
Our networking group reserved a segment of private IP addresses for use solely in AWS and our VPN. We set up the VPC to use that reserved IP space so that access to the AWS infrastructure would be similar to access to our on-premises infrastructure. Other groups on campus within the M Cloud service have full control over their VPC's IP space.


Security between on-premises datacenter and AWS datacenter (SS - beefing)

Firewalling can be done on either side of a VPN tunnel (if one is established). Without a VPN, it can also be done on either side using traditional CIDR-block rules.

 

In M Cloud, each "customer" has their own AWS account, and there is no inherent relationship between accounts. Eventually, we expect either to launch new customer accounts into a secured area in our central VPC or to explore a multi-account configuration using something like VPC Peering. Apart from customer account isolation, we haven't seen a compelling case for using VPC architecture as a security mechanism.
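Because groups control their own VPC IP space, a peering or CIDR-firewall plan has to start with an address audit: AWS will not create a VPC peering connection between VPCs whose CIDR blocks overlap, and a firewall rule written against the reserved segment only matches VPCs inside it. The following is an added example, not part of the original page; every CIDR and account name in it is a constructed placeholder.

```python
import ipaddress
from itertools import combinations

# Constructed sample values (assumptions, not taken from the page).
RESERVED_SEGMENT = ipaddress.ip_network("10.200.0.0/16")  # set aside for AWS + VPN
ON_PREM = [ipaddress.ip_network("10.0.0.0/12")]           # campus datacenter ranges
CENTRAL_VPC = ipaddress.ip_network("10.200.0.0/20")
CUSTOMER_VPCS = {
    "acct-a": "10.200.16.0/20",   # inside the reserved segment, no conflicts
    "acct-b": "172.31.0.0/16",    # self-chosen range
    "acct-c": "10.200.8.0/21",    # overlaps the central VPC
    "acct-d": "10.8.0.0/16",      # collides with on-premises space
    "acct-e": "172.31.128.0/17",  # overlaps acct-b
}

def audit_peering(central, on_prem, customers):
    """Return {account: [reasons]} for VPCs whose CIDR blocks peering or routing."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in customers.items()}
    findings = {name: [] for name in nets}
    for name, net in nets.items():
        if not net.is_private:
            findings[name].append("not private address space")
        if net.overlaps(central):
            findings[name].append(f"overlaps central VPC {central}")
        for prem in on_prem:
            if net.overlaps(prem):
                findings[name].append(f"overlaps on-premises range {prem}")
    # Customer VPCs must also be disjoint from each other in a peered mesh.
    for (a, net_a), (b, net_b) in combinations(nets.items(), 2):
        if net_a.overlaps(net_b):
            findings[a].append(f"overlaps {b} ({net_b})")
            findings[b].append(f"overlaps {a} ({net_a})")
    return {name: reasons for name, reasons in findings.items() if reasons}

def covered_by_reserved_rule(reserved, customers):
    """Accounts whose whole VPC is matched by a rule on the reserved CIDR."""
    return sorted(name for name, cidr in customers.items()
                  if ipaddress.ip_network(cidr).subnet_of(reserved))

if __name__ == "__main__":
    for account, reasons in audit_peering(CENTRAL_VPC, ON_PREM, CUSTOMER_VPCS).items():
        print(account, "->", "; ".join(reasons))
    print("matched by reserved-segment rule:",
          covered_by_reserved_rule(RESERVED_SEGMENT, CUSTOMER_VPCS))
```

Accounts missing from the second list need their own explicit CIDR entries in any on-premises firewall policy, since a rule on the reserved segment will not match them.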

