From most of the documentation, what I understand is that Lambda is by
default launched in default VPC and can access internet from there but
no resources inside a "VPC".
That is incorrect. By default Lambda is not launched in a VPC at all. Or if it is in a VPC it is in one that you cannot see because it doesn't exist in your AWS account.
what if I placed the Lambda and RDS both in default VPC, lambda in a
public subnet with --vpc-config info and RDS in a private subnet, will
my Lambda have the internet connection?
No, your Lambda function will not have internet access, even in a public subnet. This is because it is never assigned a public IP address. Once you place a Lambda function inside a VPC you have to have a NAT gateway in order to for the Lambda function to access anything outside the VPC.
Even when everything is in default subnet, should I put my lambda
function in to a private subnet with Internet access through an Amazon
VPC NAT gateway?
Yes, that is the correct way to provide a Lambda function with access to both a VPC and resources that exist outside the VPC.
Also note that DynamoDB (and the AWS API) does not run in your VPC. So if you place a Lambda function inside your VPC that needs to access DynamoDB, or anything else that is accessed via the AWS API, you will have to add a NAT gateway to the VPC.
Note that the "Default VPC" is the term for a the VPC that is setup for you when you first create your AWS account. You can see this VPC in your account in the VPC service console. Aside from it being created for you with default settings, you should just think of this as another VPC in your account. The Default VPC is not used by Lambda when you don't specify a VPC, and it is not used by other services like DynamoDB that exist outside your VPC network.
