Hi andyc383838
Thanks for your response. I am not sure if "put them where works best for you" is based on the Microsoft official recommendation. Hub deployment is tied to a specific Azure subscription, and therefore managing different environments (e.g. Dev, Test, Prod) can be challenging and may not follow the best practices Microsoft recommends. Moreover, Integration services have different components that need to communicate with each other regularly, so network connectivity, security and cost need to be considered as well. With regard to Shared Services, in different reference architectures, ExpressRoute, firewall, DNS, and Active Directory Domain Services are considered as shared services and not APIM (I have included the references in the question I posted in the community).
With regard to App GW, I am quoting the below paragraph from MS documentation:
"The Application Gateway shown in the diagram above can live in spoke with the application it's serving for better management and scale. However, corporate policy might dictate you place the Application Gateway in the hub for centralized management and segregation of duty." See https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/hub-spoke-network-topology.
To your point, Application Gateway (App GW) is considered a shared service and can be placed either in the Spoke or Hub, depending on your organization's governance model. However, APIM and Service Bus are different cases as they fall under integration services (if an organization follows a segregation of duties model). Given the typical requirements for multiple environments, the Spoke is generally better suited for these integration services (at least based on my current understanding of MSFT documentation and discussions, i.e. may change in the future).