I've been trying to understand the difference between a Azure firewall (https://azure.microsoft.com/en-us/services/azure-firewall/) and the features offered by NSGs/network security groups (https://docs.microsoft.com/en-us/azure/virtual-network/security-overview).
In our designed landscape, we currently have around 5~10 virtual networks within our subscription. Each of these has it's own network security group at the moment. These networks contain a variety of Azure products(web apps, vms, exposed to only trusted locations, exposed to the internet, …). From my perspective, we can manage the in- & outbound traffic based via the network security groups. The only benefit of the firewall, I see, is that it can be used as a single point for managing traffic rules. But I don't see the cost of the firewall being worth just reducing the management of this. I think I'm missing something painstakingly obvious in the picture about the difference between what a Azure firewall does, and how a network security group operate. But I don't understand what.
To have a concrete question:
- When is it necessary to have a Azure firewall within your architecture?
- What is the difference between an Azure network security group and the Azure firewall to manage traffic rules (HTTPS & RDP)
Best Answer
Azure Firewall features https://docs.microsoft.com/en-us/azure/firewall/firewall-faq#what-capabilities-are-supported-in-azure-firewall
Azure Firewall vs NSG https://docs.microsoft.com/en-us/azure/firewall/firewall-faq#what-is-the-difference-between-network-security-groups-nsgs-and-azure-firewall
I use NSG to limit access within a vNET and Azure Firewall to limit access to a vNET from the outside. There are some good detailed explanation in the docs articles