According to AWS documentation for NLB, it is layer 4 not layer 3. Also the backend or target servers are not required to be on a public subnet. As a matter of fact the IP address ranges of the target groups must be one of the following:
The following are the possible target types:
The targets are specified by instance ID.
The targets are specified by IP address.
When the target type is ip, you can specify IP addresses from one of the following CIDR blocks:
The subnets of the VPC for the target group
10.0.0.0/8 (RFC 1918)
100.64.0.0/10 (RFC 6598)
172.16.0.0/12 (RFC 1918)
192.168.0.0/16 (RFC 1918)
You can't specify publicly routable IP addresses.
I hope this helps.