For providing package updates to an isolated network, you have a couple options:
- As you already have Landscape, you can mirror upstream repositories pockets (e.g. security updates) and series (i.e. versions of Ubuntu) to it, and then create a Landscape repository profile. The mirror basically copies and serves the packages locally and the repository profile instruct client computers to replace their list of repository mirrors by landscape (so there are no external connections). Both of those are covered by the Landscape documentation and require using the Landscape API.
- Alternatively, if you do not wish to mirror the package archive or to rely on Landscape, you could just deploy a caching proxy (e.g. apt-cacher-ng or squid-deb-proxy) to your DMZ (i.e. VLAN11) and point computers from the isolated network (i.e. VLAN12) to it by configuring their apt proxy configuration.
The Landscape mirror has the added benefit of being able to filter packages, snapshot them, and have finer control over how updates are rolled-out. It also handles the client computer's apt configuration.
The proxy method has the benefit of being somewhat lightweight. You could possibly also mix solutions by having both a caching proxy and using a Landscape repository profile to update the clients apt configuration.
P.S. edit: this does not cover snap packages though. At the time of this writing, Landscape doesn't install, handle, or mirror, or proxy or is even aware of snaps.
