1. I am trying to evaluate Azure Firewall Premium as an NGFW for use in an intranet VNet. I have set the AZFW in forced tunnel mode. But since we can't avoid using a public IP for the firewall management, we are trying to apply an NSG to "AzureFirewallManagementSubnet" to justify allowing us to use a public IP address in the intranet hub zone (we wanted to justify it by using the NSG to protect the subnet and allow access to the PIP). But I noticed the NSG doesn't get applied and shows an error.
Is this expected behaviour?
2. Is Azure Firewall Premium a recommended NGFW solution for use in an intranet hub zone from a security governance aspect, whereby we don't wish to have a public IP? If we end up having to use a public IP, we were trying to see if an NSG can be used to control traffic via the public IP.
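For context on the forced-tunnel layout the question describes, the following Az PowerShell script is an added example (not code from the original post or from Microsoft's documentation) of the subnet and route-table arrangement Azure expects for forced tunnelling: a dedicated AzureFirewallManagementSubnet with its own public IP and a route table whose default route goes to Internet with BGP propagation disabled, and an AzureFirewallSubnet whose default route is sent to the VPN/ExpressRoute gateway. The script assumes the resource group, VNet name, address ranges and resource names shown (all constructed), that the Az.Network module is loaded and that a virtual network gateway already exists in the VNet. It deliberately attaches no NSG to either firewall subnet and ends with a check that lists what each firewall subnet actually carries, so a reviewer can confirm the configuration rather than rely on the portal.

```powershell
# Added example (assumed names and address ranges, not from the original post).
$rg       = "rg-hub-intranet"
$location = "westeurope"
$vnetName = "vnet-hub"

# Two dedicated subnets: AzureFirewallSubnet (data plane) and AzureFirewallManagementSubnet (control plane).
$fwSubnet   = New-AzVirtualNetworkSubnetConfig -Name "AzureFirewallSubnet" -AddressPrefix "10.0.1.0/26"
$mgmtSubnet = New-AzVirtualNetworkSubnetConfig -Name "AzureFirewallManagementSubnet" -AddressPrefix "10.0.2.0/26"
$vnet = New-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg -Location $location `
    -AddressPrefix "10.0.0.0/16" -Subnet $fwSubnet, $mgmtSubnet

# Management subnet: default route straight to Internet, BGP route propagation disabled,
# so on-prem advertised default routes never pull the management traffic into the tunnel.
$mgmtRoute = New-AzRouteConfig -Name "mgmt-default-internet" -AddressPrefix "0.0.0.0/0" -NextHopType Internet
$mgmtRt = New-AzRouteTable -Name "rt-fw-mgmt" -ResourceGroupName $rg -Location $location `
    -Route $mgmtRoute -DisableBgpRoutePropagation

# Data-plane subnet: forced tunnelling, every non-VNet destination goes to the on-prem gateway.
$dataRoute = New-AzRouteConfig -Name "fw-default-onprem" -AddressPrefix "0.0.0.0/0" -NextHopType VirtualNetworkGateway
$dataRt = New-AzRouteTable -Name "rt-fw-data" -ResourceGroupName $rg -Location $location -Route $dataRoute

# Bind the route tables to the subnets. No -NetworkSecurityGroup is passed for either subnet.
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name "AzureFirewallManagementSubnet" `
    -AddressPrefix "10.0.2.0/26" -RouteTable $mgmtRt | Out-Null
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name "AzureFirewallSubnet" `
    -AddressPrefix "10.0.1.0/26" -RouteTable $dataRt | Out-Null
$vnet = $vnet | Set-AzVirtualNetwork

# Public IPs: one for the data plane, one reserved for the management plane.
$dataPip = New-AzPublicIpAddress -Name "pip-fw-data" -ResourceGroupName $rg -Location $location `
    -AllocationMethod Static -Sku Standard
$mgmtPip = New-AzPublicIpAddress -Name "pip-fw-mgmt" -ResourceGroupName $rg -Location $location `
    -AllocationMethod Static -Sku Standard

# Premium firewall in the VNet; supplying -ManagementPublicIpAddress is what enables forced tunnelling.
$fw = New-AzFirewall -Name "azfw-hub" -ResourceGroupName $rg -Location $location `
    -VirtualNetwork $vnet -PublicIpAddress $dataPip -ManagementPublicIpAddress $mgmtPip `
    -SkuName AZFW_VNet -SkuTier Premium

# Review check: list NSG and route-table state of both firewall subnets as actually deployed.
$deployed = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg
foreach ($s in $deployed.Subnets | Where-Object { $_.Name -like "AzureFirewall*" }) {
    [pscustomobject]@{
        Subnet     = $s.Name
        HasNsg     = ($null -ne $s.NetworkSecurityGroup)
        RouteTable = ($s.RouteTable.Id -split "/")[-1]
    }
}
```

The check at the end is the part worth keeping in a governance review: it records that the management subnet has no NSG and carries only the Internet default route, which is the configuration to document when justifying the management public IP. Traffic control for the firewall itself then lives in the firewall policy (rule collections, threat intelligence, TLS inspection and IDPS on the Premium tier), not in a subnet NSG.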