Azure Instance: Why are NSGs enforced?
Some time ago, I needed cloud-hosted pfSense instances that terminate IPsec VPN and tried the Netgate image on Azure.
However, this image forces you to create a VM with an "Advanced" setting for the network security group (whereas "None" and "Basic" would be available).
If you follow this process and try to expose the IPsec VPN on your pfSense, you will notice that this is not possible, because the NSG allows TCP, UDP or "*" (TCP, UDP and ICMP) to pass through, but no ESP. I took this as an Azure limitation and moved to AWS with the project.
Now I was involved in planning an Azure infrastructure with a different firewall appliance (Fortigate). I claimed we couldn't do that because we couldn't put the required IPsec VPN on the firewall. It turned out that our consultants have been running this setup with IPsec VPN for years, and the reason apparently is that the Fortigate image does not have an NSG in front of it.
Why is Netgate enforcing this setting? It is a real dealbreaker for many use cases.