MicrosoftDocs / azure-docs

Open source documentation of Microsoft Azure
https://docs.microsoft.com/azure
Creative Commons Attribution 4.0 International

NSGs vs the Azure Firewall confusion #94921

Closed DumboJet closed 2 years ago

DumboJet commented 2 years ago

I find it hard to understand how NSGs associate with the Azure Firewall. I am preparing for the AZ-900 exam and there are people suggesting that both NSGs and the Azure Firewall allow opening a port to the internet. E.g.: https://examsnet.com/test/azure-fundamentals-az-900-practice-test-3/q-8-Your-Azure-environment-contains-multiple-Azure-virtual-machines.-You-need-to-ensure-that-a-virtual-machine-named-VM1-is-accessible-from-the-Internet-over-HTTP.-Solution-You-modify-an-Azure-firewall.-Does-this-meet-the-goal?

Now, opening and closing ports is supposedly a firewall operation, but NSGs are not firewalls (although there is no clear explanation of what they really are...). Then, the Azure Firewall feels more like an HIPS/HIDS and less like a firewall. Also, I don't see anywhere in the docs a clear mention of the ability to open/close ports from it, except for this tiny part: "Firewall Manager leverages firewall policy to apply a common set of network/application rules and configuration to the firewalls in your tenant". https://docs.microsoft.com/en-us/azure/firewall/overview

If both NSGs and the Azure Firewall regulate the open ports, how do those two work together? Is there some cooperation? Or perhaps they are different security measures, on different layers?



GitaraniSharma-MSFT commented 2 years ago

@DumboJet , thank you for your query. We'll review this and get back to you shortly!

GitaraniSharma-MSFT commented 2 years ago

@DumboJet , please find the answers below:

As mentioned here, the Azure Firewall service complements network security group functionality. Together, they provide better "defense-in-depth" network security. Network security groups provide distributed network layer traffic filtering to limit traffic to resources within virtual networks in each subscription. Azure Firewall is a fully stateful, centralized network firewall as-a-service, which provides network- and application-level protection across different subscriptions and virtual networks.

Network security groups are simple, stateful packet inspection devices that use the 5-tuple approach (source IP, source port, destination IP, destination port, and layer 4 protocol) to create allow/deny rules for network traffic. You allow or deny traffic to and from a single IP address, to and from multiple IP addresses, or to and from entire subnets. You can specify an individual port or a range of ports on an NSG security rule, which controls both inbound and outbound traffic, on a network security group attached to the resource that receives the traffic. Refer:
https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview
https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/nsg-quickstart-portal

Similarly, if you route your network traffic to the Azure Firewall, you can centrally create allow or deny network filtering rules by source and destination IP address, port, and protocol. Azure Firewall provides L3-L7 filtering and threat intelligence feeds directly from Microsoft Cyber Security. Azure Firewall supports stateful filtering of Layer 3 and Layer 4 network protocols. Layer 3 IP protocols can be filtered by selecting Any protocol in the Network rule and selecting the wild-card * for the port. Refer:
https://docs.microsoft.com/en-us/azure/firewall/overview
https://docs.microsoft.com/en-us/azure/firewall/features#network-traffic-filtering-rules
https://docs.microsoft.com/en-us/azure/firewall/rule-processing
https://docs.microsoft.com/en-us/azure/firewall/tutorial-firewall-deploy-portal#configure-a-network-rule

Some best practices docs for your reference:
https://docs.microsoft.com/en-us/azure/security/fundamentals/network-best-practices
https://docs.microsoft.com/en-us/security/benchmark/azure/baselines/firewall-security-baseline?toc=%2Fazure%2Ffirewall%2Ftoc.json

Q. If both NSGs and the Azure Firewall regulate the open ports, how do those two work together? Is there some cooperation? Or perhaps they are different security measures, on different layers?

A. Each service offers security on a different network level: NSGs are responsible for filtering inbound and outbound network traffic, and the Firewall can filter network traffic using more intelligence. We can have an NSG on a VM and concurrently have an Azure Firewall to protect the resources that are running in a VNet. Refer: https://social.technet.microsoft.com/wiki/contents/articles/53658.azure-security-firewall-vs-nsg.aspx

We are closing this issue for now. If there are further questions regarding this matter, please reply and we will gladly continue the discussion.
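The answer above describes NSG rules as priority-ordered 5-tuple allow/deny entries and Azure Firewall as a second, centralized filter that traffic passes through when routed to it. The following is an added illustration, not code from the azure-docs repository or from Microsoft: a small Python model of that evaluation order, simplified (no service tags, application security groups or application rules, and a single flat rule list for the firewall rather than rule collections). All rule names, addresses and flows are constructed for the example. It shows the point behind the exam question in the first comment: with a firewall in the path, a flow reaches the VM only if the firewall allows it and the NSG on the receiving NIC or subnet allows it too, so changing one of the two is not enough.

```python
"""Simplified model of Azure-style 5-tuple filtering with defense in depth:
an Azure Firewall network rule set in front of an NSG attached to a VM.
Constructed example; rule semantics are simplified relative to Azure."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: str  # "TCP", "UDP" or "ICMP"


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # lower number is evaluated first, as with NSG rules
    action: str        # "Allow" or "Deny"
    protocol: str      # "TCP", "UDP", "ICMP" or "*" (any)
    src_prefix: str    # CIDR prefix or "*"
    dst_prefix: str    # CIDR prefix or "*"
    dst_ports: str     # "80", "80-443" or "*"


def _prefix_matches(prefix: str, ip: str) -> bool:
    if prefix == "*":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(prefix, strict=False)


def _port_matches(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)


def rule_matches(rule: Rule, flow: Flow) -> bool:
    """Match on the 5-tuple fields the rule constrains (source port is usually '*')."""
    return (rule.protocol in ("*", flow.protocol)
            and _prefix_matches(rule.src_prefix, flow.src_ip)
            and _prefix_matches(rule.dst_prefix, flow.dst_ip)
            and _port_matches(rule.dst_ports, flow.dst_port))


def evaluate(rules: list, flow: Flow, default: str = "Deny"):
    """First matching rule in priority order decides; nothing matched -> default deny,
    mirroring the NSG DenyAllInbound default rule and the firewall's implicit deny."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule_matches(rule, flow):
            return rule.action, rule.name
    return default, "default"


def reaches_vm(firewall_rules: list, nsg_rules: list, flow: Flow):
    """Traffic routed through the firewall must be allowed there AND by the NSG
    on the destination NIC/subnet before it reaches the VM."""
    fw_action, fw_rule = evaluate(firewall_rules, flow)
    if fw_action != "Allow":
        return False, f"dropped by Azure Firewall ({fw_rule})"
    nsg_action, nsg_rule = evaluate(nsg_rules, flow)
    if nsg_action != "Allow":
        return False, f"dropped by NSG ({nsg_rule})"
    return True, f"allowed (firewall: {fw_rule}, nsg: {nsg_rule})"


# Constructed rule sets: the firewall permits HTTP to the web subnet only;
# the NSG permits HTTP and explicitly denies RDP from anywhere.
FIREWALL_RULES = [
    Rule("allow-http-to-web", 100, "Allow", "TCP", "*", "10.0.1.0/24", "80"),
]
NSG_RULES = [
    Rule("AllowHTTPInbound", 100, "Allow", "TCP", "*", "*", "80"),
    Rule("DenyRDPInbound", 200, "Deny", "TCP", "*", "*", "3389"),
]
NSG_WITHOUT_HTTP = [NSG_RULES[1]]   # firewall changed, NSG not updated

# Constructed flows from an internet client (TEST-NET-3 address) to the web VM.
WEB_FLOW = Flow("203.0.113.5", 51000, "10.0.1.4", 80, "TCP")
RDP_FLOW = Flow("203.0.113.5", 51001, "10.0.1.4", 3389, "TCP")

if __name__ == "__main__":
    print("HTTP, both layers configured:", reaches_vm(FIREWALL_RULES, NSG_RULES, WEB_FLOW))
    print("HTTP, firewall only:", reaches_vm(FIREWALL_RULES, NSG_WITHOUT_HTTP, WEB_FLOW))
    print("RDP:", reaches_vm(FIREWALL_RULES, NSG_RULES, RDP_FLOW))
```

Running it prints that HTTP is allowed only when both layers allow it, that the same HTTP flow is dropped by the NSG's default deny when only the firewall was modified, and that RDP never gets past the firewall at all. Real Azure evaluation has more pieces (default rules, service tags, firewall rule collection groups, DNAT for inbound from the internet), but the ordering and the "both must allow" property are the same.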