The correct method to prevent direct Internet access to backend servers while allowing them to be accessed through the front-end interface (like a load balancer) is to configure the backend servers' security group to only permit inbound traffic from the security group attached to the load balancer. This setup ensures that requests can only reach the backend servers when routed through the load balancer, providing a secure architecture. Associating Elastic IP addresses to backend instances would make them publicly accessible, contrary to the requirements. Setting up the security group to allow SSH connections doesn't relate directly to the question of protecting against public internet access. Modifying route tables to direct traffic to a NAT gateway would not prevent the servers from being accessed if they are assigned public IP addresses; it's a solution more relevant to outbound internet access from private instances.