Azure NSG vs Azure Firewall vs Application Gateway

Last Updated: March 2026

One of the most common questions engineers ask when designing secure cloud environments is:

Should I use Azure NSG, Azure Firewall, or Application Gateway?

While all three services are used to control and secure network traffic in Microsoft Azure, they operate at different layers of the network stack and solve very different problems.

In real-world Azure deployments, these technologies are often used together, not as replacements for each other. However, confusion frequently arises because they all appear to perform similar functions: filtering traffic and protecting applications.

The reality is that:

  • Network Security Groups (NSGs) provide basic network-level filtering
  • Azure Firewall delivers centralised network security and threat protection
  • Application Gateway protects web applications at the application layer

Understanding how these components work together is essential for designing secure, scalable Azure architectures.

In this guide, we’ll explain:

  • The core differences between NSG, Azure Firewall, and Application Gateway
  • When to use each service
  • Real-world architecture patterns used in enterprise environments
  • Common mistakes IT teams make when deploying Azure network security

Quick Fix Summary

If you’re deciding which Azure security component to use:

  • Use NSG for basic subnet or NIC traffic filtering
  • Use Azure Firewall for centralized network security and outbound control
  • Use Application Gateway when protecting web applications with WAF
  • Most enterprise environments use all three together

Understanding the Azure Network Security Layers

Before comparing these services, it helps to understand where each one operates within the Azure networking stack.

Azure security can be broadly divided into three layers:

Security layer                    Azure service
Network layer filtering           Network Security Groups
Centralised network protection    Azure Firewall
Application layer protection      Application Gateway

Each component addresses different security requirements.


What is an Azure Network Security Group (NSG)?

An Azure Network Security Group (NSG) is the most basic network security control in Azure.

An NSG is a stateful Layer 3/4 packet filter: it allows or denies inbound and outbound traffic for a subnet or for an individual network interface. Because it is stateful, the return traffic of a flow that was allowed in one direction is allowed automatically.

Key Features

  • Layer 3 and Layer 4 filtering, evaluated per flow (stateful)
  • Allows or denies traffic based on:
    • Source address (IP, CIDR range, a service tag such as Internet or VirtualNetwork, or an application security group)
    • Destination address (same options)
    • Source or destination port
    • Protocol (TCP, UDP, ICMP or any)
  • Each rule carries a priority (100–4096); rules are evaluated from the lowest number upward and the first match wins, after which the built-in default rules apply (AllowVnetInBound, AllowAzureLoadBalancerInBound and DenyAllInBound at 65000, 65001 and 65500, with outbound counterparts)
  • Can be applied to:
    • Subnets
    • Individual virtual machine NICs

Example NSG Rule

Allow HTTPS traffic from the internet to a web server (an inbound rule, evaluated before the default rules):

Priority: 100
Direction: Inbound
Source: Internet (service tag)
Destination: Any (or the web subnet's address range)
Destination Port: 443
Protocol: TCP
Action: Allow

Inbound traffic that no custom rule matches, and that does not originate inside the virtual network, falls through to DenyAllInBound (priority 65500).
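The priority-ordered, first-match evaluation described above is easy to get wrong in practice, in particular the interaction between custom rules and the default AllowVnetInBound rule. The following is an added illustration written for this article, not Azure's own code: a small model of inbound NSG evaluation. Service tags are simplified and are an assumption of the model (VirtualNetwork is treated as the RFC 1918 ranges, Internet as any other address, AzureLoadBalancer as the health-probe address 168.63.129.16), the rule priorities are assumed, and the destination is assumed to be a NIC inside the VNet.

```python
"""Model of how an Azure NSG evaluates inbound traffic.

Added illustration for this article, not Azure's own code. Rules are tried in
ascending priority order and the first match wins; the three default inbound
rules (priorities 65000-65500) always sit after any custom rule (100-4096).
Service tags are simplified and are an assumption of this model:
'VirtualNetwork' is treated as the RFC 1918 ranges, 'Internet' as any other
address, and 'AzureLoadBalancer' as the health-probe address 168.63.129.16.
The destination is assumed to be a NIC inside the VNet, so the destination
side of AllowVnetInBound is not checked.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

PRIVATE_RANGES = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
AZURE_LB_PROBE = ip_address("168.63.129.16")


@dataclass(frozen=True)
class Rule:
    priority: int      # lower number is evaluated first; custom rules use 100-4096
    name: str
    source: str        # service tag ("Internet", "VirtualNetwork", ...), a CIDR, or "*"
    dest_port: str     # single port as a string, or "*"
    protocol: str      # "TCP", "UDP" or "*"
    action: str        # "Allow" or "Deny"


# Default inbound rules present in every NSG; they cannot be removed, only
# shadowed by a custom rule with a lower priority number.
DEFAULT_INBOUND = [
    Rule(65000, "AllowVnetInBound", "VirtualNetwork", "*", "*", "Allow"),
    Rule(65001, "AllowAzureLoadBalancerInBound", "AzureLoadBalancer", "*", "*", "Allow"),
    Rule(65500, "DenyAllInBound", "*", "*", "*", "Deny"),
]


def source_matches(source: str, src_ip: str) -> bool:
    """Simplified service-tag resolution (model assumption, see module docstring)."""
    addr = ip_address(src_ip)
    is_private = any(addr in net for net in PRIVATE_RANGES)
    if source == "*":
        return True
    if source == "VirtualNetwork":
        return is_private
    if source == "Internet":
        return not is_private and addr != AZURE_LB_PROBE
    if source == "AzureLoadBalancer":
        return addr == AZURE_LB_PROBE
    return addr in ip_network(source, strict=False)


def rule_matches(rule: Rule, src_ip: str, port: int, proto: str) -> bool:
    port_ok = rule.dest_port == "*" or int(rule.dest_port) == port
    proto_ok = rule.protocol == "*" or rule.protocol == proto
    return port_ok and proto_ok and source_matches(rule.source, src_ip)


def evaluate_inbound(custom_rules, src_ip: str, port: int, proto: str = "TCP"):
    """Return (action, rule name) for the first rule that matches the flow."""
    ordered = sorted(custom_rules, key=lambda r: r.priority) + DEFAULT_INBOUND
    for rule in ordered:
        if rule_matches(rule, src_ip, port, proto):
            return rule.action, rule.name
    raise AssertionError("DenyAllInBound matches everything; unreachable")


# The rule from the article (its priority is assumed), plus one explicit deny
# that shows why intra-VNet segmentation needs custom rules: without it,
# AllowVnetInBound at 65000 lets any VNet host reach SSH on the web tier.
WEB_TIER_INBOUND = [
    Rule(100, "AllowHttpsFromInternet", "Internet", "443", "TCP", "Allow"),
    Rule(200, "DenySshFromVnet", "VirtualNetwork", "22", "TCP", "Deny"),
]

if __name__ == "__main__":
    # Constructed sample flows; 203.0.113.0/24 is an RFC 5737 documentation range.
    for src, port in [("203.0.113.7", 443), ("203.0.113.7", 22), ("10.0.2.5", 22), ("10.0.2.5", 8080)]:
        print(f"{src}:{port} -> {evaluate_inbound(WEB_TIER_INBOUND, src, port)}")
```

Run it and compare the two SSH flows: the one from the internet is stopped by DenyAllInBound, but the one from another VNet host is stopped only because DenySshFromVnet exists at priority 200. Remove that rule and the same flow is allowed by AllowVnetInBound at 65000.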

Real-World Usage

In most Azure environments, NSGs are used to:

  • Restrict subnet traffic
  • Protect backend servers
  • Control internal network segmentation

Limitations

NSGs match only on addresses, ports and protocols. They cannot perform:

  • Application-layer inspection or URL filtering
  • FQDN-based filtering (destinations must be expressed as IP ranges or service tags)
  • Threat intelligence filtering

For those capabilities, you need Azure Firewall or Application Gateway.


What is Azure Firewall?

Azure Firewall is a fully managed, stateful network firewall service that provides centralised network protection across Azure environments.

Unlike an NSG, which is evaluated at every subnet or NIC it is attached to, Azure Firewall is deployed into its own dedicated subnet (AzureFirewallSubnet) and inspects only traffic that is routed to it, typically by user-defined routes that send spoke traffic to the firewall's private IP address.

Key Features

  • Stateful packet inspection
  • Network rules (L3/L4) and application rules (FQDN and, with the Premium SKU, URL filtering)
  • FQDN filtering, including FQDN tags for Microsoft services
  • Threat intelligence filtering (alert or deny on known malicious IPs and domains)
  • TLS inspection and intrusion detection and prevention (IDPS) with the Premium SKU
  • Centralised logging and monitoring
  • Integration with Microsoft Defender for Cloud (formerly Azure Security Center)

Common Use Cases

Azure Firewall is typically deployed when organisations need:

  • Centralised outbound internet control
  • Network traffic inspection
  • Protection across multiple VNets
  • Hub-and-spoke network architectures

Example Rule

Allow outbound HTTPS to Microsoft services with an application rule:

Rule type: Application rule
Source: 10.0.0.0/16 (the spoke address space)
Protocol: https:443
Target FQDN: *.microsoft.com
Action: Allow

Application rules match on the requested host name rather than on the destination IP. For HTTPS that is not being decrypted, the firewall reads that name from the TLS Server Name Indication (SNI) in the client's handshake, so a connection that carries no SNI, or a non-HTTP protocol on port 443, cannot be matched by FQDN and must be handled by a network rule instead.
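To make the processing order concrete, here is an added illustration written for this article (not Azure's own code): a model of how an outbound flow is matched against network and application rule collections. It follows the documented order, network rule collections before application rule collections, collections in ascending priority, first match terminates, implicit deny otherwise. The rule collections, addresses and host names are constructed; the treatment of a wildcard as matching subdomains only is an assumption of the model, and DNAT rules and threat intelligence filtering are left out.

```python
"""Model of Azure Firewall rule processing for an outbound flow from a spoke.

Added illustration for this article, not Azure's own code. It follows the
documented order: network rule collections are evaluated before application
rule collections, collections are taken in ascending priority, and the first
matching rule ends processing; a flow that matches nothing is denied.
Application rules cover only HTTP and HTTPS here and match on the host name,
which for HTTPS without TLS inspection is the SNI from the TLS ClientHello.
Assumptions of this model: a wildcard such as *.microsoft.com matches
subdomains only, so an apex name must be listed separately; threat
intelligence filtering and DNAT rules are left out.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class NetworkRule:
    name: str
    protocols: Tuple[str, ...]       # "TCP", "UDP" or "Any"
    dest_cidrs: Tuple[str, ...]
    dest_ports: Tuple[object, ...]   # ints, or "*"


@dataclass(frozen=True)
class ApplicationRule:
    name: str
    protocols: Tuple[str, ...]       # "http:80", "https:443"
    target_fqdns: Tuple[str, ...]


@dataclass(frozen=True)
class RuleCollection:
    name: str
    priority: int
    action: str                       # "Allow" or "Deny"
    rules: tuple


@dataclass(frozen=True)
class Flow:
    dest_ip: str
    dest_port: int
    protocol: str                     # "TCP" or "UDP"
    host: Optional[str] = None        # SNI or HTTP Host header, if the flow carries one


def fqdn_matches(pattern: str, host: str) -> bool:
    host = host.lower()
    if pattern.startswith("*."):
        # Suffix match on ".domain": "evil-microsoft.com" does not end with ".microsoft.com".
        return host.endswith(pattern[1:].lower())
    return host == pattern.lower()


def network_rule_matches(rule: NetworkRule, flow: Flow) -> bool:
    proto_ok = "Any" in rule.protocols or flow.protocol in rule.protocols
    port_ok = "*" in rule.dest_ports or flow.dest_port in rule.dest_ports
    ip_ok = any(ip_address(flow.dest_ip) in ip_network(c) for c in rule.dest_cidrs)
    return proto_ok and port_ok and ip_ok


def application_rule_matches(rule: ApplicationRule, flow: Flow) -> bool:
    if flow.host is None or flow.protocol != "TCP":
        return False                      # no host name: an application rule cannot match
    proto = {80: "http:80", 443: "https:443"}.get(flow.dest_port)
    if proto not in rule.protocols:
        return False
    return any(fqdn_matches(p, flow.host) for p in rule.target_fqdns)


def evaluate(network_collections, application_collections, flow: Flow):
    """Return (action, 'collection/rule') for the first match, or the implicit deny."""
    for coll in sorted(network_collections, key=lambda c: c.priority):
        for rule in coll.rules:
            if network_rule_matches(rule, flow):
                return coll.action, f"{coll.name}/{rule.name}"
    for coll in sorted(application_collections, key=lambda c: c.priority):
        for rule in coll.rules:
            if application_rule_matches(rule, flow):
                return coll.action, f"{coll.name}/{rule.name}"
    return "Deny", "implicit-deny"


# Constructed policy. The application rule is the one from the article.
NETWORK_COLLECTIONS = [
    RuleCollection("deny-known-bad", 100, "Deny",
                   (NetworkRule("blocklisted-range", ("Any",), ("198.51.100.0/24",), ("*",)),)),
    RuleCollection("allow-infra", 200, "Allow",
                   (NetworkRule("dns-to-resolver", ("UDP",), ("10.0.0.4/32",), (53,)),)),
]
APPLICATION_COLLECTIONS = [
    RuleCollection("allow-microsoft", 100, "Allow",
                   (ApplicationRule("microsoft-https", ("https:443",), ("*.microsoft.com",)),)),
]

if __name__ == "__main__":
    samples = [                       # constructed flows; 192.0.2.0/24 and 198.51.100.0/24 are RFC 5737 ranges
        Flow("192.0.2.10", 443, "TCP", "login.microsoft.com"),
        Flow("192.0.2.10", 443, "TCP", "evil-microsoft.com"),
        Flow("198.51.100.5", 443, "TCP", "update.microsoft.com"),
        Flow("10.0.0.4", 53, "UDP"),
        Flow("192.0.2.10", 22, "TCP"),
    ]
    for f in samples:
        print(f, "->", evaluate(NETWORK_COLLECTIONS, APPLICATION_COLLECTIONS, f))
```

Two of the sample flows are worth pausing on: the HTTPS request to update.microsoft.com is denied even though an application rule would allow it, because a network rule collection matched first; and the SSH flow is denied because nothing but an application rule exists for that destination, and application rules never match SSH.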

Real-World Architecture

In many enterprise environments, Azure Firewall sits in a hub virtual network, and each spoke subnet carries a user-defined route (0.0.0.0/0, next hop type Virtual appliance, pointing at the firewall's private IP) so that internet-bound traffic leaves only through the firewall. Spoke-to-spoke traffic can be forced through the firewall the same way, since spokes that are peered only with the hub do not route to each other by default.

This gives IT teams a single point at which to allow, deny, log and audit all outbound internet access.


What is Azure Application Gateway?

Azure Application Gateway is a Layer 7 (HTTP/HTTPS) load balancer and reverse proxy for web applications.

Unlike NSGs, which see only packet headers, and Azure Firewall, which for HTTPS sees the host name, Application Gateway terminates the client connection and parses the whole HTTP request: method, path, query string, headers and body. That is what lets it route on URL paths and run a web application firewall.

Key Features

  • Web application firewall (WAF)
  • Layer 7 load balancing
  • TLS termination (SSL offload), with optional end-to-end TLS to the backend
  • URL-based routing
  • Cookie-based session affinity

Example Scenario

A company hosting multiple websites might configure Application Gateway to:

  • Route /api traffic to backend API servers
  • Route /app traffic to application servers
  • Block malicious web requests using WAF

Web Application Firewall (WAF)

When a WAF policy is attached (WAF_v2 SKU), Application Gateway evaluates every request against managed rule sets based on the OWASP Core Rule Set, plus any custom rules you define, before the request is forwarded to a backend pool. This lets it detect and block:

  • SQL injection attempts
  • Cross-site scripting (XSS)
  • Protocol violations, known scanner signatures and the other request patterns covered by the managed rules

A WAF policy runs in one of two modes: Detection logs matching requests but still forwards them, Prevention blocks them with HTTP 403. A policy that is left in Detection mode after the initial false-positive tuning protects nothing; a public-facing application is only protected once the policy is in Prevention mode.
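The scenario above (route /api and /app to different backends, block malicious requests) and the Detection/Prevention distinction are illustrated by the following added example, written for this article and not Microsoft's code. The two regular expressions are constructed stand-ins for the managed rule set and nothing more; the point of the model is the order of operations (WAF policy first, then URL path map) and the effect of the mode switch. Path prefixes, pool names and the sample requests are assumptions.

```python
"""Model of an Application Gateway listener with a WAF policy in front of
URL path-based routing.

Added illustration for this article, not Microsoft's code. The gateway runs
the WAF policy before it picks a backend pool from the URL path map. The two
signatures are constructed stand-ins for the managed rule set (the real WAF
ships the OWASP Core Rule Set, which is far more than two patterns). What the
model shows is the mode switch: in Detection mode a matching request is
logged and still forwarded, in Prevention mode it is blocked with HTTP 403.
Path prefixes, pool names and the sample requests are assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List
from urllib.parse import unquote_plus


@dataclass
class Request:
    method: str
    path: str
    query: str = ""
    body: str = ""


@dataclass
class WafPolicy:
    mode: str                                  # "Detection" or "Prevention"
    signatures: Dict[str, re.Pattern]          # constructed stand-ins, keyed by a label
    log: List[dict] = field(default_factory=list)


# Constructed stand-ins for two managed rule categories; not the real rule set.
STAND_IN_SIGNATURES = {
    "sqli-stand-in": re.compile(r"(?i)\b(or|and)\b\s+\d+\s*=\s*\d+|\bunion\s+select\b"),
    "xss-stand-in": re.compile(r"(?i)<\s*script\b|\bon[a-z]+\s*=\s*['\"]"),
}

# URL path map from the article's scenario; first matching prefix wins (assumed order).
PATH_MAP = [("/api/", "api-backend-pool"), ("/app/", "app-backend-pool")]
DEFAULT_POOL = "default-backend-pool"


def select_backend(path: str) -> str:
    for prefix, pool in PATH_MAP:
        if path.startswith(prefix):
            return pool
    return DEFAULT_POOL


def inspect(policy: WafPolicy, req: Request) -> List[str]:
    """Return the labels of signatures matching the URL-decoded path, query and body."""
    surface = " ".join(unquote_plus(part) for part in (req.path, req.query, req.body))
    return [label for label, rx in policy.signatures.items() if rx.search(surface)]


def handle(policy: WafPolicy, req: Request) -> dict:
    """WAF evaluation first; routing to a backend pool only if the request survives it."""
    matched = inspect(policy, req)
    if matched:
        policy.log.append({"path": req.path, "rules": matched, "mode": policy.mode})
        if policy.mode == "Prevention":
            return {"status": 403, "backend": None, "matched": matched}
    return {"status": 200, "backend": select_backend(req.path), "matched": matched}


if __name__ == "__main__":
    for mode in ("Detection", "Prevention"):
        policy = WafPolicy(mode, STAND_IN_SIGNATURES)
        for req in (Request("GET", "/api/users", "id=7"),                       # constructed requests
                    Request("GET", "/app/login", "user=%27%20or%201%3D1%20--"),
                    Request("POST", "/app/comment", body="<script>alert(1)</script>"),
                    Request("GET", "/static/logo.png")):
            print(mode, req.method, req.path, "->", handle(policy, req))
        print(mode, "WAF log entries:", len(policy.log))
```

The URL-decoding step matters: the injection attempt arrives percent-encoded, and a check run on the raw query string would miss it. In Detection mode the same request produces a log entry and is still handed to app-backend-pool, which is the behaviour to look for in WAF logs when verifying that a policy has actually been switched to Prevention.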


Comparing Azure NSG vs Azure Firewall vs Application Gateway

Feature                        NSG        Azure Firewall    Application Gateway
Layer                          L3 / L4    L3–L7             L7
Traffic inspection             Basic      Advanced          Web traffic
Web application protection     No         Limited           Yes (WAF)
Centralised control            No         Yes               Partial
Load balancing                 No         No                Yes

Real-World Azure Security Architecture

In production environments, these components are usually combined.

A typical enterprise architecture for a public web application looks like this:

Internet
    |
    v
Application Gateway (WAF), in its own subnet
    |   a user-defined route on the gateway subnet sends backend-bound traffic to the firewall
    v
Azure Firewall, in the hub virtual network
    |
    v
Spoke virtual network
    |
    v
NSG-protected subnets (web, app and data tiers)

Each layer removes a class of traffic the next layer never has to see: the WAF drops malicious HTTP requests, the firewall decides which networks and FQDNs may talk to each other, and the NSGs stop anything that still arrives at a subnet or NIC it was not meant for. Outbound traffic from the spoke subnets also leaves through the firewall, so the same firewall logs cover both directions.

This architecture is widely used in large-scale Azure deployments.


Common Mistakes Engineers Make

Assuming NSGs Replace Firewalls

NSGs are not full firewalls. They match on addresses, ports and protocols only: no FQDN rules, no payload inspection, no threat intelligence. They also allow all traffic inside the virtual network by default (AllowVnetInBound at priority 65000), so segmentation between subnets exists only where you have written explicit deny rules with a lower priority number.

Not Using WAF for Web Applications

Public-facing web applications should always sit behind a WAF, and the WAF policy should be in Prevention mode; a policy left in Detection mode logs attacks but lets them through.

Allowing Unrestricted Outbound Traffic

Many Azure environments allow unrestricted outbound internet traffic, which is exactly what malware callbacks and data exfiltration rely on.

Routing spoke traffic through Azure Firewall with a 0.0.0.0/0 user-defined route, denying by default and allowing outbound destinations by FQDN lets organisations control and audit every outbound connection.


Additional Best Practices

When designing Azure network security:

  • Use NSGs for segmentation, with explicit deny rules wherever intra-VNet traffic must not flow
  • Use Azure Firewall for centralised control of internet-bound and spoke-to-spoke traffic
  • Use Application Gateway with WAF, in Prevention mode, for web apps
  • Send flow logs, Azure Firewall logs and WAF logs to a Log Analytics workspace through Azure Monitor, and alert on denied flows and WAF blocks
  • Implement least-privilege network rules: specific sources, destinations and ports rather than "any"

FAQ

What is the difference between Azure NSG and Azure Firewall?

An NSG provides basic Layer 3 and Layer 4 traffic filtering, while Azure Firewall provides advanced centralized security including application rules, threat intelligence, and logging.


Do I need both NSG and Azure Firewall?

Yes. Most Azure architectures use both. NSGs provide subnet-level security, while Azure Firewall provides centralized network protection.


Is Azure Application Gateway a firewall?

Application Gateway includes a Web Application Firewall (WAF), but it only protects web traffic. It does not replace a network firewall.


Can Azure Firewall replace Application Gateway?

No. Azure Firewall cannot perform Layer 7 load balancing or advanced web traffic routing.


When should I use Application Gateway?

Use Application Gateway when hosting web applications that require Layer 7 load balancing, TLS termination, URL-based routing, or web application firewall protection.


Conclusion

Azure NSG, Azure Firewall, and Application Gateway each play an important role in securing cloud environments. Rather than competing solutions, they form a layered security model designed to protect Azure infrastructure from multiple threat vectors.

From real-world enterprise deployments, the most effective approach is to combine these services:

  • NSGs for internal segmentation
  • Azure Firewall for centralized network security
  • Application Gateway with WAF for web application protection

By implementing these components together, organizations can build secure, scalable, and resilient Azure architectures that meet modern cloud security requirements.
