I’m reading everywhere (including the official documentation) that an EC2 instance in a private subnet cannot be reached from the internet, even if it has a public IP.