Deployment architecture
The BlastShield Gateway AMI can be deployed inside your VPC, where it protects any EC2 or RDS instances in the VPC that you configure as Endpoints. The Endpoints do not need to be in the same subnet as the Gateway; they need only be reachable by the Gateway.
