Zero-Trust Private Network Access Platform
A reusable, shared "hub" networking platform so any internal team can privately connect Azure PaaS resources to a corporate VPN, without each team building its own DNS/peering plumbing from scratch.
- Rollout model: 3-phase (throwaway → low-risk → prod)
- Shared network hubs built: 1, reused org-wide
- Public exposure: zero — connection-refused by default
The Problem
Cloud data platforms and internal services were reachable over the public internet by default, gated only by login. Security requirements moved to a stronger posture: sensitive workspaces should be unreachable at the network layer unless the client is on the corporate VPN — a public request should get connection-refused, not a login page. Doing this one service at a time would mean re-solving the same DNS/peering/routing problem repeatedly.
My Approach
- Designed a single shared hub virtual network, peered once into the existing VPN termination point, with dedicated subnets carved out per target environment/subscription for Private Endpoints — so onboarding a new service means "add a Private Endpoint in the right subnet," not "build new network plumbing."
- Deployed a DNS Private Resolver (inbound + outbound endpoints) so VPN clients resolve private service names to internal IPs automatically, while everything else still forwards to public DNS — no per-service DNS reconfiguration needed on the client side.
- Centralized Private DNS Zone management in the hub, linked once, reused by every consuming service.
- Used a phased, risk-managed rollout: proved the entire pattern end-to-end on a disposable/throwaway workspace first, validated it a second time on a low-blast-radius real workspace, and only then applied the proven playbook to the actual production target.
- Documented prerequisites and platform gotchas discovered along the way (subnet/NSG ordering requirements, RBAC scope needed for cross-subscription DNS zone links, compute that must be stopped before a network-access-mode change) so the next team doesn't rediscover them the hard way.
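The hub pattern from the points above, written out as an added Bicep example (not the project's own templates): the hub VNet with delegated resolver subnets and a per-environment Private Endpoint subnet, the DNS Private Resolver with inbound and outbound endpoints, one Private DNS zone linked to the hub, and a single onboarded Private Endpoint. Resource names, address ranges and the three parameters are assumptions, and the peering from this hub to the VPN termination point is assumed to exist already.

```bicep
// Added example, not the project's own code. Names, address ranges and the three parameters
// are assumptions; peering from this hub to the VPN termination point is assumed to exist.
param location string = resourceGroup().location
param privateDnsZoneName string  // the privatelink zone for the target service, e.g. privatelink.<service>
param targetResourceId string    // resource ID of the PaaS resource being onboarded
param groupId string             // Private Link sub-resource (group) name for that service
var subnetType = 'Microsoft.Network/virtualNetworks/subnets'
var resolverDelegation = [ { name: 'dnsresolver', properties: { serviceName: 'Microsoft.Network/dnsResolvers' } } ]

// One shared hub: delegated resolver subnets plus a dedicated Private Endpoint subnet per environment.
resource hub 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: 'vnet-hub'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.100.0.0/16' ] }
    subnets: [
      { name: 'snet-dns-inbound', properties: { addressPrefix: '10.100.0.0/28', delegations: resolverDelegation } }
      { name: 'snet-dns-outbound', properties: { addressPrefix: '10.100.0.16/28', delegations: resolverDelegation } }
      // Onboarding a new service means adding a Private Endpoint here, not building new plumbing.
      // NSG enforcement on endpoints is opt-in ('Enabled'); pick per the subnet/NSG prerequisites.
      { name: 'snet-pe-prod', properties: { addressPrefix: '10.100.1.0/24', privateEndpointNetworkPolicies: 'Disabled' } }
    ]
  }
}

// DNS Private Resolver. VPN clients send queries to the inbound endpoint IP; any name without a
// linked private zone still resolves through Azure DNS, so public resolution is unchanged.
resource resolver 'Microsoft.Network/dnsResolvers@2022-07-01' = { name: 'dnspr-hub', location: location, properties: { virtualNetwork: { id: hub.id } } }
resource inbound 'Microsoft.Network/dnsResolvers/inboundEndpoints@2022-07-01' = {
  parent: resolver
  name: 'inbound'
  location: location
  properties: { ipConfigurations: [ { subnet: { id: resourceId(subnetType, hub.name, 'snet-dns-inbound') }, privateIpAllocationMethod: 'Dynamic' } ] }
}
// Outbound endpoint; a forwarding ruleset (omitted here) is what makes it forward corporate zones onward.
resource outbound 'Microsoft.Network/dnsResolvers/outboundEndpoints@2022-07-01' = { parent: resolver, name: 'outbound', location: location, properties: { subnet: { id: resourceId(subnetType, hub.name, 'snet-dns-outbound') } } }

// The Private DNS zone lives in the hub and is linked once; every consuming service reuses it.
resource zone 'Microsoft.Network/privateDnsZones@2020-06-01' = { name: privateDnsZoneName, location: 'global' }
resource zoneLink 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = { parent: zone, name: 'link-hub', location: 'global', properties: { virtualNetwork: { id: hub.id }, registrationEnabled: false } }

// One onboarded service: the Private Endpoint plus the zone group that writes its A record into the zone.
resource pe 'Microsoft.Network/privateEndpoints@2023-05-01' = {
  name: 'pe-target'
  location: location
  properties: {
    subnet: { id: resourceId(subnetType, hub.name, 'snet-pe-prod') }
    privateLinkServiceConnections: [ { name: 'target', properties: { privateLinkServiceId: targetResourceId, groupIds: [ groupId ] } } ]
  }
}
resource peDns 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2023-05-01' = { parent: pe, name: 'default', properties: { privateDnsZoneConfigs: [ { name: 'zone', properties: { privateDnsZoneId: zone.id } } ] } }
output inboundResolverIp string = inbound.properties.ipConfigurations[0].privateIpAddress
```

The inbound resolver IP in the output is what the corporate VPN's DNS configuration hands to clients; from outside the VPN the service's public name still answers, but the network-access mode on the service itself is what turns that into connection-refused.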
Stack
- Networking
- Identity/Access
- Data Platform Integration
- Practices
Skills Demonstrated
- Zero-trust network architecture at an enterprise, multi-subscription scale
- DNS architecture for hybrid VPN + cloud environments
- Security-first infrastructure design — treating "public until proven private" as the wrong default
- Risk-managed rollout planning (throwaway → low-risk real target → production), not big-bang changes
- Clear technical documentation of platform prerequisites for other teams to self-serve