Traffic on individual VLANs is delivered only to the applications assigned to each VLAN, providing a level of security. Each VLAN is a separate collision domain, and broadcasts are limited to a single VLAN. Blocking broadcasts from reaching applications connected to other VLANs eliminates the need for those applications to waste processing cycles on broadcasts not intended for them.
VLANs operate at Layer 2, the link layer, and can be limited to a single physical link or extended across multiple physical links by connecting to Layer 2 switches. Because each VLAN is a collision domain and Layer 3 switches terminate collision domains, VLAN segments can't be connected by a router. Essentially, a single VLAN can't span multiple subnets.
Subnet segments connect via switches. It's common to connect components of an application executing on multiple servers by placing them on a single VLAN and subnet. For example, a single subnet and VLAN may be dedicated to the accounting department, but if department members are too far apart for a single Ethernet cable, switches connect the different Ethernet links that carry the VLAN and subnet, while VLAN routers connect the subnet to the rest of the network.
VLAN trunk links carry more than one VLAN, so packets on a trunk carry additional information to identify its VLAN. Access links carry a single VLAN and don't include this information. Bits are removed from the packet connected to the access link, so a connected port receives just a standard Ethernet packet.