CASE 81 · BOREAL · 2025
One network, many accounts — without VPC peering hairballs.
A robotics infrastructure company had 19 accounts, each with its own VPC, and a peering mesh that took 90 minutes to draw on a whiteboard. We collapsed the architecture with shared VPCs via Resource Access Manager and a single Transit Gateway hub.
Robotics infrastructure
LANDING ZONE
2025
RESULTS
What changed, by the numbers.
PEERING CONNECTIONS: 24 → 0
TGW ATTACHMENTS: 5
NEW-WORKLOAD NETWORK SETUP: < 1d
CROSS-VPC INCIDENTS: −84%
HOW IT WENT
The peering mesh had grown organically. Every time a new account joined the org, the runbook said "peer with these N other accounts." After a year, the mesh had more edges than the team had members. Nobody could say which paths were actually transitive, or through which route table.
We migrated to a single shared VPC per environment, with subnets shared into the consumer accounts via RAM. The Transit Gateway carried inter-environment traffic; Network Firewall inspected the north-south paths. Route 53 private hosted zones followed the same sharing model.
The peering count went from 24 to zero. New workload network setup dropped to under a day because the workload account inherits everything from the shared VPC. Cross-VPC incident rate fell 84% year-over-year — most of the previous incidents had been peering-related route surprises.
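A small audit of the "which paths actually exist" question, added here as an example and not tooling from the engagement: it takes route tables in the shape EC2's DescribeRouteTables returns (constructed sample data inline; the VPC, pcx and TGW IDs are placeholders) and flags one-way peering routes and neighbour-of-neighbour paths that peering's non-transitivity leaves unreachable.

```python
from collections import defaultdict
# Constructed sample in the shape of EC2 DescribeRouteTables output (one
# table per VPC). vpc-b routes to vpc-c over pcx-bc, but vpc-c has no
# return route: a typical peering "route surprise".
SAMPLE_ROUTE_TABLES = [
    {"VpcId": "vpc-a", "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "10.1.0.0/16", "VpcPeeringConnectionId": "pcx-ab", "State": "active"}]},
    {"VpcId": "vpc-b", "Routes": [
        {"DestinationCidrBlock": "10.1.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "10.0.0.0/16", "VpcPeeringConnectionId": "pcx-ab", "State": "active"},
        {"DestinationCidrBlock": "10.2.0.0/16", "VpcPeeringConnectionId": "pcx-bc", "State": "active"}]},
    {"VpcId": "vpc-c", "Routes": [
        {"DestinationCidrBlock": "10.2.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "TransitGatewayId": "tgw-hub", "State": "active"}]},
]

def local_cidrs(route_tables):
    """Map each VPC's own CIDR to the VPC, taken from its 'local' routes."""
    return {r["DestinationCidrBlock"]: rt["VpcId"] for rt in route_tables
            for r in rt["Routes"] if r.get("GatewayId") == "local"}

def peering_graph(route_tables):
    """Directed edges src_vpc -> {(dst_vpc, pcx)} for active peering routes."""
    owner = local_cidrs(route_tables)
    edges = defaultdict(set)
    for rt in route_tables:
        for r in rt["Routes"]:
            pcx = r.get("VpcPeeringConnectionId")
            dst = owner.get(r["DestinationCidrBlock"])
            if pcx and dst and r.get("State") == "active":
                edges[rt["VpcId"]].add((dst, pcx))
    return edges

def audit(route_tables):
    """Count peering vs TGW routes and flag the two classic peering traps."""
    edges = peering_graph(route_tables)
    # One-way routes: traffic leaves over the pcx but nothing routes it back.
    asymmetric = sorted((s, d, p) for s, outs in edges.items()
                        for d, p in outs if (s, p) not in edges.get(d, set()))
    # Peering is not transitive: a neighbour-of-a-neighbour with no direct
    # edge is a path that exists on the whiteboard but not in the VPC.
    neigh = {v: {d for d, _ in outs} for v, outs in edges.items()}
    non_transitive = sorted({(a, c) for a, bs in neigh.items() for b in bs
                             for c in neigh.get(b, set()) if c != a and c not in bs})
    return {"peering_routes": sum(len(o) for o in edges.values()),
            "tgw_routes": sum(1 for rt in route_tables for r in rt["Routes"]
                              if r.get("TransitGatewayId")),
            "asymmetric": asymmetric, "non_transitive": non_transitive}
```

Run against real data by feeding the `RouteTables` list from `describe_route_tables` for every account; the two flagged lists are the "route surprises" worth closing before the migration rather than after.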
READY WHEN YOU ARE
Let's get your AWS bill (and architecture) in order.
The discovery call is free. You walk away with at least one concrete idea — even if we never work together.