Network address translation (NAT) can be used to enable instances in a private subnet to connect to the internet or other AWS services while preventing the internet from initiating a connection with those instances.
You provision the NAT Gateway in the public subnet (and thus the same AZ), allowing instances in the private subnet to access the internet (but only outwards).
NAT Gateways are redundant within the single AZ, not associated with security groups, and are automatically assigned an IP address.
You also have to alter your route table to route requests through the NAT Gateway.
Note that NAT Gateways have a maximum amount of bandwidth.