About This Architecture
Azure hub-and-spoke network segmentation with DMZ, distribution, and access layers protecting workloads across multiple subnets. Traffic flows from the Internet through Azure Firewall and DDoS Protection to Application Gateway with WAF, then to internal load balancers that route to the app and web servers.

Network Security Groups enforce least-privilege rules at each tier: the web tier allows 80/443, the app tier allows 8080 from the web tier only, the database tier allows 1433 from the app servers only, and the dev tier restricts SSH/RDP to Azure Bastion. The management and security layer includes Azure Bastion, Monitor, Key Vault, Sentinel, and Log Analytics for centralized access control and threat detection.

Fork this diagram to customize subnets or NSG rules, or to add spoke VNets for multi-region deployments. This architecture demonstrates Azure best practices for zero-trust networking, compliance, and operational visibility.
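The per-tier NSG policy above is easy to state but has two details that decide whether it actually holds: Azure evaluates rules in ascending priority number and stops at the first match, and every NSG carries default rules behind the custom ones, including AllowVnetInBound (priority 65000) which admits any source inside the VNet. The following model is an added example, not part of the diagram or any Azure SDK; it encodes the stated rules for the web, app, database, and dev tiers, evaluates constructed sample flows with those semantics, and shows why an explicit deny at priority 4096 is needed for "from the web tier only" to be true. The subnet prefixes, rule names, and the 168.63.129.16 health-probe source are assumptions for the example (the probe address is Azure's documented platform address, the prefixes are made up).

```python
"""Model of the per-tier inbound NSG rules described above, evaluated with Azure
NSG semantics: rules are checked in ascending priority number, the first match
decides, and the platform default rules (AllowVnetInBound 65000,
AllowAzureLoadBalancerInBound 65001, DenyAllInBound 65500) sit behind the
custom ones. Added example; subnet prefixes are constructed placeholders."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample address plan (assumption, not taken from the diagram).
SUBNETS = {
    "web": ip_network("10.1.1.0/24"),
    "app": ip_network("10.1.2.0/24"),
    "db": ip_network("10.1.3.0/24"),
    "dev": ip_network("10.1.4.0/24"),
    "bastion": ip_network("10.0.1.0/26"),   # AzureBastionSubnet in the hub
}
AZURE_LB_PROBE_IP = ip_address("168.63.129.16")  # source of Azure LB health probes


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int           # custom rules 100-4096; lower number is checked first
    access: str             # "Allow" or "Deny"
    source: str             # CIDR, or service tag: "VirtualNetwork", "AzureLoadBalancer", "*"
    dest_ports: frozenset   # TCP ports, or {"*"} for any port


def ports(*p):
    return frozenset(p)


DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Allow", "VirtualNetwork", ports("*")),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "AzureLoadBalancer", ports("*")),
    Rule("DenyAllInBound", 65500, "Deny", "*", ports("*")),
]

# The explicit DenyAllOther at 4096 is what makes "from web only" true: without it
# the default AllowVnetInBound (65000) admits any source inside the VNet. Tiers
# fronted by an internal load balancer also need to admit its health probes.
TIER_RULES = {
    "web": [
        Rule("AllowWebInBound", 100, "Allow", "*", ports(80, 443)),
        Rule("AllowLbProbesInBound", 200, "Allow", "AzureLoadBalancer", ports("*")),
        Rule("DenyAllOtherInBound", 4096, "Deny", "*", ports("*")),
    ],
    "app": [
        Rule("AllowAppFromWeb", 100, "Allow", str(SUBNETS["web"]), ports(8080)),
        Rule("AllowLbProbesInBound", 200, "Allow", "AzureLoadBalancer", ports("*")),
        Rule("DenyAllOtherInBound", 4096, "Deny", "*", ports("*")),
    ],
    "db": [
        Rule("AllowSqlFromApp", 100, "Allow", str(SUBNETS["app"]), ports(1433)),
        Rule("DenyAllOtherInBound", 4096, "Deny", "*", ports("*")),
    ],
    "dev": [
        Rule("AllowMgmtFromBastion", 100, "Allow", str(SUBNETS["bastion"]), ports(22, 3389)),
        Rule("DenyAllOtherInBound", 4096, "Deny", "*", ports("*")),
    ],
}


def source_matches(selector, src):
    """Match a source address against a CIDR or one of the modelled service tags."""
    if selector == "*":
        return True
    if selector == "VirtualNetwork":
        return any(src in net for net in SUBNETS.values())
    if selector == "AzureLoadBalancer":
        return src == AZURE_LB_PROBE_IP
    return src in ip_network(selector)


def evaluate(rules, src_ip, dst_port):
    """Decide an inbound TCP flow: returns (access, name_of_deciding_rule)."""
    src = ip_address(src_ip)
    for rule in sorted(list(rules) + DEFAULT_RULES, key=lambda r: r.priority):
        if "*" not in rule.dest_ports and dst_port not in rule.dest_ports:
            continue
        if source_matches(rule.source, src):
            return rule.access, rule.name
    raise RuntimeError("DenyAllInBound should always match")  # unreachable


def without_explicit_deny(rules):
    """The same tier with its 4096 deny removed, to show what the default rules let through."""
    return [r for r in rules if r.access == "Allow"]


if __name__ == "__main__":
    # Constructed sample flows (tier, source, port) covering the stated policy.
    flows = [
        ("web", "203.0.113.5", 443), ("web", "203.0.113.5", 22),
        ("app", "10.1.1.10", 8080), ("app", "10.1.4.10", 8080), ("app", "168.63.129.16", 8080),
        ("db", "10.1.2.10", 1433), ("db", "10.1.1.10", 1433),
        ("dev", "10.0.1.5", 22), ("dev", "203.0.113.5", 3389),
    ]
    for tier, src, port in flows:
        access, name = evaluate(TIER_RULES[tier], src, port)
        print(f"{tier:4} {src:>15} :{port:<5} {access:5} ({name})")
    # Dropping the explicit deny lets the dev subnet reach the app tier via AllowVnetInBound.
    print("app without deny, src dev:", evaluate(without_explicit_deny(TIER_RULES["app"]), "10.1.4.10", 8080))
```

Running the script prints one decision per sample flow and then the same app-tier check with the 4096 deny removed, where the dev subnet is admitted by the default AllowVnetInBound rule. When reviewing a real deployment, pull the effective rules with `az network nic list-effective-nsg` and confirm that each workload subnet ends with an explicit deny and that load-balanced tiers still allow the AzureLoadBalancer tag ahead of it.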