NSG vs Firewall

Question

NSG vs Firewall

Handian Sudianto 6,096

Hello,

If our vnet using NSG and Firewall and i need to block some internet access from azure VM, should i make an rule in NSG or Azure Firewall?

Accepted answer

0 additional answers

Your answer

Answer 1

TP 124.9K Volunteer Moderator

Hi,

That depends on exactly how you need/want to block the access and possibly your preference. Some ways of blocking access are not possible using NSG, so of course in one of those cases you would need to use Firewall.

For example, say you wanted to block HTTP/S access to a list of 50 different FQDNs (*.domain1.com, *.domain2.com, etc.). In this case you would use Azure Firewall since NSG doesn't allow you to block at the Application Layer.

On the other hand, say you wanted to block outgoing port 25 (SMTP). You could do this using NSG, or via Azure Firewall, or both. My preference (in this example) would be to block it via NSG so that Azure Firewall doesn't need to process the traffic.

One thing to know is Azure Firewall can essentially do everything NSG can, plus more. Assuming all Internet traffic is flowing through Azure Firewall you could have it do all blocking if you wanted to.

Please click Accept Answer if the above was helpful

Thanks.

-TP

Handian Sudianto 6,096 Reputation points

2023-09-08T08:23:14.21+00:00

Hello,

If NSG and Firewall used together so the traffic will be pass thru Firewall then to NSG if we see from outside / internet side?
TP 124.9K Reputation points Volunteer Moderator

2023-09-08T09:27:25.6+00:00

Yes, for incoming/outgoing Internet traffic, it will need to be allowed by Azure Firewall rules AND NSG rules.

For example, if VM makes outbound connection to Internet host, traffic will need to be allowed by NSG on network interface + allowed by NSG on subnet + allowed by Azure Firewall, assuming that Firewall is connected directly to Internet. If no NSG exists on VM interface and/or VM subnet then of course only the Azure Firewall rules would need to allow the traffic.
GitaraniSharma-MSFT 50,021 Reputation points Microsoft Employee Moderator

2023-09-08T13:20:30.97+00:00
Hello @Handian Sudianto , as @TP mentioned if you are using both NSG and Azure Firewall, you can make use of either NSGs or Azure Firewall to block traffic, depending upon the layer in which you want to block the access.

Azure NSG is an OSI layer 3 & 4 network security service to filter traffic to and from Azure VNet.

Azure Firewall is an OSI layer 4 & 7 network security service to protect a VNet with workloads in it.

Refer: https://social.technet.microsoft.com/wiki/contents/articles/53658.azure-security-firewall-vs-nsg.aspx

The Azure Firewall service complements network security group functionality. Together, they provide better "defense-in-depth" network security. So, you could also use them together.

Refer: https://learn.microsoft.com/en-us/azure/firewall/firewall-faq#what-is-the-difference-between-network-security-groups--nsgs--and-azure-firewall

If NSG and Firewall used together, assuming all the traffic (inbound/outbound) flow happens via Azure Firewall:

For Inbound traffic: The client connects to Azure Firewall Public IP directly and then the Firewall rules are processed, and the traffic is forwarded to the respective VM and if the NSG on the VM's NIC or subnet allows it, the traffic will be delivered to the VM.

For Outbound traffic: The VM initiates an outbound connection, so NSG will be checked first to see if that connection/traffic is allowed. If allowed, the traffic will be forwarded to the Azure Firewall (if UDR is configured to force all subnet traffic to Firewall) and the Firewall will process the traffic using the configured rules and will decide whether to send the traffic out or drop it.

Kindly let us know if the above helps or you need further assistance on this issue.

Regards,

Gita

Share via

NSG vs Firewall

0 additional answers

Your answer