Azure Hub-Spoke Landing Zone
A modular Terraform landing zone for Azure: a hub-spoke network with a central firewall, private DNS, and four peered VNets where every data and AI service sits behind a private endpoint.
Standing up Azure for AI and analytics by hand tends to produce flat networks, public endpoints, and config that drifts between environments. It's hard to repeat and harder to secure.
~21 reusable Terraform modules that deploy a hub-spoke topology across four VNets. The hub runs Azure Firewall and Private DNS; spokes hold the workloads; everything talks over private endpoints, with NSGs and route tables forcing egress through the firewall.
A repeatable, segmented Azure foundation (Central US) where Databricks, Azure OpenAI, Data Factory, Functions, Key Vault, and storage all sit behind private endpoints. A new environment is a config change, not a rebuild.
Four VNets, one hub
A hub VNet (10.0.0.0/16) centralizes Azure Firewall and Private DNS. Three spokes peer back to it: workloads (10.1.0.0/16), an isolated Databricks browser-auth network (10.2.0.0/16), and a sandbox (10.3.0.0/16). Peering is hub-to-each-spoke, so spokes never talk directly.
Private by default
Databricks (with its access connector to ADLS), Azure OpenAI, Data Factory and its self-hosted integration runtime, Functions, Key Vault, and storage all connect through private endpoints with matching Private DNS zones. NSGs and route tables push egress through the hub firewall — nothing is exposed publicly by default.
Modular IaC
~21 single-purpose modules — vnet, subnets, peering, firewall, nsg, route tables, private endpoints, private DNS zones, Databricks workspaces, access connector, Data Factory, SHIR, Functions, Key Vault, storage — composed in one root. Standing up a new environment is wiring modules, not copy-paste.