About This Architecture
Azure ISV SaaS platform using a hub-spoke architecture with dedicated single-tenant VM instances for each customer, centralizing security and networking through a shared hub virtual network. The hub contains Azure Firewall, Bastion, VPN Gateway, and Private DNS Resolver, while production and non-production spoke VNets host customer workloads on Linux VMs running Java, Apache Tomcat, and MySQL. Inbound traffic flows through Application Gateway with WAF v2 and DDoS Protection. All infrastructure is managed via Azure DevOps CI/CD, Terraform/Bicep IaC, and Azure VM Image Builder for golden images. This lift-and-shift pattern isolates each customer's data and compute while keeping governance centralized: monitoring via Azure Monitor and Log Analytics, and compliance through Microsoft Defender for Cloud and Azure Policy. Fork this diagram to customize subnets, add ExpressRoute connectivity, or adjust VM SKUs for your SaaS customer base.
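The spoke side of this pattern in Terraform, as an added example that is not part of the diagram or its IaC: one customer's production spoke is peered only to the hub and force-tunnelled through Azure Firewall, so the tenant VMs have no egress path that bypasses central inspection. Resource group, region, hub VNet id, firewall private IP, names and address ranges are all assumed inputs; the azurerm provider 4.x argument names are used.

```hcl
variable "rg"          { type = string } # assumed: resource group for this tenant's spoke
variable "location"    { type = string }
variable "hub_vnet_id" { type = string } # assumed: id of the shared hub VNet
variable "firewall_ip" { type = string } # assumed: Azure Firewall private IP, e.g. "10.0.1.4"

resource "azurerm_virtual_network" "spoke" {
  name                = "vnet-prod-customer-a" # assumed naming
  resource_group_name = var.rg
  location            = var.location
  address_space       = ["10.10.0.0/16"] # assumed; must not overlap hub or other spokes
}

resource "azurerm_subnet" "app" {
  name                 = "snet-app"
  resource_group_name  = var.rg
  virtual_network_name = azurerm_virtual_network.spoke.name
  address_prefixes     = ["10.10.1.0/24"]
}

# Default route to the hub firewall: tenant VMs get no direct egress, so
# every flow leaving the spoke is inspected and logged centrally.
resource "azurerm_route_table" "spoke" {
  name                          = "rt-prod-customer-a"
  resource_group_name           = var.rg
  location                      = var.location
  bgp_route_propagation_enabled = false # azurerm 4.x name; stops VPN-learned routes bypassing the UDR

  route {
    name                   = "default-via-firewall"
    address_prefix         = "0.0.0.0/0"
    next_hop_type          = "VirtualAppliance"
    next_hop_in_ip_address = var.firewall_ip
  }
}

resource "azurerm_subnet_route_table_association" "app" {
  subnet_id      = azurerm_subnet.app.id
  route_table_id = azurerm_route_table.spoke.id
}

# Peer to the hub only. With no spoke-to-spoke peering, one customer's
# VNet can reach another's only if an Azure Firewall rule allows it.
resource "azurerm_virtual_network_peering" "spoke_to_hub" {
  name                      = "peer-to-hub"
  resource_group_name       = var.rg
  virtual_network_name      = azurerm_virtual_network.spoke.name
  remote_virtual_network_id = var.hub_vnet_id
  allow_forwarded_traffic   = true # accept traffic the firewall forwards back
  use_remote_gateways       = true # reach on-prem via the hub VPN Gateway
}
```

The matching hub-to-spoke peering (with allow_gateway_transit = true) is assumed to be created by the hub module; the route table also belongs on the MySQL subnet, not just the app tier, so database traffic cannot leave the spoke uninspected.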