Well, Azure Firewall and NSGs are both key features of your network security, and together they provide a “defense in depth” security strategy. In this strategy, Azure Firewall is configured at the network level to control inbound/outbound traffic, while an NSG can be configured to control inbound/outbound traffic within your VNet at the virtual machine level or subnet level.

What is Azure Firewall?

Azure Firewall is a managed, cloud-based network security service that protects your Azure Virtual Network resources. It’s a fully stateful firewall-as-a-service with built-in high availability and unrestricted cloud scalability. You can centrally create, enforce, and log application and network connectivity policies across subscriptions and virtual networks.

What capabilities are supported in Azure Firewall?

  • Stateful firewall as a service
  • Built-in high availability with unrestricted cloud scalability
  • FQDN filtering
  • FQDN tags
  • Network traffic filtering rules
  • Outbound SNAT support
  • Inbound DNAT support
  • Centrally create, enforce, and log application and network connectivity policies across Azure subscriptions and VNETs
  • Fully integrated with Azure Monitor for logging and analytics

NSG:

Network Security Groups provide control over network traffic flowing in and out of your services running in Azure. Network Security Groups can also be applied to a subnet in a virtual network, so they provide an efficient mechanism to administer access control rule updates across multiple VMs. Access control rules on hundreds or even thousands of machines can be changed in seconds, without any update or change to the VMs. In addition to segmenting intranet traffic, Network Security Groups can also be used to control traffic going to and coming from the Internet. Using a single access control rule, users can deny connectivity to the Internet for an entire subnet.
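The following is an added example, not part of the original article: a small Python model of how one outbound deny rule on a subnet's NSG overrides Azure's default AllowInternetOutBound rule for every VM in that subnet. The VNet range, VM addresses, rule name and priority 4000 are constructed, and service tags are simplified so that "Internet" means any address outside the VNet.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample topology: one VNet whose subnet carries the NSG.
VNET = ipaddress.ip_network("10.0.0.0/16")

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # lower number is evaluated first
    destination: str   # "VirtualNetwork", "Internet" or "*"
    access: str        # "Allow" or "Deny"

# Azure's built-in outbound default rules, present in every NSG.
DEFAULT_OUTBOUND = [
    Rule("AllowVnetOutBound", 65000, "VirtualNetwork", "Allow"),
    Rule("AllowInternetOutBound", 65001, "Internet", "Allow"),
    Rule("DenyAllOutBound", 65500, "*", "Deny"),
]

def tag_matches(tag, dst_ip):
    """Simplified service-tag match (assumption): Internet = outside the VNet."""
    inside = ipaddress.ip_address(dst_ip) in VNET
    return (tag == "*"
            or (tag == "VirtualNetwork" and inside)
            or (tag == "Internet" and not inside))

def evaluate_outbound(custom_rules, dst_ip):
    """Return (access, rule name) of the first matching rule in priority order."""
    for rule in sorted(custom_rules + DEFAULT_OUTBOUND, key=lambda r: r.priority):
        if tag_matches(rule.destination, dst_ip):
            return rule.access, rule.name
    raise RuntimeError("unreachable: DenyAllOutBound matches everything")

def subnet_report(custom_rules, vm_ips, dst_ip):
    """The NSG is attached to the subnet, so every VM gets the same verdict."""
    return {vm: evaluate_outbound(custom_rules, dst_ip)[0] for vm in vm_ips}

# One custom rule on the subnet's NSG (name and priority are hypothetical).
DENY_INTERNET = [Rule("DenyInternetOutBound", 4000, "Internet", "Deny")]
VMS = ["10.0.1.4", "10.0.1.5", "10.0.1.6"]   # constructed VM addresses

if __name__ == "__main__":
    print(subnet_report([], VMS, "93.184.216.34"))             # defaults only
    print(subnet_report(DENY_INTERNET, VMS, "93.184.216.34"))  # Internet blocked
    print(evaluate_outbound(DENY_INTERNET, "10.0.2.10"))       # VNet still allowed
```

Because the custom rule's priority number is lower than 65001, it is matched before the default Internet allow rule, while traffic inside the VNet still falls through to AllowVnetOutBound.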

|  | Azure WAF | NSG |
|---|---|---|
| Firewall level | L4 and L7 | L4 |
| State | Stateful | Stateless |
| Scalability | PaaS as a service (scale sets) | Limited |
| Built-in Threat Intelligence | Yes | No |
| SNAT and DNAT Support | Yes | No |
| Implementation Level | Centralized | Subnet and NIC level |
| FQDN Tag Support | Yes | No |

Hope this article will help you!

Happy Azure

I hope you like this article. Feel free to connect with me on
Twitter: https://twitter.com/sitecore_ashish
