If you are working in Azure you will be familiar with Network Security Groups (NSGs), where connections coming in or going out are allowed or denied based on IP addresses.
So let's assume you have SQL Server installed on multiple IaaS VMs, and either a single IaaS VM hosting your application or multiple application servers that connect to different databases on different servers.
Now if we are using only NSGs, we are required to:
1. Add the IP of every SQL Server VM to the application servers' outbound security rules.
2. Add the IP of the application server(s) to the inbound security rules of every SQL Server VM.
They are added in the Inbound and Outbound security rules shown below.
Whitelisting the IPs for each and every server is time-consuming and hard to maintain.
To help with maintaining rules in such scenarios you can use Application Security Groups (ASGs).
The idea is that you add the VMs to a specific ASG and apply the inbound/outbound security rule to the ASG instead of to the separate IPs.
To create an ASG you only need to provide the Resource Group, a Name and the Region.
Once your ASG is created, you need to assign it to your VM.
Once you click on “Configure the application security group” you are prompted for the ASG.
We selected the TestASG we created before and clicked Save.
Now when adding a new rule in the NSG you can choose “Application Security Group” as either the source or the destination.
You can directly assign an ASG to a specific rule and it applies to all the resources inside that ASG. By doing this we reduce the manual overhead of adding the IPs of VMs in different places.
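As an added example that is not part of the original post, here is the same setup as a Bicep template: two ASGs, an NSG rule that allows TCP/1433 from the app tier ASG to the SQL tier ASG, and a NIC attached to the SQL ASG (the portal step "Configure the application security group"). The resource names, the `subnetId` parameter and the single NIC are assumptions.

```bicep
param location string = resourceGroup().location
param subnetId string // existing subnet of the SQL VM (assumed)
// One ASG per tier; a VM joins an ASG by attaching its NIC to it
resource appAsg 'Microsoft.Network/applicationSecurityGroups@2023-05-01' = {
  name: 'app-tier-asg'
  location: location
}
resource sqlAsg 'Microsoft.Network/applicationSecurityGroups@2023-05-01' = {
  name: 'sql-tier-asg'
  location: location
}
// The rule references ASGs, not individual VM IPs
resource sqlNsg 'Microsoft.Network/networkSecurityGroups@2023-05-01' = {
  name: 'sql-tier-nsg'
  location: location
  properties: {
    securityRules: [
      {
        name: 'allow-app-tier-to-sql'
        properties: {
          priority: 100
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourcePortRange: '*'
          destinationPortRange: '1433'
          sourceApplicationSecurityGroups: [ { id: appAsg.id } ]
          destinationApplicationSecurityGroups: [ { id: sqlAsg.id } ]
        }
      }
    ]
  }
}
// Same as "Configure the application security group" on the VM's NIC
resource sqlNic 'Microsoft.Network/networkInterfaces@2023-05-01' = {
  name: 'sqlvm01-nic'
  location: location
  properties: {
    networkSecurityGroup: { id: sqlNsg.id } // NSG associated at NIC level
    ipConfigurations: [
      {
        name: 'ipconfig1'
        properties: {
          subnet: { id: subnetId }
          applicationSecurityGroups: [ { id: sqlAsg.id } ]
        }
      }
    ]
  }
}
```

All NICs placed in one ASG must be in the same virtual network, and when a rule uses ASGs as both source and destination both ASGs must be in that same VNet. The default AllowVnetInBound rule still permits other VNet traffic, so add an explicit Deny rule with a higher priority number if the SQL tier should accept connections only from the app tier.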