FR-02 Network Engineering

Remote-Access VPN Rebuilt on a Transit Gateway Hub

SaaS company · 11 VPCs across two AWS regions
Tags: AWS Client VPN · Transit Gateway · SAML / Identity Center · CloudFormation · Route 53

48 → 1 route tables to maintain
200× route-scale headroom (50 → 10k)
0 downtime at cutover
Architecture diagram (illustrative, anonymized): remote users (SAML + MFA) → Transit Gateway → VPCs in region A and region B · 1 route table · 11 VPCs · 2 regions

01 The situation

  • Remote access ran over a hand-maintained mesh of 22 VPC-peering connections feeding 48 route tables — every new VPC multiplied the manual routing work and the chance of a silent misroute.
  • Because VPC peering is non-transitive, the design could not scale past the 50-route default ceiling of a VPC route table and offered no clean path to a second region or to controlled spoke-to-spoke traffic.
  • Authentication and segmentation had to satisfy SOC 2: enforced MFA, least-privilege network access by team, and no shared static keys.

02 The approach

  • Designed a Transit Gateway hub-and-spoke spanning 11 VPCs across two regions, with the VPN endpoint attached to a dedicated hub and centralized routing.
  • Moved authentication to SAML-only via the corporate identity provider with enforced MFA, eliminating mutual-TLS client-certificate distribution entirely (the endpoint still presents an ACM server certificate; no client keys are issued).
  • Modeled least-privilege access groups (admins, per-region developers, production access, management) as Client VPN authorization rules keyed on the identity provider's group IDs, so each team only reaches the networks it needs and everything not listed is denied by default.
  • Delivered the whole environment as version-controlled infrastructure-as-code with a documented deployment order, architecture diagrams, and a cost model comparing both designs.
  • Cut over in stages with return-route validation: Client VPN source-NATs client traffic to the endpoint's network interface in the hub subnet, so every spoke was checked for a route back to the hub VPC CIDR via the Transit Gateway before its peering link was retired, and existing sessions were never dropped.
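The hub side of that design expressed as CloudFormation, as an added illustration for this report rather than the client's own template. It assumes a pre-existing hub VPC and subnet, an ACM server certificate, an IAM SAML provider fed by IAM Identity Center, and placeholder CIDRs (10.0.0.0/16 for the hub, 10.10.0.0/15 summarising the region-A spokes, with developer and production ranges in separate /16s); all parameter and resource names are illustrative. The region-B Transit Gateway peering attachment, the spoke stacks, and the admin and management rules follow the same pattern and are omitted for length.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Hub VPC with Transit Gateway and a SAML-only Client VPN (illustrative example)

Parameters:
  HubVpcId:              { Type: AWS::EC2::VPC::Id }
  HubVpcCidr:            { Type: String, Default: 10.0.0.0/16 }   # assumed addressing
  HubSubnetId:           { Type: AWS::EC2::Subnet::Id }          # endpoint ENI + TGW attachment subnet
  HubSubnetRouteTableId: { Type: String }
  VpnLogGroupName:       { Type: String, Default: /vpn/client-vpn-connections }
  SpokeSummaryRegionA:   { Type: String, Default: 10.10.0.0/15 } # assumed: all region-A spokes
  DevCidrRegionA:        { Type: String, Default: 10.10.0.0/16 } # assumed: developer VPCs
  ProdCidrRegionA:       { Type: String, Default: 10.11.0.0/16 } # assumed: production VPCs
  ServerCertificateArn:  { Type: String }  # ACM cert for the endpoint; no client certs exist
  SamlProviderArn:       { Type: String }  # IAM SAML provider created from the IdP metadata
  DevRegionAGroupId:     { Type: String }  # IdP group IDs as sent in the SAML memberOf attribute
  ProdAccessGroupId:     { Type: String }

Resources:
  TransitGateway:
    Type: AWS::EC2::TransitGateway
    Properties:
      AmazonSideAsn: 64512
      DefaultRouteTableAssociation: disable   # no implicit any-to-any between spokes
      DefaultRouteTablePropagation: disable   # every route is declared in code
      DnsSupport: enable
  HubAttachment:
    Type: AWS::EC2::TransitGatewayAttachment
    Properties:
      TransitGatewayId: !Ref TransitGateway
      VpcId: !Ref HubVpcId
      SubnetIds: [!Ref HubSubnetId]
  HubTgwRouteTable:                           # the single TGW route table
    Type: AWS::EC2::TransitGatewayRouteTable
    Properties:
      TransitGatewayId: !Ref TransitGateway
  HubTgwAssociation:
    Type: AWS::EC2::TransitGatewayRouteTableAssociation
    Properties:
      TransitGatewayAttachmentId: !Ref HubAttachment
      TransitGatewayRouteTableId: !Ref HubTgwRouteTable
  # Forward path hub subnet -> TGW. Spoke stacks (not shown) attach to the TGW,
  # add their CIDR to HubTgwRouteTable and add the RETURN route HubVpcCidr -> TGW
  # in their own subnet route tables; without it replies are silently dropped.
  HubToRegionASpokes:
    Type: AWS::EC2::Route
    DependsOn: HubAttachment                  # required before routing to a TGW
    Properties:
      RouteTableId: !Ref HubSubnetRouteTableId
      DestinationCidrBlock: !Ref SpokeSummaryRegionA
      TransitGatewayId: !Ref TransitGateway
  ClientVpn:
    Type: AWS::EC2::ClientVpnEndpoint
    Properties:
      ClientCidrBlock: 172.16.0.0/22           # assumed; must not overlap any VPC
      ServerCertificateArn: !Ref ServerCertificateArn
      AuthenticationOptions:
        - Type: federated-authentication        # SAML only; MFA is enforced by the IdP
          FederatedAuthentication:
            SAMLProviderArn: !Ref SamlProviderArn
      ConnectionLogOptions:                     # SOC 2: who connected, when, from where
        Enabled: true
        CloudwatchLogGroup: !Ref VpnLogGroupName
      SplitTunnel: true                         # only routed CIDRs traverse the tunnel
      TransportProtocol: udp
      SessionTimeoutHours: 8
      VpcId: !Ref HubVpcId
  VpnTargetNetwork:
    Type: AWS::EC2::ClientVpnTargetNetworkAssociation
    Properties:
      ClientVpnEndpointId: !Ref ClientVpn
      SubnetId: !Ref HubSubnetId
  # Least privilege: no AuthorizeAllGroups rule. Each rule admits one IdP group
  # to one CIDR; a destination with no matching rule is denied.
  DevRegionAAccess:
    Type: AWS::EC2::ClientVpnAuthorizationRule
    Properties:
      ClientVpnEndpointId: !Ref ClientVpn
      TargetNetworkCidr: !Ref DevCidrRegionA
      AccessGroupId: !Ref DevRegionAGroupId
  ProdRegionAAccess:
    Type: AWS::EC2::ClientVpnAuthorizationRule
    Properties:
      ClientVpnEndpointId: !Ref ClientVpn
      TargetNetworkCidr: !Ref ProdCidrRegionA
      AccessGroupId: !Ref ProdAccessGroupId
  # The endpoint's own route table only knows the hub VPC by default; spoke
  # CIDRs are added explicitly and point at the associated hub subnet.
  VpnRouteRegionASpokes:
    Type: AWS::EC2::ClientVpnRoute
    DependsOn: VpnTargetNetwork               # route needs the association first
    Properties:
      ClientVpnEndpointId: !Ref ClientVpn
      DestinationCidrBlock: !Ref SpokeSummaryRegionA
      TargetVpcSubnetId: !Ref HubSubnetId
```

Two checks worth making before trusting a template like this: the identity provider application must emit the `memberOf` attribute, because that is the only thing `AccessGroupId` is matched against, so a missing attribute mapping fails closed for every group; and the CloudWatch log group named in `VpnLogGroupName` must exist before the stack deploys, since the endpoint only references it by name.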

03 The outcome

  • Routing maintenance collapsed from 48 route tables to a single Transit Gateway table — new VPCs now attach instead of multiplying connections.
  • Route-scale headroom grew from a 50-route ceiling (the default VPC route-table quota) to ~10,000 (the Transit Gateway route-table quota), with multi-region peering and configurable spoke-to-spoke now possible.
  • SOC 2-aligned: MFA-enforced SSO auth, per-team least-privilege segmentation, no static keys — cut over with zero downtime.

Have something like this?

Let’s scope your version.

If this maps to what you’re facing, a 20-minute call is the fastest way to find out whether I can help — and a Cloud Quick-Win is the lowest-risk way to start.