AWS SAP-C02 · Question 25 · Domain 1.2: Security Controls
A company has a multi-tier application running on AWS. The web tier is in a public subnet, and the application and database tiers are in private subnets. The application tier needs to download software updates from the internet. The security team requires that the application tier's outbound internet access be restricted to only the specific domains of the software vendors. How can this be achieved?
Answer options:
Use a NAT Gateway and configure Security Groups on the application instances to allow outbound traffic only to the vendor domains.
Deploy an AWS Network Firewall in the VPC. Configure stateful rules with domain list filtering to allow access only to the vendor domains. Route application tier internet traffic through the firewall.
Configure a VPC Endpoint for the software vendor's domains.
Use AWS WAF on an Application Load Balancer to filter outbound requests.