About This Architecture
Azure mini landing zone implementing a hub-and-spoke network topology with centralized security, identity, and logging across nine spoke subscriptions. The hub subscription routes all traffic through a FortiGate VM and Azure Firewall with WAF, while management, identity, security, and logging spokes provide platform services. Compute, containerized, and database spokes isolate workloads by deployment model (IaaS, PaaS, AKS, Container Apps, and managed databases), enabling governance, cost allocation, and blast radius containment. This architecture demonstrates Azure landing zone best practices for multi-subscription enterprises that require centralized network control, compliance monitoring via Sentinel and Log Analytics, and secure hybrid connectivity through VPN Gateway and ExpressRoute. Fork this diagram to customize subscription naming or IP ranges, or to add spoke tiers for your organization's scale and compliance requirements.
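As an added example (not the diagram's own code), the spoke-side Bicep that implements the forced-egress pattern the description relies on: a default route to the hub Azure Firewall, that route table attached to the workload subnet, and the peering flags hub forwarding needs. The firewall private IP, hub VNet resource ID and address ranges are assumed placeholders.

```bicep
// Added example (not the diagram's own code): spoke-side resources forcing a spoke's
// egress through the hub Azure Firewall. Firewall IP, hub VNet ID and ranges are placeholders.
param location string = resourceGroup().location
param hubFirewallPrivateIp string = '10.0.1.4'  // assumed AzureFirewallSubnet private IP
param hubVnetId string                          // hub VNet lives in the hub subscription
// Default route to the firewall as a virtual appliance. disableBgpRoutePropagation
// stops routes learned over VPN/ExpressRoute from letting traffic bypass the firewall.
resource spokeRt 'Microsoft.Network/routeTables@2023-05-01' = {
  name: 'rt-spoke-compute'
  location: location
  properties: {
    disableBgpRoutePropagation: true
    routes: [
      {
        name: 'default-to-hub-firewall'
        properties: { addressPrefix: '0.0.0.0/0', nextHopType: 'VirtualAppliance', nextHopIpAddress: hubFirewallPrivateIp }
      }
    ]
  }
}

// Every workload subnet gets the route table; a subnet without it keeps a direct
// Internet path that the hub firewall never sees. Address space is constructed.
resource spokeVnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: 'vnet-spoke-compute'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.10.0.0/16' ] }
    subnets: [
      {
        name: 'snet-workload'
        properties: { addressPrefix: '10.10.1.0/24', routeTable: { id: spokeRt.id } }
      }
    ]
  }
}

// Spoke -> hub peering. allowForwardedTraffic accepts packets the firewall forwards from
// other spokes; useRemoteGateways needs the hub's reciprocal peering to set allowGatewayTransit.
resource spokeToHub 'Microsoft.Network/virtualNetworks/virtualNetworkPeerings@2023-05-01' = {
  parent: spokeVnet
  name: 'peer-to-hub'
  properties: {
    remoteVirtualNetwork: { id: hubVnetId }
    allowVirtualNetworkAccess: true
    allowForwardedTraffic: true
    allowGatewayTransit: false
    useRemoteGateways: true
  }
}
```

The matching hub-to-spoke peering (with allowGatewayTransit enabled) is deployed from the hub subscription, so the spoke deployment only succeeds once the hub VNet and its gateway exist.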