Best practices for Azure App gateway before Azure firewall


Hello Community members, I am looking for best landing zone practices with Azure App Gateway before Azure Firewall.

4 Replies

This is a very open-ended question and the reply could be quite vast, but to give you some crisp answer (mine is specific to checkpoints on App Gateway), check on these parameters: the number one would be WAF, creation of proper VNets and subnets, monitoring the traffic, creation of a workspace to store the logs, threat detection and automation of alert notifications, associating NSGs and using dedicated subnets for critical applications. Also stick to the basics like user access of the application and network admin (the less access given, the better the job done). If you want more info let me know; I can give you some articles from MS docs for reference. This would be a good start: https://learn.microsoft.com/en-us/security/benchmark/azure/baselines/application-gateway-security-ba...
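The WAF, log workspace and alerting points from this reply, as an added Bicep example (not from the thread or Microsoft docs): a WAF policy in Prevention mode with the OWASP managed rule set, and diagnostic settings that ship the gateway's access and firewall logs to a Log Analytics workspace, which alert rules can then query. The gateway name, workspace ID and policy name are assumed placeholders; the policy is attached in the gateway's own definition by setting firewallPolicy.id to the output below.

```bicep
param location string = resourceGroup().location
param appGwName string               // assumed: existing WAF_v2 gateway in the hub VNet
param logAnalyticsWorkspaceId string // assumed: resource ID of the central workspace

// WAF policy: Prevention mode blocks matching requests; Detection only logs them.
resource wafPolicy 'Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies@2023-05-01' = {
  name: 'waf-hub-appgw'
  location: location
  properties: {
    policySettings: {
      state: 'Enabled'
      mode: 'Prevention'
      requestBodyCheck: true
    }
    managedRules: {
      managedRuleSets: [
        {
          ruleSetType: 'OWASP'
          ruleSetVersion: '3.2'
        }
      ]
    }
  }
}

// Existing gateway in the hub; its firewallPolicy.id should reference wafPolicyId.
resource appGw 'Microsoft.Network/applicationGateways@2023-05-01' existing = {
  name: appGwName
}

// Send access and firewall logs to the workspace so WAF blocks can be alerted on.
resource diag 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
  name: 'diag-appgw-to-law'
  scope: appGw
  properties: {
    workspaceId: logAnalyticsWorkspaceId
    logs: [
      {
        category: 'ApplicationGatewayAccessLog'
        enabled: true
      }
      {
        category: 'ApplicationGatewayFirewallLog'
        enabled: true
      }
    ]
  }
}
output wafPolicyId string = wafPolicy.id
```

The ApplicationGatewayFirewallLog table is where blocked and matched WAF rules land, so a scheduled alert rule on that table in the same workspace covers the "automation of alert notifications" point.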

We are designing a new landing zone in a hub and spoke model, where we are planning to place Azure App GW before Azure Firewall in the hub and workloads in other spokes. I am looking for best practices for this scenario, and any example will be great.

@Ganesh1903 

Hi there,

I think it's still not 100% clear as a hub/spoke model doesn't really have to do much with a landing zone. That network model is often most relevant for the infrastructure itself and the management behind the scenes, versus the functionality of a landing page.

Regardless, this image might help you out with what you're looking to achieve. Have a WAF in front of it or use something like Azure Front Door in front, then the App Gateway sitting in a vNet behind that:

[Figure 1: architecture image, not reproduced]

@Ganesh1903 

The landing zone prep and implementation process is more about the type of the org you want to migrate and the level of governance you need to have. The hub/spoke scenario is not new and it doesn't play a major part in getting the landing zone ready, because the firewall architecture and all its networking components will be grouped under a Networking / Connectivity subscription.

Landing environment design areas should consider Identity/Access, Network, Billing and Resource. For compliance, do consider Security, Management and Governance. For all the subscribing divisions you have, make sure to assign proper roles to manage, policies to govern, security and traffic monitoring.

After you decide and align the above, decide on the implementation option. We have several, like Migration, Blueprint, Terraform modules and Partner; choose the best for you and work it out.

For more info, check https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/implementation-o...

Do consider using the Landing zone accelerator. I am sure you are aware of this; it has a lot of options on pre-prepared ARM templates which are easy to modify and use accordingly.

Hope this helps you out on the basic layout of the landing zone prep and factors to consider.