Which AWS managed service allows this?
VPC endpoint
NAT gateway
Amazon PrivateLink
VPC peering
Explanations:
A VPC endpoint allows private connections from a VPC to supported AWS services (gateway endpoints for S3 and DynamoDB, interface endpoints for most other services) without an internet gateway, but it does not provide general outbound internet access. Traffic through an endpoint goes only to the specific service the endpoint targets, so it does not meet a requirement to pull updates from arbitrary internet repositories.
A NAT gateway is specifically designed to allow instances in a private subnet to initiate outbound connections to the internet while rejecting unsolicited inbound connections from the internet. The NAT gateway sits in a public subnet with an Elastic IP, and the private subnet's route table sends 0.0.0.0/0 to it; the instances keep only private IP addresses, so nothing on the internet can reach them directly, while the stateful translation lets replies to their own requests come back. This makes it the right choice for pulling OS updates while keeping the instance unreachable from the internet. Security groups and network ACLs still apply, so egress can be restricted to the update repositories you actually need.
Amazon PrivateLink provides private connectivity to services hosted in other VPCs or by AWS (interface VPC endpoints are built on it) and does not facilitate general outbound internet access. It is designed to reach a specific service without exposing your VPC to the internet at all, which does not meet the requirement of pulling updates from the internet.
VPC peering allows two VPCs to communicate privately over their private IP addresses, but it does not provide a path for instances in a private subnet to reach the internet. Peering is not transitive, so a peered VPC's internet gateway or NAT gateway cannot be used either; it is for inter-VPC communication rather than internet access.
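The distinction above comes down to what the subnet's route table does with 0.0.0.0/0. The following is an added example, not part of the original question or of any AWS tooling, that classifies route tables in the shape returned by boto3's `ec2.describe_route_tables()`: a default route to a `nat-` resource means outbound-only internet access, a default route to an `igw-` means the subnet is public, and no default route (only `local` and endpoint prefix-list routes) means the instances cannot pull updates at all. The resource IDs and the sample route tables are constructed for the example.

```python
"""Added example (not from the original page): classify VPC route tables by
their IPv4 default route, using the dict structure that boto3's
ec2.describe_route_tables()["RouteTables"] returns. All IDs are constructed."""

from typing import Dict, List

# Constructed sample data; the resource IDs are made up.
SAMPLE_ROUTE_TABLES: List[dict] = [
    {   # private subnet: default route to a NAT gateway -> outbound only
        "RouteTableId": "rtb-private",
        "Associations": [{"SubnetId": "subnet-app"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0abc", "State": "active"},
        ],
    },
    {   # public subnet (where the NAT gateway itself lives): default route to an IGW
        "RouteTableId": "rtb-public",
        "Associations": [{"SubnetId": "subnet-nat"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0def", "State": "active"},
        ],
    },
    {   # isolated subnet: only an S3 gateway endpoint route, no default route
        "RouteTableId": "rtb-isolated",
        "Associations": [{"SubnetId": "subnet-db"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationPrefixListId": "pl-s3", "GatewayId": "vpce-0123", "State": "active"},
        ],
    },
]


def classify_route_table(rt: dict) -> str:
    """Describe how instances behind this route table reach the IPv4 internet.

    Returns one of:
      'nat'       default route to a NAT gateway (outbound only, inbound blocked)
      'igw'       default route to an internet gateway (subnet is public)
      'blackhole' default route whose target no longer exists (updates will fail)
      'other'     default route to something else (NAT instance, transit gateway, ...)
      'none'      no default route at all (endpoints/peering only, no internet)
    """
    for route in rt.get("Routes", []):
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue  # local and endpoint/prefix-list routes are not internet routes
        if route.get("State") == "blackhole":
            return "blackhole"  # e.g. the NAT gateway was deleted; route remains
        if route.get("NatGatewayId"):
            return "nat"
        if route.get("GatewayId", "").startswith("igw-"):
            return "igw"
        return "other"
    return "none"


def classify_route_tables(route_tables: List[dict]) -> Dict[str, str]:
    """Map each route table ID to its classification."""
    return {rt["RouteTableId"]: classify_route_table(rt) for rt in route_tables}


def subnets_with_public_default_route(route_tables: List[dict]) -> List[str]:
    """Subnets whose default route is an internet gateway. An instance placed
    there with a public IP is directly reachable from the internet, which is
    exactly what a private subnet behind a NAT gateway avoids."""
    exposed: List[str] = []
    for rt in route_tables:
        if classify_route_table(rt) != "igw":
            continue
        exposed.extend(a["SubnetId"] for a in rt.get("Associations", []) if "SubnetId" in a)
    return exposed


if __name__ == "__main__":
    for rtb_id, kind in classify_route_tables(SAMPLE_ROUTE_TABLES).items():
        print(f"{rtb_id}: {kind}")
    print("public subnets:", subnets_with_public_default_route(SAMPLE_ROUTE_TABLES))
```

To run this against a real account, replace `SAMPLE_ROUTE_TABLES` with `boto3.client("ec2").describe_route_tables()["RouteTables"]`; the classification logic is unchanged. A subnet that should only pull updates should come back as `nat`, never `igw`, and a `blackhole` result explains the common case where updates stop working after someone deletes the NAT gateway but leaves the route in place.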