Application Security Groups (ASGs) offer the opportunity to group VMs logically. Thus, they eliminate the difficulty of referencing private IP addresses or subnets to regulate the inbound and/or outbound rules of VMs and the administrative complexity that may arise from this difficulty.
ASGs offer a simplified approach to using the Network Security Group (NSG) by allowing fewer NSGs to be used in an Azure subscription. ASGs make it easy to read the rules when the NSG’s rules need to be reviewed. In addition, this service is a free service like the Virtual Network service and is available in all Azure regions.
1. Comparison of Two Scenarios
In this title, the scenario where NSG rules are created by choosing the traditional method and the scenario where NSG rules are created with the help of ASG will be compared.
The rules to be allowed in the network architecture in Figure-1 are shown with green lines together with the port numbers. In order to apply these rules by choosing the traditional method without using ASG, 24 rules should be written in NSG, taking the private IP addresses of the relevant VMs as reference. All of these rules are shown in the table in Figure-2.
For each new VM to be added to the Virtual Network, it is a remarkable fact that the management difficulty increases due to the repeated entry of the rules similar to Figure-2. ASGs allow the relevant rules to refer to a logical group instead of referring to the private IP addresses of VMs by grouping VMs logically as in Figure-3 in order to solve this management difficulty problem. Thus, instead of adding 24 rules despite the first case, only 4 rules are added with the help of ASGs and an equivalent situation is obtained.
The steps under this heading will be followed in order to create the NSG rules in the network architecture in Figure-1 with less effort with the help of ASG.
2.1. Creating an Application Security Group
To create ASGs, write Application security groups in the search bar in the Azure Portal and access the management page of this service. On the page that appears, the Add button is clicked and the text boxes are filled in accordance with the network structure as in Figure-4. Following the steps under this heading, ASGs named WebServers, AppServers and DBServers were created.
2.2. Grouping VMs with Application Security Group
To include a VM in an ASG, after accessing Azure Portal> Virtual Machines> yourVM path, the steps indicated by numbers in Figure-5 should be followed sequentially.
As in Figure-6, after selecting the relevant ASG in the window on the right of the screen, the above Save button is clicked. It is possible to understand that a VM can be added to more than one ASG in this window.
In this subtitle, only the part of the VM named WEB-01 to be added to the ASG named WebServers is shown. Following the steps in this subtitle again, the VMs listed below should be added to the ASGs specified with an arrow.
- WEB-02, WEB-03 → WebServers
- APP-01, APP-02, APP-03 → AppServers
- DB-01, DB-02, DB-03 → DBServers
2.3. Writing the Rules in the NSG
In this title, the first 4 of the 5 rules in Figure-3 will be added by accessing the page of NSG, which includes 9 VMs. In order to access the NSG’s page, after following the Azure Portal> Network security groups> yourNSG path, the links marked with numbers in Figure-7 should be clicked one after the other.
After a field where security rules can be entered to the right of the screen, the first 4 rules specified in Figure-8 should be entered. It is possible to summarize these rules as follows:
- AllowInternetToWeb80: It is a rule that allows VMs in the ASG named WebServers to allow requests from TCP/80 port over over the Internet (See Figure-8.a).
- AllowInternetToWeb80: It is a rule that allows VMs in the ASG named WebServers to allow requests from TCP/443 port over the Internet (See Figure-8.b).
- AllowWebToApp: In the ASG named WebServers, it is a rule to allow requests from VMs named AppServers to VMs from TCP/443 port (See Figure-8.c).
- AllowAppToDB: It is a rule that enables to allow requests from AppServers ASG to DBServers ASG via TCP/1443 port (See Figure-8.d).
What should be done in case the number of instances is increased by adding 5 more VMs to web servers As in the topic of 2.2. Grouping VMs with Application Security Group, it will include newly added VMs to ASG named WebServers. Since 3 rules are entered in each VM to fulfill this request without using ASG, you will need to enter a total of 15 rules for the 5 newly added VMs. From this example, it is clear that using the ASG service reduces management complexity and increases readability for the user.
- In order to include a VM in the ASG, the ASG resource and the VM’s NIC resource must be in the same Azure region.
- All VMs in a ASG must be in the same Virtual Network. (See Figure-3 and Figure-9.a).
- It is possible to group VMs located in the same Virtual Network and in different subnets with ASG (See Figure-9.a).
- When creating the NSG rule, if the ASG is in both the source and destination fields, all VMs in these two ASGs must be in the same Virtual Network as in Figure-3 and Figure-9.a. In other words, it is not possible to use ASG as indicated in the network architecture in Figure-9.b.
In this article, a service named Application Security Group (ASG) is introduced, which reduces the management complexity and increases the readability of NSG rules by grouping your VMs logically. The first title of this article includes the capabilities of the service the application scenario in the second title and the limits of this service in the third title.