You need to create two network segments: an untrusted subnet and a trusted subnet. You plan to deploy a virtual appliance, like a next-generation firewall (NGFW), to inspect all traffic between these segments. What is the correct network design to achieve this traffic inspection?