A VPC is a logical entity that spans all availability zones in the region where it was created. VPCs in turn consist of subnets which are logical segments of a VPC but unlike a VPC a subnet does not span availability zones, one or sore subnets may be created in each availability zone. Upon creating a subnet within a VPC you specify the availability zone and the IPv4 address from the defined VPC CIDR range. When you create resources they are allocated to one or more subnets.
When a VPC is created a IPv4 CIDR range is allocated with a /16 being the largest possible allocation. The size of the the CIDR block allocated in-turn determines the sizes of the subnets that can be allocated with a /28 being the smallest possible allocation. Attention should be paid to the design of the VPC or subnet architecture when determining allocations as AWS reserve some of the usable addresses within a subnet to provide network services and thus the usable addresses are actually less than what are available in pure networking terms.
As you maybe aware when you create a AWS account account a default VPC is created with one public subnet in each availability zone within a region. This default subnet is a /20 range.
VPCs support both IPv4 and IPv6 where IPv4 is mandatory an IPv6 association is optional. If you choose to use IPv6 you can associate it to an existing subnet and a fixed length /64 is assigned out of the /56 assigned to the VPC. When utilising IPv6 Amazon assign a /56 to each VPC out of their public GUA allocation. Although the IPv6 ranges are fixed length assignments when allocating a subnet you can specify the subnet identifier.
Subnets within a VPC are defined as private, public and VPN only. The internal IPv4 subnet is always private and not advertised to the internet whereas the IPv6 subnet is GUA and therefore public. As the names suggest a private subnet is not internet accessible although the IP allocations could be from public or RFC1918 address space. Public subnets are available on the internet and VPN only subnets are only reachable via VPN endpoints.