Network Security Groups (NSGs) and Application Security Groups (ASGs) in Azure
Network Security Groups (NSGs) and Application Security Groups (ASGs) are fundamental components of Azure's network security capabilities. They allow you to define granular access control policies for your Azure resources, helping to segment your network and protect your applications.
What are Network Security Groups (NSGs)?
A Network Security Group (NSG) is a collection of security rules that can be associated with one or more subnets or virtual machine network interfaces (NICs). NSGs act as a basic stateful packet filter at layers 3 and 4 (addresses, protocols and ports), allowing or denying network traffic to and from Azure resources; they do not inspect application-layer content.
Key Features of NSGs:
- Security Rules: NSGs contain security rules that define inbound and outbound traffic filtering.
- Prioritization: Rules are evaluated in ascending priority number (a lower number means a higher priority); the first rule whose source, destination, protocol and port all match decides, and no later rule is considered.
- Stateful Filtering: NSGs are stateful. Return traffic for a flow that a rule allowed is permitted automatically, so an inbound rule allowing TCP 443 needs no matching outbound rule for the responses (and vice versa). Statefulness does not make rules symmetric: allowing inbound 443 does not allow the VM to initiate outbound connections on 443.
- Association: NSGs can be associated with subnets or NICs. If both the subnet and the NIC have an NSG, traffic must be allowed by both: inbound traffic is evaluated by the subnet NSG first and then by the NIC NSG; outbound traffic by the NIC NSG first and then by the subnet NSG. A Deny at either level wins.
NSG Rules Components:
- Priority: A number from 100 to 4096 for custom rules; the built-in default rules use 65000 and above, so any custom rule takes precedence over them.
- Source/Destination: IP addresses, CIDR blocks, service tags, or application security groups.
- Port Ranges: Specific ports or ranges (e.g., 80, 443, 1000-2000).
- Protocol: TCP, UDP, ICMP, or Any.
- Action: Allow or Deny.
- Name: A descriptive name for the rule.
Example NSG Rule (Allow HTTP inbound, in ARM template form):
    {
      "name": "AllowHttpInbound",
      "properties": {
        "priority": 300,
        "protocol": "Tcp",
        "access": "Allow",
        "direction": "Inbound",
        "sourceAddressPrefix": "*",
        "sourcePortRange": "*",
        "destinationAddressPrefix": "*",
        "destinationPortRange": "80",
        "description": "Allow inbound HTTP traffic on TCP port 80"
      }
    }
HTTP runs over TCP, so the protocol is "Tcp" rather than "*" (Any), which would also admit UDP on port 80. The "*" prefixes mean any source and any destination; for a public web tier, the Internet service tag as the source and a web-tier ASG as the destination is the tighter choice.
What are Application Security Groups (ASGs)?
Application Security Groups (ASGs) let you group the network interfaces of virtual machines by application role; an ASG is assigned to a NIC, and a NIC can belong to several ASGs. You then use the ASGs as the source or destination in NSG rules instead of listing IP addresses, which simplifies the management of complex security policies.
Benefits of Using ASGs:
- Simplified Management: Instead of managing IP addresses, you manage groups of VMs.
- Reduced Complexity: NSG rules become easier to read and maintain.
- Dynamic Updates: When a NIC is added to or removed from an ASG, every NSG rule that references the ASG applies to the new membership immediately; the rules themselves never change.
- Consistent Policies: Apply the same security rules to VMs with similar roles.
Scenario: Imagine you have web servers and database servers. You can create an ASG for 'WebServers' and another for 'DatabaseServers'. Then, you can create an NSG rule to allow traffic from 'WebServers' to 'DatabaseServers' on TCP port 1433 (for SQL Server), instead of specifying individual IP addresses. Two constraints apply: all NICs in an ASG must belong to the same virtual network, and when a rule names ASGs as both source and destination, both ASGs must be in that same virtual network.
How ASGs and NSGs Work Together:
You create ASGs and assign NICs to them. In your NSG rules you then use the ASGs as the source or destination in place of address prefixes. This lets you define rules such as:
- Allow traffic from the FrontendApp ASG to the BackendApp ASG on port 8080.
- Deny all inbound traffic from the Internet service tag to the Database ASG.
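The following Python is an added example, not Azure's code: a small model of the evaluation rules described in this section (ascending priority, first match wins, the built-in default rules, service tags, ASG membership, and subnet-NSG-then-NIC-NSG evaluation for inbound traffic), applied to the WebServers/DatabaseServers scenario above. The VNet range, ASG memberships, rule sets and the treatment of the Internet tag as "anything outside the VNet" are constructed assumptions; real service tags also cover peered networks, and the model is inbound-only with no return-flow tracking.

```python
"""Model of Azure NSG inbound evaluation (added example, not Azure code)."""
import ipaddress

VNET = ipaddress.ip_network("10.0.0.0/16")                 # constructed VNet range
AZURE_LB_PROBE_IP = ipaddress.ip_address("168.63.129.16")  # AzureLoadBalancer tag
ASG_MEMBERS = {                                            # constructed NIC -> ASG membership
    "WebServers": {"10.0.1.4", "10.0.1.5"},
    "DatabaseServers": {"10.0.2.4"},
}

# Azure's built-in inbound default rules: priorities 65000-65500, cannot be deleted,
# only overridden by a custom rule with a lower priority number.
DEFAULT_INBOUND = [
    {"name": "AllowVnetInBound", "priority": 65000, "access": "Allow", "protocol": "*",
     "source": "VirtualNetwork", "destination": "VirtualNetwork", "port": "*"},
    {"name": "AllowAzureLoadBalancerInBound", "priority": 65001, "access": "Allow",
     "protocol": "*", "source": "AzureLoadBalancer", "destination": "*", "port": "*"},
    {"name": "DenyAllInBound", "priority": 65500, "access": "Deny", "protocol": "*",
     "source": "*", "destination": "*", "port": "*"},
]


def prefix_matches(prefix, ip):
    """Match an IP against '*', a service tag, an ASG name, or a CIDR/single IP."""
    addr = ipaddress.ip_address(ip)
    if prefix == "*":
        return True
    if prefix in ASG_MEMBERS:            # ASG: resolved by NIC membership, not by address
        return ip in ASG_MEMBERS[prefix]
    if prefix == "VirtualNetwork":
        return addr in VNET
    if prefix == "Internet":             # assumption: everything outside our VNet
        return addr not in VNET
    if prefix == "AzureLoadBalancer":
        return addr == AZURE_LB_PROBE_IP
    return addr in ipaddress.ip_network(prefix, strict=False)


def port_matches(spec, port):
    """Port spec is '*', a single port ('1433') or a range ('1000-2000')."""
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def evaluate_nsg(rules, pkt):
    """Lowest priority number first; the first full match decides."""
    for rule in sorted(rules + DEFAULT_INBOUND, key=lambda r: r["priority"]):
        if (rule["protocol"] in ("*", pkt["protocol"])
                and prefix_matches(rule["source"], pkt["src"])
                and prefix_matches(rule["destination"], pkt["dst"])
                and port_matches(rule["port"], pkt["dport"])):
            return rule["access"], rule["name"]
    raise AssertionError("DenyAllInBound always matches")


def evaluate_inbound(subnet_rules, nic_rules, pkt):
    """Inbound: subnet NSG first, then NIC NSG; a Deny at either level is final."""
    decision = ("Allow", "no-nsg")       # no NSG at either level: nothing filters
    for level, rules in (("subnet", subnet_rules), ("nic", nic_rules)):
        if rules is None:                # no NSG associated at this level
            continue
        access, name = evaluate_nsg(rules, pkt)
        decision = (access, f"{level}:{name}")
        if access == "Deny":
            break
    return decision


# Constructed rules on the database subnet's NSG.
DB_SUBNET_RULES = [
    {"name": "AllowWebToSql", "priority": 100, "access": "Allow", "protocol": "Tcp",
     "source": "WebServers", "destination": "DatabaseServers", "port": "1433"},
    {"name": "DenyInternetToDb", "priority": 200, "access": "Deny", "protocol": "*",
     "source": "Internet", "destination": "DatabaseServers", "port": "*"},
]
# Least privilege: override AllowVnetInBound so only WebServers reach the database.
DB_SUBNET_RULES_HARDENED = DB_SUBNET_RULES + [
    {"name": "DenyVnetToDb", "priority": 4000, "access": "Deny", "protocol": "*",
     "source": "VirtualNetwork", "destination": "DatabaseServers", "port": "*"},
]
# Constructed NSG on the database VM's NIC: quarantines one web server.
DB_NIC_RULES = [
    {"name": "DenyCompromisedWeb", "priority": 100, "access": "Deny", "protocol": "*",
     "source": "10.0.1.5", "destination": "*", "port": "*"},
]


def sql_from(src, subnet_rules=DB_SUBNET_RULES):
    """Decision for a TCP 1433 packet from src to the database VM 10.0.2.4."""
    pkt = {"src": src, "dst": "10.0.2.4", "protocol": "Tcp", "dport": 1433}
    return evaluate_inbound(subnet_rules, DB_NIC_RULES, pkt)


if __name__ == "__main__":
    for src in ("10.0.1.4", "10.0.1.5", "203.0.113.7", "10.0.3.9"):
        print(src, "->", sql_from(src), "| hardened:", sql_from(src, DB_SUBNET_RULES_HARDENED))
```

The case worth noticing is 10.0.3.9, a VNet host that is not in WebServers: with only the two scenario rules it still reaches SQL, because the default AllowVnetInBound rule admits it at both the subnet and the NIC level. The explicit DenyVnetToDb rule at priority 4000 closes that gap while the priority-100 allow for WebServers keeps working.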
Implementing NSGs and ASGs:
You can implement NSGs and ASGs using the Azure portal, Azure CLI, Azure PowerShell, or ARM templates.
Azure Portal Steps (High-level):
- Sign in to the Azure portal.
- Create an Application Security Group for each application role (for example WebServers and DatabaseServers).
- Associate the NICs of your virtual machines with the relevant ASGs.
- Create or select a Network Security Group.
- Define inbound and outbound security rules, using IP addresses, service tags, or the ASGs as source and destination (the ASGs must exist before a rule can reference them).
- Associate the NSG with the appropriate subnets or NICs, then check the NIC's effective security rules in the portal to confirm that the combined subnet and NIC rules allow the intended traffic and nothing more.
Best Practices:
- Least Privilege: Apply the principle of least privilege by allowing only necessary traffic.
- Use ASGs: Leverage ASGs to simplify policy management, especially for large environments.
- Service Tags: Use service tags (e.g., Internet, VirtualNetwork, AzureLoadBalancer) instead of hand-maintained IP lists where applicable; Microsoft keeps each tag's address ranges current.
- Default Rules: Understand and review the default rules in every NSG. Inbound, AllowVnetInBound (65000) and AllowAzureLoadBalancerInBound (65001) precede DenyAllInBound (65500); outbound, AllowVnetOutBound (65000) and AllowInternetOutBound (65001) precede DenyAllOutBound (65500). They cannot be deleted, only overridden by a custom rule with a lower priority number, so until you add explicit denies every VNet host can reach every other and every VM can reach the internet.
- Tagging: Tag your NSGs and ASGs for better organization and management.
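As an added example (not Azure tooling), the following Python audits a list of NSG rules in the ARM "properties" shape shown earlier on this page against three of the practices above: the custom priority range, internet-reachable allows on sensitive ports, and protocol Any on port-specific allow rules. The SENSITIVE_PORTS and INTERNET_SOURCES sets, the placeholder ASG resource ids and the sample rules are constructed for the example.

```python
"""Audit NSG rules (ARM JSON shape) for common weaknesses. Added example, not Azure code."""
import json

SENSITIVE_PORTS = {22, 3389, 1433, 3306, 5432}      # assumption: admin and database ports
INTERNET_SOURCES = {"*", "Internet", "0.0.0.0/0"}   # sources reachable from the internet


def dest_ports(props):
    """Expand destinationPortRange / destinationPortRanges into a set, or {'*'} for any."""
    specs = props.get("destinationPortRanges") or [props.get("destinationPortRange", "*")]
    ports = set()
    for spec in specs:
        if spec == "*":
            return {"*"}
        lo, _, hi = spec.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def sources(props):
    """Source prefixes of a rule; ASG-based rules yield the ASG resource ids instead."""
    asgs = props.get("sourceApplicationSecurityGroups")
    if asgs:
        return [a["id"] for a in asgs]
    return props.get("sourceAddressPrefixes") or [props.get("sourceAddressPrefix", "*")]


def audit(rules):
    """Return (rule name, finding) pairs; Deny and Outbound rules get only the priority check."""
    findings = []
    for rule in rules:
        name, p = rule["name"], rule["properties"]
        if not 100 <= p["priority"] <= 4096:
            findings.append((name, f"priority {p['priority']} is outside the custom range 100-4096"))
        if p["access"] != "Allow" or p["direction"] != "Inbound":
            continue
        ports = dest_ports(p)
        wide_open = ports == {"*"}
        hits = set() if wide_open else ports & SENSITIVE_PORTS
        if (wide_open or hits) and any(s in INTERNET_SOURCES for s in sources(p)):
            target = "all ports" if wide_open else f"sensitive port(s) {sorted(hits)}"
            findings.append((name, f"allows {sources(p)} -> {target}"))
        if p["protocol"] == "*" and not wide_open:
            findings.append((name, "protocol Any on a port-specific Allow rule; use Tcp or Udp"))
    return findings


# Constructed sample export; the "/.../" ids are placeholders, not real resource ids.
SAMPLE_RULES = json.loads("""[
 {"name": "AllowHttpInbound", "properties": {"priority": 300, "protocol": "*",
  "access": "Allow", "direction": "Inbound", "sourceAddressPrefix": "*",
  "destinationAddressPrefix": "*", "destinationPortRange": "80"}},
 {"name": "AllowRdpFromInternet", "properties": {"priority": 110, "protocol": "Tcp",
  "access": "Allow", "direction": "Inbound", "sourceAddressPrefix": "Internet",
  "destinationAddressPrefix": "*", "destinationPortRange": "3389"}},
 {"name": "AllowWebToSql", "properties": {"priority": 120, "protocol": "Tcp",
  "access": "Allow", "direction": "Inbound",
  "sourceApplicationSecurityGroups": [{"id": "/.../applicationSecurityGroups/WebServers"}],
  "destinationApplicationSecurityGroups": [{"id": "/.../applicationSecurityGroups/DatabaseServers"}],
  "destinationPortRange": "1433"}},
 {"name": "AllowAnyWide", "properties": {"priority": 50, "protocol": "*",
  "access": "Allow", "direction": "Inbound", "sourceAddressPrefix": "10.0.0.0/8",
  "destinationAddressPrefix": "*", "destinationPortRanges": ["1000-2000", "*"]}},
 {"name": "DenyAllOtherInbound", "properties": {"priority": 4000, "protocol": "*",
  "access": "Deny", "direction": "Inbound", "sourceAddressPrefix": "*",
  "destinationAddressPrefix": "*", "destinationPortRange": "*"}}
]""")


if __name__ == "__main__":
    for name, finding in audit(SAMPLE_RULES):
        print(f"{name}: {finding}")
```

The ASG-based AllowWebToSql rule produces no finding even though it opens a sensitive port, because its source is an application role rather than an internet-reachable prefix; the same port allowed from the Internet tag (AllowRdpFromInternet) is flagged. Run the audit over a real export by replacing SAMPLE_RULES with the securityRules array of an exported NSG resource.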
By effectively utilizing Network Security Groups and Application Security Groups, you can significantly enhance the security posture of your Azure network infrastructure.