Hey Brian and Kyle,
Sorry I didn't respond to this sooner. Kyle is correct - there is currently an outstanding issue that requires you define VPC configuration on a per-host basis. There is an open pull request to address this that hasn't been merged yet.
vpc_alias is just a human-readable unique identifier for your VPC. Think of this as analogous to an instance alias. If no VPC with a RubberVpcAlias AWS tag of this name exists, Rubber will automatically create it for you.
vpc_cidr is the IP Range that all of your subnets will fall under.
At the instance level, under the private_nic configuration, subnet_cidr is the IP subnet the instance should be created in. If this Subnet doesn't already exist, Rubber will create it for you. An important thing to keep in mind is that AWS requires that all instances in a given Subnet be in the same availability zone, so keep then in mind when creating instances. The gateway configuration should be either the word "public", or the instance id of a NAT Gateway. The difference here is that with a value of "public", Rubber will create an Internet Gateway for this subnet if one doesn't already exist, which makes the subnet publicly accessible. This is where things like your load balancers should go; anything that needs to be reached by the outside world. A gateway value of an instance id will designate the subnet as private, and instances on this subnet will connect to the outside world via the NAT Gateway. Also note that we provide a nat_gateway template in Rubber, so a "rubber vulcanize nat_gateway" will install base configuration for a NAT Gateway. One can then be created like you would a machine with any other role - rubber create, bootstrap, deploy, making sure the machine has the nat_gateway role. Ideally, you should put any instances that don't need to accept connections from the outside world in a private subnet - database servers, app servers (since your load balancer would be in the public subnet), etc. Note that by default, within a given VPC, security groups rules exist so that all subnets, public or private, can communicate with one another.
Let me know if you have any other questions. While this is a very new feature, I admit we could have done a better job documenting it. I will hopefully get the wiki updated at some point this week.