Azure firewall vs Azure network security group
Solution 1
Azure Firewall features https://docs.microsoft.com/en-us/azure/firewall/firewall-faq#what-capabilities-are-supported-in-azure-firewall
Azure Firewall vs NSG https://docs.microsoft.com/en-us/azure/firewall/firewall-faq#what-is-the-difference-between-network-security-groups-nsgs-and-azure-firewall
I use NSG to limit access within a vNET and Azure Firewall to limit access to a vNET from the outside. There are some good, detailed explanations in the docs articles.
Solution 2
Azure security groups are a feature of VNet that describe firewall rules on the subnets in Azure.
Azure firewall is a product for your transit VNet to secure traffic to Azure, across subscriptions and VNets.
Look at the diagrams in the documentation and decide what meets your design.
Reinard
Updated on September 18, 2022
Comments
- Reinard, almost 2 years ago:
I've been trying to understand the difference between an Azure firewall (https://azure.microsoft.com/en-us/services/azure-firewall/) and the features offered by NSGs/network security groups (https://docs.microsoft.com/en-us/azure/virtual-network/security-overview).
In our designed landscape, we currently have around 5~10 virtual networks within our subscription. Each of these has its own network security group at the moment. These networks contain a variety of Azure products (web apps, VMs, exposed to only trusted locations, exposed to the internet, ...). From my perspective, we can manage the in- & outbound traffic via the network security groups. The only benefit of the firewall I see is that it can be used as a single point for managing traffic rules. But I don't see the cost of the firewall being worth just reducing the management of this. I think I'm missing something painstakingly obvious in the picture about the difference between what an Azure firewall does and how a network security group operates. But I don't understand what.
To have a concrete question:
- When is it necessary to have an Azure firewall within your architecture?
- What is the difference between an Azure network security group and the Azure firewall for managing traffic rules (HTTPS & RDP)?
- Reinard, about 5 years ago: But there is nothing preventing you from using a vnet to manage access from outside the vnet though? Why go for the firewall and not manage it from NSG? In my case I have 3 types of traffic: RDP from a predefined list of IPs, HTTPS from a predefined list of IPs, and internet HTTPS traffic to a limited amount of vnets/servers/endpoints.
- Jarnstrom, about 5 years ago: That works fine and I have done that on certain environments also. FW has some extra features for blocking URLs and so on, and MS will add more features in the future. But if you only need to block/allow ports and IPs then skip the FW and use NSG.
- Eddie Kumar, over 3 years ago: Good answer, but there are many diagrams in the documentation. Which diagram is it? A link would have helped. Thanks.
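To make concrete what an NSG can and cannot express for the RDP and HTTPS flows discussed in this thread, here is an added example (written for this page, not code from any of the posters or from Azure): a small Python model of how an NSG evaluates inbound traffic by priority and first match. The VNet range 10.0.0.0/16, the IP lists and the rule names are constructed placeholders, and the handling of the Internet/VirtualNetwork service tags is an approximation.

```python
"""Model of how an Azure network security group (NSG) decides inbound traffic:
rules are checked in ascending priority order, the first 5-tuple match wins, and
Azure appends default rules AllowVnetInBound (65000) and DenyAllInBound (65500)."""
import ipaddress
from dataclasses import dataclass

VNET = ipaddress.ip_network("10.0.0.0/16")  # constructed VNet address space


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int   # custom rules use 100-4096; lower number is checked first
    access: str     # "Allow" or "Deny"
    protocol: str   # "Tcp", "Udp" or "*"
    sources: tuple  # CIDRs, or the tags "Internet", "VirtualNetwork", "*"
    dests: tuple    # CIDRs, or the same tags
    port: str       # destination port or "*"


def _addr_matches(prefixes, ip_str):
    # Approximation: "VirtualNetwork" means inside VNET, "Internet" means outside it.
    ip = ipaddress.ip_address(ip_str)
    for p in prefixes:
        if p == "*" or (p == "VirtualNetwork" and ip in VNET) or (p == "Internet" and ip not in VNET):
            return True
        if p not in ("VirtualNetwork", "Internet") and ip in ipaddress.ip_network(p):
            return True
    return False


def evaluate(rules, src_ip, dst_ip, dst_port, protocol="Tcp"):
    """Return (access, rule_name) of the first rule matching the inbound flow."""
    defaults = (
        Rule("AllowVnetInBound", 65000, "Allow", "*", ("VirtualNetwork",), ("VirtualNetwork",), "*"),
        Rule("DenyAllInBound", 65500, "Deny", "*", ("*",), ("*",), "*"),
    )
    for r in sorted(rules + defaults, key=lambda r: r.priority):
        if r.protocol in ("*", protocol) and r.port in ("*", str(dst_port)) \
                and _addr_matches(r.sources, src_ip) and _addr_matches(r.dests, dst_ip):
            return r.access, r.name
    raise RuntimeError("unreachable: DenyAllInBound matches everything")


# Constructed rules for the three traffic classes in the thread. Note what is absent:
# NSG rules match addresses and ports only, so "HTTPS to these URLs" cannot be written here.
RULES = (
    Rule("AllowRdpFromAdmins", 100, "Allow", "Tcp", ("203.0.113.10/32", "203.0.113.11/32"), ("*",), "3389"),
    Rule("AllowHttpsFromPartners", 110, "Allow", "Tcp", ("198.51.100.0/24",), ("*",), "443"),
    Rule("AllowHttpsInternetToWeb", 120, "Allow", "Tcp", ("Internet",), ("10.0.2.0/24",), "443"),
)
```

Calling `evaluate(RULES, "192.0.2.9", "10.0.1.4", 3389)` falls through every custom rule and lands on `DenyAllInBound`, while the same client on port 443 to the 10.0.2.0/24 web subnet is allowed by rule 120.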