Hey all,

I have a few clients that we have migrated to Azure to host their servers, DC, file server, and a phone app server.

We simply spun up a simple vnet and connected it back to on prem with a S2S VPN.

None of these VMs have public IPs assigned and we wanted to treat it as a simple setup to a private DC like we would do with any other providers.

While setting this up and researching, I came to the conclusion that since none of the servers are internet facing, NSGs were sufficient to block everything except the VNET to VNET traffic.

One thing that I did notice is that these VMs are allowed internet outbound access, as in I can reach all the websites.

In this scenario, do I need to put in an Azure firewall? I know the basic SKUs are not that expensive any more but I am not sure if it is really needed or not.


It depends on your needs. I have done similar setups with a simple VNet and NSGs to control access. I have also used firewall appliances. If you have a simple environment, and NSGs provide the ACLs that you need, then a firewall appliance may be excessive. If you need more advanced routing, NAT, and/or logging and monitoring, then a firewall appliance would be useful. You’ll need to determine if the extra features are worth the extra costs of running a firewall appliance.


Thanks again for the reply.

When I was first reviewing this setup, it was really a simple setup. Just a few VMs in Azure as an extension of the current subnets via S2S VPN.

There is no public IP, and anything and everything is blocked via NSG (only the default rules allowing traffic from VNet to VNet and from load balancers are in place).

We don’t have any load balancers as there is no public IP incoming for any of the servers.

As far as I can tell, this is as secure as it gets but I get bombarded with warnings/notices all the time about security and it just has me on edge…

I must be overthinking this but this is starting to give me anxiety about everything in Azure. lol

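The outbound behaviour described in the first post and restated here comes from the NSG's built-in rules: AllowVnetOutBound (65000), AllowInternetOutBound (65001) and DenyAllOutBound (65500). The "allow VNet to VNet" default is real, but so is the default allow to the Internet tag, so an NSG with only defaults still permits egress to any website. The evaluator below is an added example, not code from the thread or from Azure; it models NSG semantics (lowest priority number first, first match wins) and shows that a custom Deny to the Internet tag at a priority below 65001 closes egress while VNet and on-prem (S2S) traffic still flows. The address ranges, the proxy host and the reduction of the VirtualNetwork and Internet service tags to a CIDR check are assumptions, and protocol/port matching is left out.

```python
import ipaddress

# Constructed address space for the thread's scenario: one Azure VNet reached
# from on-prem over a site-to-site VPN. The real "VirtualNetwork" service tag
# covers the VNet, peered VNets and on-prem ranges learned via the gateway;
# this evaluator approximates it with these two prefixes (assumption).
VNET_PREFIXES = [ipaddress.ip_network("10.10.0.0/16"),   # Azure VNet
                 ipaddress.ip_network("192.168.1.0/24")]  # on-prem via S2S VPN

def matches_tag(tag, addr):
    """Resolve the tags used here. 'Internet' is modelled as anything outside
    the VNet/on-prem space (assumption); other tags are treated as CIDRs."""
    ip = ipaddress.ip_address(addr)
    if tag == "*":
        return True
    if tag == "VirtualNetwork":
        return any(ip in n for n in VNET_PREFIXES)
    if tag == "Internet":
        return not any(ip in n for n in VNET_PREFIXES)
    return ip in ipaddress.ip_network(tag)

# Azure's built-in outbound rules: (priority, name, source, destination, action).
# They cannot be deleted, only overridden by a lower-numbered custom rule.
DEFAULT_OUTBOUND = [
    (65000, "AllowVnetOutBound", "VirtualNetwork", "VirtualNetwork", "Allow"),
    (65001, "AllowInternetOutBound", "*", "Internet", "Allow"),
    (65500, "DenyAllOutBound", "*", "*", "Deny"),
]

def evaluate(custom_rules, src, dst):
    """NSG semantics: sort by priority (lowest first), first matching rule wins.
    Returns (rule_name, action)."""
    for prio, name, s, d, action in sorted(custom_rules + DEFAULT_OUTBOUND):
        if matches_tag(s, src) and matches_tag(d, dst):
            return name, action
    raise RuntimeError("unreachable: DenyAllOutBound matches everything")

NSG_DEFAULTS_ONLY = []   # the state described in the thread
# Hardened state: deny Internet egress, with one constructed exception for an
# assumed update/proxy host. The deny must sit below 65001 to take effect.
NSG_NO_EGRESS = [
    (3900, "AllowUpdateProxy", "*", "203.0.113.10/32", "Allow"),  # constructed
    (4000, "DenyInternetOutBound", "*", "Internet", "Deny"),
]

if __name__ == "__main__":
    for rules, label in ((NSG_DEFAULTS_ONLY, "defaults only"), (NSG_NO_EGRESS, "with deny")):
        print(label, "-> website:", evaluate(rules, "10.10.1.4", "198.51.100.7"))
        print(label, "-> on-prem:", evaluate(rules, "10.10.1.4", "192.168.1.10"))
```

The same check can be made against a live NSG with the "effective security rules" view on the VM's NIC, which lists the merged default and custom rules in priority order.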

I realize this post is a bit dated but your comments resonate with me still today:

I get bombarded with warnings/notices all the time about security and it just has me on edge

and

give me anxiety about everything in Azure

We are currently moving from an NSG-only model to an Azure Firewall and I am hopeful that will provide the added monitoring and geolocation tools to help us more granularly control what comes in and out of our Azure web servers. It’s a whack-a-mole affair to deny CIDR blocks manually, which is what we’ve been doing until we get approval to spend the money to implement Azure FW. Did you already put the Azure FW in place, and if so how did it go, and what were some of the gotchas?

Thank you for your post.
