Azure Security Basics: Network Security Groups, Firewalls, and Defender for Cloud

In today’s cloud-first world, securing your network infrastructure is no longer optional — it’s foundational. For organizations using Microsoft Azure, understanding the tools available to protect workloads, control traffic flow, and maintain visibility is essential.

In this article, we’ll walk through three core pillars of Azure network security:

  1. Network Security Groups (NSGs)
  2. Azure Firewall
  3. Microsoft Defender for Cloud

By the end, you should have a clearer grasp of what each offers, when to use them, and how they complement one another.

1. Network Security Groups (NSGs)

An NSG is often your first line of defense in Azure networking. It’s a lightweight but effective way to filter traffic at the subnet or network-interface level.

What is an NSG?

A Network Security Group defines rules that allow or deny inbound and outbound network traffic based on parameters such as source, destination, port, and protocol. Each rule has a priority number (lower means higher priority) — the first matching rule is applied and then processing stops.

How NSGs Work

  • NSGs operate at OSI layers 3 and 4 (network and transport).
  • Rules specify: source, destination, protocol (TCP/UDP/Any), port range, direction (inbound/outbound), and action (Allow or Deny).
  • Default rules are created automatically — for example, allowing internal virtual network traffic, load-balancer inbound traffic, and a default deny-all inbound rule.
  • NSGs can be associated either with subnets (so they affect multiple virtual machines or interfaces) or directly with network interfaces for finer granularity.
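The priority and first-match semantics above are easy to get wrong in practice, especially the interaction between custom rules and the default AllowVnetInBound rule. The following is an added example (not Microsoft code and not part of the original article) that models NSG evaluation in Python: custom rules are merged with the six default rules, sorted by priority, and the first matching rule decides. The virtual network range 10.0.0.0/16, the bastion subnet 10.0.250.0/24, and the way the VirtualNetwork and Internet service tags resolve are constructed assumptions; 168.63.129.16 is the well-known Azure load-balancer health-probe address.

```python
"""Toy model of Azure NSG rule evaluation (added example, not Microsoft's code).

Constructed assumptions for the simulation:
- the virtual network is 10.0.0.0/16, so the 'VirtualNetwork' tag resolves to it;
- the 'Internet' tag resolves to any address outside that range;
- the 'AzureLoadBalancer' tag resolves to the health-probe address 168.63.129.16.
"""
import ipaddress
from dataclasses import dataclass

VNET = ipaddress.ip_network("10.0.0.0/16")
LB_PROBE = ipaddress.ip_address("168.63.129.16")


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int       # custom rules use 100-4096; a lower number wins
    direction: str      # "Inbound" or "Outbound"
    access: str         # "Allow" or "Deny"
    protocol: str       # "Tcp", "Udp" or "*"
    source: str         # CIDR, single IP, service tag or "*"
    destination: str
    dest_port: str      # "22", "1024-65535" or "*"


# Azure creates these in every NSG; they can be overridden by a lower
# priority number but never deleted.
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "*", "Internet", "*"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*", "*"),
]

# Constructed custom rules: SSH only from the bastion subnet, HTTPS from the
# internet to the front-end subnet, and an explicit deny so that the default
# AllowVnetInBound rule cannot let any other VM reach port 22.
CUSTOM_RULES = [
    Rule("AllowSshFromBastion", 100, "Inbound", "Allow", "Tcp", "10.0.250.0/24", "*", "22"),
    Rule("AllowHttpsFromInternet", 200, "Inbound", "Allow", "Tcp", "Internet", "10.0.1.0/24", "443"),
    Rule("DenySshFromVnet", 300, "Inbound", "Deny", "Tcp", "VirtualNetwork", "*", "22"),
]


def _addr_matches(spec: str, ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    if spec == "*":
        return True
    if spec == "VirtualNetwork":
        return addr in VNET
    if spec == "Internet":
        return addr not in VNET
    if spec == "AzureLoadBalancer":
        return addr == LB_PROBE
    return addr in ipaddress.ip_network(spec, strict=False)


def _port_matches(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def _proto_matches(spec: str, proto: str) -> bool:
    return spec == "*" or spec.lower() == proto.lower()


def evaluate(custom_rules, direction, src, dst, proto, port):
    """Return (access, rule_name) for one flow: first match by priority wins."""
    rules = [r for r in (*custom_rules, *DEFAULT_RULES) if r.direction == direction]
    for r in sorted(rules, key=lambda r: r.priority):
        if (_proto_matches(r.protocol, proto)
                and _addr_matches(r.source, src)
                and _addr_matches(r.destination, dst)
                and _port_matches(r.dest_port, port)):
            return r.access, r.name   # processing stops at the first match
    raise RuntimeError("unreachable: the default deny rules match everything")


if __name__ == "__main__":
    flows = [
        ("Inbound", "10.0.250.5", "10.0.1.4", "Tcp", 22),     # bastion -> VM
        ("Inbound", "10.0.2.9", "10.0.1.4", "Tcp", 22),       # peer VM -> VM
        ("Inbound", "203.0.113.7", "10.0.1.4", "Tcp", 443),   # internet -> front end
        ("Inbound", "203.0.113.7", "10.0.2.4", "Tcp", 443),   # internet -> data subnet
        ("Outbound", "10.0.1.4", "198.51.100.9", "Tcp", 443), # VM -> internet
    ]
    for flow in flows:
        print(flow, "->", evaluate(CUSTOM_RULES, *flow))
```

Note the second flow: without the DenySshFromVnet rule at priority 300, SSH from any VM in the virtual network would fall through to the default AllowVnetInBound rule at 65000 and be allowed, which is exactly the lateral-movement path segmentation is meant to close.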

Use Cases and Best Practices

  • Use NSGs to segment your network. For instance, you might have a management subnet, front-end subnet, and data subnet, each with its own NSG.
  • Use NSGs to restrict traffic tightly. For example, deny inbound internet traffic except through a bastion or jump host.
  • Use service tags or application security groups to simplify management instead of creating individual IP-based rules.
  • Avoid overly permissive rules. An inbound rule allowing “Any source / Any port / Internet” is a red flag. Azure Defender often flags these as high-severity risks.

Limitations

  • NSGs provide basic traffic filtering but do not inspect traffic at the application layer (OSI layer 7).
  • They lack deep packet inspection and threat-intelligence capabilities.
  • NSGs alone are not sufficient for advanced threats and should form part of a layered strategy.

2. Azure Firewall

When your network needs enterprise-grade protection, including traffic inspection, threat intelligence, and centralized policy enforcement, Azure Firewall becomes essential.

What is Azure Firewall?

Azure Firewall is a fully managed, cloud-native network security service that provides stateful packet inspection, unlimited scalability, and protection for both internal (east-west) and internet (north-south) traffic. It supports OSI layers 3 through 7, offering a more comprehensive layer of defense compared to NSGs.

Key Features

  • Threat intelligence-based filtering: Azure Firewall can block traffic flagged as malicious based on Microsoft’s threat intelligence feeds.
  • FQDN-based rules: You can author rules based on fully qualified domain names (including predefined FQDN tags) instead of IP addresses.
  • SNAT and DNAT support: Source and destination network address translation for inbound and outbound internet traffic.
  • Premium SKU: Adds intrusion detection, TLS inspection, URL filtering, and advanced threat protection.
  • Centralized logging: All traffic and activity can be logged to Azure Monitor or Sentinel for auditing and incident response.

When to Use Azure Firewall

  • When you need a centralized gateway that inspects all inbound and outbound traffic and enforces company-wide security policies.
  • When you need application-layer filtering or threat intelligence.
  • When you have a large-scale environment with many virtual networks and need unified management and visibility.

Azure Firewall vs NSG

Both are crucial but serve different purposes.

  • Use NSGs for local segmentation and simple allow/deny filtering at the subnet or interface level.
  • Use Azure Firewall at the network perimeter or central hub for deep packet inspection, logging, and advanced threat protection.

In practice, the best approach is to use both together in a layered security model.

3. Microsoft Defender for Cloud

Once you’ve secured your network with NSGs and Firewalls, you still need visibility, assessment, and threat detection. Microsoft Defender for Cloud provides that visibility and continuous monitoring.

What is Defender for Cloud?

Defender for Cloud is a unified cloud-security posture management and workload protection platform. It continuously analyzes your Azure resources, provides security recommendations, and alerts you about vulnerabilities or misconfigurations.

For networking, Defender for Cloud evaluates your NSGs, Firewall configurations, and inbound/outbound permissions, and flags overly permissive or risky rules.

Why It Matters for Network Security

  • Actionable recommendations: It highlights misconfigurations such as open ports, overly permissive NSG rules, or exposed public IPs.
  • Visibility: Defender for Cloud provides a holistic view of your entire Azure network, helping you identify weak spots and potential exposures.
  • Automated remediation: The platform guides you through remediation steps or automates certain fixes.
  • Integration: It integrates with Microsoft Sentinel, Azure Policy, and third-party SIEM tools for extended monitoring.
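The "Any source / Any port / Internet" red flag from the NSG section and the open-port and overly-permissive-rule recommendations listed here can be checked before Defender for Cloud ever reports them. The following added example (not Microsoft code and not the article's own) audits an NSG's rule list in Python. The input is a constructed sample shaped like the securityRules array of an NSG exported from Azure Resource Manager (the property names sourceAddressPrefix, destinationPortRange and so on are the ARM ones; the rule names and values are made up), and the severity model is a simplified stand-in for Defender for Cloud's, not a reproduction of it. It lints each rule on its own and does not model one rule shadowing another.

```python
"""Lint NSG inbound rules for internet exposure (added example, not Microsoft's
code; the severity model is a simplified stand-in for Defender for Cloud's).

SAMPLE_RULES is constructed to look like the securityRules array of an NSG
exported from Azure Resource Manager; names and values are invented."""

MGMT_PORTS = {22: "SSH", 3389: "RDP"}
INTERNET_SOURCES = {"*", "Internet", "0.0.0.0/0"}

SAMPLE_RULES = [
    {"name": "AllowRdpFromAnywhere", "properties": {
        "priority": 100, "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
        "sourceAddressPrefix": "*", "destinationAddressPrefix": "*",
        "destinationPortRange": "3389"}},
    {"name": "AllowAllFromInternet", "properties": {
        "priority": 110, "direction": "Inbound", "access": "Allow", "protocol": "*",
        "sourceAddressPrefix": "Internet", "destinationAddressPrefix": "*",
        "destinationPortRange": "*"}},
    {"name": "AllowHttpsFromInternet", "properties": {
        "priority": 120, "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
        "sourceAddressPrefix": "Internet", "destinationAddressPrefix": "10.0.1.0/24",
        "destinationPortRange": "443"}},
    {"name": "AllowSshFromBastion", "properties": {
        "priority": 130, "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
        "sourceAddressPrefix": "10.0.250.0/24", "destinationAddressPrefix": "*",
        "destinationPortRange": "22"}},
    {"name": "DenyAllInbound", "properties": {
        "priority": 4000, "direction": "Inbound", "access": "Deny", "protocol": "*",
        "sourceAddressPrefix": "*", "destinationAddressPrefix": "*",
        "destinationPortRange": "*"}},
]


def _sources(props):
    # ARM rules carry either a single prefix or a list of prefixes.
    return props.get("sourceAddressPrefixes") or [props.get("sourceAddressPrefix", "*")]


def _ports(props):
    return props.get("destinationPortRanges") or [props.get("destinationPortRange", "*")]


def _covers_port(spec, port):
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def audit_nsg(rules):
    """Return (rule_name, severity, reason) for every inbound Allow rule that
    is reachable from the internet, worst offenders first by priority order."""
    findings = []
    for rule in sorted(rules, key=lambda r: r["properties"]["priority"]):
        p = rule["properties"]
        if p["direction"] != "Inbound" or p["access"] != "Allow":
            continue
        if not any(s in INTERNET_SOURCES for s in _sources(p)):
            continue   # source is a specific range, tag or ASG: not internet-facing
        ports = _ports(p)
        if "*" in ports:
            findings.append((rule["name"], "High",
                             "allows any port from the internet; scope to the ports the workload needs"))
            continue
        exposed = [name for port, name in MGMT_PORTS.items()
                   if any(_covers_port(spec, port) for spec in ports)]
        if exposed:
            findings.append((rule["name"], "High",
                             f"exposes {'/'.join(exposed)} to the internet; use JIT access or a bastion"))
        else:
            findings.append((rule["name"], "Medium",
                             f"exposes port(s) {','.join(ports)} to the internet; confirm this is intended"))
    return findings


if __name__ == "__main__":
    for name, severity, reason in audit_nsg(SAMPLE_RULES):
        print(f"[{severity}] {name}: {reason}")
```

Run against the sample, the audit reports the RDP-from-anywhere rule and the any-port rule as High, the HTTPS rule as Medium for review, and leaves the bastion-scoped SSH rule alone; feeding it a real export instead of the sample is a one-line change, since the property names match.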

Best Practices

  • Enable Defender for Cloud as soon as you set up your Azure environment — even the free tier provides valuable posture assessment.
  • Review the Networking Recommendations dashboard regularly and prioritize high-severity alerts.
  • Use Defender for Cloud to cross-check your Firewall and NSG rules to ensure they align with organizational security policies.
  • Combine with Azure Monitor or Log Analytics for deeper analysis and proactive alerting.

4. Bringing It All Together: A Layered Approach

To secure your Azure network effectively, you should adopt a layered defense strategy, also known as defense in depth.

Step 1: Baseline Filtering with NSGs

Use NSGs at the subnet or NIC level to control inbound and outbound traffic between different segments of your virtual network.

Step 2: Advanced Inspection with Azure Firewall

Deploy Azure Firewall at key boundaries (e.g., internet ingress/egress, hub-spoke architecture gateways) to inspect, log, and enforce application-level policies.

Step 3: Continuous Assessment with Defender for Cloud

Use Defender for Cloud to continuously monitor your environment, detect misconfigurations, and help you remediate security risks in real time.

Example Architecture

Imagine a hub-and-spoke Azure architecture:

  • The hub network hosts the Azure Firewall, which manages all external and inter-spoke communication.
  • Each spoke network has its own NSGs to isolate resources and prevent unauthorized lateral movement.
  • Defender for Cloud continuously monitors configurations and provides alerts for any potential exposure.

Benefits of This Approach

  • Reduced attack surface: NSGs limit unnecessary exposure, and Azure Firewall blocks malicious traffic.
  • Defense in depth: Multiple layers of protection ensure that even if one control fails, others still protect your environment.
  • Continuous visibility: Defender for Cloud gives a real-time view of your network security posture, helping you stay compliant.

5. Quick Setup Checklist

  1. Create or review your NSGs; ensure “deny all inbound” is active by default.
  2. Associate NSGs at the subnet or NIC level.
  3. Deploy Azure Firewall (Standard or Premium) for centralized traffic control.
  4. Enable Microsoft Defender for Cloud across your subscriptions.
  5. Review security recommendations regularly.
  6. Use Just-in-Time (JIT) VM access for management ports (RDP/SSH).
  7. Log and audit all changes through Azure Monitor or Sentinel.
  8. Revisit your configurations quarterly to adapt to evolving threats.

Securing your Azure environment doesn’t have to be complicated. By leveraging Network Security Groups for baseline control, Azure Firewall for advanced traffic inspection, and Microsoft Defender for Cloud for continuous monitoring, you can establish a strong, layered defense against both external and internal threats.

A well-planned Azure network security strategy ensures not only compliance but also peace of mind — knowing your applications and data are protected by some of the most advanced cloud security tools available today.