To securely enable a private subnet with a service gateway, what must you do?


To securely enable a private subnet with a service gateway, you must enable service CIDR labels for the gateway. Doing so allows the private subnet to route traffic to specific services in Oracle Cloud Infrastructure (OCI) without needing a public IP address or an internet connection. The service gateway provides access to OCI services such as Oracle Object Storage directly from the private subnet, maintaining a high level of security while the subnet interacts with those services.

By using service CIDR labels, you ensure that the traffic is managed through the service gateway, allowing secure communication with services that are designed to be accessed only from within the OCI environment, all while keeping the subnet private. This approach eliminates unnecessary exposure to the internet, aligning with best practices for cloud security.

In contrast, disabling internet access alone does not enable the desired interaction with OCI services, and attaching a public subnet would compromise the private nature of the subnet. Enabling default routes for all services is not specifically necessary for secure interaction with services, especially when the service gateway is set up correctly. Thus, enabling service CIDR labels is the most critical step in securing the private subnet's interaction with OCI services.
