A private subnet is reachable only from inside the network, and security group rules specify which traffic is allowed in from the Internet. The easiest way to give administrators access from the Internet is a bastion host. A bastion is a special-purpose server instance that is designed to be the primary access point from the Internet and that acts as a proxy to your other EC2 instances.

The procedure is: create a Windows EC2 instance and configure a security group rule that allows RDP access to it. Install and configure RD Gateway on that instance. Reconfigure the security groups of the RD Gateway instance and of all other Windows server instances so that only the intended connections are allowed (the other Windows servers should accept RDP only from the gateway, not from the Internet). Finally, verify that you can connect to your Windows instances through RD Gateway.
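The procedure above ends with "reconfigure security groups ... and verify". The following is an added example (not part of the original page) of the check a practitioner would run after that step: it audits a set of security groups, in the structure returned by the EC2 DescribeSecurityGroups API (the same JSON `aws ec2 describe-security-groups` prints), against the intended bastion design. It assumes the final layout is: the RD Gateway group accepts inbound traffic only from administrator CIDRs on the ports RD Gateway listens on (TCP 443 and optionally UDP 3391), the internal Windows group accepts RDP (TCP 3389) only from the gateway security group, and no group exposes RDP to 0.0.0.0/0. The group IDs, account ID and CIDRs in the sample data are constructed for the example.

```python
"""Audit security groups against an RD Gateway bastion design (added example)."""
from typing import Dict, List

RDP_PORT = 3389
RDGW_TCP_PORT = 443   # RD Gateway carries RDP inside HTTPS on TCP 443
RDGW_UDP_PORT = 3391  # optional UDP transport used by RD Gateway
INTERNET = ("0.0.0.0/0", "::/0")


def _covers(perm: Dict, proto: str, port: int) -> bool:
    """True if an IpPermissions entry applies to proto/port (or allows all traffic)."""
    if perm.get("IpProtocol") == "-1":
        return True
    if perm.get("IpProtocol") != proto:
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def _cidr_sources(perm: Dict) -> List[str]:
    return [r["CidrIp"] for r in perm.get("IpRanges", [])] + \
           [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]


def _group_sources(perm: Dict) -> List[str]:
    return [p["GroupId"] for p in perm.get("UserIdGroupPairs", [])]


def audit_bastion_design(groups: List[Dict], gateway_sg: str, internal_sg: str,
                         admin_cidrs: List[str]) -> List[str]:
    """Return a list of human-readable findings; an empty list means the design holds."""
    findings: List[str] = []
    by_id = {g["GroupId"]: g for g in groups}

    # 1. No group anywhere may expose RDP directly to the Internet.
    for sg_id, sg in by_id.items():
        for perm in sg.get("IpPermissions", []):
            if _covers(perm, "tcp", RDP_PORT) and any(c in INTERNET for c in _cidr_sources(perm)):
                findings.append(f"{sg_id}: RDP (tcp/{RDP_PORT}) open to the Internet")

    # 2. Internal Windows servers accept RDP only from the gateway group (source-group rule).
    internal = by_id.get(internal_sg)
    if internal is None:
        findings.append(f"{internal_sg}: internal group not found")
    else:
        for perm in internal.get("IpPermissions", []):
            if not _covers(perm, "tcp", RDP_PORT):
                continue
            cidrs = _cidr_sources(perm)
            if cidrs:
                findings.append(f"{internal_sg}: RDP allowed from CIDR {cidrs} rather than from {gateway_sg} only")
            for src in _group_sources(perm):
                if src != gateway_sg:
                    findings.append(f"{internal_sg}: RDP allowed from unexpected group {src}")

    # 3. The gateway group accepts inbound traffic only from administrator CIDRs.
    gateway = by_id.get(gateway_sg)
    if gateway is None:
        findings.append(f"{gateway_sg}: gateway group not found")
    else:
        for perm in gateway.get("IpPermissions", []):
            for cidr in _cidr_sources(perm):
                if cidr not in admin_cidrs:
                    findings.append(f"{gateway_sg}: inbound {perm.get('IpProtocol')}/{perm.get('FromPort')} "
                                    f"from non-admin source {cidr}")
    return findings


# Constructed sample data in DescribeSecurityGroups shape (not real resources).
GATEWAY_SG, INTERNAL_SG, ADMIN_CIDRS = "sg-0gateway", "sg-0internal", ["203.0.113.0/24"]

# State right after the first step: RDP opened to the world on both groups.
BEFORE = [
    {"GroupId": GATEWAY_SG, "GroupName": "rdgw-sg", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
    {"GroupId": INTERNAL_SG, "GroupName": "windows-internal-sg", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
]

# State after reconfiguring: gateway ports from admin CIDR only, RDP only via the gateway group.
AFTER = [
    {"GroupId": GATEWAY_SG, "GroupName": "rdgw-sg", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": RDGW_TCP_PORT, "ToPort": RDGW_TCP_PORT,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "UserIdGroupPairs": []},
        {"IpProtocol": "udp", "FromPort": RDGW_UDP_PORT, "ToPort": RDGW_UDP_PORT,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "UserIdGroupPairs": []}]},
    {"GroupId": INTERNAL_SG, "GroupName": "windows-internal-sg", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "IpRanges": [],
         "UserIdGroupPairs": [{"GroupId": GATEWAY_SG, "UserId": "123456789012"}]}]},
]


def before_findings() -> List[str]:
    return audit_bastion_design(BEFORE, GATEWAY_SG, INTERNAL_SG, ADMIN_CIDRS)


def after_findings() -> List[str]:
    return audit_bastion_design(AFTER, GATEWAY_SG, INTERNAL_SG, ADMIN_CIDRS)


if __name__ == "__main__":
    print("before:", *before_findings(), sep="\n  ")
    print("after:", after_findings() or "no findings")
```

To run this against a real account, replace the constructed lists with the `SecurityGroups` array from `aws ec2 describe-security-groups` output and set the gateway and internal group IDs and your administrator CIDRs. The source-group rule on the internal group corresponds to `aws ec2 authorize-security-group-ingress --group-id <internal-sg> --protocol tcp --port 3389 --source-group <gateway-sg>`, which is what makes the internal servers reachable only through the bastion.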