Well-Architected architecture study

Hybrid Network Migration

A staged hybrid networking design for moving workloads to AWS while preserving routing control, DNS resolution, segmentation, and rollback paths.

Status: Architecture study
Focus: AWS
Tags: Direct Connect, VPN, Transit Gateway, DNS, Network Firewall

Architecture diagram (components): On-prem network; AWS Direct Connect Gateway; Transit Gateway; Shared services + workload VPCs; Route 53 Resolver + Network Firewall.

Problem

Hybrid migrations fail when routing, DNS, firewall policy, and rollback are treated as implementation details. The network architecture has to support staged movement without breaking existing dependencies.

Design

  • Direct Connect provides primary private connectivity with VPN as failover.
  • Transit Gateway centralizes VPC and on-prem routing.
  • Separate route tables segment shared services, production, and non-production networks.
  • Route 53 Resolver endpoints support hybrid DNS.
  • AWS Network Firewall or inspection VPCs enforce egress and east-west policy.
  • Migration waves move services behind explicit cutover and rollback plans.
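
To make the route-table segmentation concrete, the following is an added Python model of the Transit Gateway layout the bullets above describe; it is not code from this page or from AWS. The attachment names, CIDRs, and the choice that only traffic between workload segments and to the internet passes through the inspection VPC are constructed assumptions.

```python
from ipaddress import ip_address, ip_network


class TransitGateway:
    """Minimal TGW route-table model: an attachment is associated with one table (consulted for
    traffic entering the TGW from it); propagation copies its prefixes into a table."""

    def __init__(self):
        self.association = {}  # attachment -> route table it is associated with
        self.prefixes = {}     # attachment -> CIDRs it announces (constructed values)
        self.tables = {}       # route table -> list of (cidr, next-hop attachment)

    def attach(self, name, prefixes, table):
        self.prefixes[name] = prefixes
        self.association[name] = table
        self.tables.setdefault(table, [])

    def propagate(self, attachment, table):
        for cidr in self.prefixes[attachment]:
            self.tables[table].append((cidr, attachment))

    def static_route(self, table, cidr, next_hop):
        self.tables[table].append((cidr, next_hop))

    def next_hop(self, src, dst_ip):
        """Longest-prefix match in the source attachment's table; None means no route."""
        ip = ip_address(dst_ip)
        matches = [r for r in self.tables[self.association[src]] if ip in ip_network(r[0])]
        return max(matches, key=lambda r: ip_network(r[0]).prefixlen)[1] if matches else None


def build_design():
    """Constructed layout: on-prem (Direct Connect) and shared services share a table, prod and
    non-prod each get their own, and the inspection VPC's table knows every prefix."""
    tgw = TransitGateway()
    tgw.attach("onprem-dx", ["172.16.0.0/12"], "shared-rt")
    tgw.attach("shared-vpc", ["10.250.0.0/16"], "shared-rt")
    tgw.attach("prod-vpc", ["10.10.0.0/16"], "prod-rt")
    tgw.attach("nonprod-vpc", ["10.20.0.0/16"], "nonprod-rt")
    tgw.attach("inspection-vpc", ["10.254.0.0/16"], "inspection-rt")
    for att in ("prod-vpc", "nonprod-vpc", "onprem-dx", "shared-vpc"):
        tgw.propagate(att, "inspection-rt")  # firewall can forward anywhere after inspection
        tgw.propagate(att, "shared-rt")      # shared services and on-prem reach workloads directly
    for rt in ("prod-rt", "nonprod-rt"):  # workloads reach shared/on-prem directly; anything else,
        tgw.propagate("onprem-dx", rt)    # including the other workload segment and internet
        tgw.propagate("shared-vpc", rt)   # egress, is forced through the inspection VPC
        tgw.static_route(rt, "0.0.0.0/0", "inspection-vpc")
    return tgw
```

Because prod and non-prod never propagate into each other's tables, the only path between them is the static default route to the inspection VPC, which is the check worth re-running whenever a migration wave adds an attachment.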

Well-Architected lens

  • Reliability: redundant connectivity, failover tests, and rollback routes.
  • Security: segmentation, inspection, and DNS control.
  • Operational excellence: route ownership, change windows, and runbooks.
  • Cost optimization: use Direct Connect, TGW attachments, and firewall endpoints where the traffic profile justifies them.

Why it is not live here

Direct Connect, Transit Gateway, and managed firewall components have steady hourly costs and need an on-premises counterpart. The brief demonstrates the design without creating idle networking spend.