About This Architecture
Carrefour's hybrid microservices platform integrates on-premises infrastructure with Azure West Europe via a Hub-Spoke VNet topology, with Azure Container Apps (ACA) as the recommended compute foundation. Traffic from external users passes through Application Gateway and WAF in the DMZ, then reaches internal microservices in the Spoke VNet across the Ingress, ACA, and Platform Services subnets. Egress is governed through Azure Firewall, and DNS resolution is handled by Private Resolver. The architecture combines Infrastructure-as-Code (Terraform), CI/CD (Jenkins), artifact management (GCP Artifact Registry), observability (Elastic), and security primitives including Managed Identity, Key Vault, App Configuration, and Private Link for seamless hybrid connectivity. This pattern demonstrates enterprise-grade multi-cloud integration with clear separation of concerns, centralized governance, and event-driven workload orchestration using Azure Functions on ACA for exceptions. Fork and customize this diagram on Diagrams.so to adapt the Hub-Spoke model, adjust subnet ranges, or swap components for your hybrid infrastructure requirements.