Azure firewall vs Azure network security group

I've been trying to understand the difference between an Azure firewall (https://azure.microsoft.com/en-us/services/azure-firewall/) and the features offered by NSGs/network security groups (https://docs.microsoft.com/en-us/azure/virtual-network/security-overview).

In our designed landscape, we currently have around 5~10 virtual networks within our subscription. Each of these has its own network security group at the moment. These networks contain a variety of Azure products (web apps, VMs, exposed to only trusted locations, exposed to the internet, ...). From my perspective, we can manage the in- & outbound traffic via the network security groups. The only benefit of the firewall, I see, is that it can be used as a single point for managing traffic rules. But I don't see the cost of the firewall being worth just reducing the management of this. I think I'm missing something painstakingly obvious in the picture about the difference between what an Azure firewall does, and how a network security group operates. But I don't understand what.

To have a concrete question:

  • When is it necessary to have an Azure firewall within your architecture?

  • What is the difference between an Azure network security group and the Azure firewall to manage traffic rules (HTTPS & RDP)?

azure azure-networking network-security-group






asked Apr 11 at 10:07 by Reinard
























2 Answers
Azure Firewall features
https://docs.microsoft.com/en-us/azure/firewall/firewall-faq#what-capabilities-are-supported-in-azure-firewall

Azure Firewall vs NSG
https://docs.microsoft.com/en-us/azure/firewall/firewall-faq#what-is-the-difference-between-network-security-groups-nsgs-and-azure-firewall

I use NSG to limit access within a vNET and Azure Firewall to limit access to a vNET from the outside. There are some good detailed explanations in the docs articles.

















answered Apr 12 at 6:46 by Jarnstrom












• But there is nothing preventing you from using a vnet to manage access from outside the vnet though? Why go for the firewall and not manage it from nsg? In my case I have 3 types of traffic: RDP from a predefined list of IPs, HTTPS from a predefined list of IPs, and internet HTTPS traffic to a limited amount of vnets/servers/endpoints.
  – Reinard, Apr 13 at 8:41

• That works fine and I have done that on certain environments also. FW has some extra features for blocking URLs and so on, and MS will add more features in the future. But if you only need to block/allow ports and IPs then skip the FW and use NSG.
  – Jarnstrom, Apr 13 at 8:48
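The three traffic types from the comment thread above, written as NSG-style allow rules and run through a simplified model of NSG inbound evaluation (lowest priority number first, first match wins, the default DenyAllInBound last). This is an added example, not code from the posters or from Azure; the subnet names, rule names and IP ranges are constructed, and service tags and the other default rules are left out of the model.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # 100-4096 for custom rules; lower is evaluated first
    access: str        # "Allow" or "Deny"
    protocol: str      # "Tcp", "Udp" or "*"
    sources: tuple     # CIDR prefixes, or ("*",) for any source
    dest_port: str     # a single port, or "*"

    def matches(self, src_ip, protocol, dest_port):
        # The only inputs are source address, protocol and port. There is
        # no hostname or URL to match on, which is the case the comment
        # above leaves to Azure Firewall.
        if self.protocol not in ("*", protocol):
            return False
        if self.dest_port not in ("*", str(dest_port)):
            return False
        if "*" in self.sources:
            return True
        addr = ip_address(src_ip)
        return any(addr in ip_network(prefix) for prefix in self.sources)


# Default rule present in every NSG. The other defaults (AllowVnetInBound,
# AllowAzureLoadBalancerInBound) match service tags, which this model omits.
DENY_ALL_INBOUND = Rule("DenyAllInBound", 65500, "Deny", "*", ("*",), "*")


def evaluate(nsg_rules, src_ip, protocol, dest_port):
    """Return (access, rule_name) for the first matching rule by priority."""
    ordered = sorted([*nsg_rules, DENY_ALL_INBOUND], key=lambda r: r.priority)
    for rule in ordered:
        if rule.matches(src_ip, protocol, dest_port):
            return rule.access, rule.name
    raise AssertionError("unreachable: DenyAllInBound matches every flow")


# Constructed sample values (RFC 5737 documentation ranges). Subnet and
# rule names are hypothetical, one NSG per subnet.
ADMIN_IPS = ("203.0.113.10/32", "203.0.113.11/32")
PARTNER_IPS = ("198.51.100.0/24",)

NSGS = {
    # RDP from a predefined list of IPs
    "mgmt-subnet": [
        Rule("Allow-RDP-Admins", 100, "Allow", "Tcp", ADMIN_IPS, "3389"),
    ],
    # HTTPS from a predefined list of IPs
    "partner-subnet": [
        Rule("Allow-HTTPS-Partners", 100, "Allow", "Tcp", PARTNER_IPS, "443"),
    ],
    # Internet HTTPS to a limited set of endpoints
    "public-subnet": [
        Rule("Allow-HTTPS-Internet", 100, "Allow", "Tcp", ("*",), "443"),
    ],
}


def check(subnet, src_ip, dest_port, protocol="Tcp"):
    """Evaluate one inbound flow against the NSG attached to `subnet`."""
    return evaluate(NSGS[subnet], src_ip, protocol, dest_port)


if __name__ == "__main__":
    flows = [
        ("mgmt-subnet", "203.0.113.10", 3389),
        ("mgmt-subnet", "192.0.2.50", 3389),
        ("partner-subnet", "198.51.100.77", 443),
        ("partner-subnet", "203.0.113.10", 443),
        ("public-subnet", "192.0.2.50", 443),
        ("public-subnet", "192.0.2.50", 3389),
    ]
    for subnet, src, port in flows:
        access, rule = check(subnet, src, port)
        print(f"{subnet:15} {src:15} tcp/{port:<5} {access:5} ({rule})")
```
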

















Azure security groups are a feature of VNet that describe firewall rules on the subnets in Azure.

Azure firewall is a product for your transit VNet to secure traffic to Azure, across subscriptions and VNets.

Look at the diagrams in the documentation and decide what meets your design.

















answered Apr 11 at 13:12 by John Mahowald



















