CloudBolt Software is the enterprise cloud management leader. Our comprehensive solutions for IT automation,
orchestration, self-service IT, cost optimization, and security help enterprises simplify complexity and achieve
rapid time-to-value anywhere on their hybrid cloud, multicloud journey. Our award-winning cloud management
platform and infrastructure integration services are deployed and loved by enterprises worldwide. Backed by
Insight Partners, CloudBolt Software has been named one of the fastest-growing private companies on the
Deloitte Fast 500 and Inc. 5000 lists. In addition, CloudBolt is a 2020 CODiE award winner for best cloud
management and is featured in Gartner's Magic Quadrant for Cloud Management Platforms.
www.cloudbolt.io | info@cloudbolt.io | 703.665.1060
CloudBolt Industry Insights Report:
The DevOps Guide to Azure Costs
Use Tags to Improve Readability
When you need to manage multiple objects, you can leverage virtual network service tags. These Azure resources
represent a group of IP address prefixes that relate to a particular Azure service. For example, "VirtualNetwork"
represents the entire VNet address range, and "Internet" indicates all external IP addresses that are publicly routable.
Therefore, using the tags in your source and destination fields enhances the readability of your NSG rules.
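As an added illustration (not part of the original report), the sketch below evaluates inbound NSG rules in priority order, lowest number first, with the "VirtualNetwork" and "Internet" tags in the source and destination fields. The VNet range, rule names and sample addresses are constructed, tag resolution follows the simplified definitions given in this section, and protocol matching is omitted.

```python
import ipaddress

# Assumption: constructed VNet address space. Following the report's definition,
# "VirtualNetwork" resolves to this range only.
VNET_RANGE = ipaddress.ip_network("10.0.0.0/16")

def rule(name, priority, src, dst, port, access):
    """Build an inbound rule using the field names of an exported NSG rule."""
    return {"name": name, "priority": priority, "direction": "Inbound",
            "sourceAddressPrefix": src, "destinationAddressPrefix": dst,
            "destinationPortRange": port, "access": access}

# Constructed rule set; the last two model Azure's default inbound rules.
RULES = [
    rule("allow-https-from-internet", 100, "Internet", "VirtualNetwork", "443", "Allow"),
    rule("deny-ssh-from-internet", 200, "Internet", "VirtualNetwork", "22", "Deny"),
    rule("AllowVnetInBound", 65000, "VirtualNetwork", "VirtualNetwork", "*", "Allow"),
    rule("DenyAllInBound", 65500, "*", "*", "*", "Deny"),
]

def prefix_matches(prefix, ip):
    """True if ip falls under an address prefix: '*', a service tag, or a CIDR."""
    addr = ipaddress.ip_address(ip)
    if prefix == "*":
        return True
    if prefix == "VirtualNetwork":
        return addr in VNET_RANGE
    if prefix == "Internet":
        # Simplification: publicly routable and outside the VNet.
        return addr.is_global and addr not in VNET_RANGE
    return addr in ipaddress.ip_network(prefix, strict=False)

def port_matches(port_range, port):
    """True if port falls under '*', a single port, or a 'low-high' range."""
    if port_range == "*":
        return True
    low, _, high = port_range.partition("-")
    return int(low) <= port <= int(high or low)

def evaluate(rules, src, dst, port):
    """Return (access, rule name) for the first matching inbound rule."""
    for r in sorted(rules, key=lambda r: r["priority"]):
        if (r["direction"] == "Inbound"
                and prefix_matches(r["sourceAddressPrefix"], src)
                and prefix_matches(r["destinationAddressPrefix"], dst)
                and port_matches(r["destinationPortRange"], port)):
            return r["access"], r["name"]
    return "Deny", "no-matching-rule"
```

With this rule set, SSH from a public address is denied, while SSH from another address inside the VNet is still allowed by the default AllowVnetInBound rule, which is worth checking when reviewing east-west exposure.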
Azure NSG Shortcomings and Limitations
Although Azure NSGs offer adequate security, they do have some limitations. Microsoft offers Azure Firewall, a highly
available, managed service providing additional security features relevant to some use cases. The table below details
the functionality available for both security products.
| Feature | Azure NSG | Azure Firewall |
| --- | --- | --- |
| OSI Layers | Filters traffic on Layer 3 (network) and Layer 4 (session). | Filters traffic on Layer 3 (network), Layer 4 (session), and Layer 7 (application). |
| Protocol-based traffic filtering | Yes | Yes |
| Service Tag support | Yes | Yes |
| Fully Qualified Domain Name (FQDN) Tag support | No | Yes – With Azure Firewall, you can tag a group of fully qualified domain names, like Windows Updates or Microsoft 365 services. |
| Source Network Address Translation (SNAT) | No | Yes – Azure Firewall allows you to configure a public IP to mask an internal IP. |
| Destination Network Address Translation (DNAT) | No | Yes – Azure Firewall supports DNAT, which you can use to translate incoming traffic to the private IP address of your virtual network. |
| Integrated with Azure Monitor | Yes – However, Flow Logs with Traffic Analysis is not enabled by default. | Yes – However, diagnostic logging is not enabled by default. |
| Threat Intelligence | No | Yes – Azure Firewall gives you the ability to block traffic based on Microsoft threat analytics data. |