Aug 16, 2017

You can use a network address translation (NAT) gateway to enable instances in a private subnet to connect to the Internet

But prevent the Internet from initiating a connection with those instances.