About This Architecture
Enterprise hub-and-spoke network architecture on Azure with zero-trust identity, DDoS protection, and hybrid connectivity across global offices. Traffic flows from WPS Users through Azure Front Door, WAF Policy, and Azure CDN before routing to the hub VNet with Azure Firewall Premium, and then to spoke VNets hosting App Service, AKS, Function Apps, and data services such as Azure SQL Database and Cosmos DB. Microsoft Entra ID enforces Conditional Access and Privileged Identity Management, while Microsoft Sentinel, Defender for Cloud, and Log Analytics provide unified security monitoring and governance. Hybrid offices in Cayman, Dublin, Hong Kong, Bermuda, BVI, and Singapore connect via Azure Virtual WAN, ExpressRoute, and VPN Gateway, ensuring secure cross-premises traffic. Fork this diagram on Diagrams.so to customize resource groups, add additional spokes, or adapt the security zones for your compliance requirements.