Ani Platform - Azure Landing Zone Architecture
About This Architecture
Ani Platform demonstrates a production-grade Azure landing zone architecture spanning identity, platform, hub networking, and workload subscriptions with strict network segmentation. External traffic flows through Azure Front Door and WAF into an Application Gateway, which routes requests to Next.js and FastAPI services running on Container Apps across isolated spoke virtual networks. The design enforces least-privilege access via Microsoft Entra ID, Managed Identities, and RBAC, while segregating data tier resources—PostgreSQL, Redis, Neo4j, and Blob Storage—into a dedicated data network spoke with private endpoints and Key Vault integration. Fork this diagram on Diagrams.so to customize subnets, add additional workload spokes, or integrate your own CI/CD and monitoring tooling.
People also ask
How do I design a scalable Azure landing zone with hub-spoke networking, Container Apps, and a secure data tier?
The Ani Platform architecture uses a hub virtual network with Azure Firewall and Front Door to route external traffic, spoke VNets for application and data workloads, and Microsoft Entra ID with Managed Identities for zero-trust access. PostgreSQL, Redis, and Neo4j are isolated in a data spoke with private endpoints, while Container Apps run Next.js and FastAPI services in the application spoke.
- Domain: Cloud Azure
- Audience: Azure solutions architects designing enterprise landing zones with containerized workloads
Generated by Diagrams.so — AI architecture diagram generator with native Draw.io output. Fork this diagram, remix it, or download as .drawio, PNG, or SVG.