Azure Virtual Networks – Application Security Groups

In the last post I tried to cover the minimum you should know before getting hands-on with Azure virtual networks. In this short post, let's look a bit more closely at Application Security Groups, or ASGs.

What is it?

When we looked at Network Security Groups (NSGs) in the last post, we saw that an NSG is a list of security rules, and every rule has a source and a destination. Out of the box, each of those is an IP address, a CIDR range or a service tag such as Internet or VirtualNetwork. So to allow traffic to, or from, a particular set of virtual machines, you need to know their IP addresses and keep the rules in step whenever those addresses change.

An Application Security Group (ASG) lets you write network security rules in terms of your application's structure rather than its addresses. What does this mean? When you lay out an application, you typically designate some VMs as front-end web servers, others as the business (application) layer, and others again to host the database. The number of servers in each layer (web, business, data) varies with the nature and load of the application, and it changes over time.

You probably do not want internet traffic reaching the business or database virtual machines at all. Only the web front-end servers should talk to the business layer, and only the business layer servers should talk to the database virtual machines.

With ASGs you can express exactly these relationships as security rules, without needing to know the IP addresses of the machines in each group.

How to define rules?

Let's see what the ASG-based security rules look like for the scenario described above.

Say there is an Application Security Group named AsgWeb for the front-end web servers, another named AsgBusiness for the business layer servers, and a third named AsgDb for the set of servers hosting the database.

So the database layer should accept traffic only from the business layer and from nothing else. Two rules express this. Remember that NSG rules are evaluated in ascending priority order (lowest number first) and the first match wins, so the Deny rule must carry a numerically higher, that is, lower, priority than the Allow rule; otherwise it matches first and locks the business layer out as well:

  • Deny-All
    • Priority: 200 (a higher number than the Allow rule below, so it is evaluated after it)
    • Source: *
    • Source Port: *
    • Destination: AsgDb
    • Destination Port: 1433
    • Protocol: Any
    • Access: Deny
  • Allow-Database-Business
    • Priority: 100
    • Source: AsgBusiness
    • Source Port: *
    • Destination: AsgDb
    • Destination Port: 1433
    • Protocol: TCP
    • Access: Allow

Note that this Deny rule only closes port 1433. Other ports on the database VMs remain reachable from inside the virtual network through the default AllowVnetInBound rule (priority 65000) unless you deny them explicitly too.

For allowing traffic from the internet to the web servers, there can be a rule like this:

  • Allow-Internet-Web
    • Priority: 110
    • Source: Internet
    • Source Port: *
    • Destination: AsgWeb
    • Destination Port: 80
    • Protocol: TCP
    • Access: Allow
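
To see how Azure would actually process these rules, here is a small Python model of inbound NSG evaluation. It is an added example, not code from the original post or from any Azure SDK: it encodes the three rules above with concrete priorities, Azure's two built-in default rules AllowVnetInBound (65000) and DenyAllInBound (65500), and a constructed set of VM names, addresses and ASG memberships. The Internet tag is simplified to "any address outside the VNet". Running it confirms that the business tier reaches the database while the web tier and the internet do not, and shows what goes wrong when the Deny rule is given the lower number, or when it is omitted altogether.

```python
"""Offline model of Azure NSG inbound rule evaluation with Application Security Groups.

Constructed example: VM names, addresses and ASG memberships are made up for the
illustration. The two default rules are Azure's real defaults
(AllowAzureLoadBalancerInBound is left out for brevity).
"""
from dataclasses import dataclass
import ipaddress

VNET = ipaddress.ip_network("10.0.0.0/16")          # constructed VNet address space

# Constructed ASG membership. In Azure this is a property of each VM's NIC.
ASG_MEMBERS = {
    "web-01": {"AsgWeb"},
    "web-02": {"AsgWeb"},
    "biz-01": {"AsgBusiness"},
    "db-01": {"AsgDb"},
}


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # 100..4096 for custom rules; the lowest number is checked first
    source: str        # ASG name, "Internet", "VirtualNetwork", "*" or an IP/CIDR
    destination: str
    dest_port: str     # "*" or a port number as a string
    protocol: str      # "Tcp", "Udp" or "*"
    access: str        # "Allow" or "Deny"


# Azure adds these to every NSG; they cannot be deleted, only overridden by lower numbers.
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "VirtualNetwork", "VirtualNetwork", "*", "*", "Allow"),
    Rule("DenyAllInBound", 65500, "*", "*", "*", "*", "Deny"),
]


def post_rules(allow_priority=100, deny_priority=200):
    """The three rules from the post, with concrete priorities."""
    return [
        Rule("Deny-All", deny_priority, "*", "AsgDb", "1433", "*", "Deny"),
        Rule("Allow-Database-Business", allow_priority, "AsgBusiness", "AsgDb", "1433", "Tcp", "Allow"),
        Rule("Allow-Internet-Web", 110, "Internet", "AsgWeb", "80", "Tcp", "Allow"),
    ]


def _matches(spec, vm, ip):
    """Does an endpoint (VM name or None, IP address) fall under a source/destination spec?"""
    if spec == "*":
        return True
    if spec == "VirtualNetwork":
        return ip in VNET
    if spec == "Internet":                     # simplified: anything outside the VNet
        return ip not in VNET
    if spec in ASG_MEMBERS.get(vm, set()):     # ASG membership, resolved at evaluation time
        return True
    try:
        return ip in ipaddress.ip_network(spec, strict=False)
    except ValueError:                         # spec is an ASG the endpoint is not a member of
        return False


def evaluate(rules, src, dst, port, protocol="Tcp"):
    """First matching rule in ascending priority order wins. Returns (access, rule name)."""
    for rule in sorted(rules + DEFAULT_RULES, key=lambda r: r.priority):
        if rule.protocol not in ("*", protocol) or rule.dest_port not in ("*", str(port)):
            continue
        if _matches(rule.source, *src) and _matches(rule.destination, *dst):
            return rule.access, rule.name
    raise RuntimeError("unreachable: DenyAllInBound matches every flow")


# Constructed endpoints: (VM name, or None for an external host; address)
WEB = ("web-01", ipaddress.ip_address("10.0.1.4"))
BIZ = ("biz-01", ipaddress.ip_address("10.0.2.4"))
DB = ("db-01", ipaddress.ip_address("10.0.3.4"))
CLIENT = (None, ipaddress.ip_address("203.0.113.7"))

if __name__ == "__main__":
    good = post_rules()
    print("biz -> db:1433      ", evaluate(good, BIZ, DB, 1433))     # Allow-Database-Business
    print("web -> db:1433      ", evaluate(good, WEB, DB, 1433))     # Deny-All
    print("client -> web:80    ", evaluate(good, CLIENT, WEB, 80))   # Allow-Internet-Web
    print("client -> web:443   ", evaluate(good, CLIENT, WEB, 443))  # DenyAllInBound
    # Pitfall 1: giving Deny the lower number locks the business tier out as well.
    swapped = post_rules(allow_priority=200, deny_priority=100)
    print("biz -> db (swapped) ", evaluate(swapped, BIZ, DB, 1433))  # Deny-All
    # Pitfall 2: Deny-All only covers 1433; the default VNet rule still admits other ports.
    print("web -> db:22        ", evaluate(good, WEB, DB, 22))       # AllowVnetInBound
```

The model is deliberately minimal: it ignores source ports, outbound rules and the way the Internet tag is actually defined, but the two things it does model, priority ordering and ASG membership resolved at evaluation time, are what decide whether these rules behave as intended.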

As you can see, none of these rules specifies an IP address. If we add servers to, or remove servers from, any of the layers, the rules keep working as long as the new machines' network interfaces are associated with the right application security group. ASGs therefore let you define security rules in your application's own terms, which is easier to write and easier to keep correct.

I hope you found this useful. Let me know your thoughts.
