A company has a VPC with an IPv6 address range and a public subnet with an IPv6 address block. The VPC currently hosts some public Amazon EC2 instances, but a security engineer needs to migrate a second application into the VPC that also requires IPv6 connectivity.
This new application will occasionally make API requests to an external, internet-accessible endpoint to receive updates. However, the security team does not want the application’s EC2 instance exposed directly to the internet. The security engineer intends to create a private subnet with a custom route table and to associate the route table with the private subnet.
What else does the security engineer need to do to ensure the application will not be exposed directly to the internet, but can still communicate as required?

A. Launch a NAT instance in the public subnet. Update the custom route table with a new route to the NAT instance.
B. Remove the internet gateway, and add AWS PrivateLink to the VPC. Then update the custom route table with a new route to AWS PrivateLink.
C. Add a managed NAT gateway to the VPC. Update the custom route table with a new route to the gateway.
D. Add an egress-only internet gateway to the VPC. Update the custom route table with a new route to the gateway.