You are a cloud architect configuring the network architecture for a newly created project in Google Cloud Platform (GCP). The project will host applications using Compute Engine virtual machine (VM) instances. These instances will be deployed across two different subnets (sub-a and sub-b) within a single region:

• Instances in sub-a will have public IP addresses. • Instances in sub-b will have only private IP addresses.

For maintenance purposes, you need all instances, including those in sub-b, to be able to download updated packages from a public repository outside the boundaries of Google Cloud. What should you do to ensure that instances in sub-b can access the external repository while maintaining their private IP addresses?