This image shows a comparison of firewalls implemented using security lists and network security groups (NSGs):

• The resources in subnets X and Y use firewalls implemented using security lists. The rules you define in a security list are effective for all the VNICs in the subnet to which you attach the security list.
• The resources in subnets A and B use NSG-based firewalls; that is, the security rules in each NSG are applied to only the VNICs that you specify, regardless of the subnet architecture. NSGs give you more granular control when designing firewalls. In the example, the two instances within subnet A are subject to separate firewalls: NSG-A and NSG-B. And an instance in subnet B shares a firewall (NSG-A) that's also used for an instance in subnet A.