IaC / Cloud Architecture

🔷 Azure Hub-and-Spoke Terraform

Enterprise-grade network architecture with security guardrails

Terraform · Azure · Azure Firewall · Private DNS · Azure Policy · Defender for Cloud · GitLab CI

OVERVIEW

Production-ready Terraform modules for deploying Azure Hub-and-Spoke network topology with centralized security controls, firewall policies, private endpoints, and automated compliance guardrails using Azure Policy and Defender for Cloud.

ARCHITECTURE

%% mermaid architecture diagram
graph TB
  subgraph HUB["HUB VNet (10.0.0.0/16)"]
    FW[Azure Firewall]
    VPN[VPN Gateway]
    DNS[Private DNS Resolver]
    BASTION[Azure Bastion]
  end
  subgraph SPOKE1["Spoke 1 - Production (10.1.0.0/16)"]
    APP1[App Tier]
    DB1[Data Tier]
  end
  subgraph SPOKE2["Spoke 2 - Dev/Test (10.2.0.0/16)"]
    APP2[App Tier]
    DB2[Data Tier]
  end
  subgraph SPOKE3["Spoke 3 - Shared Services (10.3.0.0/16)"]
    ACR[Container Registry]
    KV[Key Vault]
  end
  INTERNET([Internet]) --> FW
  FW --> APP1 & APP2 & ACR
  VPN --> HUB
  HUB <--> SPOKE1
  HUB <--> SPOKE2
  HUB <--> SPOKE3

💡 Render with mermaid.live for an interactive diagram.

KEY HIGHLIGHTS

  • Centralized egress through Azure Firewall with FQDN-based policy
  • Private endpoints for all PaaS services — no public internet exposure
  • Automated Azure Policy assignments for CIS benchmark compliance
  • GitLab CI pipeline with Terraform plan/apply and OPA policy gates
  • Cost tagging enforcement and budget alerts at subscription level
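The centralized-egress pattern from the highlights above, as an added example that is not the project's own module code: a hub VNet with Azure Firewall, one production spoke peered to it, an FQDN allowlist in a firewall policy, and a user-defined route that forces the spoke's default route through the firewall. The resource group name, region, resource names, the `*.ubuntu.com` allowlist entry and the /24 and /26 subnet prefixes are assumptions made for this example; the /16 address spaces match the architecture diagram. The maps in `locals` and the `for_each` resources are there so the same three resources scale to the other spokes without copy-paste.

```terraform
provider "azurerm" {
  features {}
}
data "azurerm_resource_group" "net" { name = "rg-hubspoke-example" } # assumed pre-existing
locals {
  vnets = { hub = "10.0.0.0/16", spoke1 = "10.1.0.0/16" }
  # Azure Firewall deploys only into a subnet named exactly "AzureFirewallSubnet" (/26 or larger).
  subnets = {
    fw  = { vnet = "hub", name = "AzureFirewallSubnet", prefix = "10.0.1.0/26" }
    app = { vnet = "spoke1", name = "snet-app", prefix = "10.1.1.0/24" }
  }
  peers = { hub = "spoke1", spoke1 = "hub" } # one peering resource per direction
}
resource "azurerm_virtual_network" "v" {
  for_each            = local.vnets
  name                = "vnet-${each.key}"
  resource_group_name = data.azurerm_resource_group.net.name
  location            = data.azurerm_resource_group.net.location
  address_space       = [each.value]
}
resource "azurerm_subnet" "s" {
  for_each             = local.subnets
  name                 = each.value.name
  resource_group_name  = data.azurerm_resource_group.net.name
  virtual_network_name = azurerm_virtual_network.v[each.value.vnet].name
  address_prefixes     = [each.value.prefix]
}
# Spokes peer only with the hub, never with each other, so spoke-to-spoke traffic also transits the firewall.
resource "azurerm_virtual_network_peering" "p" {
  for_each                  = local.peers
  name                      = "peer-${each.key}-to-${each.value}"
  resource_group_name       = data.azurerm_resource_group.net.name
  virtual_network_name      = azurerm_virtual_network.v[each.key].name
  remote_virtual_network_id = azurerm_virtual_network.v[each.value].id
  allow_forwarded_traffic   = true # required so traffic forwarded by the firewall is accepted
}
resource "azurerm_public_ip" "fw" {
  name                = "pip-afw-hub"
  resource_group_name = data.azurerm_resource_group.net.name
  location            = data.azurerm_resource_group.net.location
  allocation_method   = "Static"
  sku                 = "Standard" # Azure Firewall requires a Standard-SKU static public IP
}
# Firewall policy: traffic no rule matches is dropped, so this application rule is an explicit FQDN allowlist.
resource "azurerm_firewall_policy" "hub" {
  name                     = "afwp-hub"
  resource_group_name      = data.azurerm_resource_group.net.name
  location                 = data.azurerm_resource_group.net.location
  threat_intelligence_mode = "Deny" # also drop traffic to/from Microsoft threat-intel listed IPs and domains
}
resource "azurerm_firewall_policy_rule_collection_group" "egress" {
  name               = "rcg-spoke-egress"
  firewall_policy_id = azurerm_firewall_policy.hub.id
  priority           = 200
  application_rule_collection {
    name     = "allow-os-updates"
    priority = 100
    action   = "Allow"
    rule {
      name              = "ubuntu-archives" # assumed allowlist entry for this example
      source_addresses  = ["10.1.0.0/16"]
      destination_fqdns = ["*.ubuntu.com"]
      protocols {
        type = "Https"
        port = 443
      }
    }
  }
}
resource "azurerm_firewall" "hub" {
  name                = "afw-hub"
  resource_group_name = data.azurerm_resource_group.net.name
  location            = data.azurerm_resource_group.net.location
  sku_name            = "AZFW_VNet"
  sku_tier            = "Standard"
  firewall_policy_id  = azurerm_firewall_policy.hub.id
  ip_configuration {
    name                 = "ipconfig-afw"
    subnet_id            = azurerm_subnet.s["fw"].id
    public_ip_address_id = azurerm_public_ip.fw.id
  }
}
# UDR on the spoke app subnet: 0.0.0.0/0 goes to the firewall's private IP, so the spoke has no direct Internet path.
resource "azurerm_route_table" "spoke1" {
  name                = "rt-spoke1"
  resource_group_name = data.azurerm_resource_group.net.name
  location            = data.azurerm_resource_group.net.location
  route {
    name                   = "default-via-firewall"
    address_prefix         = "0.0.0.0/0"
    next_hop_type          = "VirtualAppliance"
    next_hop_in_ip_address = azurerm_firewall.hub.ip_configuration[0].private_ip_address
  }
}
resource "azurerm_subnet_route_table_association" "app" {
  subnet_id      = azurerm_subnet.s["app"].id
  route_table_id = azurerm_route_table.spoke1.id
}
```

Two things worth checking after `terraform apply`: the route table must actually be associated with every spoke subnet that needs egress (a subnet without the UDR keeps Azure's default Internet route and bypasses the firewall), and the firewall should have diagnostic settings sending its application-rule logs to a Log Analytics workspace, since denied FQDN requests only become visible to the SOC through those logs.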

METRICS

Hub-and-Spoke across 3 regions
50+ policy assignments
Zero trust enforcement
99.99% network uptime
