The architecture diagram shows how I have set up the application on AWS.
Everything works fine if the Application Server group and the Web Server group are in public subnets. However, when I have the app servers in a private subnet, all API calls time out, since there is no Internet Gateway attached to these subnets.
I would like the Node.js application servers to stay in the private subnet and the nginx web servers in the public subnet. The Application Load Balancer for the Web Server group is internet-facing, but the Application Load Balancer for the App Server group is internal, not internet-facing.
Is it possible to make this architecture work while still keeping the app servers in the private subnet?
The nginx setup is below.
    server {
        listen 80;
        listen [::]:80;
        server_name www.example.com;
        proxy_set_header X-Forwarded-Proto $scheme;
        if ( $http_x_forwarded_proto != 'https' ) {
            return 301 https://$host$request_uri;
        }
        location / {
            root /usr/share/nginx/html;
            index index.html index.htm;
            proxy_pass https://api.example.com;
        }
        error_page 404 /404.html;
        location = /404.html {
            root /usr/share/nginx/html;
        }
        # redirect server error pages to the static page /50x.html
        #
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root /usr/share/nginx/html;
        }
    }
    server {
        listen 443;
        listen [::]:443;
        server_name example.com;
        location / {
            proxy_pass http://api.example.com;
            root /usr/share/nginx/html;
            index index.html index.htm;
        }
    }
Route 53
A records setup:
    www.example.com  A  --  web server internet-facing load balancer DNS
    api.example.com  A  --  app server internal load balancer DNS
NACL setup
One NACL is set up for each subnet.
Inbound
Outbound
Security groups
    Web load balancer security group: allow all traffic on ports 80 and 443.
    Web server security group: allow all traffic on ports 80 and 443 from the web load balancer security group.
    Internal load balancer security group: allow all traffic on ports 80 and 443 from the web server security group, and on port 3000 from the app server security group.
    App server security group: allow traffic on port 3000 from the internal load balancer security group; 27017 to the MongoDB Atlas VPC peering connection; HTTPS to the VPC gateway endpoint for S3; 6379 to the Redis security group.
Is there a way I can keep the app servers in the private subnet and not have this connection time-out issue whenever any calls are made to api.example.com/abc endpoints?
Thanks for any help in advance.