Firewall vs NVA

 Criteria to Determine Whether an Organization Needs a Firewall

Criteria	Explanation	Example
Internet-facing Applications	App is exposed to the internet; needs protection from attacks	A public-facing API or website
Outbound Traffic Control	Need to restrict egress (internet-bound) traffic to specific domains	Only allow servers to access updates.microsoft.com
East-West Traffic Control	You want to inspect traffic between subnets or VMs	App servers talking to DB over internal network
Threat Detection/Prevention	You want to detect malicious traffic or prevent intrusion	Malware communication blocked by threat intel
TLS/SSL Inspection	You want to decrypt and inspect HTTPS traffic	Detect if users are visiting malicious HTTPS websites
Logging & Auditing	Need visibility for compliance or governance	Log every connection attempt for audit reports
VPN/Hybrid Connectivity	You want to connect Azure to on-prem or other clouds	IPsec tunnel between Azure and branch office
Compliance Needs	Required by regulators (e.g., ISO, PCI-DSS, HIPAA)	Bank must inspect all inbound/outbound traffic

Azure Firewall Vs NVA

Use Case / Requirement	Choose Azure Firewall Premium	Choose NVA (e.g., FortiGate)
✅ Native Azure Integration	✔ Fully managed by Azure	❌ Requires manual setup & VM maintenance
✅ Need IDPS & Threat Intelligence	✔ Built-in with Premium SKU	✔ Advanced but needs configuration
✅ TLS/SSL Inspection	✔ Out of the box	✔ With more control over certificates
✅ Cost-efficient & Easy to Scale	✔ Auto-scaling and simple pricing	❌ Fixed sizing, license cost, HA config needed
❌ Need VPN/SD-WAN	❌ Not supported	✔ Built-in IPsec VPN, SD-WAN, BGP routing
❌ Complex Routing/Custom NAT	❌ Limited to what Azure supports	✔ Full flexibility with NAT, BGP, Policy routes
✅ You're cloud-first / cloud-native	✔ Best fit	❌ More effort to manage and patch NVAs
✅ Prefer Microsoft-native tooling (e.g., Sentinel)	✔ Tight integration	❌ Manual export of logs (unless using 3rd party SIEM)