Menu
Dev.to #architecture·May 18, 2026

Designing AWS VPCs: Hub-Spoke, Mesh, and Multi-Account Patterns for Scalable Cloud Architectures

This article explores common and effective patterns for designing Virtual Private Clouds (VPCs) in AWS, moving beyond the simple single-VPC setup to address the complexities of security, connectivity, and scalability in growing platforms. It discusses Hub-and-Spoke, Full Mesh, and Multi-Account strategies, highlighting their trade-offs, ideal use cases, and critical design decisions for long-term architectural success.

Cloud & InfrastructureDistributed SystemsPerformance & Scaling
Read original on Dev.to #architecture

Designing a robust AWS infrastructure requires a strategic approach to Virtual Private Clouds (VPCs), which serve as the foundational layer for security, connectivity, and scalability. Many architectures initially start with a single VPC, but this quickly becomes a bottleneck as platforms grow to include multiple teams, environments (dev, QA, prod), stringent security requirements, or hybrid connectivity needs.

Common VPC Design Patterns

While there's no single 'correct' way to design VPCs, several patterns consistently appear in real-world production environments. Understanding their strengths, weaknesses, and appropriate use cases is crucial for making informed architectural decisions.

1. Hub-and-Spoke

The Hub-and-Spoke pattern centralizes network services in a 'hub' VPC (e.g., VPN, Direct Connect, NAT Gateways, firewalls) and connects it to multiple 'spoke' VPCs where applications and microservices reside. Connectivity between spokes and the hub is typically managed via AWS Transit Gateway for scale, or VPC Peering for simpler scenarios.

  • Use Cases: Multi-account architectures, centralized network control, strong security requirements, hybrid connectivity.
  • Trade-offs: Can incur significant Transit Gateway costs, especially with many attachments and intense east-west traffic. Requires careful initial traffic dimensioning to prevent the hub from becoming a bottleneck. Integrating centralized inspection (e.g., AWS Network Firewall) can introduce asymmetric routing, demanding explicit design from the start to avoid production issues.

2. Full Mesh

In a Full Mesh topology, every VPC connects directly to every other VPC using VPC Peering. This eliminates a central point of failure and offers minimal latency between services.

  • Use Cases: Few VPCs (typically 3-4), low complexity, services requiring minimal inter-VPC latency.
  • Trade-offs: Scales poorly due to the N*(N-1)/2 peering connections (e.g., 10 VPCs require 45 peerings, 20 VPCs require 190). Lacks centralized control and observability, making troubleshooting and auditing routes challenging as multiple teams manage different peerings.

3. Multi-Account Strategy

More of a strategy than a direct network pattern, multi-account involves separating AWS resources into distinct accounts (e.g., production, development, security, networking) using AWS Organizations, often in conjunction with Transit Gateway and VPC sharing. This strategy aims to provide true isolation and faster team velocity by reducing interference.

  • Use Cases: Real blast radius isolation, compliance and auditing requirements, organizational scalability.
  • Trade-offs: Introduces initial governance and ownership complexity (e.g., who owns the networking account? Who approves TGW route table changes?). Without clear answers upfront, it can generate more friction than it solves.
  • Complementary Nature: Multi-account and Hub-and-Spoke are complementary. Multi-account defines trust, governance, and blast radius boundaries, while Hub-and-Spoke defines how these networks connect in a controlled manner. It's common for a multi-account architecture to use a Hub-and-Spoke topology for connectivity.

Critical Design Decisions

Beyond choosing a pattern, several fundamental decisions dictate an architecture's ability to scale and remain manageable:

  • Traffic Inspection: Centralized in the hub or distributed per VPC. Impacts security, latency, and cost. Centralized inspection is often operationally cheaper but can introduce asymmetric routing.
  • Internet Egress: NAT Gateway per VPC or centralized NAT in the hub. Centralizing NAT can significantly reduce costs compared to deploying a NAT Gateway in every spoke VPC.
  • Segmentation Strategy: Decide whether to segment by VPC, subnet, or account. Mixing strategies without a clear rationale can lead to auditing difficulties and security incidents later.
  • Future Scalability: Anticipate future needs regarding the number of accounts, hybrid connectivity requirements, network ownership, and expected east-west traffic between workloads. These answers should drive the pattern selection, not vice-versa.
AWS VPCNetwork ArchitectureHub-and-SpokeMulti-AccountVPC PeeringTransit GatewayCloud NetworkingScalability

Comments

Loading comments...

Architecture Design

Design this yourself
Design a scalable and secure multi-tenant SaaS platform on AWS for enterprise clients. The platform requires strong tenant isolation, centralized network services, and hybrid connectivity to on-premise systems. Architect the VPC strategy using a combination of multi-account organization and a hub-and-spoke network topology, detailing the role of Transit Gateway, centralized traffic inspection, and optimized internet egress. Explain how to manage governance and avoid common pitfalls related to cost and routing complexity.
Practice Interview
Focus: scalable VPC network architecture using hub-and-spoke and multi-account patterns
Other design angles
· Design a highly secure financial application on AWS, focusing on a multi-account structure with strict network segmentation and auditing capabilities.· Design a data analytics platform on AWS that processes large volumes of data across multiple environments (dev, QA, prod), optimizing inter-VPC communication and data transfer costs using an appropriate VPC network pattern.· Architect a global content delivery system that leverages AWS VPCs for regional deployments, ensuring low-latency communication and efficient routing between regions and to end-users.

Related Lessons

Distributed CachingServerless ArchitecturePeer-to-Peer Architecture