CAMPUX Cloud Bootcamp
Field notes · Networking
NSG vs Azure Firewall

NSG vs Azure Firewall: the difference, and why you often want both

By Victor Thomson16 July 20265 min read

A network security group is a free packet filter that reasons about IP addresses and ports. Azure Firewall is a managed service that reasons about names and threats. They are not rivals — they work at different altitudes, and mature networks run both.

Newcomers treat "NSG" and "Azure Firewall" as two answers to one question — how do I control traffic? — and then agonise over picking one. That framing is the mistake. They control different things, at different layers, for different reasons. Understanding where each operates makes the "which one" question mostly dissolve.

The NSG: a free, fast filter on the five-tuple

A network security group is a basic packet filter you attach to a subnet or a network interface. It holds allow/deny rules, and each rule is evaluated on what Microsoft calls the five-tuple: source IP, source port, destination IP, destination port, and protocol. Rules run in priority order (lower number wins); the first match decides, and processing stops.

Two properties matter most. First, an NSG is stateful: allow an inbound flow and the return traffic is automatically permitted, so you do not write mirror-image rules for responses. Second, it is free and built into the network fabric, so there is no reason not to use them liberally. What an NSG cannot do is just as important: it works at layers 3 and 4 only. It has no idea what a domain name is, cannot allow "traffic to github.com," and does no application-layer inspection. It sees addresses and ports, nothing more.

Azure Firewall: a managed service that understands names and threats

Azure Firewall is a different class of thing. The docs define it as "a cloud-native, intelligent network firewall security service" — and crucially, "a fully stateful firewall as a service, featuring built-in high availability and unlimited cloud scalability." You do not patch it, scale it, or babysit its uptime; it is a managed appliance you deploy centrally, usually in a hub network that all your other networks route through. Its Standard SKU brings the capabilities an NSG structurally cannot:

All of that is why Azure Firewall costs money (billed by deployment and data processed) while an NSG is free. You are paying for a managed, intelligent, centralised control point — not a per-subnet rule list.

Network security groupAzure Firewall
What it isBuilt-in packet filterManaged firewall service
LayersL3 / L4 (five-tuple)L3–L7
Filter by domain name?NoYes (FQDN / app rules)
Threat intelligenceNoYes
StatefulYesYes
Attaches toSubnet or NICCentral hub network
CostFreePaid

An NSG asks "which address and port?" A firewall asks "which name, and is it dangerous?"

Why real networks run both

Because they operate at different altitudes, the grown-up pattern is defence in depth: Azure Firewall in a central hub controls what enters and leaves the environment — the coarse, intelligent, name-aware perimeter — while NSGs do fine-grained segmentation deep inside, saying which subnets and which specific ports may talk to each other. The firewall keeps malicious domains and unapproved egress out at the edge; the NSGs make sure that even inside the walls, the web subnet can only reach the database subnet on the one port it needs.

You can absolutely run a perfectly secure small environment on NSGs alone — many do, and it is the right, thrifty call when you do not need name-based rules or centralised egress control. But the instant a requirement appears like "we must restrict outbound traffic to an approved list of domains" or "block anything talking to known-bad IPs," you have hit the ceiling of what an NSG can express, and that is Azure Firewall's job.

The one-line interview answer

"An NSG is a free, stateful layer 3/4 filter on the five-tuple, attached to subnets and NICs for segmentation. Azure Firewall is a managed, stateful L3–L7 service with FQDN filtering and threat intelligence, deployed centrally for perimeter control. They are complementary — I use NSGs for internal segmentation and a firewall for the intelligent edge."

The takeaway

Stop asking which one and start asking what am I trying to control? If the answer is "which internal subnet reaches which port," that is an NSG, and it is free — use them everywhere. If the answer involves domain names, centralised egress, or threat feeds, that is Azure Firewall. Most serious environments end up with both, each doing the job the other cannot, and that is not redundancy — it is layers.

Further reading — the Microsoft docs
Drilled in Class 10 (Networking) and Class 31 (Security). Next note: KQL for beginners →