What is Azure Firewall?

Azure Firewall is a cloud-based, fully managed, intelligent firewall that protects workloads at OSI layers 3 through 7.

Azure Firewall goes beyond the classic security approach of authorizing traffic by IP, port, and protocol: it inspects the network traffic itself to determine whether incoming or outgoing traffic is malicious. It is a completely managed, highly available cloud service with features such as threat intelligence and signature-based IDPS. Azure Firewall is Microsoft’s go-to technology for protecting workloads on Azure Cloud.

What is Azure NSG?

An Azure Network Security Group (NSG) is a firewall that operates at OSI Layers 3 and 4 to filter ingress and egress traffic from resources on an Azure Virtual Network (vNET).

Unlike Azure Firewall, which monitors all workload traffic centrally, an NSG is typically attached to individual vNets, subnets, and virtual machine network interfaces to refine the traffic reaching them. It does this through an Access Control List (ACL) of allow and deny rules that permit or block traffic to Azure resources.

Azure Firewall vs. NSG

Azure Firewall and NSG are both security services offered by Azure, and both secure traffic based on a set of rules. That is where the similarity ends, however: NSG is a classic firewall, while Azure Firewall offers next-generation capabilities such as packet inspection and intrusion detection.

Azure Firewall vs. NSG: Overview

The table below details some of the key similarities and differences between Azure Firewall and Azure NSG.

| Feature | Azure Firewall | Network Security Group |
|---|---|---|
| Description | Managed, highly available, robust, and intelligent firewall with advanced packet inspection capabilities | A basic/classic firewall based on a 5-tuple hash |
| Layers of protection | Offers protection to workloads by inspecting OSI layers 3-7 | Basic traffic filtering at OSI layers 3 and 4 |
| FQDN tag support | Supports FQDN tags | Does NOT support FQDN tags |
| Threat detection and blocking | Supports real-time threat detection | Filters traffic based on allow and block rules |
| Availability Zones | Supports Availability Zones | Does NOT support or require Availability Zones |
| Cost | Starts at $1.25/hour, excluding data processing charges | Free, but standard data ingress/egress costs apply |
| Complexity | Requires intermediate to advanced knowledge to configure and implement | Requires basic network knowledge to configure and implement |

Azure Firewall vs NSG: Features

Azure Firewall is a modern, intelligent firewall built to secure the entire workload. It comes in two tiers, Standard and Premium; Premium adds further security features.

Key Azure Firewall technology and security features include:

  • Protection at OSI layers 3, 4 and 7 – While traditional rule-based firewalls operate at layers 3 and 4, Azure Firewall also works at layer 7.
  • Packet inspection – Azure Firewall inspects packets intelligently and offers protection at the application layer.
  • Stateful firewalling – As a stateful firewall, Azure Firewall continuously analyzes traffic in the context of its connection. It inspects data packets and runs threat detection by comparing patterns against more than 58,000 signatures in over 50 categories, all updated in real time.
  • Threat intelligence-based filtering – The Standard tier offers L3-L7 filtering and real-time threat detection fed directly from Microsoft Security Center. Threat intelligence-based filtering compares all inbound and outbound traffic against a blacklist of IP addresses to allow or deny it. Microsoft updates this blacklist in real time to safeguard against newly emerging attacks.

NSG, on the other hand, is an OSI layer 3 and 4 security service. Administrator-defined rules allow or block traffic based on the 5-tuple hash. A 5-tuple uses five parameters to enforce rules: the source and destination IP addresses, the source and destination port numbers, and the protocol (TCP, UDP, or both).

An NSG is created by default with every vNet and virtual machine. You can either create a new NSG or specify an existing one while creating the resource. NSGs are easy to configure, and rules are processed in priority order. If an ACL contains conflicting rules, the rule with the highest priority takes precedence; a lower priority number means a higher priority, so a rule at 100 wins over a rule at 110.
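To make the 5-tuple matching and priority ordering concrete, here is a small rule evaluator added for this article; it is not Azure's own code and was not part of the original page. It assumes CIDR-only source and destination fields (service tags are not modelled), a constructed rule set protecting the 10.1.0.0/16 network, and an implicit deny for unmatched traffic standing in for the DenyAllInBound/DenyAllOutBound default rules Azure appends at priority 65500.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class NsgRule:
    """One NSG security rule: a 5-tuple match plus direction, access and priority."""
    name: str
    priority: int          # custom rules use 100-4096; a lower number wins
    direction: str         # "Inbound" or "Outbound"
    access: str            # "Allow" or "Deny"
    protocol: str          # "Tcp", "Udp" or "*"
    source: str            # CIDR prefix or "*" (service tags not modelled; assumption)
    source_port: str       # "*", a single port, or a "lo-hi" range
    destination: str
    destination_port: str


def _match_addr(pattern: str, addr: str) -> bool:
    return pattern == "*" or ip_address(addr) in ip_network(pattern, strict=False)


def _match_port(pattern: str, port: int) -> bool:
    if pattern == "*":
        return True
    lo, _, hi = pattern.partition("-")        # "22" or "1024-65535"
    return int(lo) <= port <= int(hi or lo)


def evaluate(rules, direction, src, sport, dst, dport, proto):
    """Return (access, rule_name) of the first matching rule in priority order.

    Processing stops at the first match, as NSG evaluation does. If no custom rule
    matches, the packet falls through to a constructed default deny that stands in
    for Azure's built-in DenyAllInBound/DenyAllOutBound rules (priority 65500)."""
    for r in sorted(rules, key=lambda r: r.priority):
        if (r.direction == direction and r.protocol in ("*", proto)
                and _match_addr(r.source, src) and _match_port(r.source_port, sport)
                and _match_addr(r.destination, dst) and _match_port(r.destination_port, dport)):
            return r.access, r.name
    return "Deny", "DefaultDenyAll"


# Constructed sample ACL, deliberately listed out of priority order to show that
# the priority number, not list position, decides which rule wins.
SAMPLE_RULES = [
    NsgRule("DenySSHFromAnywhere", 110, "Inbound", "Deny", "Tcp", "*", "*", "*", "22"),
    NsgRule("AllowHTTPS", 200, "Inbound", "Allow", "Tcp", "*", "*", "*", "443"),
    NsgRule("AllowSSHFromAdmin", 100, "Inbound", "Allow", "Tcp", "203.0.113.0/24", "*", "10.1.0.0/16", "22"),
]

if __name__ == "__main__":
    for src, dport, proto in [("203.0.113.10", 22, "Tcp"), ("198.51.100.5", 22, "Tcp"), ("198.51.100.5", 53, "Udp")]:
        print(src, proto, dport, "->", evaluate(SAMPLE_RULES, "Inbound", src, 50000, "10.1.0.4", dport, proto))
```

SSH from the admin range is allowed by the priority-100 rule even though the broader priority-110 deny also matches, which is exactly the "100 takes priority over 110" behaviour described above.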

The image below provides an excellent conceptual breakdown of how Azure NSG features work. The NSG sits inside a subnet filtering all traffic that goes in and out of the subnet. This could also have been implemented on the Default Virtual Network (10.1.0.0/16) or a single VM in the reference image.
