Azure — Application Security group

Prashanth Kumar
6 min read, Oct 26, 2020

Application security groups enable you to configure network security as a natural extension of an application’s structure, allowing you to group virtual machines and define network security policies based on those groups. You can reuse your security policy at scale without manual maintenance of explicit IP addresses. The platform handles the complexity of explicit IP addresses and multiple rule sets, allowing you to focus on your business logic.

Application Security Groups help manage the security of virtual machines by grouping them according to the applications that run on them. The feature allows an application-centric use of Network Security Groups.

This approach lets you group virtual machines logically, irrespective of their IP address or subnet assignment within a virtual network.

Whenever you deploy a network security group (NSG), it is assigned either to a NIC or to a subnet. If you assign that NSG to a subnet, its rules apply to all of the NICs, and therefore all of the virtual machines, in that subnet.

ASGs are used within an NSG to apply a network security rule to a specific workload or group of VMs: the ASG acts as the “network object” in the rule, and the platform adds the explicit IP addresses of its members to that object for you. This lets you group VMs into associated groups or workloads, simplifying the NSG rule definition process. It also helps with scalability: when you create a new virtual machine and assign it to its ASG, every NSG rule already in place for that ASG applies to it immediately.

Benefits:

  • It reduces the need to create or update an NSG every time you add a server to an existing application set.
  • It allows point-to-point communication with fewer NSG rules.

As part of this demo I will show a few different ways to use Application Security Groups:

  1. Using a single virtual network with multiple subnets
  2. Using multiple virtual networks with a single subnet

Scenario 1: using a single virtual network with 2 subnets and 2 Application Security Groups to route traffic between 2 Azure VMs.

As a prerequisite we need to:

a. Create 1 virtual network with the address space 10.0.0.0/16
b. Create 2 subnets:

  • Subnet1: 10.0.0.0/24
  • Subnet2: 10.0.2.0/24

c. Create 2 new ASGs

d. Now let's create 2 Azure virtual machines

4a. Associate the first Azure VM with virtual network 1 and Subnet1.

4b. Now let's create our second VM, attached to Subnet2, but with no public IP address.

Now let's start associating ASG rules with the virtual network to test traffic.

  1. Go to the Azure Portal → open the first VM's properties page → click Networking → click “Application security groups”

  2. A new page opens; select the appropriate ASG to attach to the first VM → click Save

  3. Now, as part of testing, we want to route the RDP port to VM2: click Inbound port rules → select Destination as prademoasg1 → click Add.

Now let's configure traffic rules for VM2.

Here you can see we don't have any RDP rule yet under Inbound port rules.

Now click Inbound port rules again → create a new rule → fill in the rule options → Add

Let's add an Application Security Group to route traffic from VM1 to VM2.

For this, click Application security groups → click “Configure the application security groups” → select prademoasg2 → Save

Now let's do the final RDP validation → try connecting to Azure VM1

Once connected to Azure VM1 → validate the host name

Now let's open a new RDP session to Azure VM2, which doesn't have a public IP at this moment; it has only a private IP address.

Azure VM1 shows a public and a private IP address

Azure VM2 is the one we connected to via its private IP address

Scenario 2: using multiple virtual networks with a single subnet.

  1. Let's create a new virtual network with the name prademovnet2

  2. Create a new Application Security Group

  3. Let's create our 3rd Azure VM and associate the newly created virtual network (prademovnet2) with it, with no public IP address

  4. As we are using 2 virtual networks, we need to peer them first. Go to the Azure Portal → Virtual networks → click the first virtual network → under Settings → click Peerings → click +

  5. Now, to test the actual routing → go to Azure VM1 → Networking → click Add inbound port rule and use these settings:

Source: Application security group
Source application security group: prademoasg1
Source port ranges: *
Destination: Application security group
Destination application security group: prademoasg3
Destination port ranges: 3389
Protocol: Any
Action: Allow
Priority: 330
Name: vm1tovm3

  6. Now let's go to Azure VM3 → Networking → add the Application Security Group, so that this VM can start accepting RDP traffic.

Now let's add the new Application Security Group

Finally, let's test the RDP connection from Azure VM1 to Azure VM3.
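The same ASG-to-ASG rule and NIC membership as in step 5 and step 6 above (and the scenario 1 equivalent with prademoasg2), written with the Az PowerShell module instead of the portal. This is an added example and not part of the original post; the resource group, location, NSG name, NIC name and the extra deny rule are assumptions, while the rule values come from the walkthrough.

```powershell
# Added example (not from the original post): scenario 2's inbound rule 'vm1tovm3'
# and the VM3 ASG membership, built with the Az PowerShell module instead of the portal.
# Assumed: resource group, location, NSG name 'prademo-nsg', NIC name 'vm3-nic',
# and the extra deny rule; the rule values are the ones from the walkthrough.
$rg  = 'prademo-rg'
$loc = 'eastus'

$asg1 = New-AzApplicationSecurityGroup -ResourceGroupName $rg -Name 'prademoasg1' -Location $loc
$asg3 = New-AzApplicationSecurityGroup -ResourceGroupName $rg -Name 'prademoasg3' -Location $loc

# No IP addresses appear in the rule: both ends are ASG objects, so adding a VM to either
# group later needs no rule change, which is the scalability point made above.
$allowRdp = New-AzNetworkSecurityRuleConfig -Name 'vm1tovm3' -Priority 330 `
    -Direction Inbound -Access Allow -Protocol '*' `
    -SourceApplicationSecurityGroup $asg1 -SourcePortRange '*' `
    -DestinationApplicationSecurityGroup $asg3 -DestinationPortRange 3389

# Assumed addition: the built-in AllowVnetInBound rule (priority 65000) would still admit
# RDP to VM3 from any address in the VNet or a peered VNet, so deny RDP from the
# VirtualNetwork tag after the allow rule; only prademoasg1 members then reach 3389.
$denyRdp = New-AzNetworkSecurityRuleConfig -Name 'deny-rdp-from-vnet' -Priority 4000 `
    -Direction Inbound -Access Deny -Protocol Tcp `
    -SourceAddressPrefix VirtualNetwork -SourcePortRange '*' `
    -DestinationApplicationSecurityGroup $asg3 -DestinationPortRange 3389

$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Name 'prademo-nsg' -Location $loc `
    -SecurityRules $allowRdp, $denyRdp

# Step 6 of the walkthrough: ASG membership is a property of the NIC's IP configuration,
# not of the VM or the subnet. A destination-ASG rule is only enforced where the NSG
# applies, so attach the NSG to VM3's NIC and put that NIC into prademoasg3.
$nic = Get-AzNetworkInterface -ResourceGroupName $rg -Name 'vm3-nic'
$nic.NetworkSecurityGroup = $nsg
$nic.IpConfigurations[0].ApplicationSecurityGroups = @($asg3)
$nic | Set-AzNetworkInterface | Out-Null

# Check what actually applies to VM3 (the VM must be running): 'vm1tovm3' should sort
# above 'deny-rdp-from-vnet', which in turn sits above the default AllowVnetInBound.
Get-AzEffectiveNetworkSecurityGroup -ResourceGroupName $rg -NetworkInterfaceName 'vm3-nic' |
    Select-Object -ExpandProperty EffectiveSecurityRules |
    Sort-Object Priority |
    Format-Table Name, Priority, Direction, Access, Protocol, DestinationPortRange
```

The effective-rules listing is the check worth keeping: it shows the order in which Azure evaluates the ASG allow, the deny and the platform defaults for that NIC, which the portal's rule list alone does not.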
