Abstract

Hybrid cloud architectures have become a fundamental component of modern enterprise information systems, enabling organizations to integrate on-premises infrastructure with scalable cloud platforms such as Microsoft Azure. While this architectural model improves operational flexibility and resource scalability, it also introduces complex security challenges related to traffic control, lateral movement, and policy enforcement across distributed network environments. Network segmentation has therefore emerged as a critical mechanism for strengthening security and isolating workloads within hybrid enterprise infrastructures. This study presents an experimental evaluation of virtual network segmentation strategies in Azure-based hybrid enterprise environments. The research compares four segmentation architectures: flat virtual network configuration, subnet-based segmentation, Network Security Group (NSG) policy segmentation, and Azure Firewall–based segmentation. A hybrid experimental testbed was developed to simulate enterprise workloads across on-premises and cloud environments connected through secure gateway infrastructure. Network performance and security effectiveness were evaluated using metrics including throughput, latency, packet loss rate, and segmentation efficiency. Mathematical models were also developed to quantify segmentation efficiency and network overhead introduced by policy enforcement mechanisms. The experimental results show that segmentation significantly improves traffic isolation and reduces unauthorized communication across network segments. Subnet segmentation and NSG-based policy enforcement provide a balanced trade-off between security effectiveness and network performance, while firewall-based segmentation delivers stronger traffic inspection capabilities at the cost of increased latency overhead. The findings provide empirical insights that support enterprise architects in designing secure and scalable hybrid cloud networking architectures using Azure-based segmentation mechanisms.