Copyright (c) 2025 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

5.1.2.2. Design for Network Security Groups (NSGs) and Azure Firewall

💡 First Principle: Layered defense in depth, combining distributed, granular controls at the resource level (NSGs) with centralized, intelligent threat protection at the network perimeter (Azure Firewall), is essential for a robust network security posture. Neither layer replaces the other.

Scenario: You are designing the network security for a new enterprise application. It has multiple tiers (web, application, database) in separate subnets. You need to implement strict traffic filtering between these tiers (e.g., web can talk to app, app can talk to DB, but web cannot talk directly to DB). Additionally, all inbound and outbound internet traffic for the entire application must pass through a centralized firewall for advanced threat inspection and FQDN filtering.

Network Security Groups (NSGs) and Azure Firewall both filter traffic in your Virtual Networks, but at different layers of the design: an NSG is a free, distributed layer 3/4 access-control list attached to subnets and NICs, while Azure Firewall is a managed, stateful firewall-as-a-service that sits in its own subnet and inspects only the traffic that is routed through it.

Key Design Considerations:
  • Network Security Groups (NSGs):
    • Granular Control: Apply NSGs at the subnet or individual network interface (NIC) level to filter traffic by source and destination IP prefix or service tag, port, and protocol. When both a subnet NSG and a NIC NSG apply, a flow must be allowed by both.
    • Priority Ordering: Custom rules take priorities 100 to 4096 and are evaluated from the lowest number upward; the first matching rule decides and processing stops, so a higher-numbered deny never overrides a lower-numbered allow.
    • Stateful Filtering: NSGs are stateful; if you allow an inbound request, the return traffic is automatically allowed without an outbound rule.
    • Default Rules: Every NSG carries default rules at priority 65000 and above (AllowVnetInBound, AllowAzureLoadBalancerInBound, DenyAllInBound, and their outbound counterparts). They cannot be deleted, only overridden by a higher-priority custom rule. In the scenario, AllowVnetInBound still permits web-to-DB traffic unless you add an explicit deny, so each tier's NSG needs its own deny rule placed after its allows.
  • Azure Firewall:
    • Centralized Security: A managed, highly available network security service deployed into a dedicated subnet named AzureFirewallSubnet (at least a /26) that protects resources in its VNet and, through peering in a hub-and-spoke topology, in spoke VNets as well.
    • Stateful Filtering: Azure Firewall is stateful and provides intelligent network-level protection.
    • Threat Intelligence: Integrates with Microsoft Threat Intelligence to alert on, or alert and deny, traffic to and from known malicious IPs and domains. IDPS and TLS inspection require the Premium SKU.
    • Application, Network, and DNAT Rules: Application rules filter outbound HTTP/HTTPS by FQDN, network rules filter by protocol, address, and port, and DNAT rules publish inbound services through the firewall's public IP.
    • Routing: The firewall only sees traffic that is routed to it. Associate a route table with each workload subnet that sends 0.0.0.0/0 to the firewall's private IP (next hop type VirtualAppliance); without that route, outbound traffic bypasses the firewall entirely, and east-west traffic between subnets in the same VNet is never inspected by it.
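The scenario's tier-to-tier rules, as an added example that is not Azure code or an SDK: a small Python evaluator that reproduces the NSG semantics described above (ascending priority, first match wins, the undeletable default rules at 65000+, and the requirement that every NSG on the path allows the flow). The VNet layout, port numbers, and rule names are assumed for illustration. Running it shows why a DB-tier NSG that only contains an allow rule still lets the web tier reach the database, and how an explicit deny fixes it.

```python
"""Offline check of a three-tier NSG design (added example, not Azure code).

Mirrors the documented NSG evaluation: rules are processed in ascending
priority, the first match decides, the default rules at 65000+ are always
present, and a flow must be allowed by every NSG on its path (subnet NSG
and NIC NSG). Address ranges, ports and rule names are assumed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Assumed VNet layout for the scenario (constructed for this example).
VNET = "10.0.0.0/16"
FIREWALL_SUBNET = "10.0.0.0/26"   # AzureFirewallSubnet must be at least a /26
WEB, APP, DB = "10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # custom rules 100-4096; Azure's defaults use 65000+
    access: str        # "Allow" or "Deny"
    protocol: str      # "Tcp", "Udp" or "*"
    source: str        # CIDR, "*", or one of the service tags modelled below
    destination: str
    dest_port: str     # "1433", "8080-8090" or "*"


# Default inbound rules Azure adds to every NSG; they cannot be removed,
# only overridden by a lower-numbered (higher-priority) custom rule.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "*", "AzureLoadBalancer", "*", "*"),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*", "*", "*"),
]


def _addr_matches(prefix: str, ip: str) -> bool:
    """Simplified service tags: VirtualNetwork is the VNet address space,
    Internet is anything outside it, AzureLoadBalancer is the probe VIP."""
    addr = ipaddress.ip_address(ip)
    if prefix == "*":
        return True
    if prefix == "VirtualNetwork":
        return addr in ipaddress.ip_network(VNET)
    if prefix == "Internet":
        return addr not in ipaddress.ip_network(VNET)
    if prefix == "AzureLoadBalancer":
        return ip == "168.63.129.16"
    return addr in ipaddress.ip_network(prefix)


def _port_matches(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str, port: int,
             proto: str = "Tcp") -> Tuple[str, str]:
    """Return (access, matching rule name) for an inbound flow, applying the
    NSG's custom rules plus the default rules in priority order."""
    for r in sorted(rules + DEFAULT_INBOUND, key=lambda r: r.priority):
        if (r.protocol in ("*", proto)
                and _addr_matches(r.source, src_ip)
                and _addr_matches(r.destination, dst_ip)
                and _port_matches(r.dest_port, port)):
            return r.access, r.name
    raise AssertionError("unreachable: DenyAllInBound matches everything")


def allowed(path: List[List[Rule]], src_ip: str, dst_ip: str, port: int,
            proto: str = "Tcp") -> bool:
    """A flow must be allowed by every NSG on its path (subnet, then NIC)."""
    return all(evaluate(nsg, src_ip, dst_ip, port, proto)[0] == "Allow" for nsg in path)


# Naive DB-subnet NSG: only an allow rule. The web tier still reaches the DB
# because AllowVnetInBound (65000) matches whatever the custom rules miss.
DB_NSG_NAIVE = [Rule("AllowAppToDb", 100, "Allow", "Tcp", APP, DB, "1433")]

# Corrected design: explicit allows, then a deny that shadows the defaults.
DB_NSG = DB_NSG_NAIVE + [Rule("DenyAllOtherInBound", 4096, "Deny", "*", "*", "*", "*")]
APP_NSG = [
    Rule("AllowWebToApp", 100, "Allow", "Tcp", WEB, APP, "8080"),
    Rule("DenyAllOtherInBound", 4096, "Deny", "*", "*", "*", "*"),
]
# Internet traffic must arrive via Azure Firewall (DNAT), so the web tier only
# accepts HTTPS from the firewall subnet, never from the Internet directly.
WEB_NSG = [
    Rule("AllowFirewallToWeb", 100, "Allow", "Tcp", FIREWALL_SUBNET, WEB, "443"),
    Rule("DenyAllOtherInBound", 4096, "Deny", "*", "*", "*", "*"),
]


def check_design() -> dict:
    """Evaluate the scenario's intended and forbidden flows."""
    return {
        "web->app:8080": evaluate(APP_NSG, "10.0.1.4", "10.0.2.4", 8080),
        "app->db:1433": evaluate(DB_NSG, "10.0.2.4", "10.0.3.4", 1433),
        "web->db:1433 (naive)": evaluate(DB_NSG_NAIVE, "10.0.1.4", "10.0.3.4", 1433),
        "web->db:1433": evaluate(DB_NSG, "10.0.1.4", "10.0.3.4", 1433),
        "internet->web:443": evaluate(WEB_NSG, "203.0.113.7", "10.0.1.4", 443),
        "firewall->web:443": evaluate(WEB_NSG, "10.0.0.4", "10.0.1.4", 443),
    }


if __name__ == "__main__":
    for flow, (access, rule) in check_design().items():
        print(f"{flow:24} {access:5} ({rule})")
```

One caveat the evaluator also exposes: a custom deny-all at 4096 shadows AllowAzureLoadBalancerInBound (65001) as well, so a tier that sits behind a load balancer needs an explicit allow for the AzureLoadBalancer service tag ahead of its deny, or health probes will fail. The same "lowest number wins" logic applies to outbound rules and to the outbound defaults.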

⚠️ Common Pitfall: Relying only on NSGs for perimeter security. While essential for micro-segmentation, NSGs lack the threat intelligence, FQDN filtering, DNAT, and centralized policy management that Azure Firewall provides at the perimeter. The reverse mistake is just as common: deploying Azure Firewall without the route tables that send subnet traffic to it, or assuming it filters east-west traffic between subnets, which by default never leaves the VNet's own routing and is governed only by NSGs.

Key Trade-Offs:
  • Distributed (NSG) vs. Centralized (Firewall): NSGs provide distributed, granular control close to the resource at no cost, but their rules must be maintained per subnet or NIC. Azure Firewall provides centralized, powerful control at the network level and simplifies policy management across multiple VNets, at the price of an hourly charge plus data-processing fees and an extra hop in the traffic path. The scenario needs both: NSGs for tier-to-tier segmentation and the firewall for every flow that crosses the internet boundary.

Reflection Question: How does designing for a layered network security approach, combining Network Security Groups (NSGs) for internal micro-segmentation and Azure Firewall for centralized perimeter protection, fundamentally ensure authorized communication and protect against cyber threats for your Azure network?