You've got the gist of it, but you probably want to read about NAT and iptables.
The source/destination check is important, but implementation-specific here. Google Cloud does it like this: https://cloud.google.com/vpc/docs/using-routes#canipforward
From the VPC perspective, the key here is understanding that subnets within VPCs have route tables that determine where traffic from your subnet goes next. In this case, traffic to the internet is sent to an interface on the NAT instance.
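
A simplified model of the two points in the reply above, the subnet route table choosing the next hop and the source/destination check on the NAT instance's interface. This is an added example, not part of the original reply; the addresses, route target name and function names are constructed assumptions, and the check is a simplification of what a cloud provider enforces.

```python
import ipaddress

# Constructed sample values: addresses and the interface name are illustrative.
PRIVATE_SUBNET_ROUTES = [
    ("10.0.0.0/16", "local"),           # traffic inside the VPC stays local
    ("0.0.0.0/0", "nat-instance-eni"),  # everything else goes to the NAT instance
]
NAT_INSTANCE_IP = "10.0.0.5"


def next_hop(route_table, dst_ip):
    """Longest-prefix match: the most specific route containing dst_ip wins."""
    dst = ipaddress.ip_address(dst_ip)
    matches = [
        (ipaddress.ip_network(cidr), target)
        for cidr, target in route_table
        if dst in ipaddress.ip_network(cidr)
    ]
    if not matches:
        return None  # no route: the packet is dropped
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def interface_accepts(own_ip, src_ip, dst_ip, forwarding_allowed):
    """Simplified source/destination check.

    With the check on (forwarding_allowed=False) the interface only handles
    packets it sent or that are addressed to it. A NAT instance forwards
    packets on behalf of other hosts, so the check has to be off for it.
    """
    if forwarding_allowed:
        return True
    return own_ip in (src_ip, dst_ip)


def deliver(src_ip, dst_ip, forwarding_allowed):
    """Trace one packet from a private-subnet host and report what happens."""
    hop = next_hop(PRIVATE_SUBNET_ROUTES, dst_ip)
    if hop is None:
        return "dropped: no route"
    if hop == "local":
        return "delivered inside VPC"
    if not interface_accepts(NAT_INSTANCE_IP, src_ip, dst_ip, forwarding_allowed):
        return "dropped: source/destination check"
    return f"forwarded by {hop} (source NAT applied)"
```
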