Case Study: Secure Azure Landing Zone and Network Segmentation for Hybrid Estates

Summary
A multi-site enterprise organisation required a standardised and secure foundation to support its hybrid cloud strategy. The organisation needed to enable both the migration of on-premises workloads to the cloud and the secure deployment of new cloud-native services. With a complex existing infrastructure, they lacked a clean, compliant, and scalable entry point into Microsoft Azure, exposing them to inconsistent security postures and management overhead.
Challenge
The primary challenge was to design and implement a network architecture in Azure that could securely manage traffic between on-premises data centres, multiple virtual networks, and the public internet. The solution needed to enforce strong segmentation, inspect all traffic for threats, and limit the public exposure of Azure platform services. This had to be achieved while establishing a repeatable framework that could be applied across different business units and future projects, ensuring consistent governance and security from the ground up.
Objectives
The project was defined by several core objectives:
- Design and deploy a secure and compliant Azure Landing Zone to serve as the foundation for all cloud workloads.
- Implement a hub-and-spoke network topology to centralise network services and security controls.
- Establish robust and secure connectivity for hybrid integration with on-premises infrastructure.
- Enforce strict network segmentation and traffic inspection using enterprise-grade firewall solutions.
- Minimise the attack surface by using private endpoints for Azure PaaS services.
- Create a scalable and repeatable architectural blueprint aligned with Microsoft’s Zero Trust Framework.
Approach and Delivery
The engagement involved an end-to-end architectural design, build, and rollout. The process began with producing comprehensive Statements of Work (SOWs) and detailed Visio architecture diagrams so that all stakeholders were aligned on the target landing zone design before anything was built.
A hands-on delivery model was adopted to build the infrastructure, configuring all core networking and security components. This was supported by an integrated change management strategy to ensure a seamless transition for the organisation’s technical teams and end-users. A repeatable framework was developed during the process, enabling the rapid and consistent deployment of similar landing zones for future client requirements.
Technical Implementation
The solution was grounded in a robust implementation of Azure networking and security best practices:
- Network Architecture: A hub-and-spoke virtual network architecture was deployed. The central hub VNet hosted shared services, including firewalls and connectivity gateways, while individual spoke VNets provided workload isolation.
- Firewall and Security: A combination of FortiGate and Azure Firewall appliances was integrated into the hub to inspect all ingress, egress, and east-west traffic. This only holds when every spoke subnet carries a user-defined route that sends traffic to the firewall and spokes are peered to the hub alone, never to each other; a subnet without that route, or a direct spoke-to-spoke peering, bypasses inspection. Network Security Groups (NSGs) were applied to subnets for micro-segmentation, and components that had to authenticate to Entra ID-protected Azure APIs used Managed Identities rather than stored service-principal credentials.
- Hybrid Connectivity & DNS: Consistent with the hub-and-spoke model, spoke VNets were peered to the hub, which hosts the gateways for on-premises connectivity, so workloads reach the data centres through the hub rather than through gateways of their own. For name resolution across the hybrid estate, on-premises DNS and Azure Private DNS zones were configured to work together, which was critical for resolving private endpoints: a private endpoint is only useful if the service's FQDN resolves to the endpoint's private IP, and Azure Private DNS zones can be queried only from VNets linked to them, so on-premises resolvers must forward the privatelink zones to a resolver inside a linked VNet.
- Private Endpoints: To eliminate public exposure of PaaS services like Azure Storage and SQL Database, Azure Private Link and Private Endpoints were implemented extensively, so that traffic to these services remained entirely on the Microsoft backbone. A private endpoint does not by itself retire a service's public endpoint; the resource's public network access setting must also be disabled, otherwise the service stays reachable from the internet by anyone holding valid credentials.
- Identity Integration: Microsoft Entra Connect (formerly Azure AD Connect) was configured to synchronise on-premises Active Directory with the cloud, creating a unified hybrid identity model that underpinned the entire Zero Trust security posture.
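The following Bicep fragment is an added illustration of the spoke-side controls listed above; it is not the engagement's own code, and the hub VNet ID, firewall private IP, on-premises range, address spaces and resource names are assumed placeholders. It shows the four pieces that together make the hub-and-spoke design enforceable: a forced default route to the hub firewall, a subnet NSG that does not rely on the permissive default VNet rule, a spoke-to-hub peering that uses the hub gateway, and a PaaS resource whose public endpoint is actually disabled alongside its private endpoint and Private DNS zone.

```bicep
// Added example (not the engagement's code). hubVnetId, firewallPrivateIp,
// onPremPrefix, address spaces and names are assumed placeholders.
targetScope = 'resourceGroup'

param location string = resourceGroup().location
param hubVnetId string                         // existing hub VNet (assumed)
param firewallPrivateIp string = '10.0.1.4'    // hub firewall private IP (assumed)
param onPremPrefix string = '192.168.0.0/16'   // on-premises range (assumed)
param spokePrefix string = '10.10.0.0/16'
param workloadSubnetPrefix string = '10.10.1.0/24'

// Default route to the hub firewall so internet egress and east-west traffic
// cannot bypass inspection. BGP propagation is off so routes learned through the
// hub gateway cannot override the forced route; the firewall forwards them on.
resource rt 'Microsoft.Network/routeTables@2023-11-01' = {
  name: 'rt-spoke-workload'
  location: location
  properties: {
    disableBgpRoutePropagation: true
    routes: [
      { name: 'default-via-firewall', properties: { addressPrefix: '0.0.0.0/0', nextHopType: 'VirtualAppliance', nextHopIpAddress: firewallPrivateIp } }
    ]
  }
}

// Subnet NSG for micro-segmentation. The default AllowVnetInBound rule admits any
// peered or on-premises source, so inbound is limited to HTTPS from on-premises
// and the rest of the VirtualNetwork tag is denied. Azure Firewall does not SNAT
// to RFC 1918 destinations by default, so these rules see the original source.
resource nsg 'Microsoft.Network/networkSecurityGroups@2023-11-01' = {
  name: 'nsg-spoke-workload'
  location: location
  properties: {
    securityRules: [
      { name: 'allow-https-from-onprem', properties: { priority: 100, direction: 'Inbound', access: 'Allow', protocol: 'Tcp', sourceAddressPrefix: onPremPrefix, sourcePortRange: '*', destinationAddressPrefix: workloadSubnetPrefix, destinationPortRange: '443' } }
      { name: 'deny-other-vnet-inbound', properties: { priority: 4000, direction: 'Inbound', access: 'Deny', protocol: '*', sourceAddressPrefix: 'VirtualNetwork', sourcePortRange: '*', destinationAddressPrefix: '*', destinationPortRange: '*' } }
    ]
  }
}

resource spoke 'Microsoft.Network/virtualNetworks@2023-11-01' = {
  name: 'vnet-spoke-workload'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ spokePrefix ] }
    subnets: [
      { name: 'snet-workload', properties: { addressPrefix: workloadSubnetPrefix, networkSecurityGroup: { id: nsg.id }, routeTable: { id: rt.id } } }
    ]
  }
}

// Spoke-to-hub peering. useRemoteGateways lets the spoke use the hub VPN or
// ExpressRoute gateway; the hub-to-spoke peering (not shown) must set
// allowGatewayTransit. allowForwardedTraffic accepts packets the hub firewall
// forwards rather than originates.
resource peerToHub 'Microsoft.Network/virtualNetworks/virtualNetworkPeerings@2023-11-01' = {
  parent: spoke
  name: 'peer-to-hub'
  properties: {
    remoteVirtualNetwork: { id: hubVnetId }
    allowVirtualNetworkAccess: true
    allowForwardedTraffic: true
    useRemoteGateways: true
  }
}

// PaaS example. A private endpoint alone does not retire the public endpoint:
// publicNetworkAccess must also be Disabled, or the account stays reachable from
// the internet by anyone holding a key or SAS token.
resource sa 'Microsoft.Storage/storageAccounts@2023-05-01' = {
  name: 'stspoke${uniqueString(resourceGroup().id)}'
  location: location
  kind: 'StorageV2'
  sku: { name: 'Standard_LRS' }
  properties: { publicNetworkAccess: 'Disabled', networkAcls: { defaultAction: 'Deny', bypass: 'AzureServices' }, allowBlobPublicAccess: false, minimumTlsVersion: 'TLS1_2' }
}

resource pe 'Microsoft.Network/privateEndpoints@2023-11-01' = {
  name: 'pe-blob-spoke-workload'
  location: location
  properties: {
    subnet: { id: spoke.properties.subnets[0].id }
    privateLinkServiceConnections: [ { name: 'blob', properties: { privateLinkServiceId: sa.id, groupIds: [ 'blob' ] } } ]
  }
}

// Private DNS. The privatelink zone is linked to the spoke and the zone group
// writes the A record, so <account>.blob.core.windows.net resolves to the
// endpoint's private IP from inside Azure. On-premises resolvers cannot query the
// zone directly; they must forward privatelink.* to a resolver in a linked VNet.
resource blobZone 'Microsoft.Network/privateDnsZones@2020-06-01' = { name: 'privatelink.blob.core.windows.net', location: 'global' }

resource zoneLink 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = {
  parent: blobZone
  name: 'link-vnet-spoke-workload'
  location: 'global'
  properties: { virtualNetwork: { id: spoke.id }, registrationEnabled: false }
}

resource zoneGroup 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2023-11-01' = {
  parent: pe
  name: 'default'
  properties: { privateDnsZoneConfigs: [ { name: 'blob', properties: { privateDnsZoneId: blobZone.id } } ] }
}
```

Deploy with `az deployment group create --resource-group <rg> --template-file spoke.bicep --parameters hubVnetId=<hub VNet resource ID>`. Two checks are worth running afterwards: `az network nic show-effective-route-table` on a workload NIC should show 0.0.0.0/0 with next hop VirtualAppliance and the firewall IP, and `nslookup <account>.blob.core.windows.net` from inside the spoke should return an address in the workload subnet rather than a public IP.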
Outcome
The project successfully delivered a clean, secure, and compliant tenant environment that serves as the cornerstone of the client's cloud strategy. The new Azure Landing Zone provides a controlled and monitored foundation, enabling secure on-premises-to-cloud and cloud-to-cloud migrations. By centralising security and connectivity, the organisation has significantly reduced its attack surface and simplified network management. The resulting architecture is a scalable, repeatable blueprint, and the build process has been used to train internal staff, supporting long-term operational success and governance.
Risks, Controls and Governance
To mitigate the risk of misconfiguration and security gaps in a complex network build, several controls were put in place. The creation of detailed architectural diagrams and formal SOWs ensured that the implementation was built to an agreed specification. Desired State Configuration (DSC) was used to automate and replicate configurations across tenants, reducing the potential for human error and ensuring consistency.
Governance was embedded directly into the architecture. The hub-and-spoke model provides a natural enforcement point for network policy, because all inter-spoke, internet-bound and on-premises-bound traffic is routed through the centrally managed firewalls. That guarantee holds only as long as every spoke subnet carries a user-defined route pointing at the firewall and spokes are never peered directly to one another; either omission silently bypasses inspection, so the route tables and peerings are themselves governed artefacts. This network foundation was a prerequisite for deploying wider Zero Trust policies, including Conditional Access and Privileged Identity Management (PIM), to govern user access and permissions.
Key Lessons
This project reinforced several key principles for securing enterprise hybrid estates. Firstly, a well-defined hub-and-spoke architecture is a non-negotiable component for achieving scalable security and cost management in Azure. Secondly, centralising traffic inspection at the hub provides the necessary visibility and control to defend against threats effectively.
Furthermore, the extensive use of private endpoints is fundamental to a modern Zero Trust strategy, drastically reducing the public attack surface. Finally, the successful outcome demonstrates that a robust security posture is achieved not just through network controls, but by integrating them tightly with a strong hybrid identity and access management foundation.
Related Services
- Azure Landing Zones (CAF-aligned)
  Build a secure, scalable Azure foundation using CAF-aligned landing zones with clear governance, identity, networking, and management baselines.
- Azure Network Architecture (Hub/Spoke, DNS, Private Link)
  Azure network architecture services covering hub and spoke design, DNS, routing and Private Link to support secure, scalable connectivity.
- Cloud Security (Firewall, WAF, FortiGate, Azure Policy)
  Design and implement Azure firewall, WAF and policy controls that reduce attack surface, govern traffic flows, and improve security monitoring.
- Zero Trust Architecture & Hardening
  Design and implement a Microsoft-aligned Zero Trust programme covering identity, devices, least privilege access, segmentation, and continuous monitoring.
- Hybrid Identity (Entra Connect / Cloud Sync)
  Design and implement hybrid identity using Entra Connect or Cloud Sync, delivering reliable directory synchronisation and modern authentication across on-premises and cloud.