NSGs provide layer 3 and layer 4 rules. They are true ALLOW/DENY rules, just like in any firewall appliance.

Azure Firewall provides layer 3, layer 4 and, most importantly, layer 7 ALLOW/DENY rules.

Azure Firewall supports rules and rule collections. A rule collection is a set of rules that share the same order and priority. Rule collections are executed in order of their priority. Network rule collections are higher priority than application rule collections, and all rules are terminating.

There are three types of rule collections:

  • Application rules: Configure fully qualified domain names (FQDNs) that can be accessed from a subnet.
  • Network rules: Configure rules that contain source addresses, protocols, destination ports, and destination addresses.
  • NAT rules: Configure DNAT rules to allow incoming Internet connections.
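The processing order described above (network rule collections before application rule collections, priority order within each type, first match terminates) can be checked with a small model. This is an added example, not Azure code or part of the original post; the `Collection` class, the per-collection Allow/Deny action, the deny-on-no-match fallback and all names and addresses are assumptions made for illustration, and NAT rules are not modelled.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from ipaddress import ip_address, ip_network

@dataclass
class Collection:          # hypothetical model type, not an Azure SDK class
    kind: str              # "network" or "application"
    name: str
    priority: int          # lower number is evaluated first within its kind
    action: str            # assumption: one Allow/Deny action per collection
    rules: list            # network: (src, dst, proto, port); application: (src, fqdn pattern)

def matches(kind, rule, flow):
    src = ip_address(flow["src"])
    if kind == "network":
        s, d, proto, port = rule
        return (src in ip_network(s) and ip_address(flow["dst"]) in ip_network(d)
                and proto == flow["proto"] and port == flow["port"])
    s, pattern = rule
    return src in ip_network(s) and fnmatchcase(flow.get("fqdn", ""), pattern)

def evaluate(collections, flow):
    """Return (action, collection name); the first matching rule terminates."""
    for kind in ("network", "application"):  # all network collections come first
        ordered = sorted((c for c in collections if c.kind == kind),
                         key=lambda c: c.priority)
        for col in ordered:
            if any(matches(kind, r, flow) for r in col.rules):
                return col.action, col.name
    return "Deny", "no-match"  # assumption: traffic matching no rule is denied

# Constructed sample policy and flows (private and documentation address ranges).
POLICY = [
    Collection("application", "allow-web", 100, "Allow", [("10.0.1.0/24", "*.example.com")]),
    Collection("network", "allow-dns", 100, "Allow", [("10.0.0.0/16", "10.0.0.4/32", "UDP", 53)]),
    Collection("network", "deny-other-dns", 200, "Deny", [("10.0.0.0/16", "0.0.0.0/0", "UDP", 53)]),
    Collection("network", "block-range", 300, "Deny", [("10.0.1.0/24", "203.0.113.0/24", "TCP", 443)]),
]
DNS = {"src": "10.0.1.5", "dst": "10.0.0.4", "proto": "UDP", "port": 53}
DNS_EXTERNAL = dict(DNS, dst="198.51.100.53")
WEB_OK = {"src": "10.0.1.5", "dst": "198.51.100.7", "proto": "TCP", "port": 443,
          "fqdn": "www.example.com"}
WEB_BLOCKED = dict(WEB_OK, dst="203.0.113.10")  # same FQDN, network-denied range
SSH = {"src": "10.0.1.5", "dst": "198.51.100.7", "proto": "TCP", "port": 22}

if __name__ == "__main__":
    for flow in (DNS, DNS_EXTERNAL, WEB_OK, WEB_BLOCKED, SSH):
        print(flow, "->", evaluate(POLICY, flow))
```

`WEB_BLOCKED` is the case worth noticing when reviewing a policy: the application collection has the numerically lowest priority, yet the network collection at priority 300 decides the flow because network collections are evaluated first.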

What about inbound traffic filtering? Does Azure Firewall support it? Do NSGs support it?

Inbound protection is typically used for non-HTTP/S protocols. For example RDP, SSH, and FTP protocols.

Inbound HTTP/S protection is better accomplished using a web application firewall such as Azure Web Application Firewall (WAF).



