I set up a non-default VPC using the "Create VPC" rather than the "Create VPC Wizard" command button on the VPC service's home page in the AWS Management Console - that's because I will eventually automate the process using CloudFormation. I set up an Internet Gateway for the Public subnet and a NAT gateway to serve the private subnet. Then I created an Amazon Linux instance for each subnet.
I was able to ping www.columbia.edu from the instance on the Public subnet, but running "sudo yum update" on the instance in the Private subnet returned a message that the repo couldn't be found.
What went wrong?
The Custom Route Table for the Public subnet (the one with Main: No) has, as the last line of its "Routes" tab, the default route 0.0.0.0/0 -> igw-****, where igw-**** is the ID of the Internet Gateway. In the "Subnet Associations" tab, the Public subnet is explicitly associated with the Custom Route Table.
At this point, pinging www.columbia.edu from the instance in the Public subnet should succeed.
The Main Route Table (Main: Yes) has, as the last line of its "Routes" tab, the default route 0.0.0.0/0 -> nat-****, where nat-**** is the ID of the NAT Gateway. One more time: the private IP address of the NAT Gateway must be one of the private addresses of the Public subnet.
At this point, running "sudo yum update" on the instance in the private subnet should succeed.
If you are adding more public subnets, make sure to associate each newly added public subnet with the Internet Gateway - I think the Internet Gateway automatically does that but it doesn't hurt to verify.
If you are adding more private subnets, make sure to assign a brand new NAT Gateway to each newly added private subnet. Remember, if the AZ (Availability Zone) goes down, so does the NAT Gateway that serves the AZ.
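The checks in the answer above (public subnet defaults to an attached Internet Gateway, private subnet defaults to a NAT Gateway, and the NAT Gateway itself sits in a public subnet) can be run as code against the output of `describe_route_tables`, `describe_internet_gateways` and `describe_nat_gateways`. The script below is an added example written for this page, not code from the original poster or from AWS. It runs offline on constructed sample data that mirrors the shape of those boto3 responses; every ID in it (vpc-0abc, subnet-0pub, rtb-0custom, and so on) is made up. The second NAT Gateway list reproduces the mistake the answer warns about twice: a NAT Gateway placed in the private subnet, which black-holes outbound traffic because the NAT's own route to the internet goes back to itself.

```python
"""Offline layout check for a two-tier VPC (public + private subnet).

Added example; sample data is constructed in the shape of boto3's
describe_* responses and the IDs are hypothetical.
"""

VPC_ID = "vpc-0abc"            # hypothetical
PUBLIC_SUBNET = "subnet-0pub"  # hypothetical
PRIVATE_SUBNET = "subnet-0priv"

INTERNET_GATEWAYS = [
    {"InternetGatewayId": "igw-0aaa",
     "Attachments": [{"VpcId": VPC_ID, "State": "available"}]},
]

# Correct placement: the NAT Gateway lives in the public subnet.
NAT_GATEWAYS = [
    {"NatGatewayId": "nat-0bbb", "VpcId": VPC_ID,
     "SubnetId": PUBLIC_SUBNET, "State": "available"},
]

# The mistake the answer warns about: NAT Gateway created in the private subnet.
MISPLACED_NAT_GATEWAYS = [
    {"NatGatewayId": "nat-0bbb", "VpcId": VPC_ID,
     "SubnetId": PRIVATE_SUBNET, "State": "available"},
]

ROUTE_TABLES = [
    {   # Custom table (Main: No), explicitly associated with the public subnet
        "RouteTableId": "rtb-0custom", "VpcId": VPC_ID,
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0aaa", "State": "active"},
        ],
        "Associations": [{"Main": False, "SubnetId": PUBLIC_SUBNET}],
    },
    {   # Main table (Main: Yes); the private subnet falls back to it implicitly
        "RouteTableId": "rtb-0main", "VpcId": VPC_ID,
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0bbb", "State": "active"},
        ],
        "Associations": [{"Main": True}],
    },
]


def route_table_for(subnet_id, route_tables):
    """Table governing subnet_id: explicit association wins, else the Main table."""
    main = None
    for rt in route_tables:
        for assoc in rt["Associations"]:
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def default_route_target(rt):
    """Target of the active 0.0.0.0/0 route, or None if the subnet is isolated."""
    for route in rt["Routes"]:
        if route.get("DestinationCidrBlock") == "0.0.0.0/0" and route.get("State") == "active":
            return route.get("GatewayId") or route.get("NatGatewayId")
    return None


def classify_subnet(subnet_id, route_tables):
    """'public' (default via igw-), 'private' (via nat-), 'isolated' or 'other'."""
    target = default_route_target(route_table_for(subnet_id, route_tables))
    if target is None:
        return "isolated"
    if target.startswith("igw-"):
        return "public"
    if target.startswith("nat-"):
        return "private"
    return "other"  # e.g. transit gateway, peering or instance target


def check_vpc(vpc_id, public_subnets, private_subnets, route_tables, igws, nats):
    """Return a list of findings; an empty list means the layout is as intended."""
    findings = []
    attached_igws = {g["InternetGatewayId"] for g in igws
                     if any(a["VpcId"] == vpc_id and a["State"] == "available"
                            for a in g["Attachments"])}
    nats_by_id = {n["NatGatewayId"]: n for n in nats if n["VpcId"] == vpc_id}

    for subnet in public_subnets:
        target = default_route_target(route_table_for(subnet, route_tables))
        if target is None or not target.startswith("igw-"):
            findings.append(f"{subnet}: public subnet has no default route to an Internet Gateway (got {target})")
        elif target not in attached_igws:
            findings.append(f"{subnet}: default route points at {target}, which is not attached to {vpc_id}")

    for subnet in private_subnets:
        target = default_route_target(route_table_for(subnet, route_tables))
        if target is None or not target.startswith("nat-"):
            # An igw- target here would silently make the 'private' subnet public.
            findings.append(f"{subnet}: private subnet has no default route to a NAT Gateway (got {target})")
            continue
        nat = nats_by_id.get(target)
        if nat is None or nat["State"] != "available":
            findings.append(f"{subnet}: NAT Gateway {target} is missing or not available")
            continue
        if classify_subnet(nat["SubnetId"], route_tables) != "public":
            findings.append(f"{subnet}: NAT Gateway {target} is in {nat['SubnetId']}, "
                            "which has no route to an Internet Gateway; outbound traffic is black-holed")
    return findings


if __name__ == "__main__":
    args = (VPC_ID, [PUBLIC_SUBNET], [PRIVATE_SUBNET], ROUTE_TABLES, INTERNET_GATEWAYS)
    print("correct layout:", check_vpc(*args, NAT_GATEWAYS) or "OK")
    print("misplaced NAT: ", check_vpc(*args, MISPLACED_NAT_GATEWAYS))
```

To run this against a real account, replace the three constructed lists with the `RouteTables`, `InternetGateways` and `NatGateways` keys of the corresponding boto3 responses; the functions only read the fields shown above. The `classify_subnet` helper is also the quickest way to confirm the "add more subnets" advice at the end of the answer: any new subnet that is not explicitly associated with the custom table inherits the Main table, so it will classify as private by default.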