Azure Firewall vs Network Security Group

When it comes to protecting your Azure resources, a question you may come across is when to use an Azure Firewall versus a network security group. Azure Firewall and network security groups provide similar but distinct functions.

Typically you would use an Azure Firewall to protect your enterprise network from incoming traffic. This gives you a centralized view of the logs and of the rule sets applied across multiple devices.

Network security groups work like a firewall, but they are typically applied at the subnet or network interface level. Both an Azure Firewall and a network security group let you define rules based on IP addresses, ports, networks and subnets.

In this article we will discuss how to create and apply both in Azure.

How to deploy and apply an Azure Firewall

To deploy an Azure Firewall you can follow these simple steps using either Terraform or the Azure portal:

Deploy an Azure Firewall using Terraform

# Provider configuration (needed for this file to apply on its own);
# the azurerm provider requires an empty features block.
terraform {
  required_providers {
    azurerm = {
      source = "hashicorp/azurerm"
    }
  }
}

provider "azurerm" {
  features {}
}

# Resource group that will hold the network and the firewall.
resource "azurerm_resource_group" "example" {
  name     = "corp-network"
  location = "eastus"
}

# Virtual network the firewall is deployed into.
resource "azurerm_virtual_network" "example" {
  name                = "testvnet"
  address_space       = ["10.0.0.0/16"]
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
}

# The firewall's subnet must be named exactly "AzureFirewallSubnet".
resource "azurerm_subnet" "example" {
  name                 = "AzureFirewallSubnet"
  resource_group_name  = azurerm_resource_group.example.name
  virtual_network_name = azurerm_virtual_network.example.name
  address_prefixes     = ["10.0.1.0/24"]
}

# Azure Firewall requires a Standard-SKU, statically allocated public IP.
resource "azurerm_public_ip" "example" {
  name                = "testpip"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  allocation_method   = "Static"
  sku                 = "Standard"
}

# The firewall itself, bound to the dedicated subnet and the public IP.
resource "azurerm_firewall" "example" {
  name                = "testfirewall"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  sku_name            = "AZFW_VNet"
  sku_tier            = "Standard"

  ip_configuration {
    name                 = "configuration"
    subnet_id            = azurerm_subnet.example.id
    public_ip_address_id = azurerm_public_ip.example.id
  }
}

Terraform works by calling the APIs published by Microsoft, which lets you deploy your Azure resources much faster and in an automated, repeatable way. This code creates:

  • A resource group called corp-network
  • An Azure virtual network called testvnet
  • A subnet that must be named "AzureFirewallSubnet" for the Azure Firewall to work
  • An Azure Firewall with a single public IP

Once the firewall is deployed with Terraform, you can add the different types of rules needed to block or allow traffic in and out of your network.
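As an added example (not part of the original article), the following Terraform extends the "testfirewall" deployment above with the three things a firewall needs before it protects anything: explicit allow-list rules, a route that actually sends workload traffic through it, and a diagnostic setting that produces the centralized logs. It assumes a workload subnet named "workload" in the same VNet and a Log Analytics workspace resource "logs"; the FQDNs and the admin ranges are placeholders.

```hcl
# Added example, not from the original article. Assumes the resource group,
# VNet and firewall named "example" above; "logs" is an assumed
# azurerm_log_analytics_workspace resource.

resource "azurerm_subnet" "workload" {
  name                 = "workload"
  resource_group_name  = azurerm_resource_group.example.name
  virtual_network_name = azurerm_virtual_network.example.name
  address_prefixes     = ["10.0.2.0/24"]
}

# Azure Firewall only inspects traffic that is routed to it: a user-defined
# route on the workload subnet sends all outbound traffic to the firewall's
# private IP. Without this, the firewall sits idle no matter what rules it has.
resource "azurerm_route_table" "via_firewall" {
  name                = "rt-via-firewall"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name

  route {
    name                   = "default-to-firewall"
    address_prefix         = "0.0.0.0/0"
    next_hop_type          = "VirtualAppliance"
    next_hop_in_ip_address = azurerm_firewall.example.ip_configuration[0].private_ip_address
  }
}

resource "azurerm_subnet_route_table_association" "workload" {
  subnet_id      = azurerm_subnet.workload.id
  route_table_id = azurerm_route_table.via_firewall.id
}

# Network rules (L3/L4). Anything not matched by a rule is dropped by default,
# so only the traffic explicitly listed here leaves the subnet at this layer.
resource "azurerm_firewall_network_rule_collection" "outbound_infra" {
  name                = "outbound-infra"
  azure_firewall_name = azurerm_firewall.example.name
  resource_group_name = azurerm_resource_group.example.name
  priority            = 100
  action              = "Allow"

  rule {
    name                  = "dns"
    source_addresses      = azurerm_subnet.workload.address_prefixes
    destination_ports     = ["53"]
    destination_addresses = ["168.63.129.16"] # Azure-provided DNS; replace with your resolvers
    protocols             = ["UDP"]
  }
}

# Application rules (L7): outbound web access limited to named FQDNs
# rather than "any destination on 443".
resource "azurerm_firewall_application_rule_collection" "outbound_web" {
  name                = "outbound-web"
  azure_firewall_name = azurerm_firewall.example.name
  resource_group_name = azurerm_resource_group.example.name
  priority            = 200
  action              = "Allow"

  rule {
    name             = "patching"
    source_addresses = azurerm_subnet.workload.address_prefixes
    target_fqdns     = ["*.ubuntu.com", "*.windowsupdate.com"] # placeholder allow-list

    protocol {
      port = "443"
      type = "Https"
    }
  }
}

# Rule hits from every collection land in one workspace: this is the
# "centralized view of logs" the article refers to.
resource "azurerm_monitor_diagnostic_setting" "firewall" {
  name                       = "fw-diag"
  target_resource_id         = azurerm_firewall.example.id
  log_analytics_workspace_id = azurerm_log_analytics_workspace.logs.id # assumed to exist

  enabled_log { category = "AzureFirewallNetworkRule" }
  enabled_log { category = "AzureFirewallApplicationRule" }
}
```

The classic rule collections used here match the firewall above, which has no firewall policy attached; if you create the firewall with a policy (as the portal steps below do), the same rules go into an azurerm_firewall_policy_rule_collection_group instead. A useful check after applying is to run a DNS query and a web request from a VM in the workload subnet and confirm each appears as an Allow hit in the AzureFirewallNetworkRule and AzureFirewallApplicationRule logs, and that a request to an unlisted FQDN appears as a Deny.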

Deploy Azure Firewall using Azure Portal

If you are not familiar with Terraform, you can use the portal to build an Azure Firewall and its policy as well. Follow these steps:

  1. On the Azure portal menu or from the Home page, select Create a resource.
  2. Type firewall in the search box and press Enter.
  3. Select Firewall and then select Create.
  4. On the Create a Firewall page:
    1. Select your Azure subscription.
    2. Resource group Select Test-FW-RG.
    3. Name Enter Test-FW01.
    4. Region Select the same location that you used previously.
    5. Firewall management Select Use a Firewall Policy to manage this firewall.
    6. Firewall policy Select Add new, and enter fw-test-pol.
      Select the same region that you used previously.
    7. Choose a virtual network Select Use existing, and then select Test-FW-VN.
    8. Public IP address Select Add new, and enter fw-pip for the Name.
  5. Accept the other default values, then select Review + create.
  6. Review the summary, and then select Create to create the firewall. This will take a few minutes to deploy.
  7. After deployment completes, go to the Test-FW-RG resource group, and select the Test-FW01 firewall.
  8. Note the firewall private and public IP addresses. You’ll use these addresses later.

These settings give you the minimum requirements needed to get an Azure Firewall up and running.

How to create and attach an Azure Network Security Group

An Azure network security group can be attached at the subnet or VM level. Although Azure network security groups function somewhat like Azure Firewall, network security groups are easier to set up. Because they are easier to set up, they tend to be used more.

Because you could find yourself creating many of these to block inbound and outbound access to particular resources, there could be cases where you do not have a standard security policy applied to all subnets or network interfaces.

To set up an Azure network security group:

  1. Go to the Azure portal and click Create a resource
  2. Search for Network security group and click Create
  3. Select the desired resource group, name and region
  4. Select Go to resource and click on the Subnets tab
  5. Then choose the subnet association you would like to apply this to.
  6. If applying to network interfaces, choose the Network interfaces tab

Once the Azure network security group is attached, you can add inbound and outbound security rules to it.
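As an added example (not part of the original article) covering both the point above about keeping a standard policy across subnets and interfaces and the rule step just described, here is one network security group in Terraform with an over-permissive rule shown beside its hardened replacement, attached to both a subnet and a NIC. It assumes the resource group and VNet named "example" from the article's Terraform and an existing subnet called "workload"; 10.50.0.0/24 is a placeholder for an admin or VPN range.

```hcl
# Added example, not from the original article. Assumes the resource group and
# VNet "example" from above and an existing subnet named "workload" in that VNet.

data "azurerm_subnet" "workload" {
  name                 = "workload"
  virtual_network_name = azurerm_virtual_network.example.name
  resource_group_name  = azurerm_resource_group.example.name
}

resource "azurerm_network_security_group" "workload" {
  name                = "nsg-workload"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name

  # Weak form, kept commented out only for contrast: a management port
  # reachable from any source address.
  # security_rule {
  #   name                       = "allow-ssh-any"
  #   priority                   = 100
  #   direction                  = "Inbound"
  #   access                     = "Allow"
  #   protocol                   = "Tcp"
  #   source_port_range          = "*"
  #   destination_port_range     = "22"
  #   source_address_prefix      = "*"
  #   destination_address_prefix = "*"
  # }

  # Hardened form: same port, but only from a named admin range (placeholder)
  # and only to this subnet's own prefix.
  security_rule {
    name                       = "allow-ssh-from-admin"
    priority                   = 100
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = "22"
    source_address_prefix      = "10.50.0.0/24"
    destination_address_prefix = data.azurerm_subnet.workload.address_prefixes[0]
  }

  # Explicit deny placed below the allows, so the intent is visible in the rule
  # list instead of relying only on the platform's default DenyAllInBound
  # (priority 65500). Lower number = evaluated first.
  security_rule {
    name                       = "deny-all-inbound"
    priority                   = 4000
    direction                  = "Inbound"
    access                     = "Deny"
    protocol                   = "*"
    source_port_range          = "*"
    destination_port_range     = "*"
    source_address_prefix      = "*"
    destination_address_prefix = "*"
  }
}

# One NSG, reused: the same rule set is associated with the subnet and with a
# NIC, so every subnet and interface carries the standard policy rather than
# ad hoc per-resource rules.
resource "azurerm_subnet_network_security_group_association" "workload" {
  subnet_id                 = data.azurerm_subnet.workload.id
  network_security_group_id = azurerm_network_security_group.workload.id
}

resource "azurerm_network_interface" "vm" {
  name                = "nic-vm01"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name

  ip_configuration {
    name                          = "primary"
    subnet_id                     = data.azurerm_subnet.workload.id
    private_ip_address_allocation = "Dynamic"
  }
}

resource "azurerm_network_interface_security_group_association" "vm" {
  network_interface_id      = azurerm_network_interface.vm.id
  network_security_group_id = azurerm_network_security_group.workload.id
}
```

When an NSG is attached at both the subnet and the NIC, inbound traffic must be allowed by both before it reaches the VM, which is why a single shared NSG is easier to reason about than two different ones. If egress from this subnet is meant to go through an Azure Firewall, leave outbound filtering to the firewall rather than adding an outbound deny to the "Internet" service tag here, since the NSG is evaluated before the route to the firewall and would drop that traffic first.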

Conclusion

When thinking about the question of Azure Firewall vs network security group, think about where you would like to define your network security. When you want to control security closer to the edge, it is best to go with an Azure Firewall. At the subnet or NIC level of a virtual machine, a network security group can give you a more granular setup.

Also, when choosing between an Azure Firewall and a network security group, the Azure Firewall comes at a greater cost since it is a managed service and requires a public IP.
