Create a transit gateway, attach the Site-to-Site VPN, VPC A, and VPC B to it, and update the transit gateway route tables for all networks to include IP range routes for the other networks.

Create a transit gateway, establish a Site-to-Site VPN connection between the on-premises network and VPC B, and connect the VPN to the transit gateway. Add a route to direct traffic to the peered VPCs and an authorization rule to allow access to VPCs A and B.

Update the route tables for the Site-to-Site VPN and both VPCs for all three networks, configure BGP propagation for these networks, and wait for BGP propagation to complete (up to 5 minutes).

Modify the Site-to-Site VPN’s virtual private gateway to include both VPC A and VPC B, and split the virtual private gateway's routers between the two VPCs.