One of the most important reasons for a company to move their workloads to Azure is security. In this post, we will talk about the two most known Azure security services, Azure Firewall and NSG’s. With those two services, we can manage a VNet Inbound and Outbound traffic.
Overview
Let’s have a quick overview of both Azure services.
Azure Firewall
Azure Firewall is an OSI layer 4 & 7 network security service to protect a VNet with workloads in it. It’s fully managed by Microsoft and we just need to create and configure the rules (NAT rules, Network rules, and Application rules collection), in order to secure the resources.
Features
At the table below we can check all the available features on Azure Firewall service.
| Name | Description |
| Built-in high availability | There is no need for any Load Balancer configuration because high availability is built-in |
| Availability zones | We can configure Azure Firewall to use availability zones to achieve 99.99% availability |
| Unrestricted cloud scalability | Azure Firewall can scale up as much as we need without any restriction or extra cost |
| Application FQDN filtering rules | To limit outbound traffic access we can specify the FQDN of the service |
| Network traffic filtering rules | We can create allow or deny network filtering rules by source and destination IP address, port, and protocol. |
| FQDN tags | We can create FQDN tags to allow to Azure services network traffic through your firewall. |
| Service tags | We can create a service tag which represents a group of IP address prefixes to minimize the complexity security rule creation |
| Threat intelligence | Threat intelligence-based filtering can be enabled on the firewall to alert and deny traffic from/to known malicious IP addresses and domains. |
| Outbound SNAT support | Azure Firewall uses a Public IP address. The VNet outbound network traffic is translated to this PIP. |
| Inbound DNAT support | The Inbound network traffic to the Firewall PIP is translated and filtered to the private IP addresses on the VNet |
| Multiple public IP addresses | We can associate up to 100 IPs with the Firewall, check for more details this link. |
| Azure Monitor logging | All events are integrated with Azure Monitor |
Deploy an Azure Firewall
In this section, we will talk about the steps we need to deploy an Azure Firewall.
Step 1. Tab – Basics
The image below shows how we can supplement the tab “Basics”
Step 2. Tab – Tags
At the next tab, we can add Tags to better organize the resources and select “Next: Review + create” to move to the next tab.
Step 3. Tab – Review + create
At the final tab, we can make a review of the configuration and just select “Create” to begin the deployment of the firewall.
Azure Network Security Groups (NSG’s)
Azure NSG’s is an OSI layer 3 & 4 network security service to filter traffic from and Azure VNet. A network security group consists of several security rules (allow or deny). The evaluation of these security rules is done using a 5-tuple hash. 5-tuple hash depending on the Source IP, Source Port, Destination IP, Destination Port, and Protocol Type. NSG’s can be associated with a VNet or with the network interface of a VM.
Security Rules
| Property | Explanation |
| Name | Type a unique name for the NSG rule |
| Priority | Type the priority number of a rule. Every rule is processed based on priority order. Lower numbers processed before higher numbers. |
| Source or destination | Select the Source or destination this can be Any, IP addresses, Service Tag or Application security group |
| Protocol | Select a protocol type between TCP, UDP, ICMP or Any |
| Direction | Whether the rule applies to inbound, or outbound traffic. |
| Port range | We can specify a single port or a range of ports the second choice enables us to create fewer security rules. |
| Action | Select between Allow or Deny |
Create a Network Security Group
A few lines above we read about how we can deploy an Azure Firewall and in this section, we can learn how to create an NSG.
Step 1. Tab – Basics
The image below shows which mandatory fields should fill up to begin the NSG deployment.
Step 2. Tab – Review + create
The final tab is about Reviewing the configuration and start the creation of the NSG by clicking the button Create.
Default Azure Network Security Group (NSG) Rules
When an NSG first deployed it contains a set of default security rules for Inbound and Outbound connections. In the image below we can see these rules.
The Conclusion
In this post, we read what is and how to deploy an Azure Firewall and an Azure NSG. The reality is that each service offers security on different network levels, NSGs are responsible to protect Inbound and Outbound network traffic and Firewall can filter network traffic using more intelligence. We can have NSG on a VM and concurrently we can have an Azure Firewall to protect the resources that are running into a VNet. Finally, we should also note that NSG is one more security level for a VM because besides the security provided by the firewall there is extra security on VMs network ports.