
Support internal-facing gateways on AWS

Open r4victor opened this issue 2 months ago • 3 comments

Currently, dstack AWS gateways are instances with public IP addresses. Users may want to create an internal-facing gateway so that the gateway is only accessible via internal IP inside the VPC. Users would still assign a domain to the gateway that is publicly resolved, but it's resolved to internal IP. This is similar to the AWS internal load balancer.

The limitations of internal-facing gateways:

  • The dstack server must be deployed in the same VPC as gateways so that they can communicate.
  • The SSL certificates can't be renewed automatically via certbot since ACME providers cannot access the gateway. We could allow disabling https or ask users for SSL certificates that they can acquire via DNS, for example.

Next step would be to support internal-facing gateways in all providers that allow for that.

r4victor avatar Apr 25 '24 10:04 r4victor

I suggest the following interface to create internal-facing gateways:

  1. Users can specify the new gateway parameter visibility. By default, it's visibility: public. To create an internal-facing gateway, users specify visibility: private.
  2. Optionally, users can specify subnet_id for deploying the gateway in a specific subnet. The VPC is chosen according to the backend configuration.

r4victor avatar Apr 30 '24 05:04 r4victor

To issue SSL certificates for internal-facing gateways, we can use ACME DNS-01 challenge instead of HTTP-01 challenge used currently for public gateways. It will require creds/permissions to automatically manage the DNS records for the users' domains. The DNS-01 challenge is automated for many DNS providers: https://github.com/dehydrated-io/dehydrated/wiki

r4victor avatar Apr 30 '24 05:04 r4victor
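To make the DNS-01 proposal above concrete, here is an added example (not dstack code) that computes the `_acme-challenge` TXT record a CA expects for a domain and checks it the way the CA's validation would, per RFC 8555 §8.4 and RFC 7638; the domain, token and account JWK are constructed sample values, and the DNS lookup is simulated with an in-memory record set since the real step depends on the user's DNS provider.

```python
import base64
import hashlib
import json
from typing import Dict, List, Tuple

# Constructed sample inputs: the token is what the CA would hand out in the
# challenge object; the JWK stands in for the ACME account key (not a real key).
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
SAMPLE_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4",
    "y": "4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM",
}


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME requires everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members, sorted, no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def dns01_record(domain: str, token: str, account_jwk: dict) -> Tuple[str, str]:
    """Return (record name, TXT value) the gateway owner must publish for DNS-01.

    The key authorization is token.thumbprint; the TXT value is its SHA-256 in
    base64url. A wildcard name is validated at the base domain, so '*.' is dropped.
    """
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    base = domain[2:] if domain.startswith("*.") else domain
    name = "_acme-challenge." + base
    value = b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())
    return name, value


def ca_would_accept(domain: str, token: str, account_jwk: dict,
                    txt_records: Dict[str, List[str]]) -> bool:
    """Simulate the CA side: look up the challenge name and require a matching TXT value.

    txt_records maps a DNS name to the TXT strings it currently serves (simulated lookup).
    Unlike HTTP-01, nothing here needs to reach the gateway's IP, which is the point
    for an internal-facing gateway.
    """
    name, expected = dns01_record(domain, token, account_jwk)
    return expected in txt_records.get(name, [])
```

The value the CA checks depends on the account key, so each ACME account (and each renewal, via a fresh token) publishes a different record; the DNS credentials the comment mentions are only needed to write that one TXT record.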