When it comes to securing your workloads on Azure, we have different options depending on our requirement and budget. But two of the most common services used are Network Security Group and Azure Firewall. In this article, I talk about these two services and which one should you actually use?

Table of contents:

Network Security Group

Network Security Group (NSG) is an service that can be used to filter network traffic to and from Azure resources in an Azure virtual network. A network security group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources. For each rule, you can specify source and destination, port, and protocol.

Security rules are evaluated and applied based on the five-tuple (source, source port, destination, destination port, and protocol) information. You can’t create two security rules with the same priority and direction. A flow record is created for existing connections. Communication is allowed or denied based on the connection state of the flow record. The flow record allows a network security group to be stateful. If you specify an outbound security rule to any address over port 80, for example, it’s not necessary to specify an inbound security rule for the response to the outbound traffic. You only need to specify an inbound security rule if communication is initiated externally. The opposite is also true. If inbound traffic is allowed over a port, it’s not necessary to specify an outbound security rule to respond to traffic over the port.

Existing connections may not be interrupted when you remove a security rule that enabled the flow. Traffic flows are interrupted when connections are stopped and no traffic is flowing in either direction, for at least a few minutes.

Azure Firewall

Azure Firewall is a cloud-native and intelligent network firewall security service that provides the best of breed threat protection for your cloud workloads running in Azure. It’s a fully stateful, firewall as a service with built-in high availability and unrestricted cloud scalability. It provides both east-west and north-south traffic inspection.

Azure Firewall is offered in two SKUs: Standard and Premium. Azure Firewall Standard provides L3-L7 filtering and threat intelligence feeds directly from Microsoft Cyber Security. Threat intelligence-based filtering can alert and deny traffic from/to known malicious IP addresses and domains which are updated in real time to protect against new and emerging attacks.

Difference between Azure Firewall & Azure Network Security Group

Azure FirewallAzure Network Security Groups 
Azure Firewall is a robust service and a fully managed firewall.Azure Network Security Group is a basic firewall.
It is loaded with tons of features to ensure maximum protection of your resources.This solution is used to filter traffic at the network layer.
It can analyze and filter L3, L4 traffic, and L7 application traffic.No such facility is available in Azure NSG.
Azure Firewall provides full support to application FQDN tags.This feature is not available in Azure NSG.
It allows you to mask the source and destination network addressesThis feature is missing here.
It offers a threat intelligence-based filtering option.This feature is missing in NSG.