Best practices regarding use of NSGs versus NextGen Firewall appliances in Azure environments


As resources are shifting from on-premise to Azure, I'm looking for perspectives on best practices for when to use a NextGen firewall appliance in addition to or in place of the Azure NSGs.

My understanding is that the NSG essentially only provides the firewall rule type of functionality and not some of the features that would typically be associated with a NextGen firewall (intrusion prevention, virus prevention, web content filtering, etc.). As my typical thinking would be that any office where business is performed is best served by having a perimeter NGFW, I am slow to understand scenarios where I would not want them in Azure as well, and am looking for other perspectives or how others are deploying in their environments.

Thank you in advance for any input!

1 Reply

@Mike_O You can use an NGFW for your cloud environment to add additional security and have more advanced filtering and detections. Azure NSGs provide a virtual firewall to allow or deny specific ports or protocols.

For NSG best practices, follow the blog below:

https://blogs.msdn.microsoft.com/igorpag/2016/05/14/azure-network-security-groups-nsg-best-practices...