About This Architecture
The Cityworks production network on AWS spans three architectural layers—core, distribution, and access—with an internet-facing Application Load Balancer routing traffic through a Transit Gateway to on-premises infrastructure. The VPC (10.0.0.0/16) distributes workloads across two availability zones: public subnets host a bastion, a PowerBI gateway, and a public works queries server, while private subnets isolate SQL Server and PostgreSQL RDS instances with Multi-AZ standby replicas. Security is enforced via layered security groups (BastionSecurityGroup, ServerSecurityGroup, UserManagerDBSg, EFSSecurityGroup), GuardDuty threat detection, and VPC endpoints, with S3 backup buckets and access logging for compliance. This architecture demonstrates high-availability hybrid cloud design with clear blast radius isolation and cross-AZ failover. Fork and customize this diagram on Diagrams.so to adapt the Transit Gateway attachment, subnet CIDR ranges, or instance types for your own production environment.
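A placement lint for the layout described above, as an added example that is not part of the original page or of the Cityworks deployment. Only the VPC CIDR 10.0.0.0/16, the two-AZ split, the public/private placement and the Multi-AZ standbys come from the description; the subnet names and CIDRs, AZ labels and resource names are constructed assumptions.

```python
import ipaddress

VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")  # VPC range stated on the page
# Constructed inventory: subnet names/CIDRs, AZ labels and resource names are assumptions.
SUBNETS = {
    "public-a":  {"cidr": "10.0.0.0/24",  "az": "az-1", "public": True},
    "public-b":  {"cidr": "10.0.1.0/24",  "az": "az-2", "public": True},
    "private-a": {"cidr": "10.0.10.0/24", "az": "az-1", "public": False},
    "private-b": {"cidr": "10.0.11.0/24", "az": "az-2", "public": False},
}
RESOURCES = [
    {"name": "bastion", "kind": "host", "subnet": "public-a"},
    {"name": "powerbi-gateway", "kind": "host", "subnet": "public-a"},
    {"name": "public-works-queries", "kind": "host", "subnet": "public-b"},
    {"name": "sqlserver", "kind": "db", "role": "primary", "subnet": "private-a"},
    {"name": "sqlserver", "kind": "db", "role": "standby", "subnet": "private-b"},
    {"name": "postgres", "kind": "db", "role": "primary", "subnet": "private-b"},
    {"name": "postgres", "kind": "db", "role": "standby", "subnet": "private-a"},
]

def lint(subnets, resources, vpc=VPC_CIDR):
    """Return a list of findings; an empty list means the layout matches the description."""
    findings = []
    nets = {n: ipaddress.ip_network(s["cidr"]) for n, s in subnets.items()}
    names = sorted(nets)
    for n in names:  # every subnet must sit inside the VPC range
        if not nets[n].subnet_of(vpc):
            findings.append(f"{n}: {nets[n]} is outside VPC {vpc}")
    for i, a in enumerate(names):  # subnets must not overlap each other
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                findings.append(f"{a} overlaps {b}")
    for tier in (True, False):  # each tier must span both availability zones
        azs = {s["az"] for s in subnets.values() if s["public"] is tier}
        if len(azs) < 2:
            findings.append(f"{'public' if tier else 'private'} tier spans {len(azs)} AZ(s), expected 2")
    db_azs = {}
    for r in resources:  # databases belong in private subnets only
        sn = subnets[r["subnet"]]
        if r["kind"] == "db":
            if sn["public"]:
                findings.append(f"{r['name']} ({r['role']}) is in public subnet {r['subnet']}")
            db_azs.setdefault(r["name"], {})[r["role"]] = sn["az"]
    for name, roles in sorted(db_azs.items()):  # standby must be in the other AZ
        if "standby" not in roles:
            findings.append(f"{name}: no Multi-AZ standby")
        elif roles.get("primary") == roles["standby"]:
            findings.append(f"{name}: primary and standby share {roles['standby']}")
    return findings
```

Run `lint(SUBNETS, RESOURCES)` against an inventory exported from your own environment after customizing subnet ranges; any returned string is a deviation from the isolation and failover properties the description claims.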