To enforce subnet-level isolation by routing traffic from instance-A (in one subnet) through a security appliance, instance-B (in another subnet), what should you do?

Options:
A. Create a more specific route than the system-generated subnet route, setting the next hop to instance-B without applying any tags.
B. Create a more specific route than the system-generated subnet route, setting the next hop to instance-B and applying a tag that matches instance-A.
C. Delete the system-generated subnet route and create a specific route to instance-B with a tag applied to instance-A.