Non public bastion

[supergibbs]

I don't need to access my bastion externally. My VPN gives me access to my VPCs private subnet but the public subnet requires the bastion. I deploy to the private subnets and it works fine, but it's assigning a public IP still. I don't think it's a risk but would be nice to expose a parameter to not assign a public IP.

Then it may make sense to rename PublicSubnet1ID/PublicSubnet2ID to just Subnet#ID and add a note in the docs.