Azure Virtual Networks – Security Rules using ASG

In the last few posts, I have tried to cover the basic concepts that are required for the hands-on work. If you want to have a look at them, below is the list:

In this post, let’s create a new Application Security Group (ASG) and then add security rules that use the ASG.

We already have a virtual network and two virtual machines. In this post, we will create two Application Security Groups (ASGs), one for each virtual machine, and associate each ASG with its existing virtual machine. Then we will add rules to the NSG. When adding the rule, we will not specify the destination as IP addresses or a service tag; instead, we will use the ASG.

You will need an Azure account with an active subscription. If you do not have one yet, you can create one for free. Then sign in to the Azure portal.

Let’s get started.

Create ASG

To create a new Application Security Group, search for ASG in the top search box and select Application Security Group from the search results. This opens a list of all existing ASGs. Then click the Add button to add a new resource.

Provide the following inputs:

  • Subscription, the subscription under which this ASG should be created
  • Resource Group, the resource group in which this resource should be placed
  • Name, the name of the ASG. We want to create two ASGs, so see the note below before creating.
  • Region, where the ASG will be placed. Make sure this is the same region as the VM and its network interface.

As we need two ASGs, create the first one with the name asgWeb and the second one with the name asgDb.

Then click the Review + Create button, which triggers validation of the inputs. If validation succeeds, click the Create button to start creating the resource.

Azure Portal: Create a new application security group

Assign ASG to VM

The next step is to assign an ASG to a virtual machine. Follow the steps below to assign an ASG to an existing VM:

  • Go to the resource group that contains the virtual machine.
  • Click the virtual machine demo-vm1; a new blade opens showing the details of the virtual machine.
  • Click the Networking option in the new blade, which opens a details view on the right side.
  • Click the Application security groups tab in the right-side panel.
  • Next, click the Configure the application security groups button. This opens a new panel on the right-hand side.
  • Select asgWeb for the currently selected virtual machine demo-vm1. Then click the Save button.

Repeat the above steps for demo-vm2, selecting asgDb instead.

Azure Portal: assign application security group to existing VM

Associate NSG with Subnet

We saw how to create a new NSG in the previous blog post. So, let’s create a new NSG named demo-nsg.

Once the NSG is created, open it and select Subnets from the left navigation. Then click the Associate button. This opens a new panel on the right side. In the new panel, select the virtual network and a subnet inside that network.

Currently we have only a single virtual network and a single default subnet. Select them and then click OK.

Azure Portal: Associate NSG with subnet

Create Security Rule

Now we can add ASG-based rules to demo-nsg. Navigate to the NSG, go to Inbound security rules and click the Add button.

For the new rule, we will use the service tag Internet as the source and the Application Security Group asgWeb as the destination. This rule allows traffic from the internet to all VMs associated with asgWeb. Please find the details in the snapshot below.

Azure Portal: Allow internet traffic to application security group

Verifying

Install IIS on demo-vm1 and then try to access the default web page over HTTP using the public IP of demo-vm1. You should be able to access the web page.

Now, in order to test the new rule, change the above rule to deny access from the internet. You may want to restart the virtual machine so that the latest changes are applied. Then try to access the web page again. You should not be able to access the default web page, as access is now denied.
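To make the evaluation order behind these two tests explicit, here is an added Python model (not from the original post, and not Azure's implementation) of how an NSG picks the first matching inbound rule by priority and how an ASG-based destination resolves through NIC membership. Everything in it is constructed: the NIC names and private addresses (10.0.0.4 and 10.0.0.5), the client address 203.0.113.10, and TCP port 80 for the HTTP rule (the post says only HTTP). The Internet and VirtualNetwork service tags are approximated as "outside" and "inside" the VNet address space. It also goes a step beyond the post with an ASG-to-ASG rule (asgWeb to asgDb on 1433) placed in front of a custom catch-all deny, to show an ASG used as a source.

```python
"""Toy model of Azure NSG inbound evaluation with ASG-based rules (constructed example).

Rules are evaluated in priority order (lowest number first) and the first match
decides. Service tags are approximated: 'Internet' is any address outside the VNet,
'VirtualNetwork' any address inside it. Azure's three default inbound rules are
appended so that unmatched traffic falls through to DenyAllInBound.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

VNET_CIDR = ip_network("10.0.0.0/16")    # constructed VNet address space
AZURE_LB = ip_address("168.63.129.16")   # well-known Azure load balancer source IP


@dataclass(frozen=True)
class Nic:
    name: str
    private_ip: str
    asgs: frozenset = field(default_factory=frozenset)  # ASG memberships of this NIC


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int
    access: str            # "Allow" or "Deny"
    protocol: str          # "Tcp", "Udp" or "*"
    source: str            # service tag, CIDR, or "asg:<name>"
    destination: str       # service tag, CIDR, "*", or "asg:<name>"
    dest_ports: frozenset  # set of int ports, or {"*"}


# Azure's built-in inbound rules; they cannot be edited or removed
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Allow", "*", "VirtualNetwork", "VirtualNetwork", frozenset({"*"})),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "*", "AzureLoadBalancer", "*", frozenset({"*"})),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*", "*", frozenset({"*"})),
]


def _source_matches(rule_src, src_ip, src_asgs):
    ip = ip_address(src_ip)
    if rule_src == "*":
        return True
    if rule_src == "Internet":
        return ip not in VNET_CIDR and ip != AZURE_LB
    if rule_src == "VirtualNetwork":
        return ip in VNET_CIDR
    if rule_src == "AzureLoadBalancer":
        return ip == AZURE_LB
    if rule_src.startswith("asg:"):
        return rule_src[4:] in src_asgs   # the sending NIC must be a member of the ASG
    return ip in ip_network(rule_src)


def _destination_matches(rule_dst, nic):
    if rule_dst in ("*", "VirtualNetwork"):
        return True                        # every NIC in this model sits inside the VNet
    if rule_dst.startswith("asg:"):
        return rule_dst[4:] in nic.asgs    # the receiving NIC must be a member of the ASG
    return ip_address(nic.private_ip) in ip_network(rule_dst)


def evaluate_inbound(rules, nic, src_ip, dst_port, protocol="Tcp", src_asgs=frozenset()):
    """Return (access, rule_name) of the first rule matching an inbound flow to `nic`."""
    for rule in sorted(list(rules) + DEFAULT_INBOUND, key=lambda r: r.priority):
        if rule.protocol not in ("*", protocol):
            continue
        if "*" not in rule.dest_ports and dst_port not in rule.dest_ports:
            continue
        if not _source_matches(rule.source, src_ip, src_asgs):
            continue
        if not _destination_matches(rule.destination, nic):
            continue
        return rule.access, rule.name
    raise RuntimeError("unreachable: DenyAllInBound matches every flow")


# Constructed NICs for the post's two VMs, each associated with its own ASG
DEMO_VM1 = Nic("demo-vm1-nic", "10.0.0.4", frozenset({"asgWeb"}))
DEMO_VM2 = Nic("demo-vm2-nic", "10.0.0.5", frozenset({"asgDb"}))


def web_rule(access):
    """The post's rule: Internet -> asgWeb over HTTP. Port 80 is an assumption."""
    return Rule(f"{access}InternetToWeb", 100, access, "Tcp", "Internet", "asg:asgWeb", frozenset({80}))


# Beyond the post: only asgWeb may reach asgDb on 1433, and a custom catch-all deny
# at priority 4000 overrides the default AllowVnetInBound rule for everything else.
DB_RULE = Rule("AllowWebToDb", 110, "Allow", "Tcp", "asg:asgWeb", "asg:asgDb", frozenset({1433}))
DENY_OTHER = Rule("DenyAllOtherInBound", 4000, "Deny", "*", "*", "*", frozenset({"*"}))


def demo():
    """Evaluate the flows discussed in the post plus the ASG-to-ASG variant."""
    internet = "203.0.113.10"            # constructed public client address
    allow = [web_rule("Allow")]
    deny = [web_rule("Deny")]
    locked = [web_rule("Allow"), DB_RULE, DENY_OTHER]
    return {
        "internet_to_vm1_http": evaluate_inbound(allow, DEMO_VM1, internet, 80),
        "internet_to_vm2_http": evaluate_inbound(allow, DEMO_VM2, internet, 80),  # vm2 not in asgWeb
        "internet_to_vm1_ssh": evaluate_inbound(allow, DEMO_VM1, internet, 22),   # port not in rule
        "internet_to_vm1_after_deny": evaluate_inbound(deny, DEMO_VM1, internet, 80),
        "vm1_to_vm2_sql_default": evaluate_inbound(allow, DEMO_VM2, DEMO_VM1.private_ip, 1433, src_asgs=DEMO_VM1.asgs),
        "vm1_to_vm2_sql_locked": evaluate_inbound(locked, DEMO_VM2, DEMO_VM1.private_ip, 1433, src_asgs=DEMO_VM1.asgs),
        "vm2_to_vm1_sql_locked": evaluate_inbound(locked, DEMO_VM1, DEMO_VM2.private_ip, 1433, src_asgs=DEMO_VM2.asgs),
    }


if __name__ == "__main__":
    for flow, (access, rule) in demo().items():
        print(f"{flow:28s} -> {access} by {rule}")
```

Running the module prints each flow with the rule that decided it. Two points are worth noticing: demo-vm2 stays unreachable from the internet even while the rule is set to Allow, because it is not a member of asgWeb and the flow falls through to the built-in DenyAllInBound rule; and a rule that names an ASG only takes effect for NICs that are actually associated with that ASG, which is why the ASG must be in the same region as the NICs, and all NICs in one ASG must belong to the same virtual network.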

So, we now know how to use service tags and ASGs in NSG security rules.

I hope you found this information useful. Let me know your thoughts.
