A company has created a web service for language translation, hosted on a fleet of Amazon EC2 instances within an Auto Scaling group. These instances are deployed in a private subnet and are fronted by an Application Load Balancer (ALB). The web service handles requests with data sizes in the hundreds of megabytes.

The company must enable specific customers, each with their own AWS account, to access the web service. Access should be restricted to approved customers only, without exposing the service to all customers.

Which two-step combination will fulfill these requirements with the MINIMUM operational overhead? (Choose two.)