Forum Discussion
Chipperchoi79
Feb 17, 2024 Copper Contributor
Question about Azure firewall
Hey all, I have a few servers that are migrated to Azure and connected back to On Prem via S2S VPN. None of the servers in Azure have any public IPs associated with it and only protected via NSGs t...
Kidd_Ip
Feb 17, 2024 MVP
NSG covers layers 3 and 4, while Azure Firewall goes up to layer 7. Azure Firewall also offers next-generation firewall capabilities such as packet inspection and intrusion detection. Please consider the above.
Chipperchoi79
Feb 17, 2024 Copper Contributor
Thanks for the reply, but the question is really about needing the firewall if the servers are not public facing. They don't have any public IPs or all inbound traffic to them is blocked on the NSG, so there is really no traffic to inspect other than the http/s traffic mentioned.
The way I understand it is, since the only https traffic coming in is in response to the requests being submitted by the server, it doesn't need to be inspected, but please correct me if I am way off base here.
Matthias-Braun
Jun 25, 2024 Brass Contributor
If an Azure Windows VM is accessible via the Internet but does not have a public IP address, it is not directly accessible from the outside by default.
Here are some reasons why an attacker cannot simply access the VM via HTTPS:
- Network Security Groups (NSGs): By default, NSGs allow outbound traffic, but block inbound traffic. So an attacker cannot initiate a connection.
- No public IP address: Without a public IP address, the VM cannot be directly accessed from the outside.
A firewall is therefore not necessary, as this can be controlled more easily and cost-effectively via NSG.
If requirements change, such as external access to certain applications, this could be protected by an application firewall.
I hope this answers your question.
Regards,
Matthias
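The NSG behaviour discussed in this thread, as an added example that is not part of any post: a simplified Python model of Azure's default NSG rules plus stateful flow tracking, showing why unsolicited inbound HTTPS is denied, why replies to server-initiated HTTPS are allowed, and that the default rules still admit the on-prem range reached over the S2S VPN. The address ranges, the `Nsg` class and the reduced service-tag matching are assumptions made for illustration; no custom rules are modelled.

```python
import ipaddress

# Azure's built-in default NSG rules: (priority, name, source tag, dest tag, action).
DEFAULT_INBOUND = [
    (65000, "AllowVnetInBound", "VirtualNetwork", "VirtualNetwork", "Allow"),
    (65001, "AllowAzureLoadBalancerInBound", "AzureLoadBalancer", "*", "Allow"),
    (65500, "DenyAllInBound", "*", "*", "Deny"),
]
DEFAULT_OUTBOUND = [
    (65000, "AllowVnetOutBound", "VirtualNetwork", "VirtualNetwork", "Allow"),
    (65001, "AllowInternetOutBound", "*", "Internet", "Allow"),
    (65500, "DenyAllOutBound", "*", "*", "Deny"),
]

# Constructed address plan: the Azure VNet plus the on-prem range behind the S2S VPN.
VNET_AND_ONPREM = [ipaddress.ip_network(n) for n in ("10.1.0.0/16", "192.168.0.0/16")]
AZURE_LB = ipaddress.ip_address("168.63.129.16")  # Azure platform virtual IP

def tag_matches(tag, ip):
    """Simplified service-tag matching (assumption: only these four tags exist)."""
    ip = ipaddress.ip_address(ip)
    in_vnet = any(ip in net for net in VNET_AND_ONPREM)
    if tag == "*":
        return True
    if tag == "VirtualNetwork":
        return in_vnet
    if tag == "AzureLoadBalancer":
        return ip == AZURE_LB
    if tag == "Internet":
        return not in_vnet and ip != AZURE_LB
    return False

class Nsg:
    """Hypothetical model of an NSG holding only the default rules."""
    def __init__(self):
        self.flows = set()  # flows already allowed; NSGs are stateful

    def evaluate(self, direction, src, sport, dst, dport):
        # Return traffic of an existing flow is allowed without re-checking rules.
        if (dst, dport, src, sport) in self.flows:
            return "Allow", "existing flow"
        rules = DEFAULT_INBOUND if direction == "in" else DEFAULT_OUTBOUND
        for _prio, name, s_tag, d_tag, action in sorted(rules):
            if tag_matches(s_tag, src) and tag_matches(d_tag, dst):
                if action == "Allow":
                    self.flows.add((src, sport, dst, dport))
                return action, name
        return "Deny", "no match"
```

The outbound side is where these servers talk to the Internet: `AllowInternetOutBound` lets any destination through, and that is the traffic a layer 7 firewall would filter and an NSG does not.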