A government research agency is running Amazon EC2 instances in a private subnet within a VPC. These instances store and process classified information and must adhere to strict network security controls. Per organizational policy, the EC2 instances may access only approved external software update sources via specific URLs. All other internet-bound traffic must be blocked. The team needs a secure and manageable solution that enforces this policy without exposing the instances to the public internet. What is the most appropriate architecture to satisfy these security requirements?