As a rule of thumb you can look at your workloads. Workloads that have:
- the same maintenance team
- and have the same lifecycle (thus are all deployed together)
- and need not to be secured from each other (now and in the foreseeable future)
only those workloads can be deployed to the same subnet.
Furthermore, I would ALWAYS separate the DEV and PRD resources into separate networks. This is however under the assumption that DEV workloads do not need to (or even are not allowed to) communicate with the PRD network resources.
A hub-and-spoke set-up has many advantages is your network set-up is growing and you want to couple on premises locations and P2S VPN locations to your network. This is however a step you can add at a later stage.
Peering VNETs will not add any security over using subnets. Peered VNETs are considered to be one big network, like one VNET is. Furthermore, data that is sent via the peering is costing you money. If there is a (future) need to remove the peering in a later stage, having your network already being split up into different VNETs is more easy. This is however under the assumption you already know how you want to split up your networks in the future.
My suggestion would be:
DEV vnet
- app1 subnet
- app2 subnet
- db app 1 subnet
- db app 2 subnet
- web app 1 subnet
- web app 2 subnet
PRD vnet
- app1 subnet
- app2 subnet
- db app 1 subnet
- db app 2 subnet
- web app 1 subnet
- web app 2 subnet
only peer these networks if there is a business need to have communication between DEV and PRD.
You can also add now, or in the future, relevant NSG's that allow specific communication between the subnets. i.e. DEV_app1 can communicate with the DEV_DB_app1, but not with DEV_DB_app2.