We successfully deployed a multi-tenant ERP system on Azure with strict network isolation requirements for compliance. The architecture needed to support 30+ enterprise customers with complete tenant separation while maintaining centralized management and cost efficiency.
Our solution leveraged Azure Virtual Network with hub-spoke topology, Application Gateway for L7 routing and SSL offloading, and Azure Firewall for centralized egress control. Each tenant operates in a dedicated spoke VNet with custom NSG rules, and Application Gateway uses host-based routing to direct traffic to tenant-specific backend pools.
The implementation reduced infrastructure costs by 40% compared to dedicated deployments while achieving SOC 2 compliance through network-level isolation. Key success factors included automated VNet provisioning, centralized firewall rule management, and comprehensive network monitoring.
Great questions from everyone. Let me provide a comprehensive breakdown of our implementation:
Network Architecture Details:
Hub VNet (10.0.0.0/16) hosts shared services:
- Application Gateway v2 (WAF enabled) in dedicated subnet with /24 CIDR
- Azure Firewall Standard in /26 subnet (40 available IPs for tenant configurations)
- Azure Bastion for secure management access
- Shared monitoring infrastructure (Log Analytics, Network Watcher)
Each spoke VNet (10.X.0.0/16 where X = tenant ID) contains:
- Application subnet /24 for ERP app servers
- Database subnet /25 with service endpoints for Azure SQL
- Integration subnet /26 for Logic Apps and API Management
VNet peering connects all spokes to hub with “Allow Gateway Transit” enabled.
Application Gateway Configuration:
Single gateway handles all tenant traffic with:
- Host-based routing: tenant1.erp.company.com → Backend Pool 1
- Individual SSL certificates per tenant domain (stored in Key Vault)
- WAF policies with tenant-specific custom rules
- Autoscale 2-10 instances handles peak load of 15K requests/sec across all tenants
Azure Firewall Management:
Tenant-specific egress rules managed through:
- Firewall Policy with rule collections per tenant
- FQDN tags for common services (Office 365, Azure services)
- Application rules: Allow HTTPS to specific partner APIs per tenant
- Network rules: Allow SQL to Azure SQL Database service tag
- IP Groups for efficient rule management as tenant count scales
NSG Rule Automation:
Azure Policy enforces baseline security:
- Deny all inbound from Internet except Application Gateway subnet
- Allow outbound only to Azure Firewall IP
- Deny VNet-to-VNet communication between spoke networks
- Custom policies validate NSG configuration during spoke deployment
Infrastructure-as-code (ARM templates + PowerShell) provisions new tenants:
- Create spoke VNet with subnets and NSGs
- Establish VNet peering to hub
- Deploy UDRs forcing traffic through firewall
- Configure Application Gateway listener and backend pool
- Add firewall rules for tenant-specific egress requirements
Monitoring and Compliance:
Network Watcher with Traffic Analytics provides:
- Flow logs from all NSGs aggregated in Log Analytics
- Traffic patterns analysis identifying anomalous communication
- Compliance reports showing no cross-tenant network flows
- Performance metrics for Application Gateway and Firewall
Azure Security Center continuously validates:
- NSG rules compliance with baseline policies
- No public IP assignments in tenant VNets
- Encryption in transit for all connections
- Network topology visualization for audit purposes
Cost Breakdown:
Savings versus dedicated deployments:
- Shared Application Gateway: $450/month vs $450 × 30 = $13,500 (96% savings)
- Shared Azure Firewall: $1,250/month vs $1,250 × 30 = $37,500 (97% savings)
- Reduced VPN Gateway count: 1 ExpressRoute circuit vs 30 VPN gateways (85% savings)
- Centralized monitoring: Single Log Analytics workspace vs 30 separate instances (70% savings)
- Compute density: Shared infrastructure overhead vs dedicated management VMs per tenant
Total monthly infrastructure cost: ~$15K for 30 tenants vs ~$25K per tenant in dedicated model.
The hub-spoke model with Virtual Network isolation provides enterprise-grade security while maintaining operational efficiency. Key success factors were automation of tenant provisioning and using Azure Policy for continuous compliance validation.
The 40% cost reduction is significant. Can you break down where the savings came from? I’m assuming shared Application Gateway and Firewall infrastructure accounts for most of it, but curious about compute and storage savings in the hub-spoke model versus dedicated deployments per tenant.
Impressive architecture. How did you handle the Application Gateway scaling for 30 tenants? Did you use a single gateway instance or multiple gateways? Also curious about the SSL certificate management - are you using wildcard certs or individual certs per tenant domain?
We use a single Application Gateway v2 in autoscale mode (min 2, max 10 instances) with capacity units scaling based on load. For SSL, each tenant has their own custom domain cert stored in Key Vault with managed identities for gateway access. The gateway has 30+ listeners configured with host-based routing rules. Autoscaling handles traffic spikes well - we’ve seen it scale from 2 to 6 instances during month-end processing across all tenants.
How do you manage the NSG rule complexity across 30 VNets? I imagine the rule sets grow quickly as tenants add integrations. Do you use Azure Policy to enforce baseline security rules, or is everything managed through automation? Also interested in your monitoring approach - are you using Network Watcher or a third-party solution for traffic analysis?