Application Security Groups
Application Security Groups (ASGs) enable you to configure network security as a natural extension of an application's structure. ASGs allow you to group virtual machines and provide security group rules to protect those virtual machines. You can associate ASGs with network interfaces (NICs) to group workloads based on their application role.
What are Application Security Groups?
Traditionally, network security rules are based on IP addresses. However, as applications become more complex, managing security rules based on individual IP addresses can become difficult and error-prone. ASGs simplify this by allowing you to:
- Group virtual machines (VMs) and their associated network interfaces (NICs) by application or role.
- Define security rules based on these groups, rather than individual IP addresses.
- Apply the same security policy to multiple VMs with similar roles.
- Easily manage network traffic flow between different tiers of an application (e.g., web tier, application tier, database tier).
Key Concepts
Here are some key concepts related to ASGs:
- Application Security Group: A logical grouping of network interfaces (and therefore virtual machines) by application role. NSG rules can reference an ASG as a source or destination instead of listing IP addresses.
- Security Rules: Define traffic filtering policies. They specify source and destination, protocol, and direction.
- Network Security Group (NSG): A collection of security rules that apply to network interfaces (NICs) or subnets. The source and destination of an NSG rule can be either an ASG or an IP address/range.
- Association: ASGs are associated with NICs. When an ASG is associated with a NIC, the VM attached to that NIC is considered a member of the ASG for security rule evaluation.
Creating and Using ASGs
You can create and manage ASGs using the Azure portal, Azure CLI, Azure PowerShell, or ARM templates.
Using the Azure Portal
- Navigate to the Azure portal.
- Search for "Application Security Groups".
- Click "Create" to create a new ASG.
- Provide a name, subscription, resource group, and region.
- Once created, you can associate NICs with this ASG.
- You can then create NSGs and define security rules that reference your ASGs as sources or destinations.
Example Azure CLI Command
To create an ASG:
az network asg create --resource-group MyResourceGroup --name MyApplicationSecurityGroup --location westus
To associate a NIC with an ASG:
az network nic ip-config update \
  --resource-group MyResourceGroup \
  --nic-name MyNic \
  --name ipconfig1 \
  --application-security-groups MyApplicationSecurityGroup
Defining Security Rules with ASGs
When creating a security rule in an NSG, you can specify an ASG as the source or destination instead of an IP address or range. For instance, to allow HTTP traffic from your web servers (in an ASG named "WebServers") to your application servers (in an ASG named "AppServers"):
az network nsg rule create \
  --resource-group MyResourceGroup \
  --nsg-name MyNsg \
  --name AllowHttpFromWebToApp \
  --priority 300 \
  --direction Inbound \
  --access Allow \
  --protocol Tcp \
  --source-asgs WebServers \
  --destination-asgs AppServers \
  --destination-port-ranges 80
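The following is an added, constructed model of how NSG rules that reference ASGs are evaluated; it is not Azure's rule engine and not part of the original page. It assumes that membership flows from the NIC association described above, that rules are evaluated per direction in ascending priority with the first match winning, that every NIC sits in one virtual network (so the "VirtualNetwork" tag matches any NIC), and that address prefixes are matched by exact IP rather than CIDR. The rule names and NICs other than AllowHttpFromWebToApp (DenyVnetToApp, DenyWebToDb, web1-nic and so on) are hypothetical. It shows the two things a practitioner should verify after writing ASG rules: that associating a new NIC changes the outcome without editing any rule, and that an Allow rule alone does not isolate a tier, because the default AllowVnetInBound rule still permits traffic inside the virtual network.

```python
"""Constructed model of NSG rule evaluation with ASG membership (illustration only)."""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

ANY = frozenset({"*"})


@dataclass(frozen=True)
class Nic:
    name: str
    ip: str
    asgs: FrozenSet[str] = frozenset()   # ASG names associated with this NIC


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int
    direction: str                          # "Inbound" or "Outbound"
    access: str                             # "Allow" or "Deny"
    protocol: str = "*"                     # "Tcp", "Udp" or "*"
    dest_ports: FrozenSet = ANY             # ints, or {"*"}
    source_asgs: FrozenSet[str] = frozenset()
    dest_asgs: FrozenSet[str] = frozenset()
    source_prefixes: FrozenSet[str] = ANY   # IPs, "*" or "VirtualNetwork" (assumption: exact IP match)
    dest_prefixes: FrozenSet[str] = ANY


def endpoint_matches(nic: Nic, asgs: FrozenSet[str], prefixes: FrozenSet[str]) -> bool:
    """A rule endpoint matches when the NIC is in a referenced ASG; if the rule
    references no ASG, fall back to the address prefixes / tags."""
    if asgs:
        return bool(nic.asgs & asgs)
    if "*" in prefixes or "VirtualNetwork" in prefixes:
        return True
    return nic.ip in prefixes


def evaluate(rules, src: Nic, dst: Nic, protocol: str, port: int,
             direction: str = "Inbound") -> Tuple[str, Optional[str]]:
    """Return (access, rule_name) of the first matching rule in priority order.
    A flow that matches nothing is denied (real NSGs enforce this with DenyAllInBound)."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.direction != direction:
            continue
        if rule.protocol != "*" and rule.protocol != protocol:
            continue
        if "*" not in rule.dest_ports and port not in rule.dest_ports:
            continue
        if not endpoint_matches(src, rule.source_asgs, rule.source_prefixes):
            continue
        if not endpoint_matches(dst, rule.dest_asgs, rule.dest_prefixes):
            continue
        return rule.access, rule.name
    return "Deny", None


# Azure's default inbound rules (65000 and 65500 are the real priorities; the
# 65001 AzureLoadBalancer rule is omitted because it does not matter here).
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow",
         source_prefixes=frozenset({"VirtualNetwork"}),
         dest_prefixes=frozenset({"VirtualNetwork"})),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny"),
]

# The page's rule: web tier may reach app tier on TCP/80.
ALLOW_WEB_TO_APP = Rule("AllowHttpFromWebToApp", 300, "Inbound", "Allow", "Tcp",
                        frozenset({80}), source_asgs=frozenset({"WebServers"}),
                        dest_asgs=frozenset({"AppServers"}))
# Hypothetical tier-isolation deny: nothing else in the VNet may reach the app tier.
DENY_VNET_TO_APP = Rule("DenyVnetToApp", 4000, "Inbound", "Deny",
                        source_prefixes=frozenset({"VirtualNetwork"}),
                        dest_asgs=frozenset({"AppServers"}))
# Hypothetical explicit deny from web tier to database tier.
DENY_WEB_TO_DB = Rule("DenyWebToDb", 400, "Inbound", "Deny",
                      source_asgs=frozenset({"WebServers"}),
                      dest_asgs=frozenset({"DbServers"}))

# Constructed NICs. No IP appears in any rule: ASG membership does the work.
WEB1 = Nic("web1-nic", "10.0.1.4", frozenset({"WebServers"}))
APP1 = Nic("app1-nic", "10.0.2.4", frozenset({"AppServers"}))
DB1 = Nic("db1-nic", "10.0.3.4", frozenset({"DbServers"}))
NEW_WEB = Nic("web2-nic", "10.0.1.5")   # just deployed, not yet associated


def demo():
    """Outcomes a practitioner should check after writing ASG-based rules."""
    rules = [ALLOW_WEB_TO_APP, DENY_VNET_TO_APP] + DEFAULT_RULES
    associated = Nic(NEW_WEB.name, NEW_WEB.ip, frozenset({"WebServers"}))
    return {
        "web->app:80": evaluate(rules, WEB1, APP1, "Tcp", 80),
        "web->app:443": evaluate(rules, WEB1, APP1, "Tcp", 443),
        "unassoc->app:80": evaluate(rules, NEW_WEB, APP1, "Tcp", 80),
        # Same rules, same IP: only the ASG association changed.
        "assoc->app:80": evaluate(rules, associated, APP1, "Tcp", 80),
        # Caveat: without an explicit deny, AllowVnetInBound lets web reach db.
        "web->db:1433 (no deny)": evaluate(rules, WEB1, DB1, "Tcp", 1433),
        "web->db:1433 (with deny)": evaluate(rules + [DENY_WEB_TO_DB], WEB1, DB1, "Tcp", 1433),
    }


if __name__ == "__main__":
    for flow, (access, rule) in demo().items():
        print(f"{flow:26} {access:5} via {rule}")
```

Running the block prints one line per flow. The two database-tier lines are the ones worth internalising: grouping by ASG removes IP addresses from the rules, but the default VNet allow still applies to every tier that has no explicit deny, so tier isolation needs a Deny rule (at a lower priority number than 65000) as well as the Allow rules.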
Benefits of Using ASGs
- Simplified Management: Reduces complexity by abstracting IP addresses.
- Improved Agility: Easily reconfigure network security as your application scales or changes.
- Enhanced Security: Enforces granular security policies based on application roles.
- Consistency: Ensures consistent security policies across multiple instances of an application tier.
Application Security Groups are a powerful tool for building secure and manageable cloud-native applications on Azure.