AWS Certified Solutions Architect - Professional (#502)

A user is hosting a public website on AWS. The user wants to have the database and the app server in an AWS VPC. The user wants to set up a database that can connect to the Internet for any patch upgrade but cannot receive any request from the Internet. How can the user set this up?

Set up the DB in a private subnet with the security group allowing only outbound traffic.
Set up the DB in a public subnet with the security group allowing only inbound data.
Set up the DB in a local data center and use a private gateway to connect the application with the DB.
Set up the DB in a private subnet which is connected to the Internet via NAT for outbound.