A company is expanding its on-premises data center into the cloud and wants to ensure that its cloud-based databases are not directly accessible from the internet while still allowing clients to reach the web servers. Which of the following actions would BEST secure its databases?
Creating a VPN connection from the internet to the database servers.
Placing the database servers in private subnets with routes to a NAT gateway.
Attaching an Internet Gateway to the subnet where the database servers reside.
Using a NACL to block all inbound internet traffic to the database servers.