1. I am trying to evaluate AzureFirewall premium as an NGFW for use in an Intranet vnet. I have set the AZFW in forced tunnel mode. But since we can't avoid using the public ip for the firewall management, we are trying to apply NSG to "AzureFirewallManagementSubnet" and justify allowing to us public ip address for use in the intranet hub zone (but we wanted to justify it by using NSG to protect the subnet and allow the PIP to access). But I noticed the NSG doesn't get applied and shows error.
Is this an expected behaviour?
2. Is Azure Firewall Premium a recommended NGFW solution for use in an Intranet hub zone from a security governance aspect, whereby we don't wish to have a public ip? If we end up having to use a public ip, we were trying to see if NSG can be used to control traffic via the public ip
1. Yes. It is common not to be allowed to apply NSG or custom routes to system-managed subnets such as AzureFirewallManagementSubnet and GatewaySubnet, for example.
2. Yes. Azure Firewall is a great NGFW option for most scenarios, but you can also leverage third party NVAs if you need.
The public IP address is required only for the ManagementSubnet, which is a separate subnet for operational purposes. In addition, by default, Azure Firewall denies all traffic, until rules are manually configured to allow traffic, i.e. no traffic will be allowed through the public addresses until someone allows it.