Executive Summary
A UK healthcare technology company running multiple business units across 15 AWS accounts had reached the breaking point of ad-hoc VPC peering: overlapping IP ranges, routing complexity, no clean environment isolation, and no reliable path back to the corporate office. Logicata designed and deployed a hub-and-spoke architecture using AWS Transit Gateway, standardised the IP addressing scheme, established a dedicated networking account, and configured Site-to-Site VPN. The result: enterprise-grade connectivity for around $130 to $150 per month, with future-proof addressing headroom.
Customer Overview
Sector: Healthcare / Online Pharmacy
Location: United Kingdom
The customer is a UK-based healthcare technology company operating multiple business units, each with separate Development, Staging, and Production AWS accounts. The organisation runs e-commerce, B2B integration, NHS service delivery, and core platform services across a growing multi-account AWS environment.
The Challenge
The network had grown organically across business units and was no longer sustainable:
- 15 AWS accounts with no centralised connectivity design.
- Overlapping IP ranges. Multiple accounts used the same private CIDR blocks. Reliable routing between them was impossible.
- Ad-hoc VPC peering. A full mesh across 15 accounts would have meant up to 105 peering connections. The partial mesh that existed was already a routing maze.
- No site-to-site VPN. The corporate office had no reliable, secure path into the AWS estate for administrative access.
- No environment isolation. Development workloads could inadvertently route to production with nothing at the network layer to stop them.
- No standardised addressing. Each account had picked arbitrary IP ranges. Every new account compounded the problem.
The Solution
Logicata designed and delivered a hub-and-spoke network built on AWS Transit Gateway:
1. IP addressing redesign
Standardised on a 10.x.0.0/16 base. Each account gets a /20 VPC carved into /24 subnets: 3 Availability Zones × 3 subnet classes = 9 subnets in use, leaving 7 spare /24s per VPC for future use. This eliminates overlap risk and gives every account the same predictable, scalable shape.
2. Dedicated Networking account
Created to host the Transit Gateway. Centralises control, makes billing for networking visible separately, and simplifies IAM policies around the shared infrastructure.
3. Transit Gateway deployment
Deployed in eu-west-2 with TGW attachments to all 15 accounts via AWS Resource Access Manager (RAM) for cross-account sharing. One hub, fifteen spokes.
4. Route table segmentation
Separate TGW route tables enforce environment isolation. Development accounts cannot route to production unless explicitly permitted by adding the route. The network layer carries the boundary, not just IAM.
5. Site-to-Site VPN
AWS Site-to-Site VPN configured between the Networking account and the corporate office, giving secure administrative access through the same hub-and-spoke structure.
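The addressing scheme from step 1, as an added example that is not Logicata's or the customer's code: a small Python planner that carves a /16 base into /20 VPCs and /24 subnets, then checks a set of CIDRs for the overlap problem the redesign removes. The base /16, account names, subnet class names and legacy ranges are constructed assumptions.

```python
"""Added example: carve the page's addressing scheme (10.x.0.0/16 base,
one /20 VPC per account, /24 subnets for 3 AZs x 3 classes) and check a
set of CIDRs for overlap. The base /16, account names, subnet class
names and legacy CIDRs below are constructed, not the customer's."""
import ipaddress
from itertools import combinations, product

AZS = ("eu-west-2a", "eu-west-2b", "eu-west-2c")   # three AZs in eu-west-2
CLASSES = ("public", "private", "data")            # assumed subnet classes

def plan_vpc(base, index):
    """The /20 for the index-th account in the /16 base (16 per /16)."""
    return list(ipaddress.ip_network(base).subnets(new_prefix=20))[index]

def plan_subnets(vpc):
    """One /24 per (AZ, class) pair; the remaining /24s are spare."""
    blocks = list(vpc.subnets(new_prefix=24))        # 16 x /24 in a /20
    pairs = list(product(AZS, CLASSES))              # 9 subnets in use
    used = {f"{az}/{cls}": blocks[i] for i, (az, cls) in enumerate(pairs)}
    return used, blocks[len(pairs):]                 # 7 spare /24s

def build_plan(base, accounts):
    """Map account name -> /20 VPC, allocated in order from the base."""
    return {acct: plan_vpc(base, i) for i, acct in enumerate(accounts)}

def conflicts(cidrs):
    """Every pair of CIDRs that overlap; an empty list means no conflicts."""
    nets = [ipaddress.ip_network(str(c)) for c in cidrs]
    return [(str(a), str(b)) for a, b in combinations(nets, 2) if a.overlaps(b)]

# Constructed inputs: three accounts and the legacy ranges they used, two of
# which are the same block (the overlap problem the redesign removes).
ACCOUNTS = ["ecommerce-dev", "ecommerce-prod", "nhs-prod"]
LEGACY = ["172.31.0.0/16", "172.31.0.0/16", "10.0.0.0/16"]

if __name__ == "__main__":
    print("legacy conflicts:", conflicts(LEGACY))
    plan = build_plan("10.1.0.0/16", ACCOUNTS)
    for acct, vpc in plan.items():
        used, spare = plan_subnets(vpc)
        print(f"{acct}: {vpc} ({len(used)} subnets, {len(spare)} spare)")
    print("new plan conflicts:", conflicts(plan.values()))
```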
Results
- 15 accounts connected via a centralised Transit Gateway, replacing the ad-hoc peering mesh
- Zero IP conflicts. Standardised /20-per-account scheme eliminates overlap risk going forward
- Site-to-Site VPN connectivity established for secure office access
- Environment isolation enforced at the network level via TGW route table segmentation
- Cross-account communication enabled for shared services where it is appropriate, blocked where it is not
- Future-proof. Seven spare subnets per VPC, additional /20 blocks available for new accounts
- Approximately $130 to $150 per month total cost for enterprise-grade connectivity across 15 accounts
AWS Services Used
- AWS Transit Gateway
- Amazon VPC
- AWS Site-to-Site VPN
- AWS Organizations
- AWS Resource Access Manager (RAM)
- Amazon Route 53
About Logicata
Logicata is an AWS Advanced Partner holding the AWS Cloud Operations Management Competency, validated through an independent third-party audit. Logicata helps organisations build and operate secure, well-governed cloud platforms on AWS, enabling customers to reduce operational risk, meet assurance expectations, and scale with confidence.