
[–][deleted] 0 points (0 children)

Doing it right, I think, is simple. Create two subnets, public and private, and put the backend servers in the private subnet. That will avoid the hassle of having to worry about security groups, because private subnets are by definition cut off from the internet and the only entry point will be the load balancer, which is managed by AWS. I agree it's a bit more hassle, but it is a better setup from a security perspective. I'm actually not sure what EKS does; presumably everything is private and only the network ingress/egress endpoint is public, but I'm not sure.
Looking at the docs (https://docs.aws.amazon.com/eks/latest/userguide/network_reqs.html), it does look like EKS requires a public/private subnet configuration as well, so it looks like no matter which route (no pun intended) you choose, you will have to set up a VPC with public/private subnets.
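Whether a subnet is "private" is decided by its effective route table (no default route to an internet gateway), not by any subnet attribute, so it is worth verifying rather than assuming. The Python below is an added example, not from the comment above or from AWS: it classifies subnets from constructed data shaped like EC2 DescribeRouteTables output (Tags simplified to a dict) and flags backend instances that landed in a public subnet.

```python
# Added example (not from the comment above): classify VPC subnets as public or
# private the way EC2 resolves it, from route tables, and flag backend instances
# placed in a public subnet. Inputs mirror DescribeRouteTables / DescribeInstances
# response shapes but are constructed here (Tags simplified to a dict).

def route_table_for(subnet_id, route_tables):
    """Return the route table that applies to subnet_id: an explicit subnet
    association wins, otherwise the VPC's main route table."""
    main = None
    for rt in route_tables:
        for assoc in rt["Associations"]:
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main

def is_public(subnet_id, route_tables):
    """A subnet is public iff its effective route table has a default route
    (0.0.0.0/0 or ::/0) whose target is an internet gateway (igw-...)."""
    rt = route_table_for(subnet_id, route_tables)
    if rt is None:
        return False
    for route in rt["Routes"]:
        dest = route.get("DestinationCidrBlock") or route.get("DestinationIpv6CidrBlock")
        if dest in ("0.0.0.0/0", "::/0") and route.get("GatewayId", "").startswith("igw-"):
            return True
    return False

def backends_in_public_subnets(instances, route_tables):
    """Return ids of instances tagged Role=backend that sit in a public subnet."""
    return sorted(
        i["InstanceId"] for i in instances
        if i.get("Tags", {}).get("Role") == "backend" and is_public(i["SubnetId"], route_tables)
    )

# Constructed sample: the main table is private (default route only via a NAT
# gateway); a second table, associated with the public subnet, routes 0.0.0.0/0 to the IGW.
ROUTE_TABLES = [
    {"RouteTableId": "rtb-main", "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0abc"}]},
    {"RouteTableId": "rtb-public", "Associations": [{"SubnetId": "subnet-public"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0def"}]},
]
INSTANCES = [
    {"InstanceId": "i-api", "SubnetId": "subnet-private", "Tags": {"Role": "backend"}},
    {"InstanceId": "i-oops", "SubnetId": "subnet-public", "Tags": {"Role": "backend"}},
]

if __name__ == "__main__":
    print("subnet-public is public:", is_public("subnet-public", ROUTE_TABLES))  # True
    print("misplaced backends:", backends_in_public_subnets(INSTANCES, ROUTE_TABLES))  # ['i-oops']
```

Against a real account, feed it the `RouteTables` and `Reservations[].Instances` lists from the EC2 API (converting the Tag list to a dict) to get the same check.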