![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(35.2, 35%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESM%3C/text%3E%3C/svg%3E)
Azure Application Gateway
An Azure service that provides a platform-managed, scalable, and highly available application delivery controller as a service.
1,172 questions
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(204.8, 81%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESP%3C/text%3E%3C/svg%3E)
NSGs operate at Layers 3 and 4 of the OSI model. They control network traffic based on IP addresses and ports. Therefore, NSGs filter traffic first. They determine whether network traffic is allowed to reach the Application Gateway's subnet in the first place. Please refer the document.
The WAF operates at Layer 7. It inspects the HTTP/HTTPS traffic for web application vulnerabilities. Therefore, the WAF processes traffic after it has been allowed by the NSGs. The WAF examines the content of the web requests.
NSGs act as the first line of defense, controlling network access and the WAF then provides deeper application-level inspection, protecting against web-based attacks. Please refer the document.
when an Azure Application Gateway has both the WAF and a NSG enabled, client requests are first filtered by the NSG associated with the Application Gateway's subnet, and subsequently by the WAF.
This order of processing is fundamental to how security is enforced for web applications deployed on Azure. The NSG acts as a network-level firewall, controlling access based on IP addresses, ports, and protocols, while the WAF provides application-level protection by inspecting the content of HTTP/HTTPS requests for common web exploits and vulnerabilities.
If the above has been helpful, please take a moment to click 'Accept answer'
If you still have questions, please let us know what is needed in the comments so the question can be answered.