How to allow outbound connections only for updates

I have a network with a number of VMs hosting applications mainly for internal use, but they are also exposed to the internet via Traefik. Because there is a chance one of them will be hacked eventually, it looks like a good idea to block direct outbound connections for VMs. But, I want to be able to run updates, so I need a way to allow outbound connections for updates. My current idea is to install a proxy server (Squid probably), configure VMs to use this proxy for updates, and forbid all direct outbound connections for VMs in the firewall. Because I am not an IT professional I would like to get some feedback on this idea. Thank you.

What you need to do is:

1. Gather a list of websites or domains that the servers needs to communicate with.
2. Install Squid, configure its ACL to only accept connection from your servers AND to the list of websites you already gathered.
3. Configure your servers to communicate with Squid and deny direct internet access for them.
4. Monitor Squid logs for other websites that the servers might be trying to communicate with but you missed to add them to the list.