You'll need two subnets. One is public, and the other is private.
Public subnet
Public IP addresses can be enabled on the public subnet. It must have a NAT gateway as well as a route table:
Destination    Target
10.0.0.0/24    local
0.0.0.0/0      internet-gateway
Private subnet
The private subnet should be used for your private instance. A route table should be present on the subnet:
Destination    Target
10.0.0.0/24    local
0.0.0.0/0      nat-gateway-id
NACL
It is preferable to leave the default NACLs alone. It's quite easy to make a mistake with these. Only security groups should be used to control access to and from your instance.
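A check for the layout described above, as an added example that is not part of the original text: it reads route tables and NAT gateways in the shape returned by EC2's DescribeRouteTables and DescribeNatGateways, and flags a NAT gateway placed outside a public subnet or a private-instance subnet whose default route goes to an internet gateway. The function names and every ID are constructed for illustration.

```python
# Added example; every ID below is a constructed sample value.
# Dicts mirror the EC2 DescribeRouteTables / DescribeNatGateways response shape.
ROUTE_TABLES = [
    {"Associations": [{"SubnetId": "subnet-public"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/24", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-example"}]},
    {"Associations": [{"SubnetId": "subnet-private"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/24", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-example"}]},
]
NAT_GATEWAYS = [{"NatGatewayId": "nat-example", "SubnetId": "subnet-public"}]

def default_route_target(route_table):
    """Return 'igw', 'nat' or None for the table's 0.0.0.0/0 route."""
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if route.get("NatGatewayId"):
            return "nat"
        if (route.get("GatewayId") or "").startswith("igw-"):
            return "igw"
    return None

def classify_subnets(route_tables):
    """Map subnet id -> 'public', 'private' or 'isolated' by default route.
    Only explicit associations are read; subnets that fall back to the VPC's
    main route table are not covered here."""
    kinds = {"igw": "public", "nat": "private", None: "isolated"}
    result = {}
    for table in route_tables:
        kind = kinds[default_route_target(table)]
        for assoc in table.get("Associations", []):
            if assoc.get("SubnetId"):
                result[assoc["SubnetId"]] = kind
    return result

def audit(route_tables, nat_gateways, private_instance_subnets):
    """Return findings where the layout departs from the one described."""
    kinds = classify_subnets(route_tables)
    findings = []
    for nat in nat_gateways:
        if kinds.get(nat["SubnetId"]) != "public":
            findings.append(f"{nat['NatGatewayId']} sits in {nat['SubnetId']}, "
                            "which has no internet-gateway default route")
    for subnet in private_instance_subnets:
        if kinds.get(subnet) == "public":
            findings.append(f"{subnet} holds private instances but routes "
                            "0.0.0.0/0 to an internet gateway")
    return findings
```

Calling `audit(ROUTE_TABLES, NAT_GATEWAYS, ["subnet-private"])` on the sample data returns an empty list, since it matches the two route tables shown above.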