An important security measure when running workloads in Azure, or any cloud service, is to control the type of traffic that flows in and out of resources. The resources can be virtual machines running a SQL database, web applications, or domain services.
In Azure, there are two security features that can be used to manage both inbound and outbound traffic to resources: Azure Firewall and Network Security Groups (NSGs). In this article, I’m going to show how the two compare to each other and can be used together to protect traffic to resources in Azure.
Azure Firewall and NSG Overview
Let's start with Network Security Groups. An NSG filters traffic at the network layer and consists of security rules that allow or deny traffic based on 5-tuple information:
1. Protocol – such as TCP, UDP, ICMP
2. Source – IP address
3. Source port
4. Destination – IP address
5. Destination port
You can associate an NSG with a subnet or with the network interface of an Azure VM. Fun fact – in your mother's Azure (the old classic model), it was possible to link an NSG to a VM as well as to a subnet. In accordance with best practices, it's recommended to scope NSGs at either the subnet level or the network interface, not both, because applying rules at both levels makes troubleshooting network issues complicated. Also, the same NSG can be applied to multiple subnets.
You can probably imagine how NSG rules can become difficult to manage in large environments that contain multiple subnets and virtual machines. Who wants to manually input rules allowing traffic to individual IP addresses? This is where Application Security Groups (ASGs) come to the rescue. An ASG is a logical grouping of virtual machines that allows you to apply security rules at scale. For example, if you have a group of VMs serving a web application, the VMs can be placed in an ASG called "webappvms". The webappvms group can then be added to a rule within an NSG allowing HTTP (TCP) traffic over port 80. This alleviates the need to add individual IP addresses to the security rule.
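To make the rule semantics concrete, here is a small evaluator for NSG-style 5-tuple rules with ASG expansion. It is an added example written for this article, not code from Azure or from the article's author: it models the documented behaviour (rules processed in priority order, lowest number first; the first match decides; anything unmatched falls through to the default DenyAllInbound rule), and the ASG membership, IP addresses and rule names are constructed sample values.

```python
"""Toy evaluator for NSG-style 5-tuple security rules with ASG expansion.

Added example, not Azure's own code. It mimics the documented NSG behaviour:
rules are processed in priority order (lower number first), the first matching
rule decides, and a flow that matches nothing falls through to the default
rule (DenyAllInbound for the inbound direction modelled here).
Application Security Groups are modelled as named sets of NIC addresses;
the ASG membership and every IP below are constructed sample values.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed ASG membership: ASG name -> set of VM private IPs.
ASGS = {
    "webappvms": {"10.0.1.4", "10.0.1.5"},
    "dbvms": {"10.0.2.4"},
}


@dataclass(frozen=True)
class Flow:
    protocol: str   # "TCP", "UDP" or "ICMP"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int     # 100-4096 in Azure; lower number is evaluated first
    access: str       # "Allow" or "Deny"
    protocol: str     # "TCP", "UDP", "ICMP" or "*"
    source: str       # CIDR, "*", or an ASG name
    src_port: str     # "*", "80", or a range like "1024-65535"
    destination: str  # CIDR, "*", or an ASG name
    dst_port: str


def _port_matches(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = (int(p) for p in spec.split("-", 1))
        return lo <= port <= hi
    return port == int(spec)


def _addr_matches(spec: str, ip: str) -> bool:
    if spec == "*":
        return True
    if spec in ASGS:                       # ASG name: expand to member IPs
        return ip in ASGS[spec]
    return ip_address(ip) in ip_network(spec, strict=False)


def _proto_matches(spec: str, proto: str) -> bool:
    return spec == "*" or spec.upper() == proto.upper()


def rule_matches(rule: Rule, flow: Flow) -> bool:
    return (_proto_matches(rule.protocol, flow.protocol)
            and _addr_matches(rule.source, flow.src_ip)
            and _port_matches(rule.src_port, flow.src_port)
            and _addr_matches(rule.destination, flow.dst_ip)
            and _port_matches(rule.dst_port, flow.dst_port))


def evaluate(rules: list, flow: Flow) -> tuple:
    """Return (access, rule_name) for the first matching rule in priority order."""
    for rule in rules:
        if not 100 <= rule.priority <= 4096:
            raise ValueError(f"rule {rule.name}: priority out of range")
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule_matches(rule, flow):
            return rule.access, rule.name
    return "Deny", "DenyAllInbound"    # default rule: nothing matched


# Constructed inbound rule set: a web tier (ASG "webappvms") and a DB tier (ASG "dbvms").
# Note the ordering: the specific allow from the web tier must sit at a lower
# priority number than the broad deny, or the deny would always win for SQL.
INBOUND_RULES = [
    Rule("allow-sql-from-web", 100, "Allow", "TCP", "webappvms", "*", "dbvms", "1433"),
    Rule("deny-sql-from-anywhere", 200, "Deny", "TCP", "*", "*", "dbvms", "1433"),
    Rule("allow-http-webapp", 300, "Allow", "TCP", "*", "*", "webappvms", "80"),
    Rule("allow-vnet-icmp", 400, "Allow", "ICMP", "10.0.0.0/16", "*", "10.0.0.0/16", "*"),
]


if __name__ == "__main__":
    for f in (Flow("TCP", "203.0.113.7", 51000, "10.0.1.4", 80),
              Flow("TCP", "10.0.1.4", 51001, "10.0.2.4", 1433),
              Flow("TCP", "203.0.113.7", 51002, "10.0.2.4", 1433),
              Flow("TCP", "203.0.113.7", 51003, "10.0.1.4", 22)):
        print(f, "->", evaluate(INBOUND_RULES, f))
```

The point worth noticing is the priority ordering of the two SQL rules: because NSG evaluation stops at the first match, a broad deny placed at a lower priority number than a narrow allow silently shadows the allow, which is one of the more common reasons a "correct-looking" rule set still blocks traffic.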
Azure Firewall is a highly available, managed firewall service that filters network-level and application-level traffic. It can process traffic across subscriptions and VNets deployed in a hub-and-spoke model. Azure Firewall is priced in two ways: 1) $1.25/hour of deployment, regardless of scale, and 2) $0.016/GB of data processed.
Azure Firewall and NSG Comparison
An NSG is a firewall, albeit a very basic one. It's a software-defined solution that filters traffic at the network layer. Azure Firewall is more robust: it's a managed firewall service that can filter and analyze L3-L4 traffic as well as L7 application traffic. Azure Firewall provides the same capabilities as an NSG, plus more. The following chart offers a comparative illustration of each solution: