How do private resources in AWS Private Subnets still get updates from the internet

Source: DEV Community
Virtual Private Clouds (VPCs) hold an organization's resources within a specific region. A VPC Availability Zone can hold different types of subnets. Resources in a public subnet are reachable from the internet through an internet gateway. Resources in a private subnet, on the other hand, can only be reached by other resources in the VPC. For instance, an EC2 backend server in a public subnet talks to a Postgres database server on RDS (AWS's relational database service) in a private subnet.

Now, when the Postgres database server needs updates and security patches from the wider internet, how does this happen?

Simple answer: NAT Gateways.

If NAT Gateways allow instances in private subnets to connect to the internet, how then are these instances not accessible from the internet? This was a point of confusion for me.

A public NAT Gateway (Network Address Translation Gateway) maps the private instance's IP address to the NAT's private IP address. The NAT's private IP address is then m
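The following toy model, added here as an illustration and not code from the original post or from AWS, shows the two mechanisms the paragraphs above describe: the private subnet's route table sends 0.0.0.0/0 traffic to the NAT gateway instead of an internet gateway, and the NAT gateway keeps a table of outbound flows so that only replies to those flows are translated back to a private address, while unsolicited inbound packets have no matching entry and are dropped. All IP addresses, ports and resource ids (`nat-0example`, `igw-0example`) are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed values: the VPC CIDR is RFC 1918 space, "internet" hosts use
# documentation ranges (TEST-NET-1/2/3) so nothing here refers to a real host.
VPC_CIDR = "10.0.0.0/16"
DB_PRIVATE_IP = "10.0.2.15"      # RDS Postgres instance in the private subnet
NAT_PUBLIC_IP = "203.0.113.10"   # Elastic IP attached to the public NAT gateway
UPDATE_MIRROR = "198.51.100.20"  # package mirror on the internet

# Route tables as "destination CIDR -> target". The resource ids are hypothetical.
PRIVATE_SUBNET_ROUTES = {VPC_CIDR: "local", "0.0.0.0/0": "nat-0example"}
PUBLIC_SUBNET_ROUTES = {VPC_CIDR: "local", "0.0.0.0/0": "igw-0example"}


def next_hop(routes: Dict[str, str], dst_ip: str) -> Optional[str]:
    """Longest-prefix match, which is how a VPC route table picks a target."""
    addr = ipaddress.ip_address(dst_ip)
    best: Optional[Tuple[ipaddress.IPv4Network, str]] = None
    for cidr, target in routes.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatGateway:
    """Stateful source NAT: outbound packets leave with the gateway's public IP
    and a fresh port; inbound packets are forwarded only when they match a
    flow that a private host opened first."""

    def __init__(self, public_ip: str) -> None:
        self.public_ip = public_ip
        self._next_port = 1024
        # nat_port -> (private_ip, private_port, remote_ip, remote_port)
        self._flows: Dict[int, Tuple[str, int, str, int]] = {}
        self._by_flow: Dict[Tuple[str, int, str, int], int] = {}

    def outbound(self, pkt: Packet) -> Packet:
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self._by_flow.get(flow)
        if port is None:  # first packet of this flow: allocate a translation
            port = self._next_port
            self._next_port += 1
            self._flows[port] = flow
            self._by_flow[flow] = port
        return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        flow = self._flows.get(pkt.dst_port)
        # Unknown port, or a known port but a different remote peer: dropped.
        if flow is None or (flow[2], flow[3]) != (pkt.src_ip, pkt.src_port):
            return None
        private_ip, private_port, _, _ = flow
        return Packet(pkt.src_ip, pkt.src_port, private_ip, private_port)


def fetch_update() -> dict:
    """Walk one HTTPS request from the private DB host to the mirror and back,
    then show two unsolicited inbound packets being dropped."""
    nat = NatGateway(NAT_PUBLIC_IP)
    request = Packet(DB_PRIVATE_IP, 40000, UPDATE_MIRROR, 443)
    route_target = next_hop(PRIVATE_SUBNET_ROUTES, request.dst_ip)
    on_internet = nat.outbound(request)          # what the mirror actually sees
    reply = Packet(UPDATE_MIRROR, 443, on_internet.src_ip, on_internet.src_port)
    delivered = nat.inbound(reply)               # translated back to 10.0.2.15
    # Someone on the internet trying to reach Postgres through the NAT's IP:
    probe = Packet("192.0.2.99", 5555, NAT_PUBLIC_IP, 5432)
    # Same attacker guessing the port the NAT allocated for the open flow:
    spoof = Packet("192.0.2.99", 5555, NAT_PUBLIC_IP, on_internet.src_port)
    return {
        "route_target": route_target,
        "seen_by_mirror": on_internet.src_ip,
        "reply_to": delivered.dst_ip if delivered else None,
        "probe_delivered": nat.inbound(probe),
        "spoof_delivered": nat.inbound(spoof),
    }


if __name__ == "__main__":
    for key, value in fetch_update().items():
        print(f"{key}: {value}")
```

The route table is the half people usually remember: the private subnet has no route to an internet gateway, so nothing can address the database directly from outside. The flow table is the half that explains the confusion in the post: return traffic is allowed only because the private host created the entry first, which is why the same gateway that lets the database pull patches gives an outside host nothing to connect to.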