Instances within a VPC can communicate across subnets using private IP addresses, with traffic between subnets forwarded by a router. An instance can also connect to resources outside the VPC, such as a customer's datacenter, using a VPN or AWS Direct Connect. When troubleshooting connectivity issues between instances, you can use tcpdump to capture packets and ip route to confirm the routes. Security groups control inbound and outbound traffic to instances, while network ACLs filter traffic at the subnet level in a stateless manner.
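
The stateless behaviour of network ACLs is a common cause of the connectivity problems mentioned above, so here is an added example (not part of the original page) that traces one TCP request and its reply through a server's filters. It is a simplified model of the server side only; the addresses, ports, rule numbers and function names are constructed for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed sample values: a client in 10.0.1.0/24 calling a server on 443.
CLIENT = "10.0.1.10"
SG_IN = [("10.0.1.0/24", 443, 443)]                        # (cidr, lo, hi)
NACL_IN = [(100, "10.0.1.0/24", 443, 443, "allow")]        # (num, cidr, lo, hi, action)
NACL_OUT_MIRRORED = [(100, "10.0.1.0/24", 443, 443, "allow")]     # copies inbound
NACL_OUT_EPHEMERAL = [(100, "10.0.1.0/24", 1024, 65535, "allow")]  # reply ports

def nacl_allows(rules, peer_ip, port):
    """Stateless subnet filter: the lowest-numbered matching rule decides."""
    for _num, cidr, lo, hi, action in sorted(rules):
        if ip_address(peer_ip) in ip_network(cidr) and lo <= port <= hi:
            return action == "allow"
    return False  # implicit final deny when nothing matches

def sg_allows(rules, peer_ip, port):
    """Security group: allow rules only; unmatched traffic is dropped."""
    return any(ip_address(peer_ip) in ip_network(cidr) and lo <= port <= hi
               for cidr, lo, hi in rules)

def trace(sg_in, nacl_in, nacl_out, client_port=49152, server_port=443):
    """Follow one request and its reply through the server's filters."""
    # Request: inbound rules match the source address and destination port.
    if not nacl_allows(nacl_in, CLIENT, server_port):
        return "request dropped by NACL inbound"
    if not sg_allows(sg_in, CLIENT, server_port):
        return "request dropped by security group"
    # Reply: the security group tracks the connection, so the reply needs no
    # outbound rule. The NACL keeps no state and evaluates the reply as new
    # outbound traffic whose destination port is the client's ephemeral port.
    if not nacl_allows(nacl_out, CLIENT, client_port):
        return "reply dropped by NACL outbound"
    return "ok"

if __name__ == "__main__":
    print(trace(SG_IN, NACL_IN, NACL_OUT_MIRRORED))
    print(trace(SG_IN, NACL_IN, NACL_OUT_EPHEMERAL))
```

In the mirrored case, tcpdump on the server shows the request arriving and the reply leaving the interface, while a capture on the client never shows the reply; that asymmetry points at an outbound network ACL rule rather than a routing or security group problem.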