GameLift is running in a VPC owned and managed by the service. This VPC is not visible in your AWS account. If you need to enable private connectivity between the GameLift server fleets and a backend running in your own VPC, you can use VPC Peering. This lets you connect to your backends using private IP addresses.
UE4 doesn't package the server and client code together if you don't want it to. In my understanding there is a way to separate server-only code from the client code, allowing you to define what kind of build you are doing and what parts of the code are even included. I believe the terminology in UE4 is Cook and Packaging. When searching the UE Dev Community forums I found at least one post describing how to disable server-only code from client builds.
Even without splitting the code, your Client to Game Server backend should be secured by using known methods such as OAuth and JWTs. As for your server-to-backend communication, you could use a shared secret or some other method to validate that it's a server under your control calling and not something else on the internet.
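One way the shared-secret check for server-to-backend calls could look, as an added example that is not part of the original answer: the game server signs each request with HMAC-SHA256 and the backend verifies the signature, freshness and nonce. The function names, the `/match/result` path, the 60-second window and the secret value are all assumptions made for illustration.

```python
import hashlib
import hmac
import time

# Constructed sample secret; a real one comes from a secrets store on the
# server fleet and is never compiled into the client build.
SHARED_SECRET = b"constructed-example-secret"
MAX_SKEW_SECONDS = 60  # assumed freshness window


def sign_request(secret, method, path, body, timestamp, nonce):
    """Game server side: HMAC-SHA256 over everything the backend will act on."""
    body_hash = hashlib.sha256(body).hexdigest()
    fields = [method.upper(), path, str(timestamp), nonce, body_hash]
    return hmac.new(secret, "\n".join(fields).encode(), hashlib.sha256).hexdigest()


def verify_request(secret, method, path, body, timestamp, nonce, signature,
                   now=None, seen_nonces=None):
    """Backend side: return (accepted, reason)."""
    now = int(time.time()) if now is None else now
    if abs(now - timestamp) > MAX_SKEW_SECONDS:
        return False, "stale timestamp"
    expected = sign_request(secret, method, path, body, timestamp, nonce)
    # Constant-time comparison; encoding first avoids a TypeError on non-ASCII input.
    if not hmac.compare_digest(expected.encode(), signature.encode()):
        return False, "bad signature"
    # Reject a captured request resent inside the freshness window.
    if seen_nonces is not None:
        if nonce in seen_nonces:
            return False, "replayed nonce"
        seen_nonces.add(nonce)
    return True, "ok"


if __name__ == "__main__":
    body = b'{"match_id": "constructed-123", "winner": "team-a"}'  # constructed
    ts, nonce, seen = int(time.time()), "n-0001", set()
    sig = sign_request(SHARED_SECRET, "POST", "/match/result", body, ts, nonce)
    print(verify_request(SHARED_SECRET, "POST", "/match/result", body, ts, nonce, sig, seen_nonces=seen))
    print(verify_request(SHARED_SECRET, "POST", "/match/result", body, ts, nonce, sig, seen_nonces=seen))
```

Because the secret only proves the caller holds it, it belongs in the server-only build or in the fleet's runtime configuration, not in anything shipped to players.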