Which feature can be used to meet this requirement?
Host-based firewalls
NAT Gateway
Network access control lists
Security Groups
Explanations:
Host-based firewalls operate at the instance level and do not provide a centralized way to deny traffic for all services in a VPC. They are effective for controlling traffic to individual instances but do not manage ingress and egress at the VPC level.
A NAT Gateway is used to enable outbound internet access for instances in a private subnet but does not provide functionality to explicitly deny traffic. It manages egress traffic but does not control ingress or block specific IP addresses.
Network Access Control Lists (NACLs) are stateless filters that can be used to control inbound and outbound traffic at the subnet level. They can explicitly deny traffic from specific IP addresses for both ingress and egress requests, making them suitable for this requirement.
Security Groups are stateful and operate at the instance level; their rules allow traffic rather than explicitly deny it. While they can restrict access to instances, they do not provide a straightforward mechanism to deny specific IP addresses for all services in a VPC.