What type of subnet allows indirect access to the public internet via "jump boxes"?

The correct choice is private subnet. A private subnet is designed to provide an environment where resources can reside without direct access to the internet. Instead, indirect access is typically facilitated through a jump box, also known as a bastion host. These jump boxes are strategically placed within a public subnet, allowing secure connections to resources in the private subnet.

When you want to access instances in a private subnet, you first connect to the jump box, which has public internet access. From there, you can securely manage or access the resources in the private subnet without exposing them directly to the public internet. This architecture enhances security by limiting the number of entry points and allowing for tighter control over inbound and outbound traffic.

In contrast, public subnets have resources that can be directly accessed from the internet, which are not typically ideal for sensitive instances that require restricted access. Hybrid and isolated subnets do not fit the criteria for providing indirect internet access in the manner that a jump box does for resources residing in private subnets.