Azure Firewall versus NSGs
NSGs are stateful layer 3 and layer 4 filters. Each rule matches on source and destination (IP/CIDR, service tag or application security group), protocol and port, carries an Allow or Deny action, and has a numeric priority: the lowest number is evaluated first and the first match ends processing, just like the access list on any packet-filtering firewall. An NSG never sees hostnames, URLs or request content.
Azure Firewall has layer 3 and layer 4 rules as well, but most importantly it adds layer 7 Allow/Deny rules: outbound traffic can be filtered by fully qualified domain name rather than by IP address alone, and the service is a managed, stateful firewall that is configured centrally for whole virtual networks instead of per subnet or per NIC.
Azure Firewall organizes rules into rule collections. A rule collection is a group of rules of one type that share a single priority (100 to 65000, lower number evaluated first) and a single action (Allow or Deny; Dnat for NAT collections). Collections are evaluated by type first and then by priority: DNAT rule collections are processed before network rule collections, and network rule collections before application rule collections. All rules are terminating: the first rule that matches decides the flow and nothing later is consulted, and traffic that matches no rule at all is denied by default. One practical consequence is that a network rule denying TCP/443 to a destination takes effect even when an application rule would allow that FQDN, because the network collections are walked first.
There are three types of rule collections:
- Application rules: allow or deny outbound HTTP, HTTPS (and MSSQL) traffic from a subnet by fully qualified domain name (FQDN), for example `*.windowsupdate.com`, instead of by destination IP.
- Network rules: allow or deny traffic by source address, protocol (TCP, UDP, ICMP or Any), destination port and destination address, for anything that is not HTTP/S, such as DNS, RDP or SSH.
- NAT rules: DNAT rules that translate the firewall's public IP address and port to a private IP address and port, so an inbound Internet connection (for example SSH to a jump host) can be published through the firewall.
What about inbound traffic filtering? Does Azure Firewall support it? Do NSGs?
Both do. An NSG has inbound rules in the same form as its outbound rules, and the default DenyAllInBound rule drops anything not explicitly allowed. Azure Firewall handles inbound traffic through DNAT rule collections: a connection to the firewall's public IP and port is translated to the private address behind it and then allowed. Inbound protection through Azure Firewall is typically used for non-HTTP/S protocols, for example RDP, SSH and FTP.
Inbound HTTP/S protection is better accomplished with a web application firewall such as Azure Web Application Firewall (WAF) on Application Gateway or Front Door, which inspects the requests themselves for attacks such as SQL injection that a layer 3/4 filter, or an FQDN rule, never sees.
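The processing order described in the rule-collection section above (DNAT, then network, then application collections, each by priority, first match terminating, implicit deny otherwise) and the inbound DNAT path just discussed are easiest to see with a small evaluator. The following is an added example written for this page, not Microsoft code or the Azure Firewall implementation: it models the classic rule model in a few dozen lines of Python and runs a constructed policy against constructed flows. The policy, the `Flow`/`Rule`/`RuleCollection` types, the addresses (TEST-NET ranges; `203.0.113.10` stands in for the firewall's public IP) and the assumption that a matching DNAT rule simply terminates with a translation are all illustrative.

```python
"""Toy evaluator for Azure Firewall classic rule-collection processing.

Added example, not Microsoft code. Models the documented order: DNAT collections,
then network, then application; within a type, collections by priority (lower
number first); rules inside a collection in listed order; first match terminates;
no match means implicit deny. All addresses and rules below are constructed.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class Flow:
    src: str                    # source IP
    dst: str                    # destination IP (pre-translation for DNAT)
    port: int                   # destination port
    proto: str                  # "TCP" or "UDP"
    fqdn: Optional[str] = None  # SNI / Host header, seen only by application rules


@dataclass
class Rule:
    name: str
    sources: List[str]                                     # CIDRs or ["*"]
    protocols: List[str]                                   # network/DNAT: TCP, UDP, Any; app: "Https=443"
    dest_addrs: List[str] = field(default_factory=list)    # network + DNAT
    dest_ports: List[int] = field(default_factory=list)    # network + DNAT
    target_fqdns: List[str] = field(default_factory=list)  # application only
    translated: Optional[str] = None                       # DNAT only, "ip:port"


@dataclass
class RuleCollection:
    name: str
    kind: str       # "dnat" | "network" | "application"
    priority: int   # 100..65000, lower number is evaluated first
    action: str     # "Dnat" | "Allow" | "Deny"
    rules: List[Rule]


@dataclass
class Verdict:
    action: str                 # "Dnat" | "Allow" | "Deny"
    collection: Optional[str]   # None when the implicit deny applied
    rule: Optional[str]
    translated: Optional[str] = None


def _addr_in(addr: str, patterns: List[str]) -> bool:
    if "*" in patterns:
        return True
    a = ip_address(addr)
    return any(a in ip_network(p, strict=False) for p in patterns)


def _fqdn_in(fqdn: Optional[str], patterns: List[str]) -> bool:
    if fqdn is None:
        return False
    for p in patterns:
        if p == "*" or fqdn == p:
            return True
        if p.startswith("*.") and fqdn.endswith(p[1:]):   # "*.example.com"
            return True
    return False


def _matches(kind: str, rule: Rule, flow: Flow) -> bool:
    if not _addr_in(flow.src, rule.sources):
        return False
    if kind == "application":
        # "Http=80" / "Https=443": match on port and FQDN, not on destination IP
        ports = {int(p.split("=")[1]) for p in rule.protocols}
        return flow.port in ports and _fqdn_in(flow.fqdn, rule.target_fqdns)
    proto_ok = "Any" in rule.protocols or flow.proto in rule.protocols
    return proto_ok and _addr_in(flow.dst, rule.dest_addrs) and flow.port in rule.dest_ports


KIND_ORDER = ("dnat", "network", "application")


def evaluate(collections: List[RuleCollection], flow: Flow) -> Verdict:
    """Walk collections type by type, then by priority; first match wins."""
    for kind in KIND_ORDER:
        ordered = sorted((c for c in collections if c.kind == kind), key=lambda c: c.priority)
        for coll in ordered:
            for rule in coll.rules:
                if _matches(kind, rule, flow):
                    return Verdict(coll.action, coll.name, rule.name, rule.translated)
    return Verdict("Deny", None, None)   # nothing matched: implicit deny


# Constructed sample policy; 203.0.113.10 stands in for the firewall's public IP.
POLICY = [
    RuleCollection("inbound-mgmt", "dnat", 100, "Dnat", [
        Rule("ssh-jump", ["*"], ["TCP"], ["203.0.113.10"], [22], translated="10.0.1.4:22"),
    ]),
    RuleCollection("block-smtp", "network", 100, "Deny", [
        Rule("no-direct-smtp", ["10.0.0.0/16"], ["TCP"], ["*"], [25]),
    ]),
    RuleCollection("block-bad-net", "network", 150, "Deny", [
        Rule("no-https-to-198.51.100", ["10.0.0.0/16"], ["TCP"], ["198.51.100.0/24"], [443]),
    ]),
    RuleCollection("allow-dns", "network", 200, "Allow", [
        Rule("azure-dns", ["10.0.0.0/16"], ["TCP", "UDP"], ["168.63.129.16"], [53]),
    ]),
    RuleCollection("allow-updates", "application", 100, "Allow", [
        Rule("github", ["10.0.0.0/16"], ["Https=443"], target_fqdns=["github.com", "*.windowsupdate.com"]),
    ]),
]


def demo():
    """Constructed flows; note that the FQDN allow loses to an earlier network deny."""
    flows = {
        "inbound ssh": Flow("198.51.100.7", "203.0.113.10", 22, "TCP"),
        "github ok": Flow("10.0.1.5", "140.82.112.3", 443, "TCP", "github.com"),
        "github via blocked net": Flow("10.0.1.5", "198.51.100.20", 443, "TCP", "github.com"),
        "unknown site": Flow("10.0.1.5", "140.82.112.3", 443, "TCP", "evil.example"),
        "smtp": Flow("10.0.1.5", "192.0.2.25", 25, "TCP"),
    }
    return {label: evaluate(POLICY, f) for label, f in flows.items()}


if __name__ == "__main__":
    for label, v in demo().items():
        print(f"{label:24} -> {v.action:5} {v.collection}/{v.rule} {v.translated or ''}")
```

The "github via blocked net" flow is the case worth remembering: the application rule would allow `github.com`, but the network collection denying TCP/443 to `198.51.100.0/24` is walked first and is terminating, so the connection is dropped. The "unknown site" flow shows the implicit deny, with no collection or rule named in the verdict, which is also what you will see in the firewall logs for unmatched traffic.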
Need an experienced Cloud Networking or a Cloud Data Protection Expert? Anuj has successfully delivered over a dozen deployments on each of the public clouds (AWS/GCP/Azure) including several DevSecOps engagements. Set up a time with Anuj Varma.