SAA-C03 Question 15: Outbound Internet from Private Subnet

EC2 instances in a private subnet must download OS patches from the internet, but must not be directly reachable from the internet. What should the architect deploy?

A) An Internet Gateway attached directly to the private subnet.

B) A NAT Gateway in a public subnet, with a route from the private subnet to it.

C) An Elastic IP on each private instance.

D) A VPC peering connection to the internet.

Correct Answer: B

Explanation: A NAT Gateway (in a public subnet) lets private instances initiate outbound connections while blocking inbound connections from the internet. (A) would make instances publicly reachable. (C) Elastic IPs make instances publicly addressable — the opposite of the requirement. (D) VPC peering connects VPCs, not the internet.