Azure firewall vs Azure network security group

I've been trying to understand the difference between a Azure firewall (https://azure.microsoft.com/en-us/services/azure-firewall/) and the features offered by NSGs/network security groups (https://docs.microsoft.com/en-us/azure/virtual-network/security-overview).

In our designed landscape, we currently have around 5~10 virtual networks within our subscription. Each of these has it's own network security group at the moment. These networks contain a variety of Azure products(web apps, vms, exposed to only trusted locations, exposed to the internet, ...). From my perspective, we can manage the in- & outbound traffic based via the network security groups. The only benefit of the firewall, I see, is that it can be used as a single point for managing traffic rules. But I don't see the cost of the firewall being worth just reducing the management of this. I think I'm missing something painstakingly obvious in the picture about the difference between what a Azure firewall does, and how a network security group operate. But I don't understand what.

To have a concrete question:

• When is it necessary to have a Azure firewall within your architecture?
• What is the difference between an Azure network security group and the Azure firewall to manage traffic rules (HTTPS & RDP)

but there is nothing preventing you from using a vnet to manage access from outside the vnet though? Why go for the firewall and not manage it from nsg? In my case I have 3 types of traffic: RDP from a predefined list of IPs, HTTPS from a predefined list of IPs, and internet HTTPS traffic to a limited amount of vnets/servers/endpoints.

That works fine and I have done that on certain environments also. FW has some extra features for l blocking URLs and so on and MS will add more features in the future. But if you only need to block/allow ports and IPs then skip the FW and use NSG.

Good answer but there are many diagrams on documentation. which diagram is it? A link would have helped. Thanks.