Forum Discussion

Chipperchoi79
Copper Contributor
Feb 17, 2024

Question about Azure firewall

Hey all,

I have a few servers that are migrated to Azure and connected back to On Prem via S2S VPN.

None of the servers in Azure have any public IPs associated with them; they are only protected via NSGs that allow traffic from the other VNET, and the VPN connection is configured to only allow the on-prem IP range.

With a scenario like this, where none of the VMs have public IPs assigned, I figured NSG is sufficient.

The question I have is that these VMs still have HTTP/S access, as you can reach websites from them. If this is the case, is a firewall required?

Are the default routes out to the internet for HTTP/S connectivity not protected at all?

3 Replies

  • Chipperchoi79

    NSG covers layers 3 and 4, while Azure Firewall covers up to layer 7. Azure Firewall also offers next-generation firewall capabilities such as packet inspection and intrusion detection; please consider the above.

    • Chipperchoi79
      Copper Contributor

      Thanks for the reply, but the question is really about needing the firewall if the servers are not public facing. They don't have any public IPs, and all inbound traffic to them is blocked on the NSG, so there is really no traffic to inspect other than the HTTP/S traffic mentioned.

      The way I understand it is that since the only HTTPS traffic coming in is in response to the requests being submitted by the server, it doesn't need to be inspected, but please correct me if I am way off base here.
      • Matthias-Braun
        Brass Contributor

        Hi Chipperchoi79,

        If an Azure Windows VM is accessible via the Internet but does not have a public IP address, it is not directly accessible from the outside by default.

        Here are some reasons why an attacker cannot simply access the VM via HTTPS:

        • Network Security Groups (NSGs): By default, NSGs allow outbound traffic but block inbound traffic. So an attacker cannot initiate a connection.
        • No public IP address: Without a public IP address, the VM cannot be directly accessed from the outside.

        A firewall is therefore not necessary, as this can be controlled more easily and cost-effectively via NSG.

        If requirements change, such as external access to certain applications, this could be protected by an application firewall.

        I hope this answers your question.

        Regards,

        Matthias
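The point the original question raises (that the default route still lets the VMs reach the Internet over HTTP/S) and Matthias's note that NSGs allow outbound by default both come down to how NSG rules are evaluated by priority. The following is an added worked example, not code from the thread or from Microsoft: a small evaluator that mimics NSG semantics (lowest priority number first, first match wins) loaded with the six default rules every NSG carries, plus a constructed custom deny rule. The VNet, on-prem and website addresses are constructed, and service tags such as `Internet` and `VirtualNetwork` are resolved with a simplified lookup rather than Azure's real tag data.

```python
"""Simplified Azure NSG rule evaluator (added example; not Azure's own code).

Shows why a VM with no public IP is unreachable from the Internet while the
same default rules still allow it to open HTTPS connections outbound, and how
a single custom Deny rule changes that outcome.
"""
import ipaddress
from dataclasses import dataclass

# Constructed: the VNet address space plus the on-prem range reachable via the
# S2S VPN. Azure's VirtualNetwork tag also covers on-prem ranges learned through
# the gateway, which is why both appear here.
VNET_RANGES = [
    ipaddress.ip_network("10.10.0.0/16"),     # Azure VNet (constructed)
    ipaddress.ip_network("192.168.0.0/16"),   # on-prem via VPN (constructed)
]

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int       # lower number is evaluated first
    direction: str      # "Inbound" or "Outbound"
    access: str         # "Allow" or "Deny"
    protocol: str       # "Tcp", "Udp" or "*"
    source: str         # CIDR, service tag or "*"
    destination: str    # CIDR, service tag or "*"
    dest_ports: str     # "443", "80-443", "22,3389" or "*"

@dataclass(frozen=True)
class Flow:
    direction: str
    protocol: str
    src_ip: str
    dst_ip: str
    dst_port: int

def _addr_matches(spec: str, ip_str: str) -> bool:
    """Resolve a CIDR or a (simplified) service tag against one address."""
    ip = ipaddress.ip_address(ip_str)
    if spec == "*":
        return True
    if spec == "VirtualNetwork":
        return any(ip in net for net in VNET_RANGES)
    if spec == "Internet":
        # Simplification of Azure's Internet tag: anything outside the VNet.
        return not any(ip in net for net in VNET_RANGES)
    if spec == "AzureLoadBalancer":
        return ip == ipaddress.ip_address("168.63.129.16")  # Azure's LB/health-probe source
    return ip in ipaddress.ip_network(spec, strict=False)

def _port_matches(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def evaluate(rules, flow: Flow):
    """Return (access, rule_name) for the first rule that matches the flow,
    scanning rules in ascending priority order exactly as an NSG does."""
    for r in sorted(rules, key=lambda r: r.priority):
        if r.direction != flow.direction:
            continue
        if r.protocol != "*" and r.protocol.lower() != flow.protocol.lower():
            continue
        if not (_addr_matches(r.source, flow.src_ip) and _addr_matches(r.destination, flow.dst_ip)):
            continue
        if not _port_matches(r.dest_ports, flow.dst_port):
            continue
        return r.access, r.name
    return "Deny", "<no match>"   # unreachable with the default rules present

# The six default rules present in every Azure NSG (priorities 65000-65500).
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "*", "Internet", "*"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*", "*"),
]

# Constructed custom rule: deny all egress to the Internet tag. Any allow-listed
# destinations would go in rules with a lower priority number than this one.
DENY_INTERNET_OUT = Rule("DenyInternetOutBound", 4000, "Outbound", "Deny", "*", "*", "Internet", "*")

VM_IP = "10.10.1.4"          # constructed Azure VM address
WEBSITE = "203.0.113.10"     # constructed public address (RFC 5737 TEST-NET-3)
ONPREM_HOST = "192.168.5.20" # constructed on-prem host

def inbound_from_internet():
    return evaluate(DEFAULT_RULES, Flow("Inbound", "Tcp", WEBSITE, VM_IP, 443))

def inbound_from_onprem():
    return evaluate(DEFAULT_RULES, Flow("Inbound", "Tcp", ONPREM_HOST, VM_IP, 443))

def outbound_https_default():
    return evaluate(DEFAULT_RULES, Flow("Outbound", "Tcp", VM_IP, WEBSITE, 443))

def outbound_https_hardened():
    return evaluate(DEFAULT_RULES + [DENY_INTERNET_OUT], Flow("Outbound", "Tcp", VM_IP, WEBSITE, 443))

if __name__ == "__main__":
    for label, fn in [("inbound from Internet", inbound_from_internet),
                      ("inbound from on-prem via VPN", inbound_from_onprem),
                      ("outbound HTTPS, default rules", outbound_https_default),
                      ("outbound HTTPS, with DenyInternetOutBound", outbound_https_hardened)]:
        print(f"{label:45s} -> {fn()}")
```

The inbound checks show what the thread agrees on: the Internet source never matches `AllowVnetInBound`, so it falls through to `DenyAllInBound`, while the on-prem host matches the `VirtualNetwork` tag and is allowed. The outbound checks answer the original question: with only the default rules, `AllowInternetOutBound` at priority 65001 admits the VM's HTTPS request to any public address, so egress is unfiltered by the NSG unless you add a rule above it (as `DenyInternetOutBound` does here) or route that traffic through Azure Firewall with a user-defined route, where it can be filtered by FQDN and inspected. An NSG can only make the layer 3/4 decision shown above; whether the destination is a legitimate update server or something else is not something it can tell.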
