Azure Firewall vs NSG
What is Azure Firewall?
Azure Firewall is a cloud-native, fully managed, stateful firewall service that filters and inspects traffic at OSI layers 3 through 7.
It goes beyond classic filtering on IP address, port and protocol: it can look at the traffic itself (the destination FQDN taken from an HTTP Host header or a TLS SNI, and, in the Premium SKU, the decrypted TLS payload) to decide whether an inbound or outbound flow should be allowed. It is highly available by design and ships with Microsoft threat-intelligence filtering in all SKUs and signature-based intrusion detection and prevention (IDPS) in Premium. Microsoft positions it as the central network control point for workloads on Azure.
What is Azure NSG?
An Azure Network Security Group (NSG) is a stateful packet filter that operates at OSI layers 3 and 4 to filter ingress and egress traffic for resources in an Azure virtual network (vNet).
Where Azure Firewall is a central chokepoint through which a workload's traffic is routed, an NSG is attached to a subnet or to the network interface of a virtual machine (it cannot be attached to a vNet itself) and filters the traffic crossing that boundary. It does so with an ordered list of allow and deny rules, which is an access control list (ACL) in all but name.
Azure Firewall vs. NSG
Azure Firewall and NSGs are both Azure network security controls, and both decide whether to pass traffic based on a set of rules. That is where the similarity ends. An NSG is a classic stateful packet filter; Azure Firewall adds next-generation capabilities such as FQDN-based application rules, threat-intelligence filtering and, in the Premium SKU, TLS inspection and intrusion detection. In practice they are complementary rather than alternatives: a common design sends subnet egress to Azure Firewall through a user-defined route while NSGs still enforce segmentation inside the vNet.
Azure Firewall vs. NSG: Overview
The table below details some of the key similarities and differences between Azure Firewall and Azure NSG.
| | Azure Firewall | Network Security Group |
|---|---|---|
| Description | Managed, highly available, stateful firewall with FQDN filtering, threat intelligence and (Premium) deep packet inspection | Basic stateful packet filter that matches on the 5-tuple (source and destination IP, source and destination port, protocol) |
| Layers of protection | Inspects OSI layers 3 to 7 | Filters at OSI layers 3 and 4 only |
| FQDN tag support | Supports FQDN tags and FQDN-based application rules | Does NOT support FQDN tags (service tags and application security groups only) |
| Threat detection and blocking | Threat-intelligence filtering against Microsoft's feed in all SKUs; signature-based IDPS in Premium | None; allow and deny rules only |
| Availability Zones | Can be deployed across Availability Zones | Not applicable; an NSG is a regional resource with no instances to place |
| Cost | Standard SKU deployment charge starts at about $1.25/hour, plus a per-GB data processing charge | Free; standard data transfer charges still apply |
| Complexity | Intermediate to advanced networking knowledge (user-defined routes, rule collections, SNAT/DNAT) | Basic networking knowledge |
Azure Firewall vs NSG: Features
Azure Firewall is a modern intelligent firewall built to secure an entire workload rather than a single subnet or NIC. It is offered in Standard and Premium SKUs (a lower-cost Basic SKU for small environments was added later); Premium adds TLS inspection, signature-based IDPS, URL filtering and web categories.
Key Azure Firewall technology and security features include:
- Protection at OSI layers 3, 4 and 7– Traditional rule-based firewalls operate at layers 3 and 4; Azure Firewall adds layer 7 application rules that match on FQDN, URL and HTTP/HTTPS protocol.
- Packet inspection– Standard matches application rules on the FQDN from the HTTP Host header or TLS SNI without decrypting anything. The Premium SKU can terminate and inspect TLS, so application rules and IDPS signatures see the decrypted payload rather than only the SNI.
- Stateful firewalling– Azure Firewall tracks connection state, so only the initiating direction needs a rule and return traffic for an allowed connection is admitted automatically. On top of that, the Premium SKU's IDPS compares traffic against more than 58,000 signatures in over 50 categories, which Microsoft updates continuously.
- Threat intelligence-based filtering– Available in Standard and Premium, this compares every inbound and outbound flow against Microsoft's threat-intelligence feed of known-malicious IP addresses and domains. It runs in one of three modes: Off, Alert (log the match but still evaluate the rules) or Alert and deny (drop the flow before any rule is evaluated). Microsoft updates the feed continuously to cover newly observed infrastructure.
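The evaluation order described in the list above, as an added example that is not code from the page or from Microsoft: a toy Python model of how one outbound flow passes through threat-intelligence filtering, then network rules, then application rules. The feed contents, the rules, the addresses and the Flow/evaluate names are all constructed for illustration; the real service also evaluates DNAT rules first and orders rule collections by priority, which this model leaves out.

```python
# Added example (not from the page or Microsoft): a toy model of the order in
# which Azure Firewall evaluates one outbound flow. Threat intelligence is
# consulted first, then network rules (layer 3/4), then application rules
# (layer 7, matched on FQDN). Feed contents and rules are constructed.
from dataclasses import dataclass
from fnmatch import fnmatch
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Constructed stand-in for Microsoft's threat-intelligence feed.
THREAT_INTEL_IPS = {"198.51.100.23"}
THREAT_INTEL_DOMAINS = {"malware.example"}

@dataclass(frozen=True)
class NetworkRule:          # layer 3/4: IP, port, protocol
    name: str
    action: str             # "Allow" or "Deny"
    protocol: str           # "Tcp", "Udp", "Icmp" or "Any"
    sources: tuple
    destinations: tuple
    ports: tuple

@dataclass(frozen=True)
class ApplicationRule:      # layer 7: FQDN, optionally wildcarded ("*.contoso.com")
    name: str
    action: str
    protocols: tuple        # "Http" and/or "Https"
    sources: tuple
    fqdns: tuple

@dataclass(frozen=True)
class Flow:
    src: str
    dst_ip: str
    dst_fqdn: Optional[str]  # from the HTTP Host header or TLS SNI; None if unknown
    protocol: str
    port: int

def _in(cidrs, addr) -> bool:
    return any(ip_address(addr) in ip_network(c) for c in cidrs)

def evaluate(flow: Flow, net_rules, app_rules, threat_intel="Deny") -> Tuple[str, str]:
    """threat_intel is "Off", "Alert" or "Deny" (the portal's 'Alert and deny')."""
    # 1. Threat intelligence runs before any rule. In Alert mode the hit is only
    #    logged and evaluation continues; in Deny mode the flow is dropped here.
    hit = flow.dst_ip in THREAT_INTEL_IPS or flow.dst_fqdn in THREAT_INTEL_DOMAINS
    if threat_intel == "Deny" and hit:
        return "Deny", "ThreatIntel"
    # 2. Network rules. Real deployments order rule collections by priority;
    #    list order stands in for that here.
    for r in net_rules:
        if (r.protocol in ("Any", flow.protocol) and _in(r.sources, flow.src)
                and _in(r.destinations, flow.dst_ip) and flow.port in r.ports):
            return r.action, r.name
    # 3. Application rules apply only to HTTP/HTTPS and match on the FQDN.
    #    A wildcard "*.contoso.com" does not match the apex "contoso.com".
    proto = {80: "Http", 443: "Https"}.get(flow.port) if flow.protocol == "Tcp" else None
    if proto and flow.dst_fqdn:
        for r in app_rules:
            if (proto in r.protocols and _in(r.sources, flow.src)
                    and any(fnmatch(flow.dst_fqdn, pattern) for pattern in r.fqdns)):
                return r.action, r.name
    return "Deny", "ImplicitDeny"   # nothing matched: Azure Firewall denies by default

# Constructed sample policy: workloads may resolve DNS and fetch Windows updates.
NET_RULES = [NetworkRule("Allow-DNS", "Allow", "Udp", ("10.1.0.0/16",), ("10.0.0.4/32",), (53,))]
APP_RULES = [ApplicationRule("Allow-Updates", "Allow", ("Http", "Https"),
                             ("10.1.0.0/16",), ("*.windowsupdate.com",))]

if __name__ == "__main__":
    flows = [
        Flow("10.1.2.4", "10.0.0.4", None, "Udp", 53),
        Flow("10.1.2.4", "203.0.113.10", "download.windowsupdate.com", "Tcp", 443),
        Flow("10.1.2.4", "203.0.113.10", "windowsupdate.com", "Tcp", 443),
        Flow("10.1.2.4", "198.51.100.23", "download.windowsupdate.com", "Tcp", 443),
    ]
    for f in flows:
        print(f.dst_fqdn or f.dst_ip, "->", evaluate(f, NET_RULES, APP_RULES))
```

The last flow is the one to notice: an FQDN that the application rules would allow is still dropped because the destination IP is on the feed and the mode is Alert and deny. Switch the mode to Alert and the same flow is allowed with only a log entry, which is why the deny mode is the one to run in production once the alerts have been reviewed.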
An NSG, on the other hand, is an OSI layer 3 and 4 control. Administrator-defined rules allow or deny traffic based on the 5-tuple: source IP address, destination IP address, source port, destination port and protocol (TCP, UDP, ICMP, or Any). Sources and destinations can also be expressed as service tags (for example VirtualNetwork or AzureLoadBalancer) or application security groups instead of raw prefixes.
An NSG is not created with a vNet, but the portal creates one for the VM's network interface by default when you deploy a virtual machine; you can instead specify an existing NSG at creation time, or associate one with a subnet. Rules are easy to configure and are processed in priority order: each custom rule has a unique priority between 100 and 4096, the lowest number is evaluated first (100 takes precedence over 110), and processing stops at the first match. Azure appends default rules at priorities 65000 and above (AllowVnetInBound, AllowAzureLoadBalancerInBound and DenyAllInBound, with outbound equivalents) that cannot be deleted, only overridden by a higher-priority custom rule. One consequence worth checking in any review: the default AllowVnetInBound rule admits any traffic from anywhere in the vNet, so east-west segmentation needs explicit deny rules.
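The priority semantics described above, as an added example that is not code from the page or from Microsoft: a Python evaluator that applies NSG rule ordering to a single inbound packet, including the default rules behind the custom ones. The rule set, the service-tag ranges and the evaluate/validate helpers are constructed for illustration.

```python
# Added example (not from the page or Microsoft): a small evaluator that applies
# Azure NSG semantics to a single inbound packet. Rules are processed in
# ascending priority order and the first match decides; Azure's default rules
# (priority 65000+) sit behind the custom ones. Service-tag ranges below are
# constructed placeholders, not Microsoft's published prefixes.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # custom rules: 100-4096, unique per direction; defaults: 65000+
    access: str        # "Allow" or "Deny"
    protocol: str      # "Tcp", "Udp", "Icmp" or "*" for any
    source: str        # CIDR, "*" or a service tag name
    destination: str
    dest_ports: str    # "22", "80-443", "22,3389" or "*"

# Constructed stand-ins for service tags (real ranges are published by Microsoft).
SERVICE_TAGS = {
    "VirtualNetwork": ["10.1.0.0/16"],
    "AzureLoadBalancer": ["168.63.129.16/32"],
}

# Azure's default inbound rules; they cannot be removed, only overridden.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "*", "AzureLoadBalancer", "*", "*"),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*", "*", "*"),
]

# Constructed custom rules: SSH only from a management subnet, HTTPS from anywhere.
CUSTOM_INBOUND = [
    Rule("Allow-SSH-From-Mgmt", 100, "Allow", "Tcp", "10.1.1.0/24", "*", "22"),
    Rule("Deny-SSH-Elsewhere", 110, "Deny", "Tcp", "*", "*", "22"),
    Rule("Allow-HTTPS", 200, "Allow", "Tcp", "*", "*", "443"),
]

def _addr_match(spec: str, addr: str) -> bool:
    if spec == "*":
        return True
    nets = SERVICE_TAGS.get(spec, [spec])
    return any(ip_address(addr) in ip_network(n) for n in nets)

def _port_match(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def _proto_match(spec: str, proto: str) -> bool:
    return spec == "*" or spec.lower() == proto.lower()

def validate(rules):
    """Azure rejects priorities outside 100-4096 and duplicates within one direction."""
    seen = set()
    for r in rules:
        if not 100 <= r.priority <= 4096:
            raise ValueError(f"{r.name}: priority {r.priority} outside 100-4096")
        if r.priority in seen:
            raise ValueError(f"{r.name}: duplicate priority {r.priority}")
        seen.add(r.priority)

def evaluate(custom, src: str, dst: str, proto: str, dport: int):
    """Return (access, rule_name) for the first rule matching the packet.
    Source port is ignored here because NSG rules almost always leave it at '*'."""
    validate(custom)
    for r in sorted(custom + DEFAULT_INBOUND, key=lambda r: r.priority):
        if (_proto_match(r.protocol, proto) and _addr_match(r.source, src)
                and _addr_match(r.destination, dst) and _port_match(r.dest_ports, dport)):
            return r.access, r.name
    raise RuntimeError("unreachable: DenyAllInBound matches everything")

if __name__ == "__main__":
    for pkt in [("10.1.1.5", "10.1.2.4", "Tcp", 22), ("203.0.113.7", "10.1.2.4", "Tcp", 22),
                ("203.0.113.7", "10.1.2.4", "Tcp", 443), ("203.0.113.7", "10.1.2.4", "Udp", 53),
                ("10.1.5.9", "10.1.2.4", "Tcp", 3389)]:
        print(pkt, "->", evaluate(CUSTOM_INBOUND, *pkt))
```

The last packet in the demo is the one the default rules quietly allow: RDP from another subnet in the same vNet matches nothing custom and falls through to AllowVnetInBound at 65000, so a deny for east-west traffic has to be written explicitly at a lower priority number.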
The image below provides a conceptual breakdown of how an NSG works: the NSG is associated with a subnet and filters all traffic entering and leaving that subnet. In the reference image it could equally have been associated with the network interface of a single VM; it cannot be associated with the Default Virtual Network (10.1.0.0/16) itself, since NSGs attach only to subnets and network interfaces.