

Azure Security: Firewall vs NSG

Introduction

One of the most important reasons for a company to move its workloads to Azure is security. In this post, we will talk about the two best-known Azure network security services, Azure Firewall and NSGs. With these two services, we can manage a VNet's Inbound and Outbound traffic.

Overview

Let’s have a quick overview of both Azure services.

Azure Firewall

Azure Firewall is an OSI layer 4 and 7 network security service that protects a VNet and the workloads in it. It is fully managed by Microsoft; we just need to create and configure the rules (NAT rule, Network rule, and Application rule collections) in order to secure the resources.

Features

In the table below we can check all the available features of the Azure Firewall service.

| Name | Description |
|---|---|
| Built-in high availability | There is no need for any Load Balancer configuration because high availability is built in. |
| Availability zones | We can configure Azure Firewall to use availability zones to achieve 99.99% availability. |
| Unrestricted cloud scalability | Azure Firewall can scale up as much as we need without any restriction or extra cost. |
| Application FQDN filtering rules | To limit outbound traffic we can specify the FQDN of the service. |
| Network traffic filtering rules | We can create allow or deny network filtering rules by source and destination IP address, port, and protocol. |
| FQDN tags | We can use FQDN tags to allow Azure service network traffic through the firewall. |
| Service tags | We can use a service tag, which represents a group of IP address prefixes, to minimize the complexity of security rule creation. |
| Threat intelligence | Threat intelligence-based filtering can be enabled on the firewall to alert on and deny traffic from/to known malicious IP addresses and domains. |
| Outbound SNAT support | Azure Firewall uses a Public IP address. The VNet's outbound network traffic is translated to this PIP. |
| Inbound DNAT support | Inbound network traffic to the Firewall PIP is translated and filtered to the private IP addresses on the VNet. |
| Multiple public IP addresses | We can associate up to 100 IPs with the Firewall; check this link for more details. |
| Azure Monitor logging | All events are integrated with Azure Monitor. |

Deploy an Azure Firewall

In this section, we will talk about the steps we need to deploy an Azure Firewall.

Step 2. Tab - Tags

At the next tab, we can add Tags to better organize the resources and select "Next: Review + create" to move to the next tab.

Step 3. Tab - Review + create

At the final tab, we can make a review of the configuration and just select "Create" to begin the deployment of the firewall.

Azure Network Security Groups (NSG's)

An Azure NSG is an OSI layer 3 and 4 network security service that filters traffic from and to an Azure VNet. A network security group consists of several security rules (allow or deny). These security rules are evaluated using a 5-tuple hash, made up of the Source IP, Source Port, Destination IP, Destination Port, and Protocol Type. NSGs can be associated with a VNet or with the network interface of a VM.

Security Rules

| Property | Explanation |
|---|---|
| Name | Type a unique name for the NSG rule. |
| Priority | Type the priority number of the rule. Every rule is processed in priority order; lower numbers are processed before higher numbers. |
| Source or destination | Select the source or destination; this can be Any, IP addresses, a Service Tag, or an Application security group. |
| Protocol | Select a protocol type: TCP, UDP, ICMP, or Any. |
| Direction | Whether the rule applies to inbound or outbound traffic. |
| Port range | We can specify a single port or a range of ports; the second choice lets us create fewer security rules. |
| Action | Select between Allow and Deny. |

Create a Network Security Group

A few lines above we read how to deploy an Azure Firewall; in this section, we learn how to create an NSG.

Step 1. Tab - Basics

The image below shows which mandatory fields we need to fill in to begin the NSG deployment.

Step 2. Tab - Review + create

On the final tab we review the configuration and start the creation of the NSG by clicking the "Create" button.

Default Azure Network Security Group (NSG) Rules

When an NSG is first deployed it contains a set of default security rules for Inbound and Outbound connections. In the image below we can see these rules.
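To make the rule-evaluation behaviour described in the Security Rules table and the default rules concrete, here is an added Python example (not code from the original post) that walks a 5-tuple through custom and default NSG rules in priority order, first match wins. The default rule names and priorities are Azure's documented defaults; the service-tag prefixes, the custom rules and the flows are constructed for the example, the single port range is treated as the destination port, and the source port range is assumed to be "*".

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Rule:
    name: str
    priority: int       # lower numbers are evaluated first; first match wins
    direction: str      # "Inbound" or "Outbound"
    action: str         # "Allow" or "Deny"
    source: str         # CIDR, service tag or "*"
    destination: str
    protocol: str       # "Tcp", "Udp", "Icmp" or "*"
    port_range: str     # destination port: "*", "22" or "1000-2000"

# Service tags reduced to address ranges (constructed for this example, not Azure's real prefixes)
TAGS = {"VirtualNetwork": ["10.0.0.0/16"], "AzureLoadBalancer": ["168.63.129.16/32"], "Internet": ["0.0.0.0/0"]}

# Default rules every NSG is created with (Azure's documented names and priorities)
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "VirtualNetwork", "VirtualNetwork", "*", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "AzureLoadBalancer", "*", "*", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "VirtualNetwork", "VirtualNetwork", "*", "*"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "Internet", "*", "*"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*", "*"),
]

def addr_match(spec, addr):
    # "*" matches anything; a tag expands to its prefixes; otherwise spec is a CIDR
    return spec == "*" or any(ip_address(addr) in ip_network(n) for n in TAGS.get(spec, [spec]))

def port_match(spec, port):
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def evaluate(custom_rules, direction, src, dst, dst_port, proto):
    """Walk the flow through custom + default rules in priority order; the first match decides."""
    for r in sorted(custom_rules + DEFAULT_RULES, key=lambda r: r.priority):
        if r.direction != direction or (r.protocol != "*" and r.protocol != proto):
            continue
        if addr_match(r.source, src) and addr_match(r.destination, dst) and port_match(r.port_range, dst_port):
            return r.action, r.name
    return "Deny", "<no match>"   # unreachable in practice: a DenyAll* default always matches

# Constructed custom rules: SSH allowed from an admin range, RDP explicitly denied for everyone
CUSTOM_RULES = [
    Rule("AllowSshFromAdmin", 100, "Inbound", "Allow", "203.0.113.0/24", "*", "Tcp", "22"),
    Rule("DenyRdpInBound", 200, "Inbound", "Deny", "*", "*", "Tcp", "3389"),
]
```

Note that the priority-200 deny rule blocks RDP even from inside the VNet, because it is evaluated before the priority-65000 AllowVnetInBound default; a deny with a lower number always wins over a later allow.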

The Conclusion

In this post, we read what Azure Firewall and Azure NSGs are and how to deploy them. The reality is that each service offers security at a different network level: NSGs filter Inbound and Outbound network traffic, while Azure Firewall can filter network traffic with more intelligence. We can have an NSG on a VM and concurrently an Azure Firewall protecting the resources running in the VNet. Finally, we should also note that an NSG is one more security level for a VM, because besides the protection provided by the firewall there is extra filtering on the VM's network ports.
