Skip to content
Foetron Foetron Microsoft cloud operations

Connectivity you can draw on a whiteboard.

Hub-and-spoke Azure topology with explicit seams, segmentation that maps to your org chart, and a change window your team can plan around. Operated as infrastructure code, reviewed before it ships.

Request a network review Customer stories
Network · hub-spoke
Hub
Core · vWAN
HQ
HQ
Branch
Branch
DC
DC
Cloud
Cloud

network.topology.ts

Hub-and-spoke baseline

1 export const topology = {
2 hub: { region: 'centralindia', firewall: 'Azure FW Premium' },
3 spokes: ['prod', 'nonprod', 'shared-services', 'dmz'],
4 edges: ['ExpressRoute', 'VPN backup', 'P2S users'],
5 policy: { default: 'deny', exceptions: 'reviewed' },
6 }

What we keep seeing

The network grew. The diagram didn't.

Four patterns we see in tenants where networking was added a feature at a time, never re-architected.

  • 01

    Flat network with implicit trust

    Every workload can reach every other workload because nobody wrote the rule that said it shouldn't. The blast radius of any compromise is the whole estate.

  • 02

    Topology lives in tribal knowledge

    The person who built the network left. The current team operates by archaeology — reading rules to infer intent. Drift compounds.

  • 03

    Changes land whenever

    There's no published change window. Production breakage shows up Tuesday morning and nobody knows what changed Monday night.

  • 04

    Branch + remote users bolted on

    Site-to-site VPNs added one office at a time. Point-to-site for remote users is its own pile. Identity-aware access happens nowhere consistent.

Topology

Hub-and-spoke, with the seams labelled.

Four layers, three seams. Each seam names the mechanism and the control. This is the working diagram — not a marketing diagram.

  1. 01

    Hub VNet

    Role

    Shared services, identity egress, firewall, ExpressRoute landing.

    Components

    • · Azure Firewall Premium
    • · Azure Bastion
    • · ExpressRoute Gateway
    • · Private DNS resolver

  2. Seam 1

    Mechanism

    VNet peering (forced tunnel)

    Control

    Azure Firewall Premium · UDR override · NSG hairline rules per subnet

  3. 02

    Spoke VNets

    Role

    Per-environment workloads — prod, non-prod, shared services, DMZ.

    Components

    • · VNet per environment
    • · NSG hairlines on subnet boundaries
    • · Private Endpoints for PaaS
    • · User-defined routes to hub firewall

  4. Seam 2

    Mechanism

    ExpressRoute or site-to-site VPN

    Control

    BGP route filters · Azure Firewall ingress inspection · branch firewall posture audit

  5. 03

    Branch sites

    Role

    Office locations with on-prem workloads or local breakout requirements.

    Components

    • · Site-to-site VPN (Azure VPN Gateway)
    • · SD-WAN where the customer has standardized
    • · Local Sophos firewall for office segmentation

  6. Seam 3

    Mechanism

    Identity-aware connection

    Control

    Conditional Access · device compliance · session token protection

  7. 04

    Remote users

    Role

    Identity-conditional access to the hub from anywhere.

    Components

    • · Entra ID Conditional Access
    • · P2S VPN for legacy app access
    • · Defender for Cloud Apps for SaaS visibility

The seams are where most networks fail. We document the mechanism and the control on each seam before any traffic flows.

Segmentation

Who can talk to who, written down.

Source segment in the row, destination segment in the column, the policy in the cell. Default-deny; every allow is a reviewed exception. This matrix lives in the repo, not in tribal memory.

Source ▾ / Destination ▸

Prod

Non-prod

Shared services

DMZ

Internet

Prod spoke

allow

intra-prod, inspected

deny

no path

inspect

AuthN, telemetry

deny

no path

inspect

egress via FW only

Non-prod spoke

deny

isolated

allow

intra-non-prod

inspect

limited services

deny

no path

inspect

egress via FW only

Shared services

inspect

identity, DNS, monitoring

inspect

identity, DNS, monitoring

allow

intra-shared

inspect

log aggregation

inspect

egress via FW only

DMZ

deny

no inbound to prod

deny

no inbound to non-prod

inspect

telemetry only

allow

intra-DMZ

allow

public-facing

Remote users

inspect

Conditional Access + app gating

inspect

Conditional Access + app gating

inspect

identity, dev tools

deny

no path

allow

split-tunnel SaaS

Inspect = traffic passes through Azure Firewall with TLS termination and policy. Deny = no route exists; not just no rule.

What we don't do

We don't ship topology you can't draw. The diagram is the contract — and we keep it current.

If the diagram and the deployment disagree, the diagram is wrong and we fix it the same day.

Change discipline

When changes happen, and how they're rolled back.

Three classes of change, each with its own window, rollback plan, and notice period. Published 90 days out so your business can plan around it.

Routine

Cadence

Tuesdays 23:00–01:00 IST · weekly

Scope

Rule tuning, log policy updates, certificate rotation, planned IaC drift remediation.

Rollback

Automatic via Terraform plan diff; revert merge if telemetry breaches threshold.

Notice

48 h advance ticket auto-opened; visible on customer status page.

Standard

Cadence

Scheduled Saturdays 22:00–04:00 IST · as needed

Scope

Topology changes, new spokes, ExpressRoute circuit changes, firewall rule-set restructuring.

Rollback

Documented rollback runbook tested in non-prod first; exec sponsor on call.

Notice

10 working days advance; change advisory board approval recorded.

Emergency

Cadence

Any time, with bridge open

Scope

Active incident response, exposed-credential rotation, IOC blocking, urgent vendor advisory.

Rollback

Best-effort; documented as part of post-incident review within 48 h.

Notice

Real-time during the change; postmortem within 7 days.

Skipped windows are reported, not hidden. The change log is shared monthly.

Recent networking work

Topology that survived the audit.

One representative engagement. Customer name held back; outcomes signed off by their head of IT.

Mid-market manufacturing · India

Flat Azure estate to hub-and-spoke with segmentation, in 90 days, without an outage.

Customer had grown into Azure by spinning up VNets per project; everything peered to everything. We baselined the topology in 2 weeks, agreed the target hub-and-spoke with 4 spokes (prod, non-prod, shared services, DMZ), migrated workloads spoke by spoke during published change windows, and stood up the segmentation matrix as Terraform. The diagram is now reviewed quarterly with their head of IT.

  • Flat estate → 4-spoke segmented topology in 12 weeks, zero customer-impacting outages
  • Default-deny segmentation: 138 reviewed allows, all in version control
  • Firewall log volume dropped 41% after rule consolidation
  • Change-window adherence: 11 of 11 routine windows since cutover
  • Audit finding resolved: 'inadequate network segmentation' closed at next review

Next step

Request a network review.

We'll spend a session reading your current topology, drafting a target hub-and-spoke, and proposing a 90-day migration plan with the change windows already mapped. No deck, no scare tactics.

Book the reviewRead customer stories