Application Security Groups (ASGs) Overview
Application Security Groups (ASGs) are a logical grouping of network interfaces that you can use to configure network security. An ASG simplifies management of network security policies for applications. You can apply ASGs directly to network interfaces, and then use ASGs in Network Security Group (NSG) rules.
What are Application Security Groups?
Application Security Groups (ASGs) let you write security rules in terms of the role a workload plays (web tier, application tier, database tier) rather than the IP addresses it happens to have. This is more granular and easier to manage than relying solely on IP addresses: instead of maintaining NSG rules that target specific addresses or address ranges, you create an ASG for each application tier or component, place the relevant network interfaces in it, and reference the ASG by name as the source or destination of NSG rules.
Key benefits of using ASGs include:
- Simplified management: Group similar network interfaces together, reducing the number of NSG rules.
- Granular control: Define security rules per application tier or component rather than per subnet or address range.
- Dynamic updates: When a VM is added to or removed from a tier, you add or remove its NIC from the ASG and every rule that references the ASG applies or stops applying immediately, without editing the rules themselves.
- Scalability: Scales effectively for large and complex environments.
How ASGs Work
ASGs function by grouping network interfaces (NICs) that should be subject to the same set of security rules. These groups are then referenced as the source or destination of rules within Network Security Groups (NSGs); when a rule names an ASG, it matches the private IP addresses of the NICs that are members of that ASG. Note that an ASG reference alone does not apply an NSG to anything: rules are enforced only by NSGs that are associated with the NIC or with its subnet, so a NIC that is a member of an ASG is protected only if such an NSG is in place.
The process involves the following steps:
- Create an ASG: Define an ASG in Azure, giving it a descriptive name (e.g., webservers-asg, databases-asg).
- Associate NICs with ASGs: Assign the network interfaces (more precisely, their IP configurations) of your virtual machines to the relevant ASGs. For example, all NICs for your web servers would be associated with the webservers-asg. All NICs in a given ASG must be in the same virtual network.
- Create NSG Rules: Within an NSG that is associated with the relevant subnets or NICs, create inbound or outbound security rules. Instead of specifying source or destination IP addresses, you specify the source or destination ASG. If a rule uses an ASG as both source and destination, the NICs in both ASGs must be in the same virtual network.
For instance, you could create a rule allowing traffic from the webservers-asg to the databases-asg on port 1433 (SQL Server).
Example Scenario
Consider a typical three-tier application:
- Web Tier: Virtual machines running a web server.
- Application Tier: Virtual machines running application logic.
- Database Tier: Virtual machines running a database server.
Using ASGs, you can implement the following:
# Create ASGs (all NICs placed in one ASG must be in the same virtual network)
az network asg create --resource-group MyResourceGroup --name webservers-asg
az network asg create --resource-group MyResourceGroup --name appservers-asg
az network asg create --resource-group MyResourceGroup --name databases-asg
# Associate NICs with ASGs (example for web servers; membership is set on the NIC's IP configuration)
az network nic ip-config update --resource-group MyResourceGroup --nic-name MyWebNic --name ipconfig1 --set applicationSecurityGroups='[{"id": "/subscriptions/YOUR_SUBSCRIPTION_ID/resourceGroups/MyResourceGroup/providers/Microsoft.Network/applicationSecurityGroups/webservers-asg"}]'
# Attach the NSG to the subnet(s) holding the tiers; rules that reference an ASG are enforced only by an NSG associated with the NIC or its subnet (MyVnet/MySubnet are placeholders)
az network vnet subnet update --resource-group MyResourceGroup --vnet-name MyVnet --name MySubnet --network-security-group MyNsg
# Create NSG rules; ASGs are referenced with --source-asgs / --destination-asgs (names or resource IDs)
# Allow HTTP/HTTPS from anywhere to web servers
az network nsg rule create --resource-group MyResourceGroup --nsg-name MyNsg --name Allow-HTTP-HTTPS --protocol Tcp --priority 100 --source-address-prefixes '*' --destination-port-ranges 80 443 --destination-asgs webservers-asg --direction Inbound --access Allow
# Allow traffic from web servers to app servers on port 8080
az network nsg rule create --resource-group MyResourceGroup --nsg-name MyNsg --name Allow-Web-To-App --protocol Tcp --priority 110 --destination-port-ranges 8080 --source-asgs webservers-asg --destination-asgs appservers-asg --direction Inbound --access Allow
# Allow traffic from app servers to database servers on port 1433
az network nsg rule create --resource-group MyResourceGroup --nsg-name MyNsg --name Allow-App-To-DB --protocol Tcp --priority 120 --destination-port-ranges 1433 --source-asgs appservers-asg --destination-asgs databases-asg --direction Inbound --access Allow
# The default AllowVnetInBound rule (priority 65000) still permits any other traffic inside the virtual network, so deny everything else to the app and database tiers at a priority below the defaults but above the allows
az network nsg rule create --resource-group MyResourceGroup --nsg-name MyNsg --name Deny-VNet-To-App --protocol '*' --priority 4000 --source-address-prefixes VirtualNetwork --destination-port-ranges '*' --destination-asgs appservers-asg --direction Inbound --access Deny
az network nsg rule create --resource-group MyResourceGroup --nsg-name MyNsg --name Deny-VNet-To-DB --protocol '*' --priority 4010 --source-address-prefixes VirtualNetwork --destination-port-ranges '*' --destination-asgs databases-asg --direction Inbound --access Deny
Allow rules on their own do not restrict anything: NSG rules are evaluated in priority order (lowest number first) and the default AllowVnetInBound rule at priority 65000 permits all traffic between addresses in the virtual network, so a web server could still open port 1433 to a database server directly. What enforces the tiering is explicit Deny rules targeting appservers-asg and databases-asg with priority numbers below 65000 and above the Allow rules. With those in place, only web servers can reach application servers (on 8080) and only application servers can reach database servers (on 1433), which is the posture the scenario is after. Because NSGs are stateful, return traffic for these connections does not need matching outbound rules.
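To make the evaluation order concrete, the following is an added example written for this article (it is not Azure or Azure CLI code): a small model of how an inbound NSG decides a flow when rules reference ASGs. A NIC carries a private address and the set of ASGs it belongs to; a rule has a priority, protocol, destination ports and a source/destination that is either a prefix, a service tag or an ASG name; Azure's three default inbound rules are appended and the lowest-priority match wins. The NIC names, addresses, ASG names and rule set are constructed to mirror the three-tier scenario, and the model deliberately ignores outbound rules, flow state and service tags other than VirtualNetwork, Internet and AzureLoadBalancer. Running it shows that with only the three Allow rules a web server still reaches the database on 1433 through AllowVnetInBound, and that an explicit Deny for databases-asg is what changes the verdict.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed address space and Azure's well-known load balancer probe address.
VNET = ip_network("10.0.0.0/16")
AZURE_LB = ip_address("168.63.129.16")


@dataclass(frozen=True)
class Nic:
    name: str
    ip: str
    asgs: frozenset = frozenset()   # ASGs this NIC's IP configuration belongs to


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int                   # lower number wins
    access: str                     # "Allow" or "Deny"
    protocol: str = "*"             # "Tcp", "Udp" or "*"
    dst_ports: tuple = ("*",)       # e.g. ("80", "443") or ("1024-65535",)
    src: str = "*"                  # CIDR, service tag, or ASG name
    dst: str = "*"


# Azure's default inbound rules, evaluated after every custom rule.
DEFAULT_INBOUND = (
    Rule("AllowVnetInBound", 65000, "Allow", src="VirtualNetwork", dst="VirtualNetwork"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", src="AzureLoadBalancer"),
    Rule("DenyAllInBound", 65500, "Deny"),
)


def _endpoint_matches(spec, nic, known_asgs):
    """Does a rule's source/destination spec cover this NIC?"""
    addr = ip_address(nic.ip)
    if spec == "*":
        return True
    if spec == "VirtualNetwork":
        return addr in VNET
    if spec == "Internet":
        return addr not in VNET and addr != AZURE_LB
    if spec == "AzureLoadBalancer":
        return addr == AZURE_LB
    if spec in known_asgs:
        return spec in nic.asgs     # an ASG resolves to the NICs that are its members
    return addr in ip_network(spec, strict=False)


def _port_matches(ranges, port):
    for r in ranges:
        if r == "*":
            return True
        lo, _, hi = r.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def decide(rules, src, dst, protocol, port, known_asgs):
    """Return (name, access) of the lowest-priority inbound rule matching the flow."""
    for rule in sorted(tuple(rules) + DEFAULT_INBOUND, key=lambda r: r.priority):
        if rule.protocol not in ("*", protocol):
            continue
        if not _port_matches(rule.dst_ports, port):
            continue
        if _endpoint_matches(rule.src, src, known_asgs) and _endpoint_matches(rule.dst, dst, known_asgs):
            return rule.name, rule.access
    raise RuntimeError("unreachable: DenyAllInBound matches everything")


# Constructed NICs for the three-tier scenario plus an Internet client.
ASGS = {"webservers-asg", "appservers-asg", "databases-asg"}
WEB = Nic("MyWebNic", "10.0.1.4", frozenset({"webservers-asg"}))
APP = Nic("MyAppNic", "10.0.2.4", frozenset({"appservers-asg"}))
DB = Nic("MyDbNic", "10.0.3.4", frozenset({"databases-asg"}))
CLIENT = Nic("internet-client", "203.0.113.7")

# The three Allow rules from the scenario above.
SCENARIO_RULES = (
    Rule("Allow-HTTP-HTTPS", 100, "Allow", "Tcp", ("80", "443"), dst="webservers-asg"),
    Rule("Allow-Web-To-App", 110, "Allow", "Tcp", ("8080",), src="webservers-asg", dst="appservers-asg"),
    Rule("Allow-App-To-DB", 120, "Allow", "Tcp", ("1433",), src="appservers-asg", dst="databases-asg"),
)

# Explicit denies that fence the app and database tiers off from the rest of the VNet.
TIER_DENIES = (
    Rule("Deny-VNet-To-App", 4000, "Deny", src="VirtualNetwork", dst="appservers-asg"),
    Rule("Deny-VNet-To-DB", 4010, "Deny", src="VirtualNetwork", dst="databases-asg"),
)


def web_to_db(with_denies):
    """Can a web server open TCP/1433 to the database tier?"""
    rules = SCENARIO_RULES + (TIER_DENIES if with_denies else ())
    return decide(rules, WEB, DB, "Tcp", 1433, ASGS)


if __name__ == "__main__":
    print("internet -> web:443       ", decide(SCENARIO_RULES, CLIENT, WEB, "Tcp", 443, ASGS))
    print("web -> app:8080           ", decide(SCENARIO_RULES, WEB, APP, "Tcp", 8080, ASGS))
    print("web -> db:1433 (no denies)", web_to_db(False))   # AllowVnetInBound lets it through
    print("web -> db:1433 (denies)   ", web_to_db(True))
```

The point of the model is the ordering: an ASG only changes which NICs a rule matches, it never changes the fact that the first matching rule by priority decides the flow, so a tier is isolated only when a Deny rule that names its ASG sits between your Allow rules and the 65000-series defaults.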
Key Considerations
- ASGs are associated with NICs (their IP configurations), not subnets.
- A NIC can be associated with multiple ASGs.
- All NICs in an ASG must be in the same virtual network, and a rule that uses ASGs as both source and destination requires both ASGs to be in the same virtual network.
- NSGs are applied at the subnet or NIC level. When applied to a subnet, NSG rules affect all NICs in that subnet, whether or not they belong to any ASG.
- ASGs provide a logical grouping for security rules; the actual enforcement happens at the NSG level, and only through NSGs associated with the NIC or its subnet. Referencing an ASG in a rule does not by itself apply that NSG to the ASG's members.
- The default rules (AllowVnetInBound, AllowAzureLoadBalancerInBound, DenyAllInBound) still apply; to isolate a tier you need explicit Deny rules with a priority number below 65000.