When architecting your VPC, aim to layer your infrastructure across subnets. This lets you layer your security as well, with each subnet layer having its own defined set of restrictions. It also lets you group similar infrastructure together, which in turn lets you be more restrictive with each set of network ACL (NACL) and security group rules.
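The layering described above can be checked mechanically. The following is an added example, not code from the original page: it models inbound network ACL entries for three constructed tiers and reports any tier that can reach past the next layer down. The tier names, CIDRs, ports and the `nacl_allows` and `tier_skips` helpers are assumptions; security groups and return traffic are not modeled.

```python
import ipaddress

# Constructed layout: one subnet per tier, with inbound NACL entries only.
# Entry = (rule_number, source_cidr, port_from, port_to, action)
LAYERED = {
    "web": ("10.0.1.0/24", [(100, "0.0.0.0/0", 443, 443, "allow")]),
    "app": ("10.0.2.0/24", [(100, "10.0.1.0/24", 8080, 8080, "allow")]),
    "db":  ("10.0.3.0/24", [(100, "10.0.2.0/24", 5432, 5432, "allow")]),
}
# Same tiers, but the db NACL admits the whole VPC range (constructed weak variant).
FLAT = dict(LAYERED, db=("10.0.3.0/24", [(100, "10.0.0.0/16", 5432, 5432, "allow")]))


def nacl_allows(entries, src_ip, port):
    """NACL semantics: lowest rule number first, first match decides, else deny."""
    src = ipaddress.ip_address(src_ip)
    for _num, cidr, lo, hi, action in sorted(entries):
        if src in ipaddress.ip_network(cidr) and lo <= port <= hi:
            return action == "allow"
    return False  # the implicit final "*" deny rule


def tier_skips(layout, order):
    """Return (src, dst, port) where a tier reaches past the next tier in order."""
    findings = set()
    for i, src in enumerate(order):
        # Representative host: first usable address in the source subnet.
        host = str(next(ipaddress.ip_network(layout[src][0]).hosts()))
        for dst in order[i + 2:]:  # anything beyond the one permitted hop
            entries = layout[dst][1]
            for _num, _cidr, lo, hi, _action in entries:
                for port in {lo, hi}:
                    if nacl_allows(entries, host, port):
                        findings.add((src, dst, port))
    return sorted(findings)


if __name__ == "__main__":
    tiers = ["web", "app", "db"]
    print("layered:", tier_skips(LAYERED, tiers))
    print("flat:   ", tier_skips(FLAT, tiers))
```

In the layered layout the web tier cannot reach the database subnet directly, while the flat variant reports `web -> db` on port 5432 because the database NACL trusts the entire VPC range.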