Let us go through each part individually:
3.1. The Hub Tenant: Your Azure Landing Zone Platform
This tenant is the central management plane and shared services provider. It will host the core "platform" subscriptions and resources as defined by the Azure Landing Zone architecture. Below are the key services in the Hub Tenant (Platform Landing Zone):
3.1.1. Centralized Networking:
3.1.1.1. Hub VNet: The core of your hub-and-spoke topology.
3.1.1.2. Azure Firewall [4]: For centralized network security, routing, and traffic inspection between spokes and to/from on-premises/internet.
3.1.1.3. VPN Gateway [5]: For hybrid connectivity to your on-premises data centers.
3.1.1.4. Azure Virtual WAN (Optional but Recommended for Scale): If you anticipate a very large number of spoke tenants, or complex global connectivity needs, Azure Virtual WAN can simplify routing, security (with a secured virtual hub running Azure Firewall), and branch connectivity significantly.
3.1.1.5. Azure Private DNS Zones: Essential for Private Endpoint resolution across your peered VNets. Link these to your hub VNet and spokes. A virtual network link references the VNet by resource ID, so spokes in other subscriptions can be linked as long as the identity creating the link has the required permissions on both the zone and the VNet.
3.1.2. Centralized Identity: Your Microsoft Entra ID instance in the hub tenant will be the primary identity provider. If you have on-premises AD, Microsoft Entra Connect (formerly Azure AD Connect) will synchronize identities here. Note that every Azure tenant is its own Entra ID directory, so hub identities have no access in the spoke tenants by default; that access is granted deliberately through Azure Lighthouse (see 3.3.1).
3.1.3. Centralized Administration & Monitoring:
3.1.3.1. Azure Log Analytics Workspace: Collects logs from all connected spokes; through Azure Lighthouse the central team can query and manage workspaces in the spoke tenants without switching directories.
3.1.3.2. Azure Monitor: Centralized dashboards, alerts, and metrics.
3.1.3.3. Microsoft Sentinel: SIEM for security analytics across all tenants.
3.1.3.4. Azure Policy: Assigned at the management group level within the hub tenant, it will govern naming conventions, tagging, allowed resource types, and other compliance requirements. Through Azure Lighthouse, policies can also be assigned to the delegated subscriptions in the managed (spoke) tenants. Management groups are scoped to a single tenant and Lighthouse delegations are made at subscription or resource group scope, so each spoke tenant keeps its own management group hierarchy and hub-driven policy assignments target the delegated subscriptions.
3.1.3.5. Microsoft Defender for Cloud (formerly Security Center): Centralized security posture management and threat protection.
3.2. The Spoke Tenants: Staging and Production Application Landing Zones
We will have at least two additional Azure tenants, specifically dedicated to your staging and production workloads. This provides the highest level of isolation for identity and resource management.
3.2.1. Spoke Tenant A: Staging Tenant:
3.2.1.1. Purpose: Dedicated to pre-production testing, UAT, and performance testing.
3.2.1.2. Microsoft Entra ID: While your primary identity lives in the hub, this tenant has its own Microsoft Entra ID instance. For management, you will primarily use Azure Lighthouse. If specific application identities need to be distinct per tenant, that can be configured here.
3.2.1.3. Subscription(s) within the Staging Tenant: One or more subscriptions for your staging workloads.
3.2.1.4. Spoke VNet(s): Staging VNet(s) peered to the Hub VNet in the hub tenant.
3.2.1.5. Workloads: Deploy your application's staging environment (VMs, App Services, AKS, databases, etc.) within this tenant's VNet.
3.2.1.6. Security: Apply network security groups (NSGs) for granular control within the staging VNet. Policies pushed from the hub will apply.
3.2.1.7. Access Control: Access to resources in the staging tenant is strictly managed, typically with different RBAC assignments than production.
3.2.2. Spoke Tenant B: Production Tenant
3.2.2.1. Purpose: Dedicated to live, mission-critical production workloads.
3.2.2.2. Microsoft Entra ID: As with staging, this tenant has its own Microsoft Entra ID.
3.2.2.3. Subscription(s) within the Production Tenant: One or more subscriptions for your production workloads.
3.2.2.4. Spoke VNet(s): Production VNet(s) peered to the Hub VNet in the hub tenant.
3.2.2.5. Workloads: Deploy your live application environment here.
3.2.2.6. Security: Implement the highest level of security controls (WAFs, stricter NSGs, Private Endpoints, a dedicated Key Vault for production secrets, etc.). Policies from the hub will be enforced, possibly with additional production-specific policies.
3.2.2.7. Access Control: Access to production resources is highly restricted, adhering to the principle of least privilege, typically requiring just-in-time (JIT) access or Privileged Identity Management (PIM) for elevated roles. Azure Lighthouse supports this directly: a delegation can carry eligible authorizations that the hub operator must activate (with MFA and a bounded duration) instead of standing role assignments.
3.3. Cross-Tenant Integration (The Glue)
3.3.1. Azure Lighthouse (Essential for Operations):
3.3.1.1. Your Hub Tenant will be the Managing Tenant.
3.3.1.2. Your Staging Tenant and Production Tenant will be Managed Tenants.
3.3.1.3. Onboard subscriptions from the staging and production tenants to Azure Lighthouse. This allows your central operations team (from the hub tenant) to manage, monitor, and enforce policies on resources in these spoke tenants. Onboarding is a deployment in the spoke subscription that creates a registration definition (which hub principals get which built-in roles) and a registration assignment that binds it to the subscription.
3.3.1.4. Benefits: Centralized monitoring (Log Analytics, Sentinel), centralized policy enforcement, simplified cross-tenant automation, and a reduced need for guest accounts or switching contexts.
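The delegation described in 3.3.1.3 is easiest to get right if it is generated and checked rather than hand-written. The following is an added example (not code from the original article): it assembles the properties of a Microsoft.ManagedServices/registrationDefinitions resource as the hub tenant would publish it for the production tenant, wraps it in the subscription-scope ARM template that also creates the registration assignment, and rejects delegations that break Lighthouse rules (Owner cannot be delegated; User Access Administrator must be limited with delegatedRoleDefinitionIds; eligible authorizations need a just-in-time policy). The tenant and group IDs are constructed placeholders, the role IDs are Azure built-in role definition IDs, and the API version and schema URL are the ones I know to be current and should be checked against the Lighthouse documentation before use.

```python
"""Assemble and sanity-check an Azure Lighthouse delegation.

Added example, not code from the original article. Tenant and group IDs
are constructed placeholders; role IDs are Azure built-in role definitions.
"""
import json
import uuid

# Built-in role definition IDs (identical in every Azure tenant).
READER = "acdd72a7-3385-48ef-bd42-f606fba81ae7"
CONTRIBUTOR = "b24988ac-6180-42a0-ab88-20f7382dd24c"
OWNER = "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
USER_ACCESS_ADMIN = "18d7d88d-d35e-4fb5-a5c3-7773c20a72d9"

# Constructed placeholders for the hub (managing) tenant and two of its Entra groups.
HUB_TENANT_ID = "11111111-1111-1111-1111-111111111111"
OPS_READERS_GROUP = "22222222-2222-2222-2222-222222222222"
OPS_ADMINS_GROUP = "33333333-3333-3333-3333-333333333333"


def violations(auth, eligible=False):
    """Return the list of reasons this authorization must not be delegated."""
    problems = []
    role = auth.get("roleDefinitionId")
    if role == OWNER:
        problems.append("Owner cannot be delegated through Lighthouse")
    if role == USER_ACCESS_ADMIN:
        allowed = auth.get("delegatedRoleDefinitionIds", [])
        if not allowed:
            problems.append("User Access Administrator needs delegatedRoleDefinitionIds")
        elif OWNER in allowed or USER_ACCESS_ADMIN in allowed:
            problems.append("delegatedRoleDefinitionIds must not include Owner or UAA")
    if eligible and "justInTimeAccessPolicy" not in auth:
        problems.append("eligible authorizations require a justInTimeAccessPolicy")
    if not eligible and role == CONTRIBUTOR:
        # House rule of this example, not an Azure restriction: write access to
        # production should be PIM-eligible, never standing.
        problems.append("standing Contributor: use an eligible (PIM) authorization instead")
    return problems


def build_registration_definition(name, managed_by_tenant, authorizations, eligible_authorizations=()):
    """Validate every authorization and return the registrationDefinition properties."""
    problems = [p for a in authorizations for p in violations(a)]
    problems += [p for a in eligible_authorizations for p in violations(a, eligible=True)]
    if problems:
        raise ValueError("; ".join(problems))
    props = {
        "registrationDefinitionName": name,
        "managedByTenantId": managed_by_tenant,
        "authorizations": list(authorizations),
    }
    if eligible_authorizations:
        props["eligibleAuthorizations"] = list(eligible_authorizations)
    return props


def to_arm_template(definition_props):
    """Subscription-scope ARM template deployed in the spoke subscription: creates the
    definition and the registrationAssignment that onboards the subscription to the hub."""
    name = definition_props["registrationDefinitionName"]
    def_id = str(uuid.uuid5(uuid.NAMESPACE_URL, "definition:" + name))
    assign_id = str(uuid.uuid5(uuid.NAMESPACE_URL, "assignment:" + name))
    def_ref = f"[resourceId('Microsoft.ManagedServices/registrationDefinitions', '{def_id}')]"
    return {
        "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
        "contentVersion": "1.0.0.0",
        "resources": [
            {"type": "Microsoft.ManagedServices/registrationDefinitions",
             "apiVersion": "2022-10-01", "name": def_id, "properties": definition_props},
            {"type": "Microsoft.ManagedServices/registrationAssignments",
             "apiVersion": "2022-10-01", "name": assign_id, "dependsOn": [def_ref],
             "properties": {"registrationDefinitionId": def_ref}},
        ],
    }


def production_delegation():
    """Standing read-only access for the hub ops team; Contributor only as a PIM-eligible
    authorization activated with MFA for at most four hours, as 3.2.2.7 asks."""
    standing = [{"principalId": OPS_READERS_GROUP, "principalIdDisplayName": "hub-ops-readers",
                 "roleDefinitionId": READER}]
    eligible = [{"principalId": OPS_ADMINS_GROUP, "principalIdDisplayName": "hub-ops-admins",
                 "roleDefinitionId": CONTRIBUTOR,
                 "justInTimeAccessPolicy": {"multiFactorAuthProvider": "Azure",
                                            "maximumActivationDuration": "PT4H"}}]  # ISO 8601 duration
    return build_registration_definition("hub-to-production", HUB_TENANT_ID, standing, eligible)


if __name__ == "__main__":
    print(json.dumps(to_arm_template(production_delegation()), indent=2))
```

The generated template is deployed from the production tenant (for example with `az deployment sub create` by an identity that owns that subscription), which is what makes onboarding consensual: the managed tenant chooses to accept the definition the hub publishes, and can remove the assignment at any time.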
3.3.2. Virtual Network Peering:
3.3.2.1. Hub VNet (in Hub Tenant) ↔ Staging VNet (in Staging Tenant)
3.3.2.2. Hub VNet (in Hub Tenant) ↔ Production VNet (in Production Tenant)
Important: Ensure no overlapping IP address ranges across all VNets (Hub, Staging, Production); Azure refuses to peer VNets whose address spaces overlap, and fixing it later means re-addressing a live network. Cross-tenant peering is created from both sides by an identity that holds network permissions on both VNets (a Lighthouse-delegated role or an invited guest account), and peering is not transitive: staging and production can only reach each other through the hub, which is where user-defined routes send that traffic to Azure Firewall for inspection.
3.4. Multi-Tenant Approach vs. One Tenant with Multiple VNets:
- Strongest Isolation: Provides a high level of isolation for identity and access management. A breach of the staging tenant's Microsoft Entra ID does not automatically compromise the production tenant's Microsoft Entra ID. The hub tenant is the one shared trust root: a hub identity holding Lighthouse-delegated roles reaches every managed tenant, so those identities need the strongest protection (phishing-resistant MFA, PIM-eligible rather than standing roles, and alerting on their sign-ins).
- Billing Separation: Clear billing separation per environment (tenant).
- Compliance: Meets stringent compliance requirements that mandate full separation of production environments.
- Reduced Blast Radius: Limits the impact of misconfigurations or security incidents to a specific environment.
- Delegated Management: Empowers different teams (e.g., development teams for staging, operations teams for production) to have more autonomy within their respective tenants, while central IT maintains overall control via Azure Lighthouse.
Note: This is similar to how AWS can be structured, either with multiple accounts for each workload or with a single VPC hosting multiple workloads.
Imagine you have an Azure environment where different departments operate within their own spoke virtual networks (VNets). Each spoke VNet contains resources specific to that tenant, such as virtual machines, databases, and applications. To provide secure remote access for end users to these resources, you can implement a centralized VPN solution in a hub VNet [6].
The diagram below shows the architecture: