This covers adding _private_ VPC Subnet objects to an instance by attaching them to their primary `NetworkInterface` object. We'll need to add a column to the `network_interface` table indicating that the subnet is attached to an instance (probably a nullable instance ID column), and then exclude the VPC Subnet when trying to create any other NICs in it. That is, you can use the VPC Subnet for VPC-private address allocation XOR as an attached subnet. We'll also need to update the `InstanceNetworkInterfaceCreate` parameter type, and add these subnets to the API view of the NIC and the data passed to the sled-agent. The sled-agent will simply allow traffic to and from that CIDR block, as we do with `transit_ips` today. We also need to include these attached subnets in the VPC's System Router, which will ultimately propagate those routes to the OPTE instances that need them through the existing VPC route-management background task.
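
The allocation-XOR-attachment rule described above, as an added in-memory sketch (not code from the project). The types `Vpc` and `Error` and every function name are hypothetical, and subnets and NICs are reduced to integer IDs; the real check would live in the database layer.

```rust
use std::collections::{BTreeMap, HashMap};

// All names here are hypothetical; this models the rule, not the real schema.
type SubnetId = u32;
type NicId = u32;

#[derive(Debug, PartialEq)]
pub enum Error {
    SubnetAttached { to_nic: NicId }, // subnet is attached, so no NIC may use it
    SubnetHasNics,                    // subnet is used for allocation, so no attach
    NoSuchNic,
}

#[derive(Default)]
pub struct Vpc {
    nics: HashMap<NicId, SubnetId>,      // NIC -> subnet its address comes from
    attached: BTreeMap<SubnetId, NicId>, // attached subnet -> NIC it is attached to
}

impl Vpc {
    /// Allocation side of the XOR: refuse if the subnet is attached anywhere.
    pub fn create_nic(&mut self, nic: NicId, subnet: SubnetId) -> Result<(), Error> {
        if let Some(&to_nic) = self.attached.get(&subnet) {
            return Err(Error::SubnetAttached { to_nic });
        }
        self.nics.insert(nic, subnet);
        Ok(())
    }

    /// Attachment side of the XOR: refuse if any NIC already lives in the subnet.
    pub fn attach_subnet(&mut self, nic: NicId, subnet: SubnetId) -> Result<(), Error> {
        self.nics.get(&nic).ok_or(Error::NoSuchNic)?;
        if let Some(&to_nic) = self.attached.get(&subnet) {
            return Err(Error::SubnetAttached { to_nic });
        }
        if self.nics.values().any(|s| *s == subnet) {
            return Err(Error::SubnetHasNics);
        }
        self.attached.insert(subnet, nic);
        Ok(())
    }

    /// Subnets attached to one NIC, in ID order: the set whose CIDR blocks
    /// would be passed along for the sled-agent to allow.
    pub fn attached_subnets(&self, nic: NicId) -> Vec<SubnetId> {
        self.attached.iter().filter(|(_, n)| **n == nic).map(|(s, _)| *s).collect()
    }
}
```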