6.2. Azure Firewall
Your developers need to access Windows Update, GitHub, and Docker Hub—but you can't just allow all outbound traffic. How do you permit specific FQDNs while blocking everything else? NSGs can't help—they don't understand domain names. Azure Firewall operates at Layers 3-7, understanding both network flows AND application protocols.
💡 First Principle: Unlike NSGs (which see only IP/port), Azure Firewall can filter by FQDN, enforce TLS inspection, and apply threat intelligence. Think of it like upgrading from a security desk to a full inspection station—checking not just IDs, but scanning briefcases and cross-referencing against known threat lists.
What breaks without proper design: Legitimate traffic gets blocked because you forgot to allow a dependency. Asymmetric routing causes connection failures when traffic returns via a different path. Logs overwhelm storage without proper retention policies.
Consider when you need Azure Firewall vs. just NSGs: if you need FQDN filtering, TLS inspection, threat intelligence, or centralized logging across VNets, Azure Firewall is required. For simple IP/port filtering within a VNet, NSGs are sufficient and cheaper.
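As an added example (not code from the original page), the Bicep below defines a Firewall Policy that allows only the three destinations the developers need and relies on Azure Firewall's implicit deny for everything else; the policy name, rule names and the 10.10.1.0/24 developer subnet are assumed values.

```bicep
param devSubnetPrefix string = '10.10.1.0/24'  // assumed developer subnet
resource fwPolicy 'Microsoft.Network/firewallPolicies@2023-05-01' = {
  name: 'fwpol-dev-egress'                     // assumed name
  location: resourceGroup().location
  properties: {
    sku: { tier: 'Standard' }
    threatIntelMode: 'Deny'                    // drop traffic to/from known-bad IPs and domains
  }
}
resource appRules 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2023-05-01' = {
  parent: fwPolicy
  name: 'DefaultApplicationRuleCollectionGroup'
  properties: {
    priority: 300
    ruleCollections: [
      {
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'allow-dev-egress'
        priority: 100
        action: { type: 'Allow' }             // anything not matched below is denied by default
        rules: [
          {
            // FQDN tags are Microsoft-maintained endpoint lists, so the Windows Update hosts need not be enumerated by hand
            ruleType: 'ApplicationRule'
            name: 'allow-windows-update'
            sourceAddresses: [devSubnetPrefix]
            protocols: [{ protocolType: 'Https', port: 443 }, { protocolType: 'Http', port: 80 }]
            fqdnTags: ['WindowsUpdate']
          }
          {
            ruleType: 'ApplicationRule'
            name: 'allow-github'
            sourceAddresses: [devSubnetPrefix]
            protocols: [{ protocolType: 'Https', port: 443 }]
            targetFqdns: ['github.com', '*.github.com', '*.githubusercontent.com']
          }
          {
            // A Docker Hub pull touches the registry, its auth service and the CDN serving image layers;
            // allowing only registry-1.docker.io is the "forgot a dependency" failure described above
            ruleType: 'ApplicationRule'
            name: 'allow-docker-hub'
            sourceAddresses: [devSubnetPrefix]
            protocols: [{ protocolType: 'Https', port: 443 }]
            targetFqdns: ['registry-1.docker.io', 'auth.docker.io', 'production.cloudflare.docker.com']
          }
        ]
      }
    ]
  }
}
```

Deploying the policy alone changes nothing until a user-defined route on the developer subnet sends 0.0.0.0/0 to the firewall's private IP, so the FQDN checks are actually in the path.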