Disable public internet connection for EC2 instances
Your question is unclear. Do you want the servers to not have access to the internet at all, or only when the VPN is connected? I'm going to assume all the time.
The typical way to do this is to use subnets. Your public subnet has a single server which terminates the VPN connection, passing packets to wherever they need to go. There's an internet gateway in this subnet. All other services are in your private subnet, and they have no route to the internet gateway. This is a very standard setup, so standard the VPC wizard can set it up for you.
You could potentially make one server a VPN based bastion and an outgoing NAT, if required.