Last Updated on May 8, 2026 by Arnav Sharma
They both live in your Azure network. They both affect traffic flow. And they get confused for each other constantly, even by engineers who’ve been working in Azure for years.
I get it. The naming doesn’t help. Both sound like they control “the network,” and Microsoft’s documentation occasionally makes them feel interchangeable. They’re not.
Here’s a clear breakdown of what each one actually does, when you need which, and why running both is often the right call.
The Short Version
Azure VPN Gateway (and its sibling, ExpressRoute Gateway) connects your Azure virtual network to somewhere else. That could be your on-premises data centre, a branch office, or another Azure region. It handles the transport layer of your hybrid network.
Azure Firewall inspects and filters traffic that’s already inside or entering your Azure environment. It decides what’s allowed to talk to what, based on rules you define.
One is about connectivity. The other is about control. You generally need both.
Azure Virtual Network Gateway: The Tunnel Builder
Think of Azure VPN Gateway as the border crossing between two countries. It creates the road. It doesn’t decide who’s allowed to travel on it or what they’re carrying; it just makes the connection possible.
Under the hood, VPN Gateway supports two main VPN scenarios, plus a related gateway type for private circuits:
- Site-to-site VPN: connects your on-premises network to Azure over an encrypted IPsec/IKE tunnel across the public internet.
- Point-to-site VPN: lets individual devices (a remote developer’s laptop, for example) dial into Azure directly.
- ExpressRoute Gateway: a separate but related gateway type that connects Azure to your on-premises network via a dedicated private circuit, not the public internet.
Key Characteristics
- Operates at Layer 3/4 (IP and transport)
- Manages encrypted tunnel establishment and key exchange
- Supports BGP for dynamic routing
- SKUs range from Basic (low throughput, dev/test only) to VpnGw5/AZ (high throughput, zone-redundant)
- Priced per hour, plus data transfer
A Real Scenario
Your organisation has a data centre in Sydney and wants workloads in Azure (Australia East) to access internal SQL servers on-prem. VPN Gateway creates that encrypted tunnel. Once it’s up, Azure VMs can reach those SQL servers as if they were on the same LAN. The connection exists. What traffic flows across it is a separate question.
Azure Firewall: The Traffic Inspector
Azure Firewall sits inside your Azure virtual network and watches traffic move between subnets, out to the internet, and in from external sources. It’s a stateful, managed firewall service, meaning Microsoft handles the underlying infrastructure, patching, and scaling.
It’s not just a basic packet filter. Azure Firewall can:
- Allow or deny traffic based on FQDNs (e.g., “allow traffic to *.microsoft.com only”)
- Filter outbound internet traffic using application and network rules
- Inspect inbound traffic with DNAT rules
- In the Premium tier, perform TLS inspection and detect threats using IDPS signatures
- Integrate with Microsoft Threat Intelligence to block known-bad IPs and domains
Key Characteristics
- Operates at Layer 4 and Layer 7 (with Premium)
- Centrally managed, no patching required from your side
- Supports forced tunnelling (routing all outbound traffic through it)
- Works with Azure Firewall Policy for multi-region rule management
- Priced per hour (deployment) plus data processed
A Real Scenario
Your developers need internet access from Azure VMs to pull packages and access APIs. Without Azure Firewall, you’re relying on Network Security Groups (NSGs), which are basic and IP-based. With Azure Firewall, you can say “these VMs can reach *.ubuntu.com and *.github.com, nothing else.” That’s fine-grained outbound control that NSGs simply can’t do.
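The outbound rule described above, written as a Firewall Policy rule collection in Bicep. This is an added example, not code from the original post; the policy name, the spoke subnet prefix and the API version are assumptions. Azure Firewall denies anything no rule allows, so "nothing else" is the default behaviour once this rule is the only one permitting outbound traffic from that subnet.

```bicep
// Added example (not from the original post): a Firewall Policy rule that
// implements "these VMs can reach *.ubuntu.com and *.github.com, nothing else".
// Assumed names: policy afwp-hub, spoke workload subnet 10.1.1.0/24.
param spokeSubnetPrefix string = '10.1.1.0/24'

resource policy 'Microsoft.Network/firewallPolicies@2023-05-01' = {
  name: 'afwp-hub'
  location: resourceGroup().location
  properties: {
    sku: { tier: 'Standard' }
    // Block, not just alert on, destinations in the Microsoft threat intelligence feed
    threatIntelMode: 'Deny'
  }
}

// Rule collection group holding the outbound application rule.
// Lower priority numbers are evaluated first; everything not matched is dropped.
resource rcg 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2023-05-01' = {
  parent: policy
  name: 'rcg-outbound'
  properties: {
    priority: 200
    ruleCollections: [
      {
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'allow-package-sources'
        priority: 100
        action: { type: 'Allow' }
        rules: [
          {
            ruleType: 'ApplicationRule'
            name: 'apt-and-github'
            sourceAddresses: [ spokeSubnetPrefix ]
            // Application rules match on FQDN for HTTP/HTTPS only;
            // other ports would need a network rule instead.
            protocols: [
              { protocolType: 'Http', port: 80 }
              { protocolType: 'Https', port: 443 }
            ]
            targetFqdns: [ '*.ubuntu.com', '*.github.com' ]
          }
        ]
      }
    ]
  }
}
```

Attach the policy to the hub firewall with its `firewallPolicy` reference and point the spoke subnet's default route at the firewall; the wildcard FQDNs match subdomains such as archive.ubuntu.com and api.github.com but not the bare apex names.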
Side-by-Side Comparison
| Feature | Azure VPN Gateway | Azure Firewall |
|---|---|---|
| Primary purpose | Connect Azure VNets to external networks | Inspect and filter network traffic |
| OSI layer | Layer 3/4 | Layer 4 (Standard), Layer 7 (Premium) |
| Traffic direction | Cross-network connectivity (VPN/ER) | Inbound, outbound, east-west |
| Packet inspection | No | Yes (stateful, IDPS with Premium) |
| URL/FQDN filtering | No | Yes |
| BGP support | Yes | No |
| TLS inspection | No | Yes (Premium only) |
| Threat intelligence | No | Yes (Microsoft TI feed) |
| Use case example | Site-to-site VPN to on-prem DC | Control outbound internet access from VMs |
| Typical deployment | Gateway subnet | Dedicated firewall subnet (hub VNet) |
| Managed service | Yes | Yes |
| Zone redundancy | Yes (AZ SKUs) | Yes |
Where They Work Together
In a hub-and-spoke architecture (the most common Azure network pattern), both services live side by side in the hub VNet.
VPN Gateway sits in the GatewaySubnet and handles all traffic coming in from your on-prem network. Azure Firewall sits in its own subnet (AzureFirewallSubnet) and inspects traffic before it’s allowed to flow to any spoke VNet or out to the internet.
User Defined Routes (UDRs) are the glue. You configure routes so that:
- Traffic from spokes destined for on-prem goes to the Firewall first, then to the Gateway
- Traffic from on-prem destined for Azure spokes gets filtered by the Firewall before reaching those subnets
This means even legitimate VPN traffic passes through your firewall rules. On-prem doesn’t get a free pass just because it connected via a trusted tunnel.
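The two route tables that make up the UDR "glue" described above, as an added example in Bicep rather than code from the original post. The address ranges, the firewall's private IP and the resource names are assumptions; associate the first table with the spoke workload subnets and the second with the hub's GatewaySubnet.

```bicep
// Added example (not from the original post): hub-and-spoke UDRs that force
// spoke <-> on-prem traffic through Azure Firewall in both directions.
// Assumed values: spoke VNet 10.1.0.0/16, firewall private IP 10.0.1.4.
param location string = resourceGroup().location
param firewallPrivateIp string = '10.0.1.4'
param spokePrefix string = '10.1.0.0/16'

// Spoke route table: everything leaving the spoke goes to the firewall.
// disableBgpRoutePropagation is the check that matters: routes learned over
// BGP from the VPN gateway are more specific than 0.0.0.0/0 and would
// otherwise win longest-prefix-match, sending spoke -> on-prem traffic
// straight to the gateway and around the firewall.
resource spokeRt 'Microsoft.Network/routeTables@2023-05-01' = {
  name: 'rt-spoke-to-firewall'
  location: location
  properties: {
    disableBgpRoutePropagation: true
    routes: [
      {
        name: 'default-via-firewall'
        properties: {
          addressPrefix: '0.0.0.0/0'
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: firewallPrivateIp
        }
      }
    ]
  }
}

// GatewaySubnet route table: traffic arriving from on-prem and destined for
// the spoke is handed to the firewall instead of going straight over the
// peering. Route only the spoke prefixes here, never 0.0.0.0/0, and leave
// BGP propagation enabled so the gateway still learns on-prem routes.
resource gwRt 'Microsoft.Network/routeTables@2023-05-01' = {
  name: 'rt-gateway-to-firewall'
  location: location
  properties: {
    disableBgpRoutePropagation: false
    routes: [
      {
        name: 'spoke-via-firewall'
        properties: {
          addressPrefix: spokePrefix
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: firewallPrivateIp
        }
      }
    ]
  }
}
```

After deployment, check the effective routes on a spoke NIC: the on-prem prefix should resolve to the firewall IP as next hop, not to the virtual network gateway.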
I’ve seen organisations skip this step and treat their VPN tunnel as inherently trusted. Then a compromised on-prem machine moves laterally into Azure because there were no controls on that path. The tunnel gave them the road; the missing firewall meant no one was checking IDs.
Which One Do You Need?
If you’re connecting Azure to your office, data centre, or remote users, you need a VPN Gateway (or ExpressRoute Gateway).
If you’re controlling what can talk to what inside Azure, or what can reach the internet, you need Azure Firewall (or at minimum, well-configured NSGs for simpler environments).
If you’re building anything beyond a small dev/test setup, you almost certainly need both.
The gateway gets you connected. The firewall keeps that connection from becoming a liability.
I help organisations secure their cloud infrastructure and stay ahead of evolving cyber threats. Microsoft MVP and Certified Trainer, author of Mastering Azure Security, and founder of arnav.au — a platform for practical Cloud, Cybersecurity, DevOps and AI content.
Frequently Asked Questions
What is the difference between Azure VPN Gateway and Azure Firewall?
Azure VPN Gateway creates encrypted tunnels to connect your Azure network to on-premises data centers, branch offices, or other networks, focusing on connectivity at Layer 3/4. Azure Firewall inspects and filters traffic within or entering your Azure environment, controlling what's allowed to communicate based on rules you define. In short, VPN Gateway is about connectivity, while Azure Firewall is about control.
Can I use Azure VPN Gateway without Azure Firewall?
Yes, you can use VPN Gateway alone for basic connectivity scenarios, but it doesn't provide traffic filtering or control. However, for any production environment beyond small dev/test setups, Microsoft recommends pairing VPN Gateway with Azure Firewall or at minimum Network Security Groups (NSGs) to ensure that even trusted VPN traffic is properly inspected and filtered.
What connection types does Azure VPN Gateway support?
Azure VPN Gateway supports Site-to-Site VPN, which connects your on-premises network to Azure over an encrypted IPsec/IKE tunnel across the public internet, and Point-to-Site VPN, which allows individual devices like a remote developer's laptop to dial into Azure directly. Additionally, ExpressRoute Gateway is a related gateway type that connects Azure to on-premises via a dedicated private circuit instead of the public internet.
How do VPN Gateway and Azure Firewall work together in a hub-and-spoke network?
In a hub-and-spoke setup, VPN Gateway sits in the GatewaySubnet and handles traffic from your on-premises network, while Azure Firewall sits in its own subnet and inspects all traffic before it flows to spoke VNets or the internet. User Defined Routes (UDRs) act as the glue, directing traffic through the Firewall first, ensuring that even legitimate VPN traffic from on-premises is filtered by your firewall rules before reaching Azure resources.
What does Azure Firewall Premium add over the Standard tier?
Azure Firewall Premium includes TLS inspection to decrypt and inspect encrypted traffic and IDPS (Intrusion Detection and Prevention System) signatures for threat detection. It also integrates with Microsoft Threat Intelligence to automatically block known-malicious IPs and domains, providing enhanced security beyond the network and application-layer filtering available in the Standard tier.