Azure Mini Landing Zone - AI Hub and Spoke
About This Architecture
Azure mini landing zone implementing hub-and-spoke network topology with centralized security, identity, and logging across nine spoke subscriptions. Hub subscription routes all traffic through FortiGate VM and Azure Firewall with WAF, while management, identity, security, and logging spokes provide platform services. Compute, containerized, and database spokes isolate workloads by deployment model—IaaS, PaaS, AKS, Container Apps, and managed databases—enabling governance, cost allocation, and blast radius containment. This architecture demonstrates Azure landing zone best practices for multi-subscription enterprises requiring centralized network control, compliance monitoring via Sentinel and Log Analytics, and secure hybrid connectivity through VPN Gateway and ExpressRoute. Fork this diagram to customize subscription naming, IP ranges, or add additional spoke tiers for your organization's scale and compliance requirements.
People also ask
How do I design an Azure landing zone with hub-and-spoke topology across multiple subscriptions?
This diagram shows a complete Azure mini landing zone with a central hub subscription routing traffic through FortiGate and Azure Firewall, connected to nine spoke subscriptions organized by function: management, identity, security, logging, compute IaaS, compute PaaS, containerized workloads, non-containerized apps, and databases. Each spoke isolates workloads by deployment model while inheriting
- Domain: Cloud Azure
- Audience: Azure solutions architects designing enterprise landing zones with hub-and-spoke topology
Generated by Diagrams.so — AI architecture diagram generator with native Draw.io output.