oci-cis-landingzone-quickstart
Private compute instance in DMZ cannot reach anything thru service gateway
I deployed the Hub/Spoke configuration with DMZ. I would have expected the DMZ indoor route table to include a route rule that goes through the NAT gateway. I found that it was configured with the Internet Gateway. I searched through the code and found that while the NAT gateway was created, it really wasn't being used anywhere. Since the indoor subnet is a private subnet, it needs to have the NAT gateway route in order to find its way to the allowed outside network resources, like services for OS updates. Was this by design? If so, then how would one do OS updates on private devices? If not, then this might be a bug that should be addressed.
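
A check for the condition described in this report, as an added example that is not part of the original issue or the project's code: it flags a private subnet whose route table targets an internet gateway and reports missing NAT or service gateway routes. The dictionaries mirror the OCI API field names `prohibit_public_ip_on_vnic`, `destination`, `destination_type` and `network_entity_id`; the subnet name, OCIDs and service CIDR label are constructed placeholders.

```python
# Constructed sample data: OCIDs below are placeholders, not real resources.
IGW = "ocid1.internetgateway.oc1..exampleigw"
NAT = "ocid1.natgateway.oc1..examplenat"
SGW = "ocid1.servicegateway.oc1..examplesgw"


def gateway_kind(ocid):
    """Return the resource-type segment of an OCID (ocid1.<type>.<realm>...)."""
    parts = ocid.split(".")
    return parts[1] if len(parts) > 2 and parts[0] == "ocid1" else "unknown"


def audit_subnet(subnet, route_rules):
    """Return finding codes for a subnet and the rules of its route table."""
    if not subnet["prohibit_public_ip_on_vnic"]:
        return []  # public subnet: an internet gateway route is expected
    kinds = {gateway_kind(r["network_entity_id"]) for r in route_rules}
    findings = []
    if "internetgateway" in kinds:
        # Instances here have no public IP, so this route carries no traffic.
        findings.append("IGW_ROUTE_ON_PRIVATE_SUBNET")
    # The next two may be intentional if egress is forced through a firewall.
    if "natgateway" not in kinds:
        findings.append("NO_NAT_ROUTE")
    if "servicegateway" not in kinds:
        findings.append("NO_SERVICE_GATEWAY_ROUTE")
    return findings


indoor = {"display_name": "dmz-indoor", "prohibit_public_ip_on_vnic": True}
as_reported = [{"destination": "0.0.0.0/0", "destination_type": "CIDR_BLOCK",
                "network_entity_id": IGW}]
with_private_egress = [
    {"destination": "0.0.0.0/0", "destination_type": "CIDR_BLOCK",
     "network_entity_id": NAT},
    # Hypothetical service CIDR label; real values come from the region's service list.
    {"destination": "all-example-services", "destination_type": "SERVICE_CIDR_BLOCK",
     "network_entity_id": SGW},
]

if __name__ == "__main__":
    print(audit_subnet(indoor, as_reported))
    print(audit_subnet(indoor, with_private_egress))
```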