Example: VNet + 3 subnets + NSG rules
Segmentation plus filtering lets you allow only the flows you intend. One VNet as the private boundary. Subnets: web / app / database tiers. NSG: allow web → app, allow app → db. NSG: block web → db direct access.