About This Architecture
This AWS Transit Gateway hub-and-spoke architecture connects a production spoke VPC (DRIV2-Prod) to on-premises metro train networks through a centralized inspection VPC in the Nexus-Prod hub account. Traffic flows from EC2/ECS app servers through NAT Gateways, a Transit Gateway with three route tables (Spoke-RT, Inspection-RT, VPN-RT), AWS Network Firewall endpoints in appliance mode across three availability zones, and a Site-to-Site VPN with dual-tunnel HA to reach metro train endpoints and onboard WiFi systems.

The design demonstrates defense-in-depth for OT environments: security groups restrict outbound traffic to the forward proxy IPs, NACLs limit egress to the on-prem CIDRs, Network Firewall enforces stateful IPS and domain filtering on HTTPS/443, and on-premises firewalls provide Layer 5 inspection before traffic reaches the metro train OT segment.

Fork this diagram on Diagrams.so to customize route tables, add spoke VPCs, modify firewall rules, or export it as .drawio for network documentation. It is an ideal reference for hybrid cloud architects balancing centralized security inspection with high-availability requirements for critical infrastructure connectivity.
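The property that makes this layout work is route symmetry: Spoke-RT and VPN-RT both steer traffic to the inspection attachment, and only Inspection-RT carries the real next hops, so a stateful firewall sees both halves of every spoke-to-on-prem connection. The Python model below is an added example written for this page; it is not the diagram's own configuration or any AWS API. The route table names come from the page, while the CIDRs, attachment identifiers and individual route entries are constructed assumptions that follow the usual centralized-inspection pattern. It performs longest-prefix-match lookups per Transit Gateway route table, traces a packet in each direction, and flags a route table that lets spoke traffic bypass the firewall.

```python
from ipaddress import ip_address, ip_network

# Constructed values (assumptions): the page names the VPCs and route tables
# but not their address ranges or attachment IDs.
SPOKE_CIDR = "10.10.0.0/16"        # DRIV2-Prod spoke VPC
INSPECTION_CIDR = "10.0.0.0/16"    # inspection VPC in the Nexus-Prod hub account
ONPREM_CIDR = "192.168.0.0/16"     # metro train / on-premises networks behind the VPN

ATTACH_SPOKE = "tgw-attach-spoke"
ATTACH_INSPECTION = "tgw-attach-inspection"
ATTACH_VPN = "tgw-attach-vpn"

# Which attachment a destination prefix ultimately belongs to (where the packet leaves the TGW).
OWNERS = [
    (SPOKE_CIDR, ATTACH_SPOKE),
    (INSPECTION_CIDR, ATTACH_INSPECTION),
    (ONPREM_CIDR, ATTACH_VPN),
]

# Attachment -> associated TGW route table (table names from the page).
ASSOCIATION = {
    ATTACH_SPOKE: "Spoke-RT",
    ATTACH_INSPECTION: "Inspection-RT",
    ATTACH_VPN: "VPN-RT",
}

# Assumed route entries: spoke and VPN both default to the inspection VPC,
# and only Inspection-RT knows the real next hop for each side.
ROUTE_TABLES = {
    "Spoke-RT": [("0.0.0.0/0", ATTACH_INSPECTION)],
    "Inspection-RT": [(SPOKE_CIDR, ATTACH_SPOKE), (ONPREM_CIDR, ATTACH_VPN)],
    "VPN-RT": [("0.0.0.0/0", ATTACH_INSPECTION)],
}


def longest_prefix_match(routes, dst):
    """Return the target of the most specific route covering dst, or None when no route matches."""
    addr = ip_address(dst)
    best = None
    for cidr, target in routes:
        net = ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def owner_of(dst):
    return longest_prefix_match(OWNERS, dst)


def trace_path(ingress_attachment, dst, tables=ROUTE_TABLES, max_hops=6):
    """Follow one packet through the Transit Gateway and return the attachments it crosses.

    Each hop looks dst up in the route table associated with the attachment the packet
    arrived on and forwards to the resulting attachment. Unless that attachment owns dst,
    the packet is treated as re-entering the TGW from there (the firewall hairpin), so the
    next lookup uses that attachment's table.
    """
    path = [ingress_attachment]
    current = ingress_attachment
    for _ in range(max_hops):
        if current == owner_of(dst):
            return path
        nxt = longest_prefix_match(tables[ASSOCIATION[current]], dst)
        if nxt is None:
            return path + ["BLACKHOLE"]
        path.append(nxt)
        current = nxt
    return path + ["LOOP"]


def spoke_to_onprem_inspected(tables=ROUTE_TABLES):
    """True only if a spoke<->on-prem flow crosses the inspection attachment in BOTH directions.

    A stateful firewall that sees only one direction cannot track the connection, so a
    one-sided path is a misconfiguration even though packets still get delivered.
    """
    forward = trace_path(ATTACH_SPOKE, "192.168.5.10", tables)  # app server -> metro train endpoint
    reverse = trace_path(ATTACH_VPN, "10.10.1.20", tables)      # on-prem -> app server (or replies)
    return ATTACH_INSPECTION in forward and ATTACH_INSPECTION in reverse


# Misconfiguration to detect: a more specific on-prem route placed in Spoke-RT wins the
# longest-prefix match and sends spoke traffic straight to the VPN, skipping the firewall.
BYPASS_TABLES = dict(ROUTE_TABLES, **{
    "Spoke-RT": [(ONPREM_CIDR, ATTACH_VPN), ("0.0.0.0/0", ATTACH_INSPECTION)],
})


if __name__ == "__main__":
    print("spoke -> on-prem:", " -> ".join(trace_path(ATTACH_SPOKE, "192.168.5.10")))
    print("on-prem -> spoke:", " -> ".join(trace_path(ATTACH_VPN, "10.10.1.20")))
    print("inspected both ways:", spoke_to_onprem_inspected())
    print("with bypass route:", " -> ".join(trace_path(ATTACH_SPOKE, "192.168.5.10", BYPASS_TABLES)),
          "| inspected:", spoke_to_onprem_inspected(BYPASS_TABLES))
```

The model only captures which attachments a flow crosses; it does not model AZ affinity, which is what appliance mode on the inspection VPC attachment provides so that both directions of a flow hit the same firewall endpoint. A check like `spoke_to_onprem_inspected` is the kind of assertion worth running against exported route tables whenever a spoke VPC or a route is added.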