Amazon Virtual Private Cloud FAQs: "Q. How do instances without EIPs access the Internet?
Instances without EIPs can access the Internet in one of two ways
Instances without EIPs can route their traffic through a NAT instance to access the Internet. These instances use the EIP of the NAT instance to traverse the Internet. The NAT instance allows outbound communication but doesn't enable machines on the Internet to initiate a connection to the privately addressed machines using NAT, and
For VPCs with a Hardware VPN connection, instances can route their Internet traffic down the VPN Gateway to your existing datacenter. From there, it can access the Internet via your existing egress points and network security/monitoring devices."