A company has set up a Virtual Private Cloud (VPC) with public and private subnets. The instances in the private subnet must retrieve updates from the internet, but should not be directly accessible from external sources. Which component should the company use to allow these instances to connect to the internet while ensuring they remain private?
Peering Connection
NAT Gateway
Internet Gateway
Virtual Private Gateway