Regarding Use case #2, the video indicates the use of a separate Internet VPC, but Check Point's CloudFormation Template for AWS GWLB and TGW consolidates the Security and Internet VPC into one VPC. Any reason as to why the video indicates the use of a separate Security and Internet VPC?
The video shows case #2 for all traffic types (egress, ingress, east/west) in one architecture, and has the GWLB endpoints in the Security VPC instead of the spoke VPCs.
Before the recently released AWS VPC Routing Enhancements, an Internet VPC was required for ALB routing to work properly. The ALB performs source NAT, therefore it should be located in a separate VPC in order to forward traffic to the GWLBe.
Now, with VPC Routing Enhancements, the Internet VPC becomes optional. The ALB can be located in the Security VPC.
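To make the routing point above concrete, here is an added CloudFormation fragment showing the three route tables a consolidated Security VPC needs once the ALB lives in it. This is an illustrative example written for this thread, not Check Point's template or any AWS-published sample; every CIDR, subnet, TGW ID and GWLB service name is an assumed parameter. The route that the VPC Routing Enhancements made possible is the one in the TGW attachment subnet's table: a destination (the ALB subnet) that is more specific than the VPC's local route, pointing at the GWLB endpoint, so return traffic from the spokes is steered back through inspection before it reaches the ALB.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >
  Illustrative routing for an ALB placed in the Security VPC (no separate
  Internet VPC). Example only; all CIDRs and IDs below are assumptions.

Parameters:
  SecurityVpcId:
    Type: AWS::EC2::VPC::Id          # assumed: the consolidated Security VPC
  AlbSubnetId:
    Type: AWS::EC2::Subnet::Id       # assumed: subnet hosting the ALB
  AlbSubnetCidr:
    Type: String
    Default: 10.100.1.0/24           # assumed: must lie inside the VPC CIDR
  GwlbeSubnetId:
    Type: AWS::EC2::Subnet::Id       # assumed: subnet hosting the GWLB endpoint
  TgwAttachmentSubnetId:
    Type: AWS::EC2::Subnet::Id       # assumed: subnet holding the TGW attachment ENI
  TransitGatewayId:
    Type: String                     # assumed: tgw-xxxxxxxx
  InternetGatewayId:
    Type: String                     # assumed: igw-xxxxxxxx attached to this VPC
  GwlbServiceName:
    Type: String                     # assumed: com.amazonaws.vpce.<region>.vpce-svc-xxxx
  SpokeCidr:
    Type: String
    Default: 10.1.0.0/16             # assumed: spoke VPC range reachable via TGW

Resources:
  # GWLB endpoint in the Security VPC (the "GWLBe" of the discussion).
  GwlbEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcEndpointType: GatewayLoadBalancer
      ServiceName: !Ref GwlbServiceName
      VpcId: !Ref SecurityVpcId
      SubnetIds: [!Ref GwlbeSubnetId]

  # 1) ALB subnet: SNAT'd traffic towards the spokes goes to the GWLBe first.
  AlbRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref SecurityVpcId
  AlbRouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref AlbRouteTable
      SubnetId: !Ref AlbSubnetId
  AlbToSpokesViaGwlbe:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref AlbRouteTable
      DestinationCidrBlock: !Ref SpokeCidr
      VpcEndpointId: !Ref GwlbEndpoint
  AlbDefaultToInternet:
    # Needed for an internet-facing ALB; inspection of the client-side path
    # (IGW edge association) is outside the scope of this example.
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref AlbRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref InternetGatewayId

  # 2) GWLBe subnet: after inspection, forward spoke-bound traffic to the TGW.
  #    Traffic back to the ALB subnet is covered by the VPC local route.
  GwlbeRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref SecurityVpcId
  GwlbeRouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref GwlbeRouteTable
      SubnetId: !Ref GwlbeSubnetId
  GwlbeToSpokesViaTgw:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref GwlbeRouteTable
      DestinationCidrBlock: !Ref SpokeCidr
      TransitGatewayId: !Ref TransitGatewayId

  # 3) TGW attachment subnet: return traffic for the ALB subnet is sent to the
  #    GWLBe. This destination is more specific than the VPC local route, which
  #    is exactly what VPC Routing Enhancements allow; without it the traffic
  #    would bypass the gateways, hence the former need for an Internet VPC.
  TgwAttachmentRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref SecurityVpcId
  TgwAttachmentRouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId: !Ref TgwAttachmentRouteTable
      SubnetId: !Ref TgwAttachmentSubnetId
  TgwToAlbSubnetViaGwlbe:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref TgwAttachmentRouteTable
      DestinationCidrBlock: !Ref AlbSubnetCidr
      VpcEndpointId: !Ref GwlbEndpoint
```

The check worth doing after deploying something like this is symmetry: both the ALB-to-spoke leg and the spoke-to-ALB return leg must traverse the same GWLBe, otherwise the gateways see only half of each flow and drop it as out-of-state. Because the ALB source-NATs to an address in the ALB subnet, the return route only has to match that subnet's CIDR, which is why the more-specific route in the TGW attachment table is sufficient.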