Hybrid AWS VPN Hub-Spoke Architecture
About This Architecture
Hybrid AWS VPN hub-spoke architecture connects on-premises KTIO data center to DRIV2-Prod spoke account through centralized Nexus-Prod network hub. IPSec tunnels from Palo Alto VPN Gateway terminate at AWS Customer Gateway, routing traffic through Transit Gateway to AWS Network Firewall in inspection VPC before reaching spoke VPC 10.207.192.0/22 with three-tier subnet design. Architecture enables bidirectional data flow where DRIV2 polls from on-prem sources (CTS, HMI, Agilion, Hastus) and pushes to Expert2 SMB share, demonstrating centralized security inspection and network segmentation for hybrid workloads. Fork this diagram on Diagrams.so to customize CIDR blocks, add spoke accounts, or adapt the inspection VPC topology for your multi-account AWS environment.
People also ask
How do I design a hub-spoke network architecture in AWS with VPN connectivity and centralized firewall inspection?
Use AWS Transit Gateway as the central hub connecting spoke VPCs and on-premises networks via Customer Gateway VPN tunnels. Route all traffic through an inspection VPC with AWS Network Firewall for centralized security policy enforcement before reaching spoke accounts.
- Domain:
- Networking
- Audience:
- AWS network architects designing hybrid cloud connectivity with on-premises data centers
Generated by Diagrams.so — AI architecture diagram generator with native Draw.io output. Fork this diagram, remix it, or download as .drawio, PNG, or SVG.
