Hybrid On-Prem to Azure Secure Hub-Spoke

azure · network diagram.

About This Architecture

Hub-spoke network topology connecting two on-premises datacenters to Azure via VPN Gateway, with a DMZ, Azure Bastion, and managed security services in the hub. Traffic flows from remote users through the Edge Firewall and VPN Concentrator into the on-prem core layer, then across the WAN to the Azure Hub VNet, which houses Azure Firewall, WAF, and DDoS Protection. Spoke VNets isolate IaaS compute (VMs, VM Scale Sets) and PaaS services (SQL Database, Cosmos DB, Storage), with Entra ID, Defender for Cloud, and Sentinel providing identity and security monitoring. This architecture enforces zero-trust principles, centralizes threat detection, and enables consistent hybrid workload management across on-prem DC1, DC2, and Azure. Fork this diagram to customize subnets, add ExpressRoute, or adjust NSG rules for your compliance requirements.

People also ask

How do I design a secure hybrid network connecting on-premises datacenters to Azure with centralized security and monitoring?

This diagram shows a hub-spoke topology where on-prem DC1 and DC2 connect via VPN Gateway to an Azure Hub VNet containing Azure Firewall, WAF, and Bastion. Spoke VNets isolate IaaS and PaaS workloads, while Sentinel SIEM and Defender for Cloud provide unified threat detection and compliance monitoring across hybrid infrastructure.


Tags: Azure, advanced, Azure networking, hub-spoke topology, hybrid cloud, VPN Gateway, zero-trust security, on-premises integration
Domain: Cloud Azure
Audience: Azure solutions architects designing hybrid on-premises to cloud migrations

Created by

March 11, 2026

Updated

March 13, 2026 at 2:56 AM

Type

network
