Create an AWS Transit Gateway, attach the shared VPC and authorized business unit VPCs to it, and establish a single transit gateway route table associated with all attached VPCs. Enable automatic route propagation from the attachments into the route table, and configure VPC routing tables to direct traffic to the transit gateway.

Set up a VPC endpoint service using the centralized application's NLB, requiring endpoint acceptance. Create a VPC endpoint in each business unit VPC using the service name of the endpoint service, and manage authorized endpoint requests through the endpoint service console.

Establish a VPC peering connection from each business unit VPC to the shared VPC, accepting these connections from the shared VPC console. Update VPC routing tables to route traffic through the VPC peering connection.

Configure a virtual private gateway for the shared VPC and customer gateways for each authorized business unit VPC. Set up a Site-to-Site VPN connection from the business unit VPCs to the shared VPC, and adjust VPC routing tables to route traffic via the VPN connection.