There has long been a set of best practices from almost any hardware manufacturer - indicating specific models, topologies, scaling methods, etc. As an example, you can take one of the first Google links for the phrase " cisco network design best practices ".

Everything is simple
1) On each office on a router. (I would take software on Linux. Just a computer or server with the right number of interfaces, with Linux installed. But this is me)
2) Each office has its own dedicated and disguised network - in other words, no one goes anywhere, only the Internet.
3) Each office establishes VPN / VLAN / VxLAN with the central one, and, if necessary, with the necessary neighbors
4) On the routers, we allow what resources will be available inside the center and branches
5) We remove all available resources in DMZ zones
Firstly, I suspect that no one you need to go from offices directly to computers.
Secondly, from the outside, everything should be covered, even from the office, because it’s not good to roam around the computers.
Thirdly, shared resources should not be shared with computers either, because sometimes they break ...
Fourthly, there are a lot of things, from broadcasting to dhcp, authorization and separation ...
Oh, yes, there are L3 switches that may not only VLAN, but also VxLAN, and MPLS, and routing.
Put these in the center of the network, and steer the routes, access and other things ...