Generally you will have 2 kinds of subnets in a VPC:

  1. Public subnet

    • has IGW and optionally NAT
    • 0.0.0.0/0 there points to the IGW
    • hosts (EC2 instances) must have public IP or elastic IP attached as they go directly to the internet
    • hosts can be contacted from the internet on this public/elastic IP (if Security Group permits)
  2. Private subnet

    • has no IGW or NAT
    • the 0.0.0.0/0 points to the NAT in the public subnet above
    • hosts only have a private IP and all outbound access is "masked" to the NAT gateway IP
    • hosts can initiate connections to the internet but can't be contacted from outside as they are "hidden" behind the NAT (Network Address Translation gateway).
    • without NAT configured, hosts won't have internet access

Hope that explains it :)
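The distinction above comes down to where each subnet's 0.0.0.0/0 route points, so it can be audited from route table data. The following is an added example, not part of the original answer: it classifies subnets from data shaped like the EC2 `DescribeRouteTables` response, assuming a single VPC; all IDs are constructed sample values and the function names are hypothetical.

```python
# Added example: classify subnets as public / private / isolated from
# EC2 DescribeRouteTables-shaped data. All IDs are constructed samples.

KIND = {"igw": "public", "nat": "private", None: "isolated"}

def default_route_target(route_table):
    """Return 'igw', 'nat' or None for where an active 0.0.0.0/0 route points."""
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if route.get("State") == "blackhole":
            continue  # target was deleted (e.g. NAT removed): no internet access
        if route.get("GatewayId", "").startswith("igw-"):
            return "igw"
        if route.get("NatGatewayId", "").startswith("nat-"):
            return "nat"
    return None

def classify_subnets(route_tables, subnet_ids):
    """Map each subnet ID to 'public', 'private' or 'isolated'."""
    explicit, main_kind = {}, "isolated"
    for rt in route_tables:
        kind = KIND[default_route_target(rt)]
        for assoc in rt.get("Associations", []):
            if assoc.get("Main"):
                main_kind = kind  # applies to subnets with no explicit association
            elif "SubnetId" in assoc:
                explicit[assoc["SubnetId"]] = kind
    return {s: explicit.get(s, main_kind) for s in subnet_ids}

LOCAL = {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}
SAMPLE_ROUTE_TABLES = [  # constructed sample input
    {"RouteTableId": "rtb-main", "Associations": [{"Main": True}], "Routes": [LOCAL]},
    {"RouteTableId": "rtb-pub", "Associations": [{"SubnetId": "subnet-aaa"}],
     "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0",
                        "GatewayId": "igw-0example", "State": "active"}]},
    {"RouteTableId": "rtb-priv", "Associations": [{"SubnetId": "subnet-bbb"}],
     "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0",
                        "NatGatewayId": "nat-0example", "State": "active"}]},
    {"RouteTableId": "rtb-stale", "Associations": [{"SubnetId": "subnet-ddd"}],
     "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0",
                        "NatGatewayId": "nat-0deleted", "State": "blackhole"}]},
]
SAMPLE_SUBNETS = ["subnet-aaa", "subnet-bbb", "subnet-ccc", "subnet-ddd"]

if __name__ == "__main__":
    for subnet, kind in classify_subnets(SAMPLE_ROUTE_TABLES, SAMPLE_SUBNETS).items():
        print(subnet, kind)
```

A subnet reported as public is where Security Group rules and public IP assignment deserve the closest review, since only those hosts can be reached from the internet.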