Hello

I working to desing the network architecture on Azure for our needs. I would like to know your suggestions regarding the best appraoch for dmz zone when you needs to host ressources for differents projects/customers. What is you design recommandation ? 

If I create a vNet "DMZ_Public" (/16) splitted with in differents subnets :

    - Subnet dmzdsi_web and subnet dmzdsi_data for IT Corporate needs (only dmzdsi_Web will be reachable from Internet, dmzdsi_data is for APP/BDD servers used by Web servers)

   - Subnet dmzprojA_web and subnet dmzprojA_data for ProjectA needs (only dmzprojA_Web will be reachable from Internet, dmzprojA_data is for APP/BDD servers used by Web servers)

   - Subnet dmzprojB_web and subnet dmzprojB_data for ProjectB needs (only dmzprojB_Web will be reachable from Internet, dmzprojB_data is for APP/BDD servers used by Web servers)

  - Subnet dmz_sharedServices  for servers used by all DMZ subnet such as AD DS, DNS, Patch Management. This zone is to avoid to have traffic from dmz_web into internal network 

The vNet DMZ-Public will communicate with my Hub (where is my Palo Alto firewall) via vNet Peering 

Is-it correct for you ? Or do you have suggestion or best architecture to cover my needs ?

Regards

Jerome