When you are implementing your Microsoft Azure Design like a HUB-Spoke model you have to deal with security of your Azure environment (Virtual Datacenter). One of them are Network Security Groups to protect your Virtual networks and make communication between Azure subnets possible in a Secure Azure Virtual Datacenter.
You really have to plan your Azure Virtual networks and implement it by Architectural Design. Now I’m writing about Azure Network Security Groups which is important, but there are more items to deal with like :
Naming Conventions in your Azure Virtual Datacenter
Azure Subscriptions ( who is Owner, Contributor, or Reader? )
Azure Regions ( Where is my Datacenter in the world? )
Azure VNET and Sub-Nets ( IP-addresses )
Security of your Virtual Networks ( Traffic filtering, Routing )