Network Security & Performance
NSGs, Azure Firewall, WAF, DDoS Protection, and Azure Bastion β design network security that protects at every layer without sacrificing performance.
Network security and performance design
Network security is a layered defence. No single control stops everything β you need multiple layers:
NSGs: Firewall rules on subnets and NICs (L3/L4 β IP and port filtering).
Azure Firewall: Central firewall with FQDN filtering, threat intelligence, and TLS inspection (Premium tier) (L3-L7).
WAF: Web Application Firewall protecting against OWASP attacks (SQL injection, XSS) (L7).
DDoS Protection: Absorbs massive volumetric attacks before they reach your resources.
Bastion: Secure RDP/SSH access to VMs without public IPs.
Network security layers
| Service | OSI Layer | Scope | Key Feature | Best For |
|---|---|---|---|---|
| NSG | L3/L4 | Subnet or NIC | IP/port allow/deny rules | Micro-segmentation between subnets |
| ASG | L3/L4 | Grouped resources | Tag-based rules (no IP management) | Dynamic rules based on application groups |
| Azure Firewall | L3-L7 | Central (hub VNet) | FQDN filtering, threat intel, TLS inspection (Premium only) | Centralised egress control, network-level security |
| WAF | L7 | Edge (Front Door / App GW) | OWASP protection, custom rules, bot protection | Web application protection (SQL injection, XSS) |
| DDoS Network Protection | L3/L4 | VNet-level | Volumetric attack mitigation, adaptive tuning | Protecting public endpoints from DDoS attacks |
| Azure Bastion | L7 | Per-VNet | Browser-based RDP/SSH, no public IP needed | Secure VM management access |
Azure Firewall tiers
| Feature | Basic | Standard | Premium |
|---|---|---|---|
| Throughput | Up to 250 Mbps | Up to 30 Gbps | Up to 100 Gbps |
| FQDN filtering | Yes | Yes | Yes |
| Threat intelligence | Alert only | Alert and deny | Alert and deny |
| DNS proxy | No | Yes | Yes |
| TLS inspection | No | No | Yes β decrypt, inspect, re-encrypt |
| IDPS | No | No | Yes β signature-based intrusion detection |
| URL filtering | No | No | Yes β full URL path, not just FQDN |
| Web categories | No | Yes | Yes |
| Best for | Small environments, SMBs, cost-sensitive | Most production workloads | Regulated industries needing deep packet inspection |
Exam tip: Know which features require Premium
Three features are Premium-only: TLS inspection (decrypt and inspect encrypted traffic), IDPS (intrusion detection and prevention), and URL filtering (inspect full URL path, not just domain). If a scenario mentions inspecting encrypted traffic or detecting intrusion signatures, the answer is Azure Firewall Premium.
NSG vs Azure Firewall β when to use each
| Scenario | Use NSG | Use Azure Firewall | Use Both |
|---|---|---|---|
| Simple subnet isolation | β | Overkill | β |
| FQDN-based egress filtering | Canβt do this | β | β |
| Centralised logging of all traffic | Limited | β | β |
| TLS inspection | No | β (Premium) | β |
| Hub-spoke network | Spoke subnets | Hub firewall | β Both |
π¦ Elenaβs defence-in-depth:
- DDoS Network Protection on VNet β absorbs volumetric attacks
- Front Door WAF β blocks OWASP attacks at the edge
- Azure Firewall Premium in hub VNet β FQDN filtering, TLS inspection, threat intelligence
- NSGs on every subnet β micro-segmentation between application tiers
- Azure Bastion β no public IPs on any VM, RDP/SSH through browser
Network performance optimisation
| Technique | What It Does | When to Use |
|---|---|---|
| Accelerated Networking | Bypasses host networking stack (SR-IOV) | All production VMs that support it (free) |
| ExpressRoute Global Reach | Connect on-prem sites through ExpressRoute backbone | Branch-to-branch traffic via Microsoft network |
| Azure CDN / Front Door | Cache content at edge POP locations | Static content, global user base |
| Proximity Placement Groups | Co-locate VMs in same data centre | Ultra-low latency between VMs (HPC, trading) |
Well-Architected Framework connection
Security pillar: Defence-in-depth β multiple layers, each catching what the previous missed. NSGs at the network level, WAF at the application level, DDoS at the perimeter.
Performance Efficiency: Accelerated Networking should be enabled on all VMs that support it β itβs free and reduces latency. Proximity Placement Groups for latency-sensitive workloads.
Cost Optimisation: Azure Firewall Basic tier for small networks. DDoS Network Protection is per protected public IP β covers all resources in a VNet with one plan.
Knowledge check
π¦ Elena needs to protect FinSecure Bank's web applications from SQL injection and XSS attacks at the edge, while also filtering all outbound traffic from VMs through a central firewall with FQDN rules. Which combination should she recommend?
ποΈ GlobalTech's public-facing web app in Southeast Asia serves customers across Asia-Pacific. Users in Japan and Australia report slow page loads. The app also experienced a DDoS attack last month that caused 2 hours of downtime. Which combination should Priya recommend to solve both performance and protection issues?
Next up: The final piece β routing traffic efficiently β Load Balancing & Routing.