Hybrid AWS VPN Hub-Spoke Architecture

aws · architecture diagram.

Diagrams.so

About This Architecture

Hybrid AWS VPN hub-spoke architecture connects on-premises KTIO data center to DRIV2-Prod spoke account through centralized Nexus-Prod network hub. IPSec tunnels from Palo Alto VPN Gateway terminate at AWS Customer Gateway, routing traffic through Transit Gateway to AWS Network Firewall in inspection VPC before reaching spoke VPC 10.207.192.0/22 with three-tier subnet design. Architecture enables bidirectional data flow where DRIV2 polls from on-prem sources (CTS, HMI, Agilion, Hastus) and pushes to Expert2 SMB share, demonstrating centralized security inspection and network segmentation for hybrid workloads. Fork this diagram on Diagrams.so to customize CIDR blocks, add spoke accounts, or adapt the inspection VPC topology for your multi-account AWS environment.

People also ask

How do I design a hub-spoke network architecture in AWS with VPN connectivity and centralized firewall inspection?

Use AWS Transit Gateway as the central hub connecting spoke VPCs and on-premises networks via Customer Gateway VPN tunnels. Route all traffic through an inspection VPC with AWS Network Firewall for centralized security policy enforcement before reaching spoke accounts.

Hybrid AWS VPN Hub-Spoke Architecture

AWSadvancedTransit GatewayVPNNetwork FirewallHybrid CloudHub-Spoke
Domain: NetworkingAudience: AWS network architects designing hybrid cloud connectivity with on-premises data centers
1 views0 favoritesPublic

Created by

February 24, 2026

Updated

February 25, 2026 at 9:44 AM

Type

architecture

Need a custom architecture diagram?

Describe your architecture in plain English and get a production-ready Draw.io diagram in seconds. Works for AWS, Azure, GCP, Kubernetes, and more.

Generate with AI