amazon web services – Should app subnet have route table facing NAT or IGW

I am trying to set up a load balancer in front of my API instances. Before needing the load balancer, I simply had a public and a private subnet, the public one holding my API instance and the private one holding my DB, configured like this:

Public route table: facing IGW

Private route table: facing NAT (the NAT was attached to the public subnet)

I read in the AWS docs for setting up load balancing that with the Application Load Balancer I can configure an app subnet, which is private, and point the load balancer towards the public subnets, which then pass the traffic on to my private app subnets. This would give me the following architecture:

Public subnet: facing IGW

App (private) subnet: facing NAT (which is attached to the public subnet)

Data (private) subnet: facing NAT (which is attached to the app subnet?)

I am trying to figure this all out. The main problem I am dealing with now is the following:

I am able to SSH into a bastion instance sitting in my public subnet no problem, but when I SSH from the bastion to the instance sitting in my app subnet, the connection only works when the route table of my app subnet faces the IGW, not the NAT of the public subnet. Why is this the case?

I have tried the following:

Changed the route table to face:

  1. the security group of my bastion instance
  2. the NAT gateway attached to my public subnet
  3. the network interface attached to my bastion instance
  4. my bastion instance directly

Overall, I know I am missing something huge about this architecture. How is this configured? Should my app layer be private to begin with? Any help is greatly appreciated!
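The following is an added example, not part of the question above, that simulates how a VPC route table is evaluated for the three-tier layout the question describes (public subnet facing the IGW, app and data subnets facing the NAT). The VPC CIDR, subnet ranges and the `igw-EXAMPLE` / `nat-EXAMPLE` target names are constructed placeholders. It models two things every VPC route table has: the implicit `local` route for the VPC CIDR, and longest-prefix-match selection between routes. It also goes slightly beyond the question by evaluating both directions of the bastion-to-app SSH flow under the "app faces NAT" and "app faces IGW" variants, so the reader can see which hop the default route actually decides.

```python
"""Simulate AWS VPC route-table lookups for a public / app / data layout.

Added example for illustration; not taken from the question or from AWS.
All CIDRs, subnet names and route targets below are constructed.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed VPC layout (assumption: any RFC 1918 block behaves the same).
VPC_CIDR = "10.0.0.0/16"
SUBNETS = {
    "public": "10.0.1.0/24",  # bastion, NAT gateway, load balancer nodes
    "app": "10.0.2.0/24",     # API instances
    "data": "10.0.3.0/24",    # DB instances
}

# Every VPC route table carries an implicit "local" route covering the VPC
# CIDR. It cannot be deleted and, being the most specific match for any
# in-VPC address, always wins over the 0.0.0.0/0 default route.
LOCAL: Tuple[str, str] = (VPC_CIDR, "local")

Route = Tuple[str, str]            # (destination CIDR, target)
RouteTables = Dict[str, List[Route]]

# Route tables exactly as the question lays them out.
ROUTE_TABLES: RouteTables = {
    "public": [LOCAL, ("0.0.0.0/0", "igw-EXAMPLE")],
    "app": [LOCAL, ("0.0.0.0/0", "nat-EXAMPLE")],
    "data": [LOCAL, ("0.0.0.0/0", "nat-EXAMPLE")],
}


def resolve(routes: List[Route], dst_ip: str) -> Optional[str]:
    """Return the target of the longest-prefix route matching dst_ip."""
    dst = ipaddress.ip_address(dst_ip)
    best_net = None
    best_target = None
    for cidr, target in routes:
        net = ipaddress.ip_network(cidr, strict=False)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def next_hop(src_subnet: str, dst_ip: str,
             tables: RouteTables = ROUTE_TABLES) -> Optional[str]:
    """Target chosen by the route table of the subnet the packet leaves from."""
    return resolve(tables[src_subnet], dst_ip)


def with_app_default(target: str) -> RouteTables:
    """Copy of ROUTE_TABLES with the app subnet's 0.0.0.0/0 route repointed.

    Used to compare the 'app faces NAT' and 'app faces IGW' variants.
    """
    tables = {name: list(routes) for name, routes in ROUTE_TABLES.items()}
    tables["app"] = [LOCAL, ("0.0.0.0/0", target)]
    return tables


def ssh_path(bastion_ip: str, app_ip: str,
             tables: RouteTables = ROUTE_TABLES) -> Tuple[Optional[str], Optional[str]]:
    """(forward hop, return hop) for an SSH session bastion -> app instance.

    The forward packet is evaluated against the public route table, the
    reply against the app route table.
    """
    return (next_hop("public", app_ip, tables),
            next_hop("app", bastion_ip, tables))


if __name__ == "__main__":
    bastion, api_host = "10.0.1.5", "10.0.2.10"   # constructed addresses
    print("bastion -> app host:", ssh_path(bastion, api_host))
    print("same, app default via IGW:",
          ssh_path(bastion, api_host, with_app_default("igw-EXAMPLE")))
    print("app host -> internet:", next_hop("app", "198.51.100.7"))
    print("bastion -> internet:", next_hop("public", "198.51.100.7"))
```

In both variants the bastion-to-app hop and its reply resolve to `local`, because intra-VPC destinations never reach the `0.0.0.0/0` entry; only internet-bound traffic from the app subnet differs (NAT versus IGW). When an SSH hop inside the VPC behaves differently after only the default route changes, the routing table is therefore not the layer to examine first; security groups and network ACLs on both instances, and where the NAT gateway itself is placed, are the usual suspects. A NAT gateway provides internet egress only from a subnet whose own route table reaches the IGW, which is why it belongs in the public subnet rather than the app subnet.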