About This Architecture
Hub-and-spoke network architecture using AWS Transit Gateway to connect on-premises IT and OT networks to cloud workloads with strict segmentation. Traffic flows from the spoke VPC (10.1.0.0/16) through the Transit Gateway to a centralized AWS Network Firewall in the hub VPC (10.0.0.0/16), so every flow is inspected before it reaches on-premises over a Site-to-Site VPN. The on-premises topology separates the IT VLAN 10 (192.168.10.0/24) from the air-gapped OT VLAN 20 (192.168.20.0/24) using proxy servers and demarcation firewalls, which prevent direct IT-to-OT access while permitting controlled cloud-to-OT communication. This design addresses the industrial and critical-infrastructure requirement for zero-trust segmentation between corporate IT systems and operational technology such as SCADA, PLCs, and HMIs. Fork this AWS Transit Gateway diagram on Diagrams.so to customize CIDR blocks, add spoke VPCs, or integrate AWS Security Hub findings into your compliance documentation.
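As an added example that is not part of the page or the diagram, the following Python reachability model encodes the segments above and checks the two properties the design promises: that cloud-to-OT flows always traverse the hub firewall, and that IT VLAN 10 can never reach OT VLAN 20. The hop names, route edges and hop policies are assumptions constructed to mirror the description; only the CIDRs come from the page.

```python
from ipaddress import ip_address, ip_network
# Constructed model: CIDRs are the page's; the hub VPC 10.0.0.0/16 hosts the firewall hop.
SEGMENTS = {
    "spoke_vpc": ip_network("10.1.0.0/16"),
    "it_vlan10": ip_network("192.168.10.0/24"),
    "ot_vlan20": ip_network("192.168.20.0/24"),
}
# Assumed hop names: tgw = Transit Gateway, firewall = Network Firewall (hub VPC),
# vpn = Site-to-Site VPN, demarc = on-prem demarcation firewall/proxy. Edges = routed next hops.
ROUTES = {
    "spoke_vpc": ["tgw"],
    "tgw": ["firewall", "spoke_vpc"],       # TGW route table sends everything to inspection
    "firewall": ["vpn", "tgw"],
    "vpn": ["it_vlan10", "demarc", "firewall"],
    "it_vlan10": ["vpn"],                   # IT has no route toward the OT VLAN
    "demarc": ["ot_vlan20", "vpn"],
    "ot_vlan20": ["demarc"],
}
# Enforcement hops and the (src, dst) segment pairs they forward; other hops route anything.
POLICY = {
    "firewall": {("spoke_vpc", "it_vlan10"), ("spoke_vpc", "ot_vlan20"),
                 ("it_vlan10", "spoke_vpc"), ("ot_vlan20", "spoke_vpc")},
    "demarc": {("spoke_vpc", "ot_vlan20"), ("ot_vlan20", "spoke_vpc")},  # cloud-to-OT only
}

def segment_of(addr):
    """Map an address to its modelled segment, or None if outside all of them."""
    return next((n for n, net in SEGMENTS.items() if ip_address(addr) in net), None)

def allowed_paths(src, dst, routes=ROUTES, policy=POLICY):
    """Loop-free hop sequences src -> dst on which every enforcement hop permits (src, dst)."""
    found, stack = [], [[src]]
    while stack:
        path = stack.pop()
        if path[-1] == dst:
            found.append(path)
            continue
        for nxt in routes.get(path[-1], []):
            if nxt in path or (nxt in policy and (src, dst) not in policy[nxt]):
                continue
            stack.append(path + [nxt])
    return found

def check_flow(src_ip, dst_ip, routes=ROUTES, policy=POLICY):
    """Return (reachable, inspected); inspected means every allowed path crosses the hub firewall."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src is None or dst is None:
        raise ValueError("address outside the modelled segments")
    paths = allowed_paths(src, dst, routes, policy)
    return bool(paths), bool(paths) and all("firewall" in p for p in paths)
```

Running the same model with one extra Transit Gateway route that points straight at the VPN attachment reports the cloud-to-OT flow as reachable but uninspected, which is the inspection bypass a route-table review should catch.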