Secured multi-tenant ERP deployment using Azure Virtual Network isolation

We successfully implemented a multi-tenant ERP system on Azure serving 12 enterprise clients with strict data isolation requirements. The architecture leverages Virtual Network isolation, Application Gateway for intelligent routing, and Azure Firewall for centralized security.

Each tenant has a dedicated VNet with isolated subnets for web, application, and database tiers. Application Gateway with WAF handles external traffic routing to the appropriate tenant based on host headers. Azure Firewall in a hub VNet provides outbound internet access and inter-tenant communication controls.

The challenge was balancing security isolation with operational efficiency. We needed to prevent any cross-tenant data access while maintaining a manageable infrastructure that didn’t require 12 separate deployments of every component. I’ll share the network architecture, security controls, and automation approach we used to achieve this.

How did you automate the tenant onboarding? With 12 tenants and potentially more, manual deployment would be a nightmare. Did you use Terraform or ARM templates? Also curious about your Application Gateway configuration - are you using a single gateway for all tenants or multiple gateways?

For automation, we built Terraform modules that provision the entire tenant stack in 20 minutes. Each module creates the VNet, subnets, NSGs, VMs and SQL Database, and registers the backend pool with Application Gateway. We use a single Application Gateway v2 with autoscaling (2-10 instances) that handles all tenants. The gateway has proven reliable - we’ve had zero unplanned downtime in 8 months. For planned maintenance, we use a secondary gateway and update DNS to fail over.

Good question. We used a hybrid approach. Each tenant has fully isolated production VNets and databases. For shared services, we created a separate management VNet with Log Analytics workspace, Azure Backup vault, and Azure AD integration. Access is controlled through RBAC with tenant-specific service principals. This reduced costs by 40% compared to fully duplicated infrastructure while maintaining security boundaries.

I’ll provide the complete architecture and implementation details:

Virtual Network Architecture: We implement a hub-spoke topology with one hub VNet and 12 spoke VNets (one per tenant). Hub VNet (10.0.0.0/16) contains Azure Firewall, Azure Bastion for management, and shared services subnet. Each tenant spoke VNet uses /20 address space (10.X.0.0/20) with three subnets: web tier (/24), app tier (/24), and data tier (/26). VNet peering connects each spoke to the hub with “Allow Gateway Transit” enabled. Critical configuration: we explicitly disable VNet peering between spokes, ensuring no direct tenant-to-tenant communication. All inter-VNet traffic must traverse the hub where Azure Firewall applies security policies.

Application Gateway Configuration: Single Application Gateway v2 deployed in the hub VNet with WAF enabled (OWASP 3.1 ruleset). We use multi-site listeners with distinct host headers per tenant (tenant1.erp.company.com, tenant2.erp.company.com, etc.). Backend pools are configured per tenant, pointing to VMs in respective spoke VNets via VNet peering. SSL certificates are managed centrally using Azure Key Vault integration. Health probes monitor each tenant’s web tier independently. Autoscaling is configured for 2-10 instances based on CPU and connection count. This architecture provides layer-7 routing, SSL offloading, and WAF protection while maintaining complete backend isolation.

Azure Firewall Security Controls: Azure Firewall Premium in the hub enforces all outbound internet access and inter-tenant policies. Default deny-all rules with explicit allow lists per tenant. Each tenant has application rules permitting only required external services (payment gateways, API endpoints). Network rules control spoke-to-hub communication for shared services. TLS inspection is enabled for outbound HTTPS traffic. We use Azure Firewall Manager to centrally manage policies across all tenants while maintaining tenant-specific rule collections. Logging integrates with Log Analytics for compliance reporting. For auditors, we provide NSG flow logs and Firewall logs demonstrating zero cross-tenant traffic.

Automation and Operations: Terraform modules provision the complete tenant stack. The core module creates the VNet, subnets, NSGs, route tables, VNet peering, and Application Gateway backend pool registration. Separate modules deploy compute (VM scale sets), database (Azure SQL with private endpoint), and monitoring (Log Analytics agent). Tenant onboarding workflow: 1) Execute Terraform with tenant parameters, 2) Configure SSL certificate in Key Vault, 3) Update Application Gateway listener, 4) Deploy application code via Azure DevOps pipeline. Average provisioning time: 25 minutes. We maintain a tenant registry in Azure Cosmos DB tracking VNet assignments, gateway configurations, and resource tags. For tenant decommissioning, Terraform destroy removes all resources while preserving audit logs in immutable storage.

Compliance and Audit: For SOC2/ISO27001 compliance, we provide: NSG flow logs showing no cross-tenant traffic, Azure Firewall logs demonstrating policy enforcement, Azure Policy compliance reports for security baselines, and quarterly penetration testing results. Network Watcher packet capture capabilities allow on-demand traffic analysis. We implement Azure Sentinel for security monitoring with tenant-specific workbooks. For external integrations, tenants cannot initiate direct internet connections - all outbound traffic routes through Azure Firewall with explicit allow rules required. This provides an audit trail and DLP controls.

Key metrics after 8 months: 99.97% uptime, zero security incidents, 40% cost reduction vs fully isolated deployments, 25-minute tenant provisioning time, supporting 12 tenants with 2 infrastructure engineers. The architecture scales to 50+ tenants with current design.
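As an added example that is not part of the original post (and not the poster's own tooling), the script below encodes the address plan described in the Virtual Network Architecture section (hub 10.0.0.0/16, spoke N = 10.N.0.0/20 with web /24, app /24 and data /26) and runs two of the isolation checks the Compliance and Audit section says auditors are given: it flags any VNet peering that bypasses the hub, and it scans NSG flow log (version 2) records for flows whose source and destination sit in two different tenant spokes. The tenant numbering, the VNet names ("hub", "tenant1", ...) and the flow-log records embedded in the script are constructed for illustration; the record layout follows the NSG flow log v2 JSON format.

```python
"""Tenant isolation checks for a hub-spoke Azure deployment.

Added example, not code from the original post. Assumes the address plan
stated in the thread: hub 10.0.0.0/16, spoke N = 10.N.0.0/20 with web /24,
app /24 and data /26 subnets. VNet names and sample flow-log records are
constructed for illustration.
"""
import ipaddress
import json

HUB = ipaddress.ip_network("10.0.0.0/16")


def spoke_plan(tenant: int) -> dict:
    """Carve one tenant's /20 into the three tiers described on the page.

    Tenant 1 -> 10.1.0.0/20: web 10.1.0.0/24, app 10.1.1.0/24, data 10.1.2.0/26
    """
    if not 1 <= tenant <= 255:
        raise ValueError("tenant index must fit in the second octet")
    vnet = ipaddress.ip_network(f"10.{tenant}.0.0/20")
    subnets24 = list(vnet.subnets(new_prefix=24))
    web, app = subnets24[0], subnets24[1]
    data = next(subnets24[2].subnets(new_prefix=26))  # first /26 of the third /24
    return {"vnet": vnet, "web": web, "app": app, "data": data}


def address_plan(tenants: int) -> dict:
    """Hub plus one spoke VNet per tenant, checked for overlapping space."""
    plan = {"hub": HUB}
    for t in range(1, tenants + 1):
        plan[f"tenant{t}"] = spoke_plan(t)["vnet"]
    nets = list(plan.values())
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"overlapping address space: {a} and {b}")
    return plan


def spoke_to_spoke_peerings(peerings) -> list:
    """Return peerings that do not involve the hub; the design requires none."""
    return [(a, b) for a, b in peerings if "hub" not in (a, b)]


def owner(ip: str, plan: dict) -> str:
    """Map an address to 'hub', a tenant VNet name, or 'external'."""
    addr = ipaddress.ip_address(ip)
    for name, net in plan.items():
        if addr in net:
            return name
    return "external"


def cross_tenant_flows(flow_log: dict, plan: dict) -> list:
    """Find spoke-to-spoke flows in NSG flow log v2 records.

    Each flow tuple is 'ts,src,dst,sport,dport,proto,dir,decision,state,...'.
    A flow between two different tenant spokes is reported whether the NSG
    allowed (A) or denied (D) it; an allowed one is the finding that matters.
    """
    findings = []
    for record in flow_log["records"]:
        for rule in record["properties"]["flows"]:
            for flow in rule["flows"]:
                for tup in flow["flowTuples"]:
                    f = tup.split(",")
                    src, dst = owner(f[1], plan), owner(f[2], plan)
                    if src != dst and src.startswith("tenant") and dst.startswith("tenant"):
                        findings.append({"rule": rule["rule"], "src": f[1], "dst": f[2],
                                         "dport": f[4], "decision": f[7]})
    return findings


# Constructed sample: tenant1 web VM talking to the hub, to the internet,
# and (the two findings) to tenant2 and tenant3.
SAMPLE_FLOW_LOG = json.loads("""
{"records": [{"properties": {"flows": [
  {"rule": "DefaultRule_AllowInternetOutBound",
   "flows": [{"mac": "000D3A0F1A2B", "flowTuples": [
     "1700000000,10.1.0.4,10.0.1.4,49152,443,T,O,A,B,,,,",
     "1700000001,10.1.0.4,13.107.42.14,49153,443,T,O,A,B,,,,"]}]},
  {"rule": "UserRule_AllowApp",
   "flows": [{"mac": "000D3A0F1A2B", "flowTuples": [
     "1700000002,10.1.0.4,10.2.1.4,49154,8080,T,O,A,B,,,,",
     "1700000003,10.1.0.4,10.3.2.5,49155,1433,T,O,D,B,,,,"]}]}]}}]}
""")

if __name__ == "__main__":
    plan = address_plan(12)
    print("spoke-to-spoke peerings:",
          spoke_to_spoke_peerings([("hub", "tenant1"), ("tenant2", "hub")]))
    for finding in cross_tenant_flows(SAMPLE_FLOW_LOG, plan):
        print(finding)
```

Run against real exports, the peering list would come from the Terraform state or the subscription inventory and the flow-log dict from the JSON blobs Network Watcher writes; an empty result from both functions is the evidence the post describes handing to auditors, and a non-empty result from the flow scan with decision "A" is the one case that should page someone.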

From a compliance perspective, how do you demonstrate tenant isolation to auditors? We need to meet SOC2 and ISO27001 requirements. Do you have network packet captures or other evidence that proves no cross-tenant communication is possible? Also, how do you handle the scenario where a tenant needs to integrate with external services - do you allow direct internet access from tenant VNets?

This is a great use case. How did you handle shared services like monitoring, backup, and identity? Did each tenant get isolated instances or did you build shared services with proper access controls? We’re designing something similar and struggling with the shared vs isolated decision for non-production resources.