Reputation: 40939
What can I achieve with Azure Firewall networking rule that cannot be done by Azure Virtual Manager security admin rules
We can create Security Admin Rules in Virtual Network Manager
Security admin rules are global network security rules that enforce security policies defined in the rule collection on virtual networks. These rules can be used to Allow, Always Allow, or Deny traffic across virtual networks within your targeted network groups. These network groups can only consist of virtual networks within the scope of your virtual network manager instance. Security admin rules can't apply to virtual networks not managed by a virtual network manager.
Network rule collection in Azure Firewall
- is used to allow or block network traffic based on the source or destination IP address, port, and protocol.
- it operates at layer 4 (transport layer) of the OSI model and can be used to filter traffic based on IP address, port, and protocol.
For me this sounds like similar concepts. Of course Azure Firewall is more comprehensive as it offer DNAT, networking and application rules. But if we compare only Networking rules to Security admin rules they appears to be very similar.
What can be achieved by Azure Firewall networking rules that is not possible to achieve using Security admin rules?
Upvotes: 0
Views: 397
Answers (1)
Reputation: 3851
As discussed over comments, comparing Azure Firewall's Networking Rules and Azure Virtual Manager security admin rules is like comparing oranges and apples. If we only focus on the difference in terms of Network Rules of Firewall and Security admin rules:
- Security admin rules can explicitly support ESP and AH protocols while Firewall Rules don't
- You can have FQDN and IP Group as additional Destination type with Firewall Rules while security admin rules only support IP addresses and Service Tag.
Again, they serve different scenarios - for example,
- With Security admin rules, you have an option to terminate traffic evaluation without ever checking NSG
- But with Firewall network rules, the originating traffic first has to go through it's associated NSG (either NIC or subnet) before being processed by the Firewall's network Rules.
If you have a specific requirement/use case, please do let me know and I can probably suggest if Azure Firewall or Virtual Network Manager suits your requirement best.
Upvotes: 0
Related Questions
- How can I help Azure Network Security Group rules recognize Service Tags for Azure DevOps
- Azure Firewall: Most common Azure Firewall Policy Rule Collection Rules
- How do I remove Azure network security config rules that blocked RDP and all SQL Server access on Azure VM?
- Configure and verify Vnet in Azure
- Azure Ubuntu VM, cannot access port 8080 even with ufw disabled and inbound rule added for this port
- Achieve country level blocking while using azure traffic manager and azure application gateway with WAF
- How to setup Azure virtual machine port rules to allow PsExec traffic?
- Azure CLI: associate network security group (NSG) with Virtual Network subnet