I was the network architect who designed the network and configured the IPSec VPN with the on-prem partner.

The client asked me to help setup the site-to-site VPN with their on-prem partner, from the client's AWS environment. However as it turned out after I reviewed the current AWS network setup, we need to make design changes, to have a better network.

I created couple of subnets as per AWS design recommendations. I created private and public subnets, with the appropriate route tables and security groups. I created an additional CIDR, since the existing CIDR was not acceptable from the partner side, so we couldn't create the site-to-site VPN due to overlapping networks.

I created a private NAT Gateway with the new CIDR, so the partner was able to accept traffic from our side. I did setup the site-to-site VPN, towards the partner's physical firewall.

I created a public NAT Gateway as well, in order to provide internet access to various lambda functions.

I created the appropriate route tables and security groups, and eventually I created a comprehensive network drawing with explanation, so the client will be able to use it in the future.