You have deployed Compute Engine instances in regions us-west1 and us-east1 within a VPC using default routing. Your security policy requires that VMs must not have public IP addresses, but the instances need to download updates from the internet without allowing inbound external access. What is the recommended solution?