diff --git a/network.md b/network.md
index 34e3ecb..c998c77 100644
--- a/network.md
+++ b/network.md
@@ -26,4 +26,65 @@ Tasks:
- Block outgoing DNS
- Plugins wie OPNSense CrowdSec
+
+::: mermaid
+graph LR
+ A[Internet] -->|ISP Connection| ND1[Gateway
gw-jj-nar-prd-opr-1]
+
+ subgraph "On-Prem Hub (VLAN ID 1)"
+ ND1 -->|VPN Tunnel to Azure| C[VPN Gateway]
+ ND1 --> D[Firewall & Security Policies]
+ ND2[Switch
sw-jj-nar-prd-opr-1]
+ ND3[Access Point
ap-jj-nar-prd-opr-0]
+ ND4[Access Point
ap-jj-nar-prd-opr-1]
+ ND5[Access Point
ap-jj-nar-prd-opr-2]
+ ND6[Access Point
ap-jj-nar-prd-opr-3]
+ end
+
+ subgraph "On-Premises Spoke Networks"
+ D --> V2[Management VLAN ID 2]
+ V2 --> V201[Supermicro]
+ V2 --> V202[prd-proxmox-1]
+ V2 --> V203[prd-proxmox-2]
+ D --> V3[Clients VLAN 3]
+ V3 --> V301[Mobiles]
+ V3 --> V302[Laptops]
+ V3 --> V303[Apple TV]
+ V3 --> V304[HomePods]
+ D --> V4[Servers VLAN 4]
+ V4 --> V401[Legacy unneeded in future
will be in VLAN 7/8/9]
+ D --> V5[IoT VLAN 5 - Isolated 🔒]
+ V5 --> V501[Home infrastructure]
+ V5 --> V502[Loxone]
+ V5 --> V503[Home Assistant]
+ D --> V6[Guests VLAN 6]
+ V6 --> V601[Friends visting]
+ D --> V10[Guests VLAN 10]
+ V10 --> V1001[Customers of rented
out flat]
+
+ end
+
+ subgraph "On-Premises Workload Spoke Networks"
+ D --> O[*.volt.* VLAN ID 7]
+ D --> P[*.war.* VLAN 8]
+ D --> Q[*.watt.* VLAN 9]
+ end
+
+ C -->|VPN Tunnel| J[Azure VPN Gateway]
+
+ subgraph "Azure Hub"
+ J --> K[Azure Firewall]
+ end
+
+ subgraph "Azure Workload Spoke Networks"
+ K --> L[Spoke 1: *.volt.*]
+ K --> M[Spoke 2: *.var.*]
+ K --> N[Spoke 3: *.watt.*]
+ end
+:::
+
+
+
+Legacy diagram for reference:
+

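Review bot: In the "On-Premises Workload Spoke Networks" subgraph the second workload is labelled `*.war.* VLAN 8`, but the matching Azure spoke is `Spoke 2: *.var.*`. One of the two is a typo and should be corrected so the on-prem and Azure spokes pair up unambiguously. In the "On-Premises Spoke Networks" subgraph only `IoT VLAN 5` is marked isolated, yet every VLAN hangs off the same plain `D -->` edge, and the two guest networks (VLAN 6 and VLAN 10) share the label "Guests" with no isolation marker. Suggest giving them distinct names (for example "Guests (friends)" and "Guests (rental flat)") and stating per VLAN what the firewall allows between segments, so the diagram documents the intended policy rather than just the topology. The switch and access point nodes ND2 to ND6 are declared without any edge and will render detached from the gateway. Connect them or note why they are unlinked. Minor: "Friends visting" should read "Friends visiting", and the VLAN labels mix "VLAN ID 2" with "VLAN 3"; pick one form.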