Cloud Infrastructure & SRE

Zero-Trust Private Network Access Platform

A reusable, shared "hub" networking platform so any internal team can privately connect Azure PaaS resources to a corporate VPN, without each team building its own DNS/peering plumbing from scratch.

Rollout model: 3-phase (throwaway → low-risk → prod)

Shared network hubs built: 1, reused org-wide

Public exposure: zero (connection-refused by default)

The Problem

Cloud data platforms and internal services were reachable over the public internet by default, gated only by login. Security requirements moved to a stronger posture: sensitive workspaces should be unreachable at the network layer unless the client is on the corporate VPN — a public request should get connection-refused, not a login page. Doing this one service at a time would mean re-solving the same DNS/peering/routing problem repeatedly.

My Approach

  • Designed a single shared hub virtual network, peered once into the existing VPN termination point, with dedicated subnets carved out per target environment/subscription for Private Endpoints — so onboarding a new service means "add a Private Endpoint in the right subnet," not "build new network plumbing."
  • Deployed a DNS Private Resolver (inbound + outbound endpoints) so VPN clients resolve private service names to internal IPs automatically, while everything else still forwards to public DNS — no per-service DNS reconfiguration needed on the client side.
  • Centralized Private DNS Zone management in the hub, linked once, reused by every consuming service.
  • Used a phased, risk-managed rollout: proved the entire pattern end-to-end on a disposable/throwaway workspace first, validated it a second time on a low-blast-radius real workspace, and only then applied the proven playbook to the actual production target.
  • Documented prerequisites and platform gotchas discovered along the way (subnet/NSG ordering requirements, RBAC scope needed for cross-subscription DNS zone links, compute that must be stopped before a network-access-mode change) so the next team doesn't rediscover them the hard way.
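The end-to-end validation that each rollout phase depends on can be scripted. The posture check below is an added example, not code from the original write-up or from any of the tools it names: it runs once from a VPN-connected client (every address must come from a Private Endpoint subnet and must accept a TCP connection) and once from a client off the VPN (no address may accept a connection). The Private Endpoint CIDRs and the workspace hostname are constructed placeholders, port 443 is assumed, and the resolver and TCP prober are injectable so the decision logic can be exercised offline.

```python
"""Zero-trust posture check for a Private Link-only service (added example)."""
import ipaddress
import socket
from dataclasses import dataclass, field
from typing import Callable, List

# Constructed example CIDRs: one hub subnet per environment/subscription,
# reserved for Private Endpoints. Not the CIDRs of any real deployment.
PRIVATE_ENDPOINT_SUBNETS = [
    ipaddress.ip_network("10.50.1.0/24"),  # hypothetical: non-prod subscription
    ipaddress.ip_network("10.50.2.0/24"),  # hypothetical: prod subscription
]

Resolver = Callable[[str], List[str]]
Prober = Callable[[str, int], str]


def resolve_with_system_dns(hostname: str) -> List[str]:
    """Use the client's configured resolver (on VPN: the DNS Private Resolver)."""
    try:
        infos = socket.getaddrinfo(hostname, 443, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def probe_tcp(address: str, port: int, timeout: float = 3.0) -> str:
    """Classify one connect attempt: connected / refused / timeout / unreachable."""
    family = socket.AF_INET6 if ":" in address else socket.AF_INET
    with socket.socket(family, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((address, port))
            return "connected"
        except ConnectionRefusedError:
            return "refused"
        except socket.timeout:
            return "timeout"
        except OSError:
            return "unreachable"


def is_private_endpoint_ip(address: str) -> bool:
    """True if the address lies in one of the hub's Private Endpoint subnets."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in PRIVATE_ENDPOINT_SUBNETS)


@dataclass
class PostureResult:
    hostname: str
    on_vpn: bool
    addresses: List[str] = field(default_factory=list)
    probes: dict = field(default_factory=dict)
    verdict: str = ""


def check_posture(hostname: str, on_vpn: bool,
                  resolve: Resolver = resolve_with_system_dns,
                  probe: Prober = probe_tcp, port: int = 443) -> PostureResult:
    """Compare observed DNS + reachability against the zero-trust target state."""
    result = PostureResult(hostname=hostname, on_vpn=on_vpn)
    result.addresses = resolve(hostname)
    if not result.addresses:
        result.verdict = "FAIL: name does not resolve (zone link or forwarding missing)"
        return result
    result.probes = {addr: probe(addr, port) for addr in result.addresses}
    private = all(is_private_endpoint_ip(a) for a in result.addresses)
    connected = {a for a, p in result.probes.items() if p == "connected"}

    if on_vpn:
        if not private:
            result.verdict = "FAIL: VPN client got a public address (resolver or zone link)"
        elif connected != set(result.addresses):
            result.verdict = "FAIL: Private Endpoint IP unreachable (peering, route or NSG)"
        else:
            result.verdict = "PASS: private resolution and reachable over VPN"
    else:
        if connected:
            result.verdict = "FAIL: public exposure, connection accepted off VPN"
        elif private:
            # Private zone data should never be visible to off-VPN clients.
            result.verdict = "WARN: private IP leaked to public DNS, but not reachable"
        else:
            result.verdict = "PASS: refused or filtered off VPN"
    return result


if __name__ == "__main__":
    # Placeholder hostname; substitute the workspace under test.
    for on_vpn in (True, False):
        r = check_posture("adb-EXAMPLE.azuredatabricks.net", on_vpn)
        print("on_vpn=%s %s %s -> %s" % (on_vpn, r.addresses, r.probes, r.verdict))
```

Run it twice, once with the VPN up and once with it down, passing `on_vpn` accordingly; a `PASS` from both runs is the exit criterion for moving from the throwaway workspace to the low-risk one and then to production. The off-VPN `WARN` branch catches a private zone accidentally published to public DNS, which is harmless for reachability but still reveals internal addressing.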

Stack

Networking

  • Azure Private Link / Private Endpoints
  • Azure Private DNS Zones
  • Azure DNS Private Resolver
  • VNet peering (intra- and cross-subscription)

Identity/Access

  • VPN (client-to-site)
  • RBAC scoping for cross-subscription operations

Data Platform Integration

Azure Databricks (VNet-injected → Private Link-only access)

Practices

  • Zero-trust network design
  • Phased/staged migration planning
  • Infrastructure documentation

Skills Demonstrated

  • Zero-trust network architecture at an enterprise, multi-subscription scale
  • DNS architecture for hybrid VPN + cloud environments
  • Security-first infrastructure design — treating "public until proven private" as the wrong default
  • Risk-managed rollout planning (throwaway → low-risk real target → production), not big-bang changes
  • Clear technical documentation of platform prerequisites for other teams to self-serve