The Short Answer
- NSGs — Layer 4 traffic filtering at the subnet or NIC level. Think of them as your basic access control lists (ACLs).
- Azure Firewall Standard — A fully managed, stateful Layer 4/7 firewall for centralized traffic control across your VNet or hub-spoke topology.
- Azure Firewall Premium — Everything in Standard, plus TLS inspection, IDPS, and URL filtering. Built for regulated industries and high-security environments.
They're not competing tools — they work together. But knowing how they fit together changes everything about your architecture.
Network Security Groups (NSGs): Your Traffic ACLs
NSGs are the foundation of Azure network security. Every network engineer working in Azure needs to understand them cold.
An NSG is a set of inbound and outbound security rules that filter traffic based on source/destination IP address or range, port, and protocol (TCP, UDP, Any). You can apply NSGs at two levels:
- Subnet level — applies to all resources within that subnet
- NIC level — applies to a specific VM's network interface
What NSGs Do Well
- Fast, low-cost traffic filtering — no additional hourly charge
- Straightforward allow/deny rules with Service Tags like AzureLoadBalancer, Internet, and VirtualNetwork
- Application Security Groups (ASGs) for logical VM grouping without managing IP lists
What NSGs Cannot Do
- No FQDN-based filtering — you can't block malware.example.com
- No application-layer awareness or threat intelligence integration
- No centralized logging without extra configuration
- No outbound internet traffic control based on domain names
NSG rule priority is the #1 misconfiguration. Rules are processed from lowest number to highest (100 before 200) — the first matching rule wins. Placing a broad Allow Any rule at priority 100 is the most frequent issue we see in Azure environments.
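To make the rule-order point concrete, here is an added example (not Azure's code or the author's) that models NSG inbound evaluation in Python: rules sorted by priority number, first match wins, with the built-in DenyAllInBound rule as the fallback, plus an audit function that reports rules shadowed by an earlier, broader rule. The rule names, CIDRs and the priority-100 catch-all are constructed for the illustration; service tags are not modelled.

```python
# NSG inbound rule evaluation model (added example, not Azure's code): rules run from
# lowest priority number upward, first match wins. Service tags are not modelled.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int   # custom rules use 100-4096; lower number evaluates first
    access: str     # "Allow" or "Deny"
    protocol: str   # "Tcp", "Udp" or "*"
    source: str     # CIDR such as "10.20.0.0/16", or "*"
    dest_port: str  # "3389", "1000-2000" or "*"

def _ports(spec: str) -> tuple:
    lo, _, hi = spec.replace("*", "0-65535").partition("-")  # "*" means every port
    return int(lo), int(hi or lo)

def matches(rule: Rule, src_ip: str, proto: str, port: int) -> bool:
    proto_ok = rule.protocol == "*" or rule.protocol.lower() == proto.lower()
    src_ok = rule.source == "*" or ip_address(src_ip) in ip_network(rule.source)
    lo, hi = _ports(rule.dest_port)
    return proto_ok and src_ok and lo <= port <= hi

def evaluate(rules, src_ip: str, proto: str, port: int) -> str:
    """Verdict for one inbound flow as '<Allow|Deny>:<winning rule>'."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if matches(rule, src_ip, proto, port):
            return f"{rule.access}:{rule.name}"
    return "Deny:DenyAllInBound"  # Azure's built-in default inbound rule (priority 65500)

def covers(broad: Rule, narrow: Rule) -> bool:
    """True when every flow matching `narrow` would already have matched `broad`."""
    proto_ok = broad.protocol == "*" or broad.protocol.lower() == narrow.protocol.lower()
    src_ok = broad.source == "*" or (narrow.source != "*" and
             ip_network(narrow.source).subnet_of(ip_network(broad.source)))
    (blo, bhi), (nlo, nhi) = _ports(broad.dest_port), _ports(narrow.dest_port)
    return proto_ok and src_ok and blo <= nlo and nhi <= bhi

def shadowed_rules(rules) -> list:
    """Audit check: rules that can never match because an earlier rule covers them."""
    ordered = sorted(rules, key=lambda r: r.priority)
    return [r.name for i, r in enumerate(ordered) if any(covers(e, r) for e in ordered[:i])]

MISCONFIGURED = [  # constructed sample: the broad Allow at priority 100 described above
    Rule("AllowAnyInbound", 100, "Allow", "*", "*", "*"),
    Rule("DenyRdpFromInternet", 200, "Deny", "Tcp", "0.0.0.0/0", "3389"),
    Rule("AllowSshFromCorp", 300, "Allow", "Tcp", "10.20.0.0/16", "22"),
]
FIXED = MISCONFIGURED[1:]  # drop the catch-all so the specific rules decide
```

Running `shadowed_rules(MISCONFIGURED)` flags both specific rules as dead, and `evaluate(MISCONFIGURED, "203.0.113.5", "Tcp", 3389)` returns the catch-all Allow even though a Deny for RDP exists.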
Azure Firewall Standard: Centralized, Stateful Control
Azure Firewall is a managed, cloud-native firewall service that sits at the hub of your network architecture. Unlike NSGs — distributed across subnets and NICs — Azure Firewall gives you one place to control and log all traffic flowing in, out, and across your VNets.
FQDN Filtering
You can allow or deny traffic based on fully qualified domain names. Instead of managing IP lists that change constantly, you write rules like: allow outbound to *.windowsupdate.com or deny outbound to *.torrent.com.
Threat Intelligence
Azure Firewall Standard includes Microsoft's threat intelligence feed. Traffic to/from known malicious IPs and domains gets flagged or denied automatically — no extra configuration needed.
Centralized Logging
All traffic flows through one point, making logging and monitoring in Microsoft Sentinel or Log Analytics far simpler than stitching together NSG flow logs from dozens of subnets.
Azure Firewall always deploys into a dedicated subnet called AzureFirewallSubnet; this name is not optional, Azure requires it exactly. For most organizations, it sits in a hub VNet with User Defined Routes (UDRs) forcing all spoke traffic through it.
Azure Firewall Premium: When Standard Isn't Enough
Azure Firewall Premium builds on Standard with three major capabilities that matter in regulated or high-security environments:
1. TLS Inspection
Standard Azure Firewall can see that traffic is going to *.example.com but cannot inspect the payload of encrypted HTTPS sessions. Premium decrypts, inspects, and re-encrypts TLS traffic — meaning threats hiding inside HTTPS connections become visible. This requires deploying an intermediate CA certificate distributed to your clients so they trust the firewall's re-signed certificates.
2. Intrusion Detection and Prevention (IDPS)
Premium includes a signature-based IDPS engine with 58,000+ signatures updated in real time. You can run it in Alert mode (logs matches, doesn't block) or Alert and Deny mode (actively blocks matched signatures). This is the closest Azure-native equivalent to a traditional NGFW like Palo Alto or Fortinet — without deploying a third-party NVA.
3. URL Filtering
Standard gives you FQDN filtering. Premium adds full URL path filtering — so you can allow microsoft.com but block microsoft.com/downloads/specificfile.exe. That granular control matters for compliance requirements like PCI-DSS and HIPAA.
Azure Firewall Premium runs approximately $1.25/hour for the deployment plus data processing charges — roughly $900–$1,300+/month before traffic volume. For enterprises this is easily justified. For smaller deployments, Standard is usually the right call.
Decision Framework: Which One Do You Actually Need?
Work through this in order:
Step 1 — You always need NSGs. There is no scenario where NSGs are optional. Deploy them on every subnet as your baseline layer of defense. They're free and add defense-in-depth even when you have a firewall in place.
Step 2 — Do you need centralized control and FQDN filtering? If yes → deploy Azure Firewall Standard. It's the right choice for most Azure environments with multiple VNets, hub-spoke topologies, or any requirement for outbound internet filtering by domain name.
Step 3 — Do you have any of these requirements? TLS inspection for encrypted traffic, signature-based IDPS, compliance requirements (PCI-DSS, HIPAA, FedRAMP), or URL-level filtering. If yes → Azure Firewall Premium is warranted.
Quick Reference Comparison
| Feature | NSG | Firewall Standard | Firewall Premium |
|---|---|---|---|
| Layer 4 filtering | ✓ | ✓ | ✓ |
| FQDN filtering | ✗ | ✓ | ✓ |
| Threat intelligence | ✗ | ✓ | ✓ |
| Application rules | ✗ | ✓ | ✓ |
| TLS inspection | ✗ | ✗ | ✓ |
| IDPS (58k+ signatures) | ✗ | ✗ | ✓ |
| URL path filtering | ✗ | ✗ | ✓ |
| Centralized logging | ✗ | ✓ | ✓ |
| Approx. monthly cost | Free | ~$900/mo base | ~$1,300/mo base |
| Deployment scope | Subnet / NIC | VNet / Hub | VNet / Hub |
What to remember from this article
- NSGs are not optional — use them everywhere as your baseline, even when Azure Firewall is deployed
- Azure Firewall Standard is the right choice for most organizations needing centralized control and FQDN filtering
- Azure Firewall Premium is justified when you need TLS inspection, IDPS, or PCI-DSS / HIPAA / FedRAMP compliance
- They complement each other — running Firewall without NSGs leaves east-west traffic between subnets uncontrolled
- Rule priority is the most common NSG misconfiguration — always audit rule order before going to production