AWS Hub-Spoke TGW Network with OT-IT Segmentation
About This Architecture
Hub-and-spoke network architecture that uses AWS Transit Gateway to connect on-premises IT and OT networks to cloud workloads with strict segmentation. Traffic from the spoke VPC (10.1.0.0/16) is routed by the Transit Gateway to a centralized AWS Network Firewall in the hub VPC (10.0.0.0/16), so every flow is inspected before it crosses the Site-to-Site VPN to on-premises. This only holds if the spoke and VPN attachments are associated with a Transit Gateway route table whose sole route is a default route to the inspection VPC attachment, with no direct spoke-to-spoke or spoke-to-VPN routes that would bypass the firewall. On-premises, the IT VLAN 10 (192.168.10.0/24) is separated from the OT VLAN 20 (192.168.20.0/24) by proxy servers and demarcation firewalls, which block direct IT-to-OT access while allowing narrowly scoped cloud-to-OT communication. Because that cloud-to-OT path exists, the OT network is isolated rather than truly air-gapped, and the on-premises demarcation firewall, not the cloud firewall, is what enforces the IT/OT boundary for traffic that never leaves the site. This design addresses industrial and critical infrastructure requirements for zero-trust segmentation between corporate IT systems and operational technology such as SCADA, PLCs, and HMIs. Fork this AWS Transit Gateway diagram on Diagrams.so to customize CIDR blocks, add spoke VPCs, or integrate AWS Security Hub findings into your compliance documentation.
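The following Terraform is an added example of the cloud half of this design; it is not part of the Diagrams.so diagram or its generated output. It shows the two Transit Gateway route tables that force spoke and VPN traffic through the inspection VPC, and a strict-order Network Firewall rule group that permits one cloud-to-OT flow and drops everything else bound for the OT range. The variable names (var.hub_vpc_id, var.spoke_vpc_id, the subnet lists), the aws_customer_gateway.onprem resource, the hub VPC route tables that hand traffic between the TGW subnets and the firewall endpoints, the aws_networkfirewall_firewall resource itself, and the Modbus/TCP (port 502) flow used as the single permitted cloud-to-OT service are all assumptions chosen for the example; the page specifies none of them.

```hcl
# Added example, not the diagram's own configuration. Assumed to exist elsewhere:
# var.hub_vpc_id, var.hub_tgw_subnet_ids, var.spoke_vpc_id, var.spoke_tgw_subnet_ids,
# aws_customer_gateway.onprem, the aws_networkfirewall_firewall in the hub VPC, and the
# hub VPC route tables (TGW subnets -> firewall endpoints, firewall subnets -> TGW).

resource "aws_ec2_transit_gateway" "hub" {
  # Disable the default table so a new attachment is reachable by nothing until
  # it is explicitly associated with one of the two tables below.
  default_route_table_association = "disable"
  default_route_table_propagation = "disable"
}

resource "aws_ec2_transit_gateway_vpc_attachment" "inspection" {
  transit_gateway_id     = aws_ec2_transit_gateway.hub.id
  vpc_id                 = var.hub_vpc_id          # 10.0.0.0/16
  subnet_ids             = var.hub_tgw_subnet_ids
  appliance_mode_support = "enable"                # both directions of a flow hit the same firewall endpoint
  transit_gateway_default_route_table_association = false
  transit_gateway_default_route_table_propagation = false
}

resource "aws_ec2_transit_gateway_vpc_attachment" "spoke" {
  transit_gateway_id = aws_ec2_transit_gateway.hub.id
  vpc_id             = var.spoke_vpc_id            # 10.1.0.0/16
  subnet_ids         = var.spoke_tgw_subnet_ids
  transit_gateway_default_route_table_association = false
  transit_gateway_default_route_table_propagation = false
}

resource "aws_vpn_connection" "onprem" {
  customer_gateway_id = aws_customer_gateway.onprem.id
  transit_gateway_id  = aws_ec2_transit_gateway.hub.id
  type                = "ipsec.1"
}

# Edge table: spokes and the VPN live here. Its only route is a default to the
# inspection attachment, so there is no spoke-to-spoke or spoke-to-VPN shortcut.
resource "aws_ec2_transit_gateway_route_table" "edge" {
  transit_gateway_id = aws_ec2_transit_gateway.hub.id
}

resource "aws_ec2_transit_gateway_route_table_association" "spoke" {
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.spoke.id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.edge.id
}

resource "aws_ec2_transit_gateway_route_table_association" "vpn" {
  transit_gateway_attachment_id  = aws_vpn_connection.onprem.transit_gateway_attachment_id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.edge.id
}

resource "aws_ec2_transit_gateway_route" "edge_default" {
  destination_cidr_block         = "0.0.0.0/0"
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.inspection.id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.edge.id
}

# Inspection table: learns the spoke CIDR and the on-premises prefixes by
# propagation, so traffic that survived the firewall can be delivered.
resource "aws_ec2_transit_gateway_route_table" "inspection" {
  transit_gateway_id = aws_ec2_transit_gateway.hub.id
}

resource "aws_ec2_transit_gateway_route_table_association" "inspection" {
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.inspection.id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.inspection.id
}

resource "aws_ec2_transit_gateway_route_table_propagation" "spoke" {
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.spoke.id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.inspection.id
}

resource "aws_ec2_transit_gateway_route_table_propagation" "vpn" {
  transit_gateway_attachment_id  = aws_vpn_connection.onprem.transit_gateway_attachment_id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.inspection.id
}

# Strict-order stateful rules: explicit passes, then an explicit drop for anything
# else headed to OT. The Modbus/TCP flow is a placeholder for the real cloud-to-OT
# services; the IT-to-OT drop is defence in depth in case IT traffic ever hairpins
# through the VPN, since the primary IT/OT boundary is the on-premises firewall.
resource "aws_networkfirewall_rule_group" "ot_segmentation" {
  name     = "ot-segmentation"
  type     = "STATEFUL"
  capacity = 100
  rule_group {
    rule_variables {
      ip_sets {
        key = "SPOKE_NET"
        ip_set { definition = ["10.1.0.0/16"] }
      }
      ip_sets {
        key = "IT_NET"
        ip_set { definition = ["192.168.10.0/24"] }
      }
      ip_sets {
        key = "OT_NET"
        ip_set { definition = ["192.168.20.0/24"] }
      }
    }
    rules_source {
      rules_string = <<-EOT
        pass tcp $SPOKE_NET any -> $OT_NET 502 (msg:"cloud historian to OT Modbus/TCP (placeholder flow)"; flow:to_server; sid:1000001; rev:1;)
        pass ip $SPOKE_NET any <> $IT_NET any (msg:"cloud workloads to corporate IT"; sid:1000002; rev:1;)
        drop ip $IT_NET any -> $OT_NET any (msg:"IT to OT over cloud path denied"; sid:1000003; rev:1;)
        drop ip any any -> $OT_NET any (msg:"default deny to OT"; sid:1000004; rev:1;)
      EOT
    }
    stateful_rule_options {
      rule_order = "STRICT_ORDER"
    }
  }
}

resource "aws_networkfirewall_firewall_policy" "hub" {
  name = "hub-inspection"
  firewall_policy {
    stateless_default_actions          = ["aws:forward_to_sfe"]
    stateless_fragment_default_actions = ["aws:forward_to_sfe"]
    stateful_engine_options { rule_order = "STRICT_ORDER" }
    # Anything no pass rule matched is dropped and alerted, not silently forwarded.
    stateful_default_actions = ["aws:drop_strict", "aws:alert_strict"]
    stateful_rule_group_reference {
      priority     = 1
      resource_arn = aws_networkfirewall_rule_group.ot_segmentation.arn
    }
  }
}
```

Two things to check after applying this: the edge route table must show exactly one route (the default to the inspection attachment) and no propagated spoke or VPN prefixes, otherwise the Transit Gateway will short-circuit the firewall; and the hub VPC's own route tables must send TGW-subnet traffic to the firewall endpoint in the same Availability Zone and firewall-subnet traffic back to the TGW, because Network Firewall only inspects what the VPC routes through its endpoints.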
People also ask
How do I design AWS Transit Gateway hub-spoke architecture with OT and IT network segmentation for SCADA systems?
Place AWS Transit Gateway in a hub VPC with a centralized AWS Network Firewall, and associate every spoke VPC attachment and the VPN attachment with a Transit Gateway route table whose only route is a default to the inspection VPC, so all spoke-to-spoke and spoke-to-on-premises traffic is inspected before delivery. On-premises, separate IT (VLAN 10) from OT (VLAN 20) with proxy servers and demarcation firewalls that deny direct IT-to-OT access and permit only the specific cloud-to-OT flows that the SCADA, PLC, and HMI use cases require, with the Site-to-Site VPN terminating on the Transit Gateway.
- Domain: Networking
- Audience: AWS network architects designing hybrid cloud connectivity with OT/IT segmentation
Generated by Diagrams.so — AI architecture diagram generator with native Draw.io output. Fork this diagram, remix it, or download as .drawio, PNG, or SVG.