...
Control our outbound access to the internet just like a network security group (IP addressing protocol, port). We can call network rules within Azure Firewall service : Network Rules or Application Rules.
Control our inbound access (allow RDP access into VM → use public IP address of Azure Firewall itself – we create DNAT rules to allow that inbound access and to map the traffic onto VM for example) : DNAT Rules.
...
We might need to deploy multiple networks all across the globe. So, we can use Azure Firewall Manager which can configure Policies (for example, we can have some rules that apply to a region).