An Internet Gateway (IGW) forwards traffic between the VPC and the open internet, and the route table of a public subnet carries a default route (0.0.0.0/0) pointing at it. An instance in such a subnet can therefore initiate connections to the internet and, provided it has a public or Elastic IP address and its security group and network ACL permit the traffic, accept connections initiated from the internet. An instance in a private subnet cannot be reached from the internet at all, but it still needs a path out: to download software patches, or to talk to other AWS services (where the service does not offer a VPC endpoint), a connection initiated by the instance must be able to reach the internet, while nothing on the internet should be able to initiate a connection back to the instance. This is where the NAT Gateway comes in.
The NAT Gateway enables instances in a private subnet to connect to the open internet or to other AWS services, but it prevents the open internet from initiating connections to those private instances. The routing is the whole mechanism: the private subnet's route table sends 0.0.0.0/0 to the NAT Gateway, and the NAT Gateway itself is created in a public subnet whose route table sends 0.0.0.0/0 to the IGW. The Elastic IP of the NAT Gateway is the only address the internet sees, and because the gateway only tracks connections that private instances opened, it has nothing to map an unsolicited inbound packet to. Note that a NAT Gateway is not a filter on where private instances may connect; outbound destinations are still governed by security groups and network ACLs.
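The public/private split above is enforced entirely by which target the 0.0.0.0/0 route of each subnet's route table points at, so it is worth checking mechanically. The following audit is an added example, not code from the original page: it takes a VPC description shaped roughly like the output of `aws ec2 describe-subnets`, `describe-route-tables` and `describe-nat-gateways` (reduced to the fields that matter, with every ID and the sample data constructed for the example) and flags a subnet tagged private that routes to the IGW, a private subnet that auto-assigns public IPs, and a NAT Gateway created in a subnet that has no route to the IGW, which would leave the private subnets behind it with no path out.

```python
"""Audit VPC route tables for the public/private subnet pattern (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

DEFAULT_ROUTE = "0.0.0.0/0"


@dataclass
class Subnet:
    subnet_id: str
    tier: str            # intended tier, "public" or "private" (e.g. from a Tier tag)
    map_public_ip: bool  # MapPublicIpOnLaunch


@dataclass
class RouteTable:
    rtb_id: str
    routes: Dict[str, str]  # destination CIDR -> target ("local", "igw-...", "nat-...")
    subnet_ids: List[str]   # subnets explicitly associated with this table


@dataclass
class NatGateway:
    nat_id: str
    subnet_id: str          # subnet the NAT Gateway was created in


def default_target(rt: Optional[RouteTable]) -> str:
    """Target of the 0.0.0.0/0 route, or "" if the table is missing or has none."""
    if rt is None:
        return ""
    return rt.routes.get(DEFAULT_ROUTE, "")


def classify(rt: Optional[RouteTable]) -> str:
    """Tier a table actually implements: IGW default route -> public, NAT -> private, else isolated."""
    target = default_target(rt)
    if target.startswith("igw-"):
        return "public"
    if target.startswith("nat-"):
        return "private"
    return "isolated"


def audit(subnets: List[Subnet], route_tables: List[RouteTable],
          nat_gateways: List[NatGateway]) -> List[str]:
    """Compare each subnet's intended tier with the tier its route table implements."""
    findings: List[str] = []
    rt_by_subnet = {sid: rt for rt in route_tables for sid in rt.subnet_ids}

    for sn in subnets:
        rt = rt_by_subnet.get(sn.subnet_id)
        if rt is None:
            # An unassociated subnet silently uses the VPC main route table; flag it rather than guess.
            findings.append(f"{sn.subnet_id}: no explicit route table association")
            continue
        effective = classify(rt)
        if sn.tier == "public" and effective != "public":
            findings.append(f"{sn.subnet_id}: tagged public but {rt.rtb_id} has no IGW default route ({effective})")
        if sn.tier == "private":
            if effective == "public":
                findings.append(f"{sn.subnet_id}: tagged private but {rt.rtb_id} sends {DEFAULT_ROUTE} to {default_target(rt)}")
            elif effective == "isolated":
                findings.append(f"{sn.subnet_id}: private subnet has no NAT route; instances cannot reach the internet")
            if sn.map_public_ip:
                findings.append(f"{sn.subnet_id}: private subnet auto-assigns public IPs on launch")

    for nat in nat_gateways:
        # The NAT Gateway's own subnet must reach the IGW, or nothing behind it gets out.
        host_rt = rt_by_subnet.get(nat.subnet_id)
        if classify(host_rt) != "public":
            findings.append(f"{nat.nat_id}: placed in {nat.subnet_id}, which has no route to an IGW; NAT traffic has no path out")
    return findings


def good_vpc():
    """Constructed sample: one public and one private subnet wired as described above."""
    subnets = [Subnet("subnet-pub-a", "public", True), Subnet("subnet-priv-a", "private", False)]
    tables = [
        RouteTable("rtb-public", {"10.0.0.0/16": "local", DEFAULT_ROUTE: "igw-0example"}, ["subnet-pub-a"]),
        RouteTable("rtb-private", {"10.0.0.0/16": "local", DEFAULT_ROUTE: "nat-0example"}, ["subnet-priv-a"]),
    ]
    return subnets, tables, [NatGateway("nat-0example", "subnet-pub-a")]


def bad_vpc():
    """Constructed sample with three mistakes: a 'private' subnet on the public table,
    a private subnet handing out public IPs, and a NAT Gateway created in a private subnet."""
    subnets = [
        Subnet("subnet-pub-a", "public", True),
        Subnet("subnet-priv-a", "private", True),   # auto-assigns public IPs
        Subnet("subnet-db-a", "private", False),    # associated with the public table below
    ]
    tables = [
        RouteTable("rtb-public", {"10.0.0.0/16": "local", DEFAULT_ROUTE: "igw-0example"}, ["subnet-pub-a", "subnet-db-a"]),
        RouteTable("rtb-private", {"10.0.0.0/16": "local", DEFAULT_ROUTE: "nat-0example"}, ["subnet-priv-a"]),
    ]
    return subnets, tables, [NatGateway("nat-0example", "subnet-priv-a")]  # NAT in a private subnet


if __name__ == "__main__":
    for name, vpc in (("good", good_vpc()), ("bad", bad_vpc())):
        print(name, audit(*vpc) or ["no findings"])
```

Against real accounts the three input lists would be built from the describe calls; the audit deliberately treats a subnet with no explicit association as a finding instead of resolving the main route table, because relying on the main table is itself the kind of implicit routing that causes a subnet to end up in the wrong tier.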