
Azure NSG vs WAF: Key Differences Explained

Praveena Shenoy

Country Manager, India

Reviewed by Opsio Engineering Team

Quick Answer


An Azure Network Security Group (NSG) is a stateful packet filter that controls traffic at the network layer (Layers 3 and 4) based on IP, port, and protocol. An Azure Web Application Firewall (WAF) is an application-layer (Layer 7) firewall that inspects HTTP and HTTPS requests for attacks such as SQL injection, cross-site scripting, and OWASP Top 10 threats. They solve different problems and are normally deployed together, not as alternatives.

What each service actually does

An NSG sits on a subnet or a network interface and decides whether a packet is allowed to enter or leave based on five-tuple rules: source IP, source port, destination IP, destination port, and protocol. It cannot see inside the packet payload. If a request is allowed through port 443 to your web server, the NSG has done its job, regardless of whether that request contains a SQL injection payload.

A WAF operates one layer higher. It terminates or proxies HTTP traffic and inspects the request body, headers, URI, and parameters against a rule set, typically the OWASP Core Rule Set. It blocks malicious patterns such as UNION SELECT attacks, path traversal, malicious bot signatures, and known CVE exploit attempts. In Azure, WAF is delivered through Azure Application Gateway, Azure Front Door, or Azure CDN.

NSG vs WAF side by side

| Capability | Network Security Group (NSG) | Web Application Firewall (WAF) |
| --- | --- | --- |
| OSI layer | Layers 3 and 4 (network and transport) | Layer 7 (application) |
| Inspection target | IP, port, protocol | HTTP request content, headers, body |
| Stateful | Yes, tracks connections | Yes, proxies HTTP sessions |
| Protects against | Unauthorized network access, port scanning | SQL injection, XSS, OWASP Top 10, bots |
| Deployment scope | Subnet or NIC inside a VNet | Application Gateway, Front Door, or CDN |
| Rule type | Allow or deny by five-tuple | Managed rule sets plus custom rules |
| Logging | NSG flow logs to Storage or Log Analytics | WAF logs with matched rules and request detail |
| Pricing model | Free, included with VNet | Per gateway hour plus data processed |

When to use each, and when to use both

For any internet-facing web application, you should run a WAF in front of the application and NSGs around the application's network segments. The WAF blocks malicious HTTP payloads at the edge. The NSGs enforce that only the Application Gateway or Front Door subnet can reach the application backend, that databases are reachable only from app subnets, and that management ports are closed to the public internet.

  • Use NSGs for: subnet-level segmentation, blocking RDP and SSH from the internet, restricting database access to application subnets, and enforcing east-west traffic boundaries.
  • Use WAF for: protecting any public HTTP endpoint, blocking OWASP Top 10 attacks, rate limiting, geo-blocking, and bot mitigation.
  • Use both for: any production web workload. NSGs alone cannot stop application attacks. WAF alone cannot stop network-level lateral movement.
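The layered design above (five-tuple NSG rules around the backend, WAF in front of the public endpoint) as an added Bicep example; this is not code from the article or from Opsio, and the subnet CIDRs, resource names and API versions are assumptions you would replace with your own:

```bicep
// Added example (not from the article). Subnet CIDRs and names are assumptions.
param appGwSubnetCidr string = '10.0.1.0/24' // assumed Application Gateway subnet
param appSubnetCidr string = '10.0.2.0/24'   // assumed backend application subnet

resource appNsg 'Microsoft.Network/networkSecurityGroups@2023-05-01' = {
  name: 'nsg-app-backend'
  location: resourceGroup().location
  properties: {
    securityRules: [
      {
        // Five-tuple decision only: a SQL injection payload on 443 passes this rule.
        name: 'AllowHttpsFromAppGateway'
        properties: {
          priority: 100
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceAddressPrefix: appGwSubnetCidr
          sourcePortRange: '*'
          destinationAddressPrefix: appSubnetCidr
          destinationPortRange: '443'
        }
      }
      {
        // Explicit deny ahead of default AllowVnetInBound (65000): closes RDP/SSH and other subnets.
        name: 'DenyAllOtherInbound'
        properties: {
          priority: 4000
          direction: 'Inbound'
          access: 'Deny'
          protocol: '*'
          sourceAddressPrefix: '*'
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRange: '*'
        }
      }
    ]
  }
}

// Layer 7 control: OWASP Core Rule Set in Prevention mode, to be attached to the Application Gateway.
resource wafPolicy 'Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies@2023-05-01' = {
  name: 'waf-public-web'
  location: resourceGroup().location
  properties: {
    policySettings: { state: 'Enabled', mode: 'Prevention', requestBodyCheck: true }
    managedRules: { managedRuleSets: [ { ruleSetType: 'OWASP', ruleSetVersion: '3.2' } ] }
  }
}
```

The explicit deny at priority 4000 also overrides the default AzureLoadBalancer allow rule, so add a higher-priority allow for that service tag if the backend sits behind a load balancer whose health probes must reach it.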

For a broader security model that ties these together, see our guides to cloud security best practices and zero trust security.

How Opsio helps

Opsio's Managed Azure Services and Cybersecurity Services teams design layered Azure network architectures using NSGs, Application Security Groups, Azure Firewall, and WAF policies as a coordinated control set. We tune WAF rule sets to reduce false positives, build NSG baselines aligned to CIS benchmarks, and integrate flow and WAF logs into Microsoft Sentinel for unified detection.

Frequently Asked Questions

Can a WAF replace an NSG?

No. A WAF only inspects HTTP and HTTPS traffic and only protects what sits behind it. It does not control SSH, RDP, database protocols, or east-west traffic between subnets. NSGs remain the primary mechanism for network segmentation inside Azure VNets, and they are free.

Do I still need NSGs if I use Azure Firewall?

Yes, in most designs. Azure Firewall is a centralized, managed Layer 3 to Layer 7 firewall ideal for north-south traffic and hub-and-spoke topologies. NSGs remain useful for micro-segmentation at the subnet or NIC level and for enforcing least-privilege rules inside each spoke. Many enterprises use both.

What is the difference between Application Gateway WAF and Front Door WAF?

Both run the same Azure WAF engine but deploy at different scopes. Application Gateway WAF is a regional Layer 7 load balancer suited for VNet-integrated workloads. Front Door WAF is global, runs at the edge of Microsoft's network, and is better for multi-region applications, anycast routing, and global DDoS posture.

Does Azure WAF include DDoS protection?

The WAF protects against application-layer (Layer 7) DDoS attacks such as HTTP floods. For volumetric Layer 3 and Layer 4 attacks, you need Azure DDoS Protection Standard, which is a separate service that applies to public IP addresses across your subscription.

How are NSG and WAF rules logged?

NSGs emit flow logs to a Storage Account and can be analyzed through Traffic Analytics in Log Analytics. WAF emits per-request logs showing the matched rule, action taken, request URI, and source IP through Azure Monitor diagnostic settings. Both should be forwarded to Microsoft Sentinel or your SIEM for correlated alerting.

Written By

Praveena Shenoy

Country Manager, India at Opsio

Praveena leads Opsio's India operations, bringing 17+ years of cross-industry experience spanning AI, manufacturing, DevOps, and managed services.
