Multi-Account AWS Network Architecture with Centralized VPN Connectivity

Designed and implemented a segmented AWS multi-account network architecture with centralized connectivity, secure remote access, and shared transit routing.

Implemented: June 2022

AWS VPC AWS Transit Gateway AWS Client VPN AWS Site-to-Site VPN AWS Multi-Account Architecture

alt text

Problem

A startup organization required a scalable AWS landing zone capable of supporting separate development, QA, and production environments while maintaining secure connectivity between cloud resources, remote staff, and on-premises infrastructure.

The architecture needed to provide:

  • Environment isolation between workloads
  • Secure remote engineer access
  • Hybrid connectivity to on-premises systems
  • Centralized network and security management
  • A foundation for future cloud growth and governance

Solution

Designed and deployed a multi-account AWS architecture using dedicated VPCs for Dev, QA, and Production workloads connected through a centralized AWS Transit Gateway.

A dedicated Network & Security account was implemented to host shared connectivity services including:

  • AWS Client VPN for remote staff access
  • AWS Site-to-Site VPN for on-premises integration
  • Centralized transit routing and network segmentation

Each environment was isolated within its own VPC and AWS account to improve operational separation, reduce blast radius, and simplify access control management.

The solution also established a repeatable network pattern that could support additional environments and workloads as the company scaled.

Architecture

  • Remote engineers connected securely to AWS using AWS Client VPN over SSL.
  • The on-premises office connected to AWS through an IPSec Site-to-Site VPN.
  • A centralized Transit Gateway handled routing between all connected VPCs and hybrid resources.
  • Separate AWS accounts hosted Dev, QA, and Production VPCs with isolated CIDR ranges.
  • Each VPC contained dedicated compute, database, and storage resources while maintaining controlled interconnectivity through centralized routing policies.

Tech Stack

AWS VPC • AWS Transit Gateway • AWS Client VPN • AWS Site-to-Site VPN • Amazon EC2 • Amazon RDS • Amazon S3 • AWS Multi-Account Architecture

Outcome

The implementation established a secure and scalable AWS foundation for the startup’s cloud operations.

The architecture improved environment isolation, simplified hybrid connectivity management, and enabled secure remote access for distributed staff while supporting future infrastructure expansion.

The centralized networking model also reduced operational complexity by consolidating routing and connectivity services into a dedicated shared services account.

Key Takeaways

  • Implemented centralized AWS networking using Transit Gateway for scalable inter-VPC connectivity.
  • Improved security posture through account-level workload isolation and segmented CIDR allocation.
  • Enabled secure hybrid connectivity using both Client VPN and Site-to-Site VPN solutions.
  • Future iterations could integrate AWS Organizations SCPs, IAM Identity Center, and automated infrastructure deployment using Terraform.

Reflection

If revisiting the design today, I would extend the platform using Infrastructure as Code, centralized logging with AWS Security Hub/CloudWatch, and zero-trust network controls to improve automation, observability, and governance maturity.

© 2026 AK Techno Services Ltd.
Developed by AK Udofeh using Astrofy