About This Architecture
Enterprise-grade Azure network infrastructure with multi-layer security, featuring a DMZ with Azure Firewall and DDoS Protection, a distribution layer with Application Gateway WAF and load balancers, and an access layer with segmented subnets for web, app, database, and management workloads. Traffic flows from the Internet through the Firewall and WAF to the web servers, then to the app servers, and finally to SQL Primary/Standby and Cosmos DB in isolated database subnets. Network segmentation is enforced via NSGs on each subnet, with role-based access through Azure Bastion, secrets management via Key Vault, and comprehensive monitoring through Azure Monitor, Log Analytics, and Sentinel. This architecture demonstrates Azure best practices for zero-trust networking, least-privilege access, and defense-in-depth across a production VNet spanning 10.0.0.0/8. Fork this diagram to customize subnets, add additional regions, or integrate with your Azure governance policies and compliance requirements.
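Added example, not part of the diagram or this page: a small Python model of how Azure evaluates inbound NSG rules by priority, used to check the database-subnet policy the described traffic flow implies (only app servers may reach SQL). The per-tier CIDRs, the rule set and the probe addresses are constructed assumptions; the default-rule behaviour (AllowVnetInBound at 65000, DenyAllInBound at 65500) is Azure's documented behaviour.

```python
import ipaddress
from dataclasses import dataclass

# Constructed tier subnets inside the diagram's 10.0.0.0/8 VNet (assumptions).
VNET = ipaddress.ip_network("10.0.0.0/8")
SUBNETS = {"web": "10.0.1.0/24", "app": "10.0.2.0/24", "db": "10.0.3.0/24"}

@dataclass(frozen=True)
class Rule:
    priority: int   # lower number is evaluated first; first match wins
    access: str     # "Allow" or "Deny"
    source: str     # CIDR, the "VirtualNetwork" service tag, or "*"
    port: str       # destination port as a string, or "*"

def src_ok(rule_source, src_ip):
    ip = ipaddress.ip_address(src_ip)
    if rule_source == "*":
        return True
    if rule_source == "VirtualNetwork":
        return ip in VNET
    return ip in ipaddress.ip_network(rule_source)

# Azure's built-in inbound defaults that matter here. AllowVnetInBound (65000)
# admits any VNet source, so tier isolation needs an explicit Deny below 65000.
DEFAULT_INBOUND = [
    Rule(65000, "Allow", "VirtualNetwork", "*"),
    Rule(65500, "Deny", "*", "*"),
]

def evaluate(rules, src_ip, dst_port):
    for rule in sorted(rules + DEFAULT_INBOUND, key=lambda r: r.priority):
        if src_ok(rule.source, src_ip) and rule.port in ("*", str(dst_port)):
            return rule.access
    return "Deny"

# Database-subnet NSG matching the diagram's flow: only app servers reach
# SQL on 1433, and every other VNet source is explicitly denied.
DB_INBOUND = [
    Rule(100, "Allow", SUBNETS["app"], "1433"),
    Rule(4000, "Deny", "VirtualNetwork", "*"),
]
# Same NSG without the explicit deny: the default rule then lets web in.
DB_INBOUND_LEAKY = [Rule(100, "Allow", SUBNETS["app"], "1433")]

def check_db_segmentation(rules):
    return {
        "app_to_sql": evaluate(rules, "10.0.2.10", 1433),
        "web_to_sql": evaluate(rules, "10.0.1.10", 1433),
        "internet_to_sql": evaluate(rules, "198.51.100.7", 1433),
    }
```

Running `check_db_segmentation` on both rule sets shows why an allow rule alone does not segment tiers: without the explicit VirtualNetwork deny, web servers can reach SQL through the 65000 default.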