How to implement Application Security Groups (ASG) in Azure virtual network

Application Security Groups (ASGs) in Azure allow you to manage and group virtual machines (VMs) based on their application roles for network security.

They help you simplify the management of security rules without worrying about IP address assignments or VM scale set updates.

Instead of creating rules for individual VMs based on IP addresses, ASGs allow you to group VMs logically and apply rules to the group.

This is especially helpful in environments with dynamic scaling, such as virtual machine scale sets.

This guide provides an step-by-step walkthrough of how to implement ASGs in an Azure Virtual Network (VNet).

Prerequisites

Before proceeding, ensure you have the following:

1. Azure Subscription: An active Azure subscription.

2. Virtual Network (VNet): An existing or new VNet where ASGs will be implemented.

3. Virtual Machines: Deployed VMs or plans to create them.

4. Network Security Groups (NSGs): NSGs control access rules and need to be configured in tandem with ASGs.

Step 1: Create a Virtual Network

If you don’t already have a virtual network:

1. In the Azure Portal:

   • Navigate to Create a resource > Networking > Virtual Network.

2. Configure the VNet:

   • Name: Provide a name for the VNet (e.g., MyVNet).

   • Address space: Define the CIDR block (e.g., 10.0.0.0/16).

   • Subnets: Create one or more subnets (e.g., FrontendSubnet with 10.0.1.0/24 and BackendSubnet with 10.0.2.0/24).

   • Region: Select a region close to your users or applications.

3. Deploy the VNet.

Step 2: Create Application Security Groups (ASGs)

1. Navigate to ASGs:

   • In the Azure Portal, search for Application Security Groups in the search bar or navigate via Create a resource > Networking > Application Security Group.

2. Create ASGs:

   • For each application tier or group, create an ASG.

   • Example:

     • Name: web-tier-asg for web servers.

     • Region: Same as the VNet.

     • Resource Group: Use the same resource group as your VNet for better organization.

   • Repeat for other tiers (e.g., app-tier-asg, db-tier-asg).

3. Save and Review.

Step 3: Associate ASGs with Network Interfaces

Each VM in Azure has a Network Interface (NIC). To apply an ASG, associate it with the VM's NIC.

1. Go to Virtual Machines:

   • Navigate to the VM you want to associate with an ASG.

   • Under Settings, select Networking.

2. Modify NIC Configuration:

   • Click on the network interface (NIC) listed.

   • Under Settings, select Application security groups.

   • Select one or more ASGs (e.g., web-tier-asg for web VMs).

   • Save the changes.

3. Repeat for All VMs:

   • Ensure all VMs in the tier are assigned to the appropriate ASG.

Step 4: Configure Network Security Group (NSG) Rules

NSGs enforce traffic rules, and ASGs simplify this process by acting as sources or destinations.

1. Locate the NSG:

   • Navigate to Network security groups in the Azure Portal.

   • Select the NSG associated with the subnet or NIC.

2. Add Inbound or Outbound Rules:

   • Under Settings, select Inbound security rules (or Outbound security rules, depending on your needs).

   • Click Add to create a new rule.

3. Set Rule Parameters:

   • Source: Select "Application security group" and choose the source ASG (e.g., web-tier-asg).

   • Destination: Select "Application security group" and choose the destination ASG (e.g., app-tier-asg).

   • Protocol: Choose TCP, UDP, or Any.

   • Port range: Define the port range (e.g., 80 for HTTP, 1433 for SQL).

   • Action: Choose Allow or Deny.

   • Priority: Assign a priority number (lower numbers are processed first).

   • Name: Give the rule a descriptive name (e.g., Allow-Web-To-App).

4. Save the Rule.

Step 5: Test and Verify

After applying the rules, test the connectivity and security:

1. Deploy Applications:

   • Ensure applications are running on the VMs (e.g., a web server on port 80).

2. Validate Connectivity:

   • Use tools like:

     • Azure Network Watcher: To test packet flow between VMs.

     • Telnet or Ping: For manual connection tests.

     • Application Logs: To verify if traffic is reaching the application.

3. Simulate Failures:

   • Remove VMs from ASGs to confirm traffic is blocked as expected.

Example Scenarios

Web Tier to Application Tier

Web-tier VMs (assigned to web-tier-asg) should communicate with app-tier VMs (assigned to app-tier-asg) on port 8080.

Create an NSG rule

• Source: web-tier-asg.

• Destination: app-tier-asg.

• Port: 8080.

• Action: Allow.

Application Tier to Database Tier

App-tier VMs (assigned to app-tier-asg) should communicate with database-tier VMs (db-tier-asg) on port 1433.

Create an NSG rule

• Source: app-tier-asg.

• Destination: db-tier-asg.

• Port: 1433.

• Action: Allow.

Advanced Tips

1. Use ASGs with VM Scale Sets:

   • ASGs automatically include VMs added to a scale set, making them ideal for scaling applications.

2. Combine with Tags:

   • Use Azure Resource Manager (ARM) tags alongside ASGs for further organization.

3. Audit Security Rules:

   • Regularly review and optimize NSG rules to ensure there are no overly permissive rules.

4. Leverage Automation:

   • Use Azure CLI, PowerShell, or Terraform to script the creation of ASGs and NSG rules.

Benefits of Application Security Groups

• Simplifies Rule Management: Reduces the complexity of creating IP-based rules.

• Dynamic Updates: Automatically includes or excludes VMs as they are added or removed from ASGs.

• Scalable and Flexible: Works seamlessly with dynamic scaling scenarios.

• Secure by Design: Ensures a well-defined segmentation between application tiers.

By implementing ASGs effectively, you can enhance the manageability and security of your Azure environment while ensuring compliance with organizational policies.