About This Architecture
This diagram shows an enterprise-grade Azure network with a DMZ, a three-tier application architecture, and security controls spread across multiple subnets and NSGs. Traffic flows from the Internet through Azure Firewall and DDoS Protection into Application Gateway with WAF, and is then distributed via public and internal load balancers to the web, app, and database tiers. Azure Bastion provides secure management access, while Key Vault, Azure Monitor, Log Analytics, and Sentinel deliver centralized security, compliance, and observability across the vnet-prod virtual network. This production-ready design demonstrates least-privilege NSG rules, traffic segmentation, and defense-in-depth principles essential for regulated workloads. Fork and customize this diagram to match your subscription topology, IP ranges, and security policies.
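As an added example (not part of the original diagram or its description), the sketch below checks tier segmentation on the database subnet by evaluating NSG rules in priority order, including Azure's built-in `AllowVnetInBound` default, which permits all intra-VNet traffic unless an explicit deny sits ahead of it. The subnet ranges, custom rule names, and SQL port 1433 are constructed assumptions; the page gives no address plan.

```python
import ipaddress

# Constructed address plan; the page names the tiers but gives no ranges.
SUBNETS = {"web": "10.0.1.0/24", "app": "10.0.2.0/24", "db": "10.0.3.0/24"}
VNET = "10.0.0.0/16"

# Azure's built-in inbound defaults as (priority, name, source, port, action).
DEFAULTS = [
    (65000, "AllowVnetInBound", VNET, "*", "Allow"),
    (65500, "DenyAllInBound", "0.0.0.0/0", "*", "Deny"),
]

def evaluate(rules, src_ip, port):
    """Return (action, rule name) of the first match, lowest priority number first."""
    src = ipaddress.ip_address(src_ip)
    for _prio, name, source, rport, action in sorted(rules + DEFAULTS):
        if src in ipaddress.ip_network(source) and rport in ("*", port):
            return action, name
    return "Deny", "implicit"

def reachable_tiers(rules, port):
    """Tiers whose first host address is allowed through the NSG on `port`."""
    allowed = []
    for tier, cidr in SUBNETS.items():
        host = str(next(ipaddress.ip_network(cidr).hosts()))
        if evaluate(rules, host, port)[0] == "Allow":
            allowed.append(tier)
    return allowed

# Database-subnet NSG, weak form: one allow rule, defaults handle the rest.
# (Rule names here are hypothetical.)
DB_NSG_WEAK = [(100, "AllowAppToSql", SUBNETS["app"], 1433, "Allow")]

# Hardened form: same allow, plus an explicit deny ahead of AllowVnetInBound.
DB_NSG_HARDENED = DB_NSG_WEAK + [(4096, "DenyVnetInBound", VNET, "*", "Deny")]

if __name__ == "__main__":
    for label, nsg in (("weak", DB_NSG_WEAK), ("hardened", DB_NSG_HARDENED)):
        print(label, "-> tiers that reach db:1433:", reachable_tiers(nsg, 1433))
```

In the weak form the web tier reaches the database directly because the default rule matches before `DenyAllInBound`; the hardened form leaves only the app tier.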