Wednesday, November 30, 2016

Public and Private subnets in AWS

If a subnet's route table has a route to an Internet Gateway (typically a default route, 0.0.0.0/0, pointing at an igw-* gateway), the subnet is known as a public subnet.

If a subnet's route table has no route to an Internet Gateway, the subnet is known as a private subnet. Note that a subnet with no explicit route-table association uses the VPC's main route table, so the main table decides whether such a subnet is public or private.

Machines in a private subnet can reach the internet through a NAT gateway (or a NAT instance). The NAT gateway or instance lives in a public subnet and has a public (Elastic) IP address. It only forwards connections that were initiated from inside the VPC, so it gives private instances outbound access without making them reachable from the internet.

Can instances in private subnet have public IP addresses?

Yes, a public IP address can be assigned to an instance in a private subnet, but it is of no use.
Inbound traffic from the internet would hit the public IP of the instance, but the replies would be routed outward through the NAT gateway or instance. The NAT would either drop them (they are replies to connections it never saw initiated from inside, so they are deemed invalid) or rewrite them to use its own public IP address, which would not work either, because the external client does not accept replies from an IP address other than the one it was trying to talk to. Either way no connection can complete, so the public IP is wasted and usually a sign of a misconfigured subnet.
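The following is an added example (not part of the original post and not AWS code) that turns the two rules above into an audit check: it classifies each subnet as public or private from the route that its effective route table has for 0.0.0.0/0 or ::/0, falling back to the VPC's main route table when a subnet has no explicit association, and then flags the anti-pattern from the question just answered, an instance in a private subnet that carries a public IP. The route-table, subnet and instance records are constructed to resemble the relevant fields of `aws ec2 describe-route-tables` and `aws ec2 describe-instances` output; all IDs and addresses are made up, and the function names are my own.

```python
"""Classify VPC subnets as public/private and flag private instances with public IPs.

Added example, not from the original post. Input dicts are constructed
to mirror the relevant fields of describe-route-tables / describe-instances
output; every ID and address below is made up for illustration.
"""

# Constructed sample: the first table is the VPC's main route table (default
# route via a NAT gateway, no IGW). The second has an IGW default route and is
# explicitly associated with subnet-public1.
ROUTE_TABLES = [
    {
        "RouteTableId": "rtb-main",
        "Associations": [{"Main": True}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0abc"},
        ],
    },
    {
        "RouteTableId": "rtb-public",
        "Associations": [{"Main": False, "SubnetId": "subnet-public1"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0def"},
        ],
    },
]

# subnet-private1 has no explicit association, so it inherits rtb-main.
SUBNET_IDS = ["subnet-public1", "subnet-private1"]

# Constructed instances: i-oops is the anti-pattern discussed above.
INSTANCES = [
    {"InstanceId": "i-web", "SubnetId": "subnet-public1", "PublicIpAddress": "203.0.113.10"},
    {"InstanceId": "i-db", "SubnetId": "subnet-private1"},
    {"InstanceId": "i-oops", "SubnetId": "subnet-private1", "PublicIpAddress": "203.0.113.11"},
]


def has_igw_default_route(route_table):
    """True if the table sends the IPv4 or IPv6 default route to an Internet Gateway."""
    for route in route_table["Routes"]:
        dest = route.get("DestinationCidrBlock") or route.get("DestinationIpv6CidrBlock")
        gateway = route.get("GatewayId", "")
        if dest in ("0.0.0.0/0", "::/0") and gateway.startswith("igw-"):
            return True
    return False


def effective_route_table(subnet_id, route_tables):
    """An explicit subnet association wins; otherwise the VPC's main table applies.

    The implicit fallback is the usual audit mistake: a subnet with no
    association is public whenever the *main* table carries an IGW route.
    """
    main = None
    for table in route_tables:
        for assoc in table["Associations"]:
            if assoc.get("SubnetId") == subnet_id:
                return table
            if assoc.get("Main"):
                main = table
    return main


def classify_subnets(subnet_ids, route_tables):
    """Map each subnet id to 'public' or 'private'."""
    classes = {}
    for subnet_id in subnet_ids:
        table = effective_route_table(subnet_id, route_tables)
        classes[subnet_id] = "public" if table and has_igw_default_route(table) else "private"
    return classes


def private_instances_with_public_ip(instances, classes):
    """Instances that sit in a private subnet yet carry a public IP.

    Such an address cannot serve inbound traffic (replies leave via the NAT),
    so it is either a misconfiguration or a subnet that was meant to be public.
    """
    return sorted(
        inst["InstanceId"]
        for inst in instances
        if classes.get(inst["SubnetId"]) == "private" and inst.get("PublicIpAddress")
    )


if __name__ == "__main__":
    subnet_classes = classify_subnets(SUBNET_IDS, ROUTE_TABLES)
    print(subnet_classes)
    print(private_instances_with_public_ip(INSTANCES, subnet_classes))
```

To run this against a real account, replace the constructed lists with the parsed JSON from the two describe calls; the classification logic itself needs no change, and the main-table fallback is the part worth keeping, since that is where "accidentally public" subnets hide.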

Why create subnets in AWS VPC?

When you create a VPC, it spans all of the Availability Zones in the region. After creating a VPC, you can add one or more subnets in each Availability Zone. When you create a subnet, you specify the CIDR block for the subnet, which is a subset of the VPC CIDR block. 

Each subnet must reside entirely within one Availability Zone and cannot span zones. 

Availability Zones are distinct locations engineered to be isolated from failures in other Availability Zones. By launching instances in separate Availability Zones, you protect your application from the failure of a single location. AWS assigns a unique ID to each subnet.
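As an added example (not from the original post, and not AWS tooling), here is the usual way these constraints get applied in practice: carve the VPC CIDR into one public and one private subnet per Availability Zone, then validate that every subnet CIDR is a subset of the VPC block, that no two subnets overlap, and that each entry names a single AZ. The 10.0.0.0/16 VPC block, the AZ names and the function names are assumed for illustration; nothing here talks to AWS.

```python
"""Plan one public and one private subnet per AZ inside a VPC CIDR, and validate it.

Added example, not from the original post. The VPC block, AZ names and
function names are assumptions for illustration only.
"""
import ipaddress

# Assumed region layout for the example.
AVAILABILITY_ZONES = ["us-east-1a", "us-east-1b", "us-east-1c"]
VPC_CIDR = "10.0.0.0/16"


def plan_subnets(vpc_cidr, azs, new_prefix=24):
    """Return [{az, tier, cidr}, ...]: a public and a private subnet per AZ,
    allocated in order from non-overlapping /new_prefix blocks of the VPC."""
    vpc = ipaddress.ip_network(vpc_cidr)
    blocks = vpc.subnets(new_prefix=new_prefix)
    plan = []
    for az in azs:
        for tier in ("public", "private"):
            try:
                block = next(blocks)
            except StopIteration:
                raise ValueError(f"{vpc_cidr} has too few /{new_prefix} blocks for {len(azs)} AZs")
            plan.append({"az": az, "tier": tier, "cidr": str(block)})
    return plan


def usable_hosts(cidr):
    """AWS reserves the first four and the last address of every subnet."""
    return ipaddress.ip_network(cidr).num_addresses - 5


def validate_plan(vpc_cidr, plan):
    """Return a list of problems (empty means the plan is consistent).

    Checks the constraints from the text: each subnet CIDR is a subset of the
    VPC CIDR, subnets do not overlap, and each subnet names exactly one AZ.
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    problems = []
    seen = []
    for entry in plan:
        net = ipaddress.ip_network(entry["cidr"])
        if not net.subnet_of(vpc):
            problems.append(f"{net} is not within {vpc}")
        if not isinstance(entry.get("az"), str) or not entry["az"]:
            problems.append(f"{net} must name exactly one Availability Zone")
        for other in seen:
            if net.overlaps(other):
                problems.append(f"{net} overlaps {other}")
        seen.append(net)
    return problems


if __name__ == "__main__":
    layout = plan_subnets(VPC_CIDR, AVAILABILITY_ZONES)
    for entry in layout:
        print(entry["az"], entry["tier"], entry["cidr"], usable_hosts(entry["cidr"]), "usable hosts")
    print("problems:", validate_plan(VPC_CIDR, layout))
```

The validation half is the part worth reusing in a CI check for infrastructure code: overlapping or out-of-range subnet CIDRs are rejected by the API anyway, but catching them before the plan is applied avoids half-created stacks.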