Azure Firewall is a highly available, managed firewall service that filters network- and application-level traffic. It has the ability to process traffic across subscriptions and VNets that are deployed in a hub-spoke model. It has the following rule types:
- Application rules can be used to restrict/allow traffic to certain websites using the FQDN (example: some businesses can decide to block traffic to amazon.com).
- Network rules do the same but using IP/port (you can decide to block traffic to a certain IP range).
- NAT rules can be used to implement Destination NAT rules or SNAT rules. For example, you can set up a destination NAT rule for RDP port 3389 to be translated from the firewall's public IP to the private VM on the same port. This will let you RDP into the private VM on the given port using the firewall's public IP. Example as given here.
- Here is a use case for Azure Firewall as given in the Azure blogs.
Azure NSG rules are basic network-layer filtering used to allow/restrict traffic to/from Azure resources.
- If you are looking to allow/deny traffic to/from certain IPs/Ports.
- You can implement NSGs to allow traffic from VNets while blocking all internet traffic (a lot of customers implement this setup for a private VNet).
- You can also implement them to allow access to your web applications only to a certain number of users using their IPs or IP ranges, and block all others.
- Here is a use case for NSGs given in the Azure Blog for your reference.
Here is an article on Azure Firewall vs Azure NSGs that explains the different features of both of them and how/when they can be used.
Hope this clears up some questions that you have. If you need any further assistance, please let us know and we will be glad to assist further. Thank you!
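The two patterns from the answer above, the firewall DNAT rule for RDP and an NSG that admits a known user range while denying the internet, written out as an added Bicep example. This is not code from the original answer or from Microsoft; every name and address in it is an assumption: `hub-fw`, `web-nsg`, the `firewallSubnetId` parameter (the resource ID of the hub's `AzureFirewallSubnet`), the jump box private IP `10.0.1.4`, and the documentation ranges `203.0.113.0/24` and `198.51.100.0/24` standing in for an office or VPN egress range.

```bicep
// Added example, not part of the original answer. Hub Azure Firewall with a DNAT
// rule that forwards TCP/3389 from the firewall's public IP to a spoke VM, plus a
// spoke NSG that allows HTTPS only from a known range and denies the internet.
// All names, ranges and the subnet ID parameter below are assumed values.

param location string = resourceGroup().location
param firewallSubnetId string                        // resource ID of the hub's AzureFirewallSubnet (assumed)
param allowedRdpSources array = ['203.0.113.0/24']   // assumed office/VPN egress range, not '*'
param jumpBoxPrivateIp string = '10.0.1.4'           // assumed private IP of the spoke VM
param allowedWebUsers array = ['198.51.100.0/24']    // assumed range of users allowed to reach the web app

// Static Standard-SKU public IP that the firewall listens on.
resource fwPip 'Microsoft.Network/publicIPAddresses@2023-09-01' = {
  name: 'hub-fw-pip'
  location: location
  sku: { name: 'Standard' }
  properties: { publicIPAllocationMethod: 'Static' }
}

resource firewall 'Microsoft.Network/azureFirewalls@2023-09-01' = {
  name: 'hub-fw'
  location: location
  properties: {
    sku: { name: 'AZFW_VNet', tier: 'Standard' }
    ipConfigurations: [
      {
        name: 'fw-ipconfig'
        properties: {
          subnet: { id: firewallSubnetId }
          publicIPAddress: { id: fwPip.id }
        }
      }
    ]
    // DNAT collection: 3389 arriving on the firewall public IP is translated to the
    // jump box on the same port. sourceAddresses is the known range, so the RDP
    // listener is not reachable from arbitrary internet sources.
    natRuleCollections: [
      {
        name: 'rdp-dnat'
        properties: {
          priority: 100
          action: { type: 'Dnat' }
          rules: [
            {
              name: 'rdp-to-jumpbox'
              protocols: ['TCP']
              sourceAddresses: allowedRdpSources
              destinationAddresses: [fwPip.properties.ipAddress]
              destinationPorts: ['3389']
              translatedAddress: jumpBoxPrivateIp
              translatedPort: '3389'
            }
          ]
        }
      }
    ]
  }
}

// Spoke NSG: HTTPS from the allowed user range only; an explicit deny for the
// 'Internet' service tag sits below it so nothing else from outside gets in.
resource webNsg 'Microsoft.Network/networkSecurityGroups@2023-09-01' = {
  name: 'web-nsg'
  location: location
  properties: {
    securityRules: [
      {
        name: 'allow-https-from-known-users'
        properties: {
          priority: 200
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceAddressPrefixes: allowedWebUsers
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRange: '443'
        }
      }
      {
        name: 'deny-internet-inbound'
        properties: {
          priority: 4000
          direction: 'Inbound'
          access: 'Deny'
          protocol: '*'
          sourceAddressPrefix: 'Internet'
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRange: '*'
        }
      }
    ]
  }
}
```

Intra-VNet traffic is already admitted by the NSG's built-in `AllowVnetInBound` rule (priority 65000) and everything else by `DenyAllInBound` (65500), so the explicit internet deny at priority 4000 is there to guarantee that no later, lower-priority allow rule can widen exposure. Attach `webNsg` to the web subnet or NIC, and review the DNAT rule's `sourceAddresses` whenever the office egress range changes; a DNAT rule with `*` as its source is the usual way an RDP port ends up reachable from the whole internet.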