{"id":3617,"date":"2026-01-14T15:27:38","date_gmt":"2026-01-14T21:27:38","guid":{"rendered":"https:\/\/microsoftgeek.com\/?p=3617"},"modified":"2026-01-14T15:27:38","modified_gmt":"2026-01-14T21:27:38","slug":"azure-firewall-vs-network-security-group","status":"publish","type":"post","link":"https:\/\/microsoftgeek.com\/?p=3617","title":{"rendered":"Azure Firewall vs Network Security Group"},"content":{"rendered":"\n

When it comes to protecting your azure resources, a question you may come across is when to use an azure firewall vs network security group. Azure firewalls and network security groups provide similar but different functions.<\/p>\n\n\n\n

Typically you would utilize an azure firewall to protect your enterprise network from incoming traffic. This allows you to get a centralized view of logs and rule sets applied across multiple devices.<\/p>\n\n\n\n

Network Security groups work like a firewall but they are typically applied at a subnet or network interface level. Both an azure firewall and network security group do allow you to define rules based on ip address, ports, networks and subnets.<\/p>\n\n\n\n

In this article we will discuss how to create an apply both in azure.<\/p>\n\n\n\n

How to deploy and apply an Azure Firewall<\/h2>\n\n\n\n

To deploy an azure firewall you can follow these simple steps using either terraform or the azure portal:<\/p>\n\n\n\n

Deploy an azure firewall using terraform<\/h3>\n\n\n\n
resource \"azurerm_resource_group\" \"example\" {\n  name     = \"corp-network\"\n  location = \"eastus\"\n}\n\nresource \"azurerm_virtual_network\" \"example\" {\n  name                = \"testvnet\"\n  address_space       = [\"10.0.0.0\/16\"]\n  location            = azurerm_resource_group.example.location\n  resource_group_name = azurerm_resource_group.example.name\n}\n\nresource \"azurerm_subnet\" \"example\" {\n  name                 = \"AzureFirewallSubnet\"\n  resource_group_name  = azurerm_resource_group.example.name\n  virtual_network_name = azurerm_virtual_network.example.name\n  address_prefixes     = [\"10.0.1.0\/24\"]\n}\n\nresource \"azurerm_public_ip\" \"example\" {\n  name                = \"testpip\"\n  location            = azurerm_resource_group.example.location\n  resource_group_name = azurerm_resource_group.example.name\n  allocation_method   = \"Static\"\n  sku                 = \"Standard\"\n}\n\nresource \"azurerm_firewall\" \"example\" {\n  name                = \"testfirewall\"\n  location            = azurerm_resource_group.example.location\n  resource_group_name = azurerm_resource_group.example.name\n  sku_name            = \"AZFW_VNet\"\n  sku_tier            = \"Standard\"\n\n  ip_configuration {\n    name                 = \"configuration\"\n    subnet_id            = azurerm_subnet.example.id\n    public_ip_address_id = azurerm_public_ip.example.id\n  }\n}<\/code><\/pre>\n\n\n\n
How terraform works is that it uses api\u2019s published by Microsoft to allow you to deploy your azure resources a lot quicker and more automated. This code is creating:<\/p>\n\n\n\n
    \n
  • A resource group called<\/li>\n\n\n\n
  • An azure virtual network called testvnet<\/li>\n\n\n\n
  • A subnet that has to have the name \u201cAzureFirewallSubnet\u201d for the azure firewall to work<\/li>\n\n\n\n
  • An Azure Firewall with a single public IP<\/li>\n<\/ul>\n\n\n\n
    Once the firewall is deployed in terraform you can add the different types of rules that are needed to block or allow traffic in and out of your network.<\/p>\n\n\n\n
    Deploy Azure Firewall using Azure Portal<\/h3>\n\n\n\n
    If not familiar with terraform you can utilize the portal to build and azure firewall and policy as well. Following these steps here:<\/p>\n\n\n\n
      \n
    1. On the Azure portal menu or from the\u00a0Home<\/strong>\u00a0page, select\u00a0Create a resource<\/strong>.<\/li>\n\n\n\n
    2. Type\u00a0firewall<\/strong>\u00a0in the search box and press\u00a0Enter<\/strong>.<\/li>\n\n\n\n
    3. Select\u00a0Firewall<\/strong>\u00a0and then select\u00a0Create<\/strong>.<\/li>\n\n\n\n
    4. On the\u00a0Create a Firewall<\/strong>\u00a0page\n
        \n
      1. Select your Azure subscription.<\/li>\n\n\n\n
      2. Resource group Select\u00a0Test-FW-RG<\/strong>.<\/li>\n\n\n\n
      3. Name Enter\u00a0Test-FW01<\/em>.<\/li>\n\n\n\n
      4. Region Select the same location that you used previously.<\/li>\n\n\n\n
      5. Firewall management Select\u00a0Use a Firewall Policy to manage this firewall<\/strong>.<\/li>\n\n\n\n
      6. Firewall policy Select\u00a0Add new<\/strong>, and enter\u00a0fw-test-pol<\/em>.
        Select the same region that you used previously.<\/li>\n\n\n\n
      7. Choose a virtual network Select\u00a0Use existing<\/strong>, and then select\u00a0Test-FW-VN<\/strong>.<\/li>\n\n\n\n
      8. Public IP address Select\u00a0Add new<\/strong>, and enter\u00a0fw-pip<\/em>\u00a0for the\u00a0Name<\/strong>.<\/li>\n<\/ol>\n<\/li>\n\n\n\n
      9. Accept the other default values, then select\u00a0Review + create<\/strong>.<\/li>\n\n\n\n
      10. Review the summary, and then select\u00a0Create<\/strong>\u00a0to create the firewall.This will take a few minutes to deploy.<\/li>\n\n\n\n
      11. After deployment completes, go to the\u00a0Test-FW-RG<\/strong>\u00a0resource group, and select the\u00a0Test-FW01<\/strong>\u00a0firewall.<\/li>\n\n\n\n
      12. Note the firewall private and public IP addresses. You\u2019ll use these addresses later.<\/li>\n<\/ol>\n\n\n\n
        These settings gets you the minimum requirements needed to get an azure firewall up and running.<\/p>\n\n\n\n
        How to create and attach an Azure Network Security Group<\/h2>\n\n\n\n
        An azure network security group can be attached at the subnet or vm level. Although Azure network security groups function kind of similar to Azure firewalls, the network security groups are easier to setup. With network security groups being more easier to setup, they tend to be used more.<\/p>\n\n\n\n
        Being that you could find yourself creating more of these to block inbound and outbound access to certain resources, their could be instances where you don\u2019t have a standard security policy applied to all subnets or network interfaces.<\/p>\n\n\n\n
        To setup an Azure network security group:<\/p>\n\n\n\n
          \n
        1. Go to the azure portal and click create resource<\/li>\n\n\n\n
        2. Search for network security group and click create<\/li>\n\n\n\n
        3. Select the desired resource group, name and region<\/li>\n\n\n\n
        4. Select go to resource and click on the subnets tab<\/li>\n\n\n\n
        5. Then choose the subnet association you would like to apply this to.<\/li>\n\n\n\n
        6. If applying to network interfaces, choose the network interface tab<\/li>\n<\/ol>\n\n\n\n
          Once the azure network security group is applied you can apply inbound and outbound security rules.<\/p>\n\n\n\n
          Conclusion<\/h2>\n\n\n\n
          When thinking about the question azure firewall vs network security group, try and think of where you would like to define your network security. When wanting to control your security closer to the edge, its best to go with an azure firewall. At the subnet or nic level of a virtual machine, a network security group can help you get a more granular setup.<\/p>\n\n\n\n
          Also with when choosing between an azure firewall vs a network security group, the azure firewall comes at a greater cost since it requires a managed service and external ip.<\/p>\n","protected":false},"excerpt":{"rendered":"
          When it comes to protecting your azure resources, a question you may come across is when to use an azure firewall vs network security group. Azure firewalls and network security groups provide similar but different functions. Typically you would utilize an azure firewall to protect your enterprise network from incoming traffic. This allows you to […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[69,35,77,85,84],"tags":[],"class_list":["post-3617","post","type-post","status-publish","format-standard","hentry","category-azure","category-cloud-computing","category-devops","category-iac","category-terraform"],"_links":{"self":[{"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/posts\/3617","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3617"}],"version-history":[{"count":1,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/posts\/3617\/revisions"}],"predecessor-version":[{"id":3618,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/posts\/3617\/revisions\/3618"}],"wp:attachment":[{"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3617"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3617"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3617"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}