About This Architecture
The Azure Core-Distribution-Access (CDA) network architecture implements a three-tier security perimeter inside a single VNet (10.0.0.0/8), with DDoS Protection, Azure Firewall, Application Gateway WAF v2, and Front Door in front of the web, app, and database subnets.

Inbound traffic from the Internet is steered by Traffic Manager and the CDN to the Application Gateway (WAF v2), which forwards it to the Web Servers (10.0.2.0/24). The web tier calls the App Servers (10.0.3.0/24), and only the app tier reaches the isolated DB Subnet (10.0.4.0/24), where Azure SQL and PostgreSQL are exposed. Because both database services are PaaS offerings, placing them in the DB subnet implies private endpoints (or VNet integration) rather than VMs, so name resolution and NSG enforcement for that subnet should be configured with that in mind.

Network Security Groups enforce least-privilege rules per layer: NSG-Web allows 80/443 inbound, NSG-App allows 8080, and NSG-DB allows 1433 (SQL Server) and 5432 (PostgreSQL). For these rules to be least privilege in practice, each should also restrict the source to the tier directly in front of it (Application Gateway subnet to web, web to app, app to DB) and should override Azure's built-in AllowVNetInBound default rule with an explicit deny at a lower priority number; otherwise any host in the VNet can still reach the next tier on every port. Azure Bastion, Key Vault, Azure Monitor, and Sentinel provide secure management access, secret storage, and observability.

This architecture demonstrates defense in depth with multiple security controls, granular subnet isolation, and comprehensive logging for enterprise compliance. Fork and customize this diagram on Diagrams.so to match your subscription structure, IP ranges, and regional requirements.
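To make the NSG-DB point concrete, here is an added example (not part of the diagram page or of Azure's own tooling) that models Azure's inbound NSG evaluation order and runs a few flows through it. The subnet ranges are the ones the architecture uses; the rule names, priorities, and the hosts 10.0.2.10 and 10.0.3.10 are assumptions chosen for illustration, and the `VirtualNetwork` tag is simplified to the 10.0.0.0/8 VNet range (in Azure it also covers peered VNets and on-premises ranges reachable through a gateway). The naive rule set is the description read literally (allow 1433/5432, source unrestricted); the hardened one scopes the source to the app subnet and adds an explicit VNet deny below priority 65000.

```python
"""Minimal model of Azure NSG inbound rule evaluation (added example,
not code from the diagram page).  Subnet ranges follow the architecture;
rule names, priorities and sample hosts are assumptions."""
import ipaddress
from dataclasses import dataclass

WEB_SUBNET = ipaddress.ip_network("10.0.2.0/24")
APP_SUBNET = ipaddress.ip_network("10.0.3.0/24")
DB_SUBNET = ipaddress.ip_network("10.0.4.0/24")
VNET = ipaddress.ip_network("10.0.0.0/8")  # stands in for the VirtualNetwork tag


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # lower number is evaluated first and wins
    access: str        # "Allow" or "Deny"
    source: str        # CIDR, "VirtualNetwork", "AzureLoadBalancer" or "*"
    dest_ports: tuple  # ints, or ("*",) for any port


# Azure's built-in default inbound rules: always present, only overridable
# by custom rules with a lower priority number.
DEFAULT_INBOUND = (
    Rule("AllowVNetInBound", 65000, "Allow", "VirtualNetwork", ("*",)),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "AzureLoadBalancer", ("*",)),
    Rule("DenyAllInBound", 65500, "Deny", "*", ("*",)),
)


def _source_matches(rule: Rule, src: ipaddress.IPv4Address) -> bool:
    if rule.source == "*":
        return True
    if rule.source == "VirtualNetwork":
        return src in VNET
    if rule.source == "AzureLoadBalancer":
        return False  # health-probe address is not modelled here
    return src in ipaddress.ip_network(rule.source)


def evaluate_inbound(rules, src_ip: str, dst_port: int) -> str:
    """Return 'Allow:<rule>' or 'Deny:<rule>' for the first matching rule."""
    src = ipaddress.ip_address(src_ip)
    for rule in sorted(tuple(rules) + DEFAULT_INBOUND, key=lambda r: r.priority):
        if not _source_matches(rule, src):
            continue
        if "*" in rule.dest_ports or dst_port in rule.dest_ports:
            return f"{rule.access}:{rule.name}"
    raise RuntimeError("unreachable: DenyAllInBound matches everything")


# NSG-DB as the description reads literally: ports only, source unrestricted.
NSG_DB_NAIVE = (
    Rule("AllowSQL", 100, "Allow", "*", (1433, 5432)),
)

# NSG-DB with least privilege enforced: only the app subnet may reach the
# database ports, and all other VNet traffic is denied at a priority number
# below 65000 so the default AllowVNetInBound rule never applies.
NSG_DB_HARDENED = (
    Rule("AllowSQLFromApp", 100, "Allow", str(APP_SUBNET), (1433, 5432)),
    Rule("DenyVNetInBound", 4000, "Deny", "VirtualNetwork", ("*",)),
)


def web_can_reach_db(rules, port: int) -> bool:
    """Flow from an assumed web-tier host into the DB subnet."""
    return evaluate_inbound(rules, "10.0.2.10", port).startswith("Allow")


def app_can_reach_db(rules, port: int) -> bool:
    """Flow from an assumed app-tier host into the DB subnet."""
    return evaluate_inbound(rules, "10.0.3.10", port).startswith("Allow")


if __name__ == "__main__":
    for label, rules in (("naive", NSG_DB_NAIVE), ("hardened", NSG_DB_HARDENED)):
        print(label,
              "web->1433:", evaluate_inbound(rules, "10.0.2.10", 1433),
              "web->22:", evaluate_inbound(rules, "10.0.2.10", 22),
              "app->5432:", evaluate_inbound(rules, "10.0.3.10", 5432))
```

Running it shows the gap: with the naive rule set the web tier reaches the database ports directly, and reaches port 22 too, because nothing in the custom rules matches and AllowVNetInBound (65000) permits it. With the hardened set only 10.0.3.0/24 reaches 1433/5432 and every other VNet source hits the explicit deny.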