Azure ISV SaaS Platform - Lift-and-Shift Hub-Spoke
About This Architecture
Azure ISV SaaS platform using a hub-spoke architecture with dedicated single-tenant VM instances for each customer, centralizing security and networking through a shared hub virtual network. The hub contains Azure Firewall, Bastion, VPN Gateway, and Private DNS Resolver, while production and non-production spoke VNets host customer workloads on Linux VMs running Java, Apache Tomcat, and MySQL. Inbound traffic flows through Application Gateway with WAF v2 and DDoS Protection; all infrastructure is managed via Azure DevOps CI/CD, Terraform/Bicep IaC, and Azure VM Image Builder for golden images. This lift-and-shift pattern isolates each customer's data and compute while keeping governance centralized, with monitoring via Azure Monitor and Log Analytics and compliance through Microsoft Defender for Cloud and Azure Policy. Fork this diagram to customize subnets, add ExpressRoute connectivity, or adjust VM SKUs for your SaaS customer base.
People also ask
How do you design a multi-tenant SaaS platform on Azure with dedicated customer instances and centralized security?
Use a hub-spoke virtual network topology where the hub contains shared services (Azure Firewall, Bastion, VPN Gateway, DNS Resolver) and each production spoke hosts dedicated single-tenant customer VMs with isolated subnets. Route all ingress through Application Gateway with WAF v2 and DDoS Protection, manage infrastructure via Terraform/Bicep and Azure DevOps CI/CD, and monitor with Azure Monitor
- Domain: Cloud / Azure
- Audience: Azure solutions architects designing multi-tenant SaaS platforms with hub-spoke topology
Generated by Diagrams.so — AI architecture diagram generator with native Draw.io output. Fork this diagram, remix it, or download as .drawio, PNG, or SVG.