Azure Firewall and NSG configuration?

EnterpriseArchitect 4,721 Reputation points

Hi People,

I've got 40+ VMs in Azure Resource group located in different regions.
I wanted to allow only 10 VMs to access the internet and the rest is just Corporate Intranet only (via Express Route to my OnPremise network).

Should I deploy one Azure Firewall or this can be set by NSG but repetitively?
If I have VNET that I have peered with the other VNET with Azure Firewall, do I still need to edit or modify the NSG or no longer need?

Thank you in advance,

Azure Firewall
Azure Firewall
An Azure network security service that is used to protect Azure Virtual Network resources.
563 questions
Azure Virtual Network
Azure Virtual Network
An Azure networking service that is used to provision private networks and optionally to connect to on-premises datacenters.
2,131 questions
Azure Firewall Manager
Azure Firewall Manager
An Azure service that provides central network security policy and route management for globally distributed, software-defined perimeters.
82 questions
0 comments No comments
{count} votes

Accepted answer
  1. SaiKishor-MSFT 17,176 Reputation points


    If you restrict traffic at the VM itself you can minimize the costs and utilization for traffic going to Azure FW and then getting dropped. However, if its easier for you to do it at the firewall for ease of management, you can do so. Therefore, it depends upon the use case and the requirement but traffic can be managed at both the firewall and the NSGs using IP/ports.

    Please let me know if you have any more questions and I will be happy to help :) Thank you!


    Please accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer. Here is how.

    Want a reminder to come back and check responses? Here is how to subscribe to a notification.

    1 person found this answer helpful.

1 additional answer

Sort by: Most helpful
  1. SaiKishor-MSFT 17,176 Reputation points


    If I understand you correctly, you want to allow some VMs to access internet and rest only to the on-premise network via Express Route. Please correct me otherwise.
    This can be achieved using NSGs and you do not necessarily need a Firewall to do the same. You can use the same NSGs if you would like, as long as the VMs are in the same region/subscription. If they are in different regions, you can still be able to use an Azure Resource Manager template to export the existing configuration and security rules of an NSG. More details are given in this document.

    You can implement a firewall if you are looking for more features/security than just restricting or allowing traffic based on IP/ports. Here is a great blog that explains the difference between NSGs and Firewall and when each can be used and also using both at the same time.

    In regards to this question, If I have VNET that I have peered with the other VNET with Azure Firewall, do I still need to edit or modify the NSG or no longer need? Can you explain this in more detail so I can understand and assist you better? Thank you!

    1 person found this answer helpful.