Application Security Groups in Azure

If you work in Azure, you are probably familiar with Network Security Groups (NSGs), where we allow or deny inbound and outbound connections based on IP addresses.

So let's assume you have a set of SQL Servers installed on multiple IaaS servers. Your application is hosted either on a single IaaS server or on multiple servers, which make connections to different databases on different servers.

If we are using NSGs alone, we are required to:
1. Add the IP of each SQL Server to the outbound security rules of the application server(s).
2. Add the IP of the application server(s) to the inbound security rules of all the SQL Servers.

They are added in the Inbound and Outbound security rules shown below.

NSG inbound/outbound

Whitelisting the IPs for each and every server is time consuming and hard to maintain.

To help maintain rules in such scenarios, you can use Application Security Groups (ASGs).

The idea is that you add the VMs to a specific ASG and apply the inbound/outbound security rule to the ASG instead of to the separate IPs.

Creating ASG

To create an ASG, you only need to provide the Resource Group, a Name and the Region.

Once the ASG is created, you need to assign it to your VM.

Assigning ASG to VM

Once you click on “Configure the application security group”, you are prompted for the ASG.

Adding ASG

Here we selected the TestASG we created before and clicked Save.

Now, when adding a new rule to the NSG, you can choose “Application Security Group” for either the source or the destination.

Providing an ASG as the source, the destination, or both.

You can assign an ASG directly to a specific rule, and the rule then applies to all the resources inside that ASG. This reduces the manual overhead of adding VM IPs in different locations.
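The same portal steps (create the ASG, assign it to the VM's network interface, reference it in an NSG rule) can be scripted with the Azure CLI. This is an added example, not part of the original post; the resource group, NIC, NSG and ASG names other than TestASG, the region, the rule priority and the SQL Server default port 1433 are assumptions.

```shell
#!/usr/bin/env bash
# Added example. All resource names below are constructed placeholders.
# DRY_RUN=1 (the default) prints each az command instead of executing it.
DRY_RUN="${DRY_RUN:-1}"

run() {
  if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi
}

# $1 = resource group, $2 = ASG name, $3 = region
create_asg() {
  run az network asg create --resource-group "$1" --name "$2" --location "$3"
}

# $1 = resource group, $2 = NIC name, $3 = IP configuration name, $4 = ASG name
# ASG membership is set on the NIC's IP configuration, not on the VM object.
attach_asg() {
  run az network nic ip-config update --resource-group "$1" --nic-name "$2" \
    --name "$3" --application-security-groups "$4"
}

# $1 = resource group, $2 = NSG name, $3 = source ASG, $4 = destination ASG
# One rule replaces a per-IP entry for every app server / SQL Server pair.
allow_app_to_sql() {
  run az network nsg rule create --resource-group "$1" --nsg-name "$2" \
    --name Allow-App-To-Sql --priority 200 --direction Inbound --access Allow \
    --protocol Tcp --source-asgs "$3" --destination-asgs "$4" \
    --destination-port-ranges 1433
}

asg_demo() {
  create_asg rg-demo TestASG eastus        # application servers
  create_asg rg-demo SqlASG eastus         # SQL Servers
  attach_asg rg-demo app-vm-nic ipconfig1 TestASG
  attach_asg rg-demo sql-vm-nic ipconfig1 SqlASG
  allow_app_to_sql rg-demo sql-nsg TestASG SqlASG
}

asg_demo
```

Run it with `DRY_RUN=0` to execute the commands against a subscription. Network interfaces in ASGs that are referenced together in one rule must be in the same virtual network.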
