GameLift is running in a VPC owned and managed by the service. This VPC is not visible in your AWS account. If you have a need to enable private connectivity between the GameLift server fleets and backend running in your own VPC you can then use VPC Peering. This lets you connect to your backends using private IP addresses.
UE4 doesn't package the server and client code together if you don't want to. In my understanding there is a way to separate server-only code from the client code. Allowing you to define the what kind of build you are doing and what parts of code is even included. I believe the terminology in UE4 is Cook and Packaging. When searching UE Dev Community forums I found at least one post describing how to disable server-only code from client builds.
Even without splitting the code, your Client to Game Server backend should be secured by using known methods such as Oauth and JWTs. As for your server to backend communicate you could use shared secret or some other method to validate that it's a server under your control calling and not something else on the internet.
Amazon Gamelift: How to tell what VPC the servers are running in - Verifying Servers' access to backend servicesasked a month ago
Persistent Servers - GameLift or EC2 Only? (newb questions)asked 2 years ago
Have an Alexa skill access private backend services or resourcesAccepted Answerasked 6 years ago
Running Steam-enabled servers on GameLiftasked 2 years ago
Need to know what services is provided by gameliftasked 2 years ago
GameLift SDK Updates for Unreal 4.26 and Realtime Serversasked a year ago
GitHub repository for Realtime Servers?Accepted Answerasked 2 years ago
Gamelift with Apple Gamecenter and Google Play ServicesAccepted Answerasked 2 years ago
How to Enable Fleet Autoscaling in Gamelift?asked 10 days ago
What exactly is the difference between Custom vs Realtime servers in gamelift?asked 9 months ago