Create another subnet named bastion, with CIDR block 172.31.112.0/20 in Availability Zone us-east-1a.
There is no need to assign a private route table to it, because the EC2 instances running in this subnet will be accessed by clients from the public internet.
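Before creating the subnet, it is worth confirming that 172.31.112.0/20 lies inside the VPC range and does not collide with a subnet that already exists. The check below is an added example, not part of the original walkthrough; the VPC range 172.31.0.0/16 and the list of existing subnets are assumed sample values, and `check_subnet` is a hypothetical helper name.

```python
import ipaddress

# AWS reserves the first four addresses and the last address of every subnet.
AWS_RESERVED_PER_SUBNET = 5

# Constructed sample values (assumptions): replace with your VPC's own ranges.
VPC_CIDR = "172.31.0.0/16"
EXISTING_SUBNETS = ["172.31.0.0/20", "172.31.16.0/20", "172.31.96.0/20"]


def check_subnet(vpc_cidr, existing_cidrs, new_cidr):
    """Return (problems, usable_hosts) for a planned subnet CIDR."""
    try:
        # strict=True rejects blocks with host bits set, e.g. 172.31.120.0/20.
        new = ipaddress.ip_network(new_cidr, strict=True)
    except ValueError as exc:
        return [f"invalid CIDR {new_cidr}: {exc}"], 0

    problems = []
    vpc = ipaddress.ip_network(vpc_cidr)
    # IPv4 subnets in a VPC must be sized between /16 and /28.
    if not 16 <= new.prefixlen <= 28:
        problems.append(f"{new} is not between /16 and /28")
    if not new.subnet_of(vpc):
        problems.append(f"{new} is outside the VPC range {vpc}")
    for cidr in existing_cidrs:
        other = ipaddress.ip_network(cidr)
        if new.overlaps(other):
            problems.append(f"{new} overlaps existing subnet {other}")

    usable = max(new.num_addresses - AWS_RESERVED_PER_SUBNET, 0)
    return problems, usable


if __name__ == "__main__":
    problems, usable = check_subnet(VPC_CIDR, EXISTING_SUBNETS, "172.31.112.0/20")
    if problems:
        for p in problems:
            print("PROBLEM:", p)
    else:
        print(f"bastion subnet OK, {usable} usable addresses")
```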