If you launched all the instances within the same instance than you can use the concept DNAT in your router. You have to add one rule in your system that whoever coming from outside are not able to connect but your instance can connect to the outside world. AWS also works in this way. Just search about DNAT concept. It will solve your problem.