A healthcare company has developed a series of microservices for processing patient data, hosted on AWS. These microservices are accessed through REST APIs managed by Amazon API Gateway. To comply with healthcare regulations, the company needs to ensure that these APIs are only accessible from its internal application, which runs on an Amazon EC2 instance within its AWS VPC. The application must securely access these APIs without exposing them to the public internet.

Which step should a solutions architect take to ensure that the REST APIs are securely accessible by the internal application, while complying with the healthcare regulations?