Also read A Reusable Hub Spoke Network Design on Azure

NSGs at instance level and at Subnet Level

NSG rules can become difficult to manage in larger VNETs with multiple subnets and lots of VMs.

Manually assigning NSGs to VMs can be a chore.

Application Security Groups (ASGs) and NSGs

An ASG is a logical grouping of virtual machines (by their NICs) that lets you reference the whole group as a source or destination in NSG rules, instead of listing each VM's IP address.

If all your VMs are part of a SQL Server backend, the VMs can be placed in an ASG called “db_vms”. The db_vms group can then be added as the destination of a rule within an NSG allowing TCP traffic over port 1433.
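The db_vms scenario as a Bicep template, added here as an example (not code from the original post). It assumes a second ASG named web_vms for the front-end tier, an NSG named backend-nsg, and that the SQL VMs' NICs are placed in db_vms via their IP configuration; the rule follows the group, so a new SQL VM inherits it by joining the ASG rather than by editing the NSG.

```bicep
// Added example, not from the original post. Assumed names: web_vms, backend-nsg.
param location string = resourceGroup().location

resource dbAsg 'Microsoft.Network/applicationSecurityGroups@2023-05-01' = {
  name: 'db_vms'
  location: location
}

resource webAsg 'Microsoft.Network/applicationSecurityGroups@2023-05-01' = {
  name: 'web_vms'
  location: location
}

resource nsg 'Microsoft.Network/networkSecurityGroups@2023-05-01' = {
  name: 'backend-nsg'
  location: location
  properties: {
    securityRules: [
      {
        name: 'allow-sql-from-web' // only the web tier may reach SQL Server
        properties: {
          priority: 100
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceApplicationSecurityGroups: [ { id: webAsg.id } ]
          sourcePortRange: '*'
          destinationApplicationSecurityGroups: [ { id: dbAsg.id } ]
          destinationPortRange: '1433'
        }
      }
      {
        name: 'deny-other-inbound-to-db' // everything else to db_vms is dropped
        properties: {
          priority: 200
          direction: 'Inbound'
          access: 'Deny'
          protocol: '*'
          sourceAddressPrefix: '*'
          sourcePortRange: '*'
          destinationApplicationSecurityGroups: [ { id: dbAsg.id } ]
          destinationPortRange: '*'
        }
      }
    ]
  }
}
```

Membership is set on each VM's NIC (the ipConfigurations[].properties.applicationSecurityGroups list), and all NICs referenced by one rule must live in the same VNet.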

Why Azure Firewall?

  • Azure Firewall addresses Layers 3, 4 and 7 traffic. It is a managed firewall service that filters both at the network level and the application level.
  • AAD Integration - Since it is an Azure native service, its access can be managed within AAD.
  • Advanced Threat Intelligence - Built into the product.

Where should Azure FW be deployed?

It should be deployed in its own VNet (see hub spoke design).

Does Azure FW support Service Tags (IP Address Range Labels)?

Both Azure Firewall and NSGs support service tags (labels that represent a range of IP addresses for particular services such as Azure Key Vault, Azure Data Lake or Azure Container Registry).

Does Azure FW support FQDN Tags?

Only Azure Firewall supports FQDN Tags. They represent a group of fully qualified domain names of Microsoft services such as Windows Update or Azure Backup. Like service tags, they are managed by Microsoft, one tag to rule them all 🙂

What about hosting PCI Compliant workloads on Azure?

For the Hub Spoke Model on Azure, the spokes only get ingress traffic via the HUB (no direct public facing instances). This means the traffic FROM the HUB to the SPOKE needs to have Layer 7 filtering, which is available in Azure Firewall (or Application Gateway), but not using just plain NSGs.

What about protecting multiple VNETs? For example, all the VNETs in a Hub Spoke Model?

Azure Firewall has the ability to process traffic across VNets (even if they are in different subscriptions) that are deployed in a hub-spoke model.

Service tags and FQDN tags are managed by Microsoft and cannot be customized.

Does Azure FW support SNAT (Source Network Address Translation)?

Only Azure Firewall supports Source Network Address Translation (SNAT). It’s possible to configure Azure Firewall with a public IP address that is used to mask the private IP addresses of Azure resources sending outbound traffic via the Firewall.

Does Azure FW support DNAT (Destination Network Address Translation)?

Only Azure Firewall supports Destination Network Address Translation (DNAT), which is used to translate incoming traffic addressed to the firewall’s public IP address to the private IP addresses of resources in a VNet.

When to use which?

NSGs and Azure Firewall work great together and should be used as complementary controls.

Use NSGs for protecting incoming and outgoing traffic of a subnet.

Use Azure Firewall for filtering traffic to a VNet from the outside-world.

Pricing for Azure Firewall

Azure Firewall is priced in two ways: 1) $1.25/hour of deployment and 2) $0.016/GB of data processed.

Summary

Your Azure Network Security strategy should include Azure Firewall along with the standard NSGs.

Need an experienced Cloud Networking or a Cloud Data Protection Expert?  Anuj has successfully delivered over a dozen deployments on each of the public clouds (AWS/GCP/Azure) including several DevSecOps engagements. Set up a time with Anuj Varma.