An important security measure when running workloads in Azure or any cloud service is to control the type of traffic that flows in and out of resources. The resources can be virtual machines running a SQL database, web applications or domain services. In Azure, the two security features that can be used to manage both inbound and outbound traffic to resources are Azure Firewall and Network Security Groups (NSGs).
Both solutions are integrated into Azure Monitor for diagnostic logging. You can access some of these logs through the portal. Logs can be sent to Azure Monitor logs, Storage, and Event Hubs and analysed in Azure Monitor logs or by different tools such as Excel and Power BI.
NSGs and Azure Firewall work very well together and are not mutually exclusive or redundant. You typically want to use NSGs when you are protecting network traffic in or out of a subnet. An example would be a subnet that contains VMs that require RDP access (TCP port 3389) from a jumpbox only. Azure Firewall is the solution for filtering traffic to a VNet from the outside. For this reason, it should be deployed in its own VNet and isolated from other resources. It is a highly available solution that automatically scales based on its workload.
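The jumpbox scenario above is decided by NSG rule ordering: the rule with the lowest priority number that matches a flow wins, and a platform default rule (AllowVnetInBound at 65000, then DenyAllInBound at 65500) applies when nothing else matches. The following is an added example written for this page, not code from the article or from Microsoft. It models that evaluation for inbound rules only, so that a rule set can be checked before it is deployed, and it flags any rule that leaves a management port open to sources outside the VNet. The VNet range, the jumpbox address, the rule names and priorities, and the probe address are all constructed for illustration; the VirtualNetwork and Internet service tags are approximated as "inside" and "outside" that one VNet range, and source ports and destination addresses (which real NSG rules also carry) are omitted.

```python
import ipaddress
from dataclasses import dataclass

# Constructed VNet address space; used to approximate the VirtualNetwork and
# Internet service tags (real tags cover more than a single VNet range).
VNET = ipaddress.ip_network("10.0.0.0/16")


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int        # lower number is evaluated first (custom rules: 100-4096)
    direction: str       # "Inbound" (outbound defaults are not modelled here)
    access: str          # "Allow" or "Deny"
    protocol: str        # "Tcp", "Udp" or "*"
    source: str          # CIDR, "*", "VirtualNetwork" or "Internet"
    dest_port: str       # single port, "lo-hi" range, or "*"


# Subset of Azure's built-in inbound default rules (AzureLoadBalancer rule omitted).
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*"),
]


def _addr_matches(selector, ip):
    addr = ipaddress.ip_address(ip)
    if selector == "*":
        return True
    if selector == "VirtualNetwork":
        return addr in VNET
    if selector == "Internet":
        return addr not in VNET
    return addr in ipaddress.ip_network(selector, strict=False)


def _port_matches(selector, port):
    if selector == "*":
        return True
    if "-" in selector:
        lo, hi = (int(x) for x in selector.split("-"))
        return lo <= port <= hi
    return int(selector) == port


def evaluate(rules, src_ip, dst_port, proto="Tcp"):
    """Return (access, rule_name) for the first inbound rule, by ascending
    priority, that matches the flow; the platform defaults are appended."""
    for r in sorted(list(rules) + DEFAULT_INBOUND, key=lambda r: r.priority):
        if r.direction != "Inbound":
            continue
        if r.protocol != "*" and r.protocol.lower() != proto.lower():
            continue
        if _addr_matches(r.source, src_ip) and _port_matches(r.dest_port, dst_port):
            return r.access, r.name
    return "Deny", "DenyAllInBound"  # unreachable given the defaults, kept for safety


def find_exposed_mgmt_ports(rules, probe_ip="203.0.113.10", ports=(22, 3389)):
    """Return (port, rule_name) pairs where an address outside the VNet
    (probe_ip is a constructed documentation-range address) would be allowed
    in. Goes through evaluate(), so a higher-priority Deny is honoured."""
    exposed = []
    for port in ports:
        access, name = evaluate(rules, probe_ip, port)
        if access == "Allow":
            exposed.append((port, name))
    return exposed


JUMPBOX = "10.0.1.4"  # constructed jumpbox address inside the VNet

# Subnet NSG for the article's scenario: RDP only from the jumpbox. The explicit
# Deny at 110 is what stops other VNet hosts, which AllowVnetInBound would otherwise admit.
RULES = [
    Rule("AllowRdpFromJumpbox", 100, "Inbound", "Allow", "Tcp", JUMPBOX + "/32", "3389"),
    Rule("DenyRdpFromAnywhereElse", 110, "Inbound", "Deny", "Tcp", "*", "3389"),
    Rule("AllowHttpsFromVnet", 200, "Inbound", "Allow", "Tcp", "VirtualNetwork", "443"),
]

# The same NSG with a common mistake: a lower-numbered rule that opens RDP to everyone.
WEAK_RULES = RULES + [Rule("AllowRdpAny", 90, "Inbound", "Allow", "Tcp", "*", "3389")]

if __name__ == "__main__":
    print(evaluate(RULES, JUMPBOX, 3389))          # ('Allow', 'AllowRdpFromJumpbox')
    print(evaluate(RULES, "10.0.2.7", 3389))       # ('Deny', 'DenyRdpFromAnywhereElse')
    print(evaluate(RULES, JUMPBOX, 22))            # ('Allow', 'AllowVnetInBound')
    print(find_exposed_mgmt_ports(RULES))          # []
    print(find_exposed_mgmt_ports(WEAK_RULES))     # [(3389, 'AllowRdpAny')]
```

Two things the run makes visible: a VNet-internal host that is not the jumpbox still reaches SSH on the subnet because of the AllowVnetInBound default, so the scenario needs an explicit Deny for each port it wants restricted; and the weak rule set is caught by the exposure check even though the correct rules are still present, because priority 90 is evaluated before them.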
Do you need packet inspection?
Typically, smaller SMEs with limited budgets that do not need a full Azure Firewall will go for an NSG. This works perfectly well and covers their security needs alongside other services such as Azure Monitor, Azure Security Center and more.