Architecture gallery
Tags: Cloud Platform · DevOps · production

Azure Hub-Spoke Landing Zone

A Terraform hub-spoke topology for Azure: a firewall + private-DNS hub peered to four VNets, with every data and AI service reachable only through private endpoints.

NETWORK TOPOLOGY · hub-spoke · Central US
[Network topology diagram] HUB VNet · 10.0.0.0/16 · Azure Firewall + Private DNS zones, peered to three spokes: SPOKE VNet · 10.1.0.0/16 · workloads (Databricks + access connector, Azure OpenAI cognitive, Data Factory + SHIR, Functions app/plan, Key Vault secrets, Storage ADLS; every service reachable only via a private endpoint); BrowserAuth VNet · 10.2.0.0/16 · Databricks browser-auth workspace; Sandbox VNet · 10.3.0.0/16 · testing. NSGs + route tables force all egress through the hub firewall · ~21 Terraform modules.
Diagram layers: 01 · Hub · Firewall + DNS | 02 · Spoke · workloads | 03 · BrowserAuth · Databricks | 04 · Sandbox | 05 · Private endpoints
Tech stack
Terraform · Azure Firewall · Private DNS · VNet Peering · Databricks · Azure OpenAI · Data Factory

What it does

Builds a segmented Azure network from code (Central US). A hub VNet (10.0.0.0/16) runs Azure Firewall and Private DNS; three spokes peer back to it: workloads (10.1.0.0/16), Databricks browser-auth (10.2.0.0/16), and sandbox (10.3.0.0/16). Every service is reached only over a private endpoint, and route tables push all spoke egress through the hub firewall.
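To show how the two controls described above (spoke egress forced through the hub firewall, and a service reachable only through a private endpoint) are expressed in Terraform, here is an added example; it is not one of the project's own modules. It assumes resources already defined elsewhere under the hypothetical names `azurerm_resource_group.hub`, `azurerm_firewall.hub`, `azurerm_subnet.spoke_workloads` and `azurerm_key_vault.workloads`, and that the private DNS zone is linked to the hub VNet so spoke lookups resolve through it.

```hcl
# Added example; resource names referenced but not declared here are assumed.
# 1. Default route for the workloads spoke: 0.0.0.0/0 -> hub firewall private IP.
#    A workload then has no path to the internet that bypasses firewall rules/logs.
resource "azurerm_route_table" "spoke_egress" {
  name                = "rt-spoke-workloads"
  location            = "centralus"
  resource_group_name = azurerm_resource_group.hub.name
}

resource "azurerm_route" "default_via_firewall" {
  name                   = "default-to-hub-firewall"
  resource_group_name    = azurerm_resource_group.hub.name
  route_table_name       = azurerm_route_table.spoke_egress.name
  address_prefix         = "0.0.0.0/0"
  next_hop_type          = "VirtualAppliance"
  next_hop_in_ip_address = azurerm_firewall.hub.ip_configuration[0].private_ip_address
}

resource "azurerm_subnet_route_table_association" "spoke_workloads" {
  subnet_id      = azurerm_subnet.spoke_workloads.id
  route_table_id = azurerm_route_table.spoke_egress.id
}

# 2. Private endpoint for Key Vault. The privatelink zone makes the vault's
#    public hostname resolve to the endpoint's 10.1.x.x address inside the VNets.
resource "azurerm_private_dns_zone" "keyvault" {
  name                = "privatelink.vaultcore.azure.net"
  resource_group_name = azurerm_resource_group.hub.name
}

resource "azurerm_private_endpoint" "keyvault" {
  name                = "pe-keyvault"
  location            = "centralus"
  resource_group_name = azurerm_resource_group.hub.name
  subnet_id           = azurerm_subnet.spoke_workloads.id

  private_service_connection {
    name                           = "keyvault-psc"
    private_connection_resource_id = azurerm_key_vault.workloads.id
    subresource_names              = ["vault"]
    is_manual_connection           = false
  }

  # Registers the endpoint's A record in the zone automatically.
  private_dns_zone_group {
    name                 = "keyvault-dns"
    private_dns_zone_ids = [azurerm_private_dns_zone.keyvault.id]
  }
}
```

The endpoint only closes the private path; the vault itself still needs public network access disabled (and the firewall needs explicit allow rules for the traffic the spoke is meant to send) for "reachable only via a private endpoint" to hold.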