices.Unsafe.4.3.0 Source: https://api.nuget.org/v3/index.json PackageSignatureValidity: True
Installed runtime.native.System.IO.Compression 4.3.0 from https://api.nuget.org/v3/index.json to /root/.nuget/packages/runtime.native.system.io.compression/4.3.0 with content hash INBPonS5QPEgn7naufQFXJEp3zX6L4bwHgJ/ZH78aBTpeNfQMtf7C6VrAFhlq2xxWBveIOWyFzQjJ8XzHMhdOQ==.
Acquiring lock for the installation of runtime.osx.10.10-x64.runtime.native.System.Security.Cryptography.OpenSsl 4.3.2
Acquired lock for the installation of runtime.osx.10.10-x64.runtime.native.System.Security.Cryptography.OpenSsl 4.3.2
Installed System.Runtime.CompilerServices.Unsafe 4.3.0 from https://api.nuget.org/v3/index.json to /root/.nuget/packages/system.runtime.compilerservices.unsafe/4.3.0 with content hash rcnXA1U9W3QUtMSGoyoNHH6w4V5Rxa/EKXmzpORUYlDAlDB34hIQoU57ATXl8xHa83VvzRm6PcElEizgUd7U5w==.
Acquiring lock for the installation of runtime.rhel.7-x64.runtime.native.System.Security.Cryptography.OpenSsl 4.3.2
Acquired lock for the installation of runtime.rhel.7-x64.runtime.native.System.Security.Cryptography.OpenSsl 4.3.2
PackageSignatureVerificationLog: PackageIdentity: System.Buffers.4.3.0 Source: https://api.nuget.org/v3/index.json PackageSignatureValidity: True
My question is, is it possible to configure the communication with NuGet to ONLY be over HTTPS/443?
Update: I added/set the environment variable NUGET_CERT_REVOCATION_MODE to offline based on the answer to this question: Nuget package verification is taking too long on a build machine, and the restore time was as fast as it was with port 80 open. So I'm thinking the underlying issue is that the revocation status check for the package signing is NOT using HTTPS.
Added issue to NuGet GitHub repo: https://github.com/NuGet/Home/issues/13659
Comments:

dotnet publish --source https://whatever/you/publish/to?

dotnet publish command via the flag --source https://api.nuget.org/v3/index.json but it's still hanging. When checking the VPC flow logs for the ENI, still seeing attempts to outbound on port 80 while it hangs on that step.

--verbosity detailed to figure out what it tries to connect to.
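The comment above mentions checking the VPC flow logs for the build ENI to confirm the hypothesis that the slow restore is caused by blocked port-80 traffic (certificate revocation lists and OCSP responders are conventionally served over plain HTTP, which is consistent with the NUGET_CERT_REVOCATION_MODE=offline result in the update). The following script is an added example, not part of the question or any answer on this page: it parses records in the default version-2 VPC flow-log format and summarizes REJECTed outbound TCP flows from a given ENI to a given destination port. The flow records, account id, ENI id and addresses are constructed placeholders, and the helper names (parse_flow_log, rejected_outbound) are the example's own.

```python
"""Find outbound TCP connection attempts that the security group rejected.

Default VPC flow-log record format (version 2), space separated:
version account-id interface-id srcaddr dstaddr srcport dstport protocol
packets bytes start end action log-status
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Constructed sample records (NOT real logs). Account id, ENI id and addresses
# are placeholders. Protocol 6 = TCP. Pattern shown: HTTPS (443) to the
# package feed is ACCEPTed, but plain HTTP (80) to public addresses is REJECTed.
SAMPLE_FLOW_LOG = """\
2 111111111111 eni-0000000000example 10.0.1.25 203.0.113.10 44212 80 6 3 180 1700000000 1700000060 REJECT OK
2 111111111111 eni-0000000000example 10.0.1.25 203.0.113.20 44213 443 6 25 18000 1700000000 1700000060 ACCEPT OK
2 111111111111 eni-0000000000example 10.0.1.25 203.0.113.10 44214 80 6 3 180 1700000061 1700000120 REJECT OK
2 111111111111 eni-0000000000example 10.0.1.25 198.51.100.7 44215 80 6 2 120 1700000061 1700000120 REJECT OK
2 111111111111 eni-0000000000example 10.0.1.25 10.0.2.40 44216 5432 6 40 9000 1700000061 1700000120 ACCEPT OK
2 111111111111 eni-0000000000example 203.0.113.20 10.0.1.25 443 44213 6 20 120000 1700000000 1700000060 ACCEPT OK
2 111111111111 eni-0000000000example - - - - - - - 1700000121 1700000180 - NODATA
"""


@dataclass(frozen=True)
class FlowRecord:
    interface_id: str
    srcaddr: str
    dstaddr: str
    srcport: int
    dstport: int
    protocol: int
    action: str


def parse_flow_log(text: str) -> list[FlowRecord]:
    """Parse version-2 records; skip NODATA/SKIPDATA and malformed lines."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 14 or fields[0] != "2" or fields[13] != "OK":
            continue
        records.append(FlowRecord(
            interface_id=fields[2],
            srcaddr=fields[3],
            dstaddr=fields[4],
            srcport=int(fields[5]),
            dstport=int(fields[6]),
            protocol=int(fields[7]),
            action=fields[12],
        ))
    return records


def rejected_outbound(records: list[FlowRecord], eni: str,
                      local_prefix: str, dstport: int = 80) -> Counter:
    """Count REJECTed TCP flows that left `eni` (source inside local_prefix)
    toward `dstport`, keyed by destination address.

    A non-empty result for port 80 during the restore step, alongside ACCEPTed
    443 flows, is the evidence the comment above is looking for: the client
    is trying plain-HTTP connections (typically CRL/OCSP fetches during
    signature verification) that the security group drops, and it waits for
    a timeout on each one.
    """
    network = ipaddress.ip_network(local_prefix)
    hits: Counter = Counter()
    for r in records:
        if r.interface_id != eni or r.protocol != 6 or r.action != "REJECT":
            continue
        if r.dstport != dstport:
            continue
        if ipaddress.ip_address(r.srcaddr) not in network:
            continue  # inbound or unrelated flow; only outbound attempts count
        hits[r.dstaddr] += 1
    return hits


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_FLOW_LOG)
    for port in (80, 443):
        blocked = rejected_outbound(recs, "eni-0000000000example", "10.0.1.0/24", port)
        print(f"rejected outbound TCP/{port}: {dict(blocked) or 'none'}")
```

If the only rejects are on port 80 toward public addresses while the 443 flows to the feed are accepted, the build's slowness is a network-policy symptom rather than a NuGet problem; the options on this page are either to keep revocation checking offline in the build (the NUGET_CERT_REVOCATION_MODE=offline setting from the update) or to allow the specific HTTP egress that the revocation fetches need.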