When enterprises run workloads on a cloud service, they need to monitor and manage inbound and outbound network traffic for security purposes.
Microsoft Azure provides two security options to control inbound and outbound traffic:
- Azure Firewall
- Network Security Groups (NSGs)
Both services provide security, but at different network levels. Below, find out what each service is and its main features, as well as how the two compare.
What is Azure Firewall?
Azure Firewall is a cloud-managed network security service. This stateful firewall service deploys to any virtual network and protects Azure Virtual Network (VNet) resources by filtering traffic at the network and application level. Additionally, it allows administrators to create traffic filtering rules, which they can apply across multiple subscriptions and networks.
Azure Firewall has built-in high availability and administrators can configure it to span multiple Availability Zones for 99.99% uptime. Plus, with unlimited cloud scalability, it can scale as inbound and outbound traffic flows change.
Other key Azure Firewall features include:
- application fully qualified domain name (FQDN) filter rules;
- FQDN tags;
- service tags;
- threat intelligence;
- outgoing source network address translation (SNAT);
- inbound destination network address translation (DNAT) support;
- multiple public IP addresses;
- Azure Monitor logging;
- forced digging of tunnels;
- web categories (in preview); and
What is the Network Security Group?
An NSG is Microsoft’s service to simplify the security of virtual networks; it enforces and controls network traffic. NSGs are associated with subnets and network interfaces of an Azure VM.
NSGs contain security rules and allow you to activate a rule or access a control list. Using these rules, IT teams can organize, filter, and route different types of network traffic. These rules, which filter incoming and outgoing traffic, deny or allow traffic based on 5-tuple information:
- The source
- destination port
A comparison of Azure Firewall and NSGs
When comparing Azure Firewall to NSGs, consider what Open Systems Interconnection (OSI) layer of each service. This information helps IT teams understand how data is sent or received over a network. It starts at layer 1, which is the physical layer, and then goes up to 7, which is the application layer. Azure Firewall is OSI L4 and L7, while NSG is L3 and L4.
While Azure Firewall is a comprehensive and robust service with several features to regulate traffic, NSGs act more like a basic firewall that filters traffic at the network layer. Azure Firewall is able to analyze and filter L3, L4 and L7 traffic. Azure Firewall also supports filtering based on threat intelligence, which NSG cannot do.
Both options use service tags to define network access controls. Service tags are groups of IP addresses for particular services, and they protect Azure resources, as well as network isolation. Unlike NSGs, Azure Firewall also supports application FQDN tags, which are used with application rules to allow required outbound traffic through the firewall.
In real-world cases, enterprises typically use Azure Firewall when they need to filter traffic to a virtual network with its threat intelligence-based filtering capabilities. NSGs are typically used to protect traffic entering and leaving a subnet.
These two network security services can work together to provide defense in depth network security in which multiple defensive measures are put in place. This way, if one element fails, another security measure stands in its place.