One of the most important reasons for a company to move their workloads to Azure is security. In this post, we will talk about the two most known Azure security services, Azure Firewall and NSG’s. With those two services, we can manage a VNet Inbound and Outbound traffic.


Let’s have a quick overview of both Azure services.

Azure Firewall

Azure Firewall is an OSI layer 4 & 7 network security service to protect a VNet with workloads in it. It’s fully managed by Microsoft and we just need to create and configure the rules (NAT rules, Network rules, and Application rules collection), in order to secure the resources.


At the table below we can check all the available features on Azure Firewall service.

Built-in high availabilityThere is no need for any Load Balancer configuration because high availability is built-in
Availability zonesWe can configure Azure Firewall to use availability zones to achieve 99.99% availability
Unrestricted cloud scalabilityAzure Firewall can scale up as much as we need without any restriction or extra cost
Application FQDN filtering rulesTo limit outbound traffic access we can specify the FQDN of the service
Network traffic filtering rulesWe can create allow or deny network filtering rules by source and destination IP address, port, and protocol.
FQDN tagsWe can create FQDN tags to allow to Azure services network traffic through your firewall.
Service tagsWe can create a service tag which represents a group of IP address prefixes to minimize the complexity security rule creation
Threat intelligenceThreat intelligence-based filtering can be enabled on the firewall to alert and deny traffic from/to known malicious IP addresses and domains.
Outbound SNAT supportAzure Firewall uses a Public IP address. The VNet outbound network traffic is translated to this PIP.
Inbound DNAT supportThe Inbound network traffic to the Firewall PIP is translated and filtered to the private IP addresses on the VNet
Multiple public IP addressesWe can associate up to 100 IPs with the Firewall, check for more details this link.
Azure Monitor loggingAll events are integrated with Azure Monitor

Deploy an Azure Firewall

In this section, we will talk about the steps we need to deploy an Azure Firewall.

Step 1. Tab – Basics

The image below shows how we can supplement the tab “Basics

Step 2. Tab – Tags

At the next tab, we can add Tags to better organize the resources and select “Next: Review + create” to move to the next tab.

Step 3. Tab – Review + create

At the final tab, we can make a review of the configuration and just select “Create” to begin the deployment of the firewall.

Azure Network Security Groups (NSG’s)

Azure NSG’s is an OSI layer 3 & 4 network security service to filter traffic from and Azure VNet. A network security group consists of several security rules (allow or deny). The evaluation of these security rules is done using a 5-tuple hash. 5-tuple hash depending on the Source IP,  Source Port, Destination IP, Destination Port, and Protocol Type. NSG’s can be associated with a VNet or with the network interface of a VM.


Security Rules

NameType a unique name for the NSG rule
PriorityType the priority number of a rule. Every rule is processed based on priority order. Lower numbers processed before higher numbers.
Source or destinationSelect the Source or destination this can be Any, IP addresses, Service Tag or Application security group
ProtocolSelect a protocol type between TCP, UDP, ICMP or Any
DirectionWhether the rule applies to inbound, or outbound traffic.
Port rangeWe can specify a single port or a range of ports the second choice enables us to create fewer security rules.
ActionSelect between Allow or Deny


Create a Network Security Group

A few lines above we read about how we can deploy an Azure Firewall and in this section, we can learn how to create an NSG.

Step 1. Tab – Basics

The image below shows which mandatory fields should fill up to begin the NSG deployment.

Step 2. Tab – Review + create

The final tab is about Reviewing the configuration and start the creation of the NSG by clicking the button Create.

Default Azure Network Security Group (NSG) Rules

When an NSG first deployed it contains a set of default security rules for Inbound and Outbound connections. In the image below we can see these rules.

The Conclusion

In this post, we read what is and how to deploy an Azure Firewall and an Azure NSG. The reality is that each service offers security on different network levels, NSGs are responsible to protect Inbound and Outbound network traffic and Firewall can filter network traffic using more intelligence. We can have NSG on a VM and concurrently we can have an Azure Firewall to protect the resources that are running into a VNet. Finally, we should also note that NSG is one more security level for a VM because besides the security provided by the firewall there is extra security on VMs network ports.

See Also

Share This