Understanding Application Security Groups in the Azure Portal

Aidan Finn, Petri Contributor

This post will explain how to deploy application security groups to create granular (per-NIC/virtual machine) network security group rules in the Azure Portal.

What are Application Security Groups?

Normally when you deploy a network security group (NSG) it is either assigned to a NIC or a subnet (preferred). If you deploy that NSG to a subnet then the rules apply to all of the NICs, or virtual machines, in that subnet. This is OK when you’re deploying a new system where you can easily place virtual machines into subnets, and treat each subnet as its own security zone. But in the real world, things aren’t always that clean, and you might need something that allows a more dynamic or flexible means of assigning rules to some machines in a subnet.
An application security group allows you to logically group a number of virtual machine NICs from the same virtual network and apply a network security group (NSG) rule to them. I covered this topic last February but until now, the feature was not available in the Azure Portal so it was hard for many to implement and not very discoverable. Luckily, application security groups recently appeared in the Azure Portal.
Last year, from late August until Microsoft Ignite at the end of September was an interesting time of year. New Azure features and services started to appear in the Azure Portal and were announced at the big Microsoft conference. Application security groups in the Azure Portal might be one of these. And the eagle-eyed reader might notice a new style of UI in the Azure Portal.

How to Create an Application Security Group

You can start the process of using application security groups by creating one. Click Create A Resource in the Azure Portal, then search for and select Application Security Group. Click Create and the Create An Application Security Group blade appears. This is a new style of blade in the Azure Portal that uses a tabbed deployment instead of lots of child blades:

  1. Select or create a resource group for the new resource
  2. Give the new application security group a name
  3. Create it in the same region as the virtual machines
  4. Click Next to navigate through the tabs – you can optionally add resource tags
Creating a new application security group in the Azure Portal [Image Credit: Aidan Finn]

Associate Virtual Machines

An application security group is a logical collection of virtual machines (NICs). You join virtual machines to the application security group, and then use the application security group as a source or destination in NSG rules.
The Networking blade of the virtual machine properties has a new button called Configure The Application Security Groups for each NIC in the virtual machine. If you click this button, a pop-up blade appears where you can select which application security groups (none, one, or many) this NIC should join, and then click Save to commit the change.

Associating a virtual machine’s NIC with an application security group [Image Credit: Aidan Finn]

Each of the associated application security groups will be listed under the NIC.

Creating NSG Rules

You can now open an NSG and create inbound or outbound rules that use the application security group as a source or destination, and thus use the associated virtual machine NICs as the sources and destinations. Source and Destination in the new rule blade allow you to select any application security group in the same region.

Using an application security group in an Azure network security group [Image Credit: Aidan Finn]
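The same three steps (create the application security groups, associate the VM NICs, reference the groups in NSG rules) can be scripted with the Az PowerShell module, which is useful when you want the configuration to be repeatable and reviewable rather than clicked through the portal. The following is an added example, not code from the article or from Microsoft; the resource group, region, NIC names, NSG name and the web/app tier layout are assumed, and it expects the VMs, their NICs and a subnet-level NSG to already exist in the same region.

```powershell
# Assumed names (not from the article): an existing resource group, region,
# two VM NICs (web tier and app tier) and an NSG already attached to their subnet.
$rg         = "rg-asg-demo"
$loc        = "westeurope"
$webNicName = "vm-web-nic"
$appNicName = "vm-app-nic"
$nsgName    = "nsg-app-subnet"

# 1. Create the application security groups in the same region as the VMs.
$webAsg = New-AzApplicationSecurityGroup -ResourceGroupName $rg -Name "asg-web" -Location $loc
$appAsg = New-AzApplicationSecurityGroup -ResourceGroupName $rg -Name "asg-app" -Location $loc

# 2. Associate each NIC's primary IP configuration with its ASG. This is the
#    scripted equivalent of the "Configure The Application Security Groups" button.
foreach ($pair in @(@{ Nic = $webNicName; Asg = $webAsg }, @{ Nic = $appNicName; Asg = $appAsg })) {
    $nic = Get-AzNetworkInterface -ResourceGroupName $rg -Name $pair.Nic
    $nic.IpConfigurations[0].ApplicationSecurityGroups = @($pair.Asg)
    $nic | Set-AzNetworkInterface | Out-Null
}

# 3. Reference the ASGs in NSG rules instead of hard-coding IP ranges.
$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $rg -Name $nsgName

# Only the web tier may reach the app tier, and only on TCP 8080.
$nsg | Add-AzNetworkSecurityRuleConfig -Name "Allow-Web-To-App-8080" `
    -Direction Inbound -Access Allow -Priority 100 -Protocol Tcp `
    -SourceApplicationSecurityGroupId $webAsg.Id -SourcePortRange "*" `
    -DestinationApplicationSecurityGroupId $appAsg.Id -DestinationPortRange 8080 | Out-Null

# Everything else inside the virtual network is denied to the app tier, so the
# default AllowVnetInBound rule (priority 65000) no longer opens it up.
$nsg | Add-AzNetworkSecurityRuleConfig -Name "Deny-VNet-To-App" `
    -Direction Inbound -Access Deny -Priority 200 -Protocol "*" `
    -SourceAddressPrefix "VirtualNetwork" -SourcePortRange "*" `
    -DestinationApplicationSecurityGroupId $appAsg.Id -DestinationPortRange "*" | Out-Null

$nsg | Set-AzNetworkSecurityGroup | Out-Null

# 4. Verify what the app-tier NIC actually sees (the VM must be running for this
#    call to succeed). Custom rules are reported with a "securityRules/" prefix.
Get-AzEffectiveNetworkSecurityGroup -ResourceGroupName $rg -NetworkInterfaceName $appNicName |
    Select-Object -ExpandProperty EffectiveSecurityRules |
    Where-Object { $_.Name -like "securityRules/*" } |
    Format-Table Name, Direction, Access, Priority, Protocol
```

Two points worth noting in the design: a rule that names an ASG on one side may still use an address prefix or service tag on the other, which is what the deny rule relies on, and the explicit deny is needed because the built-in AllowVnetInBound default rule would otherwise allow any VNet source to reach the app tier. The effective-rules check at the end is the quickest way to confirm that a NIC's ASG membership and the NSG rules line up before you trust the segmentation.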

Summary

Application security groups in the Azure Portal make it easy to control Layer-4 security using NSGs for flat networks. You can quickly and easily join/remove NICs (virtual machines) to/from an application security group and dynamically apply/remove rules to those NICs. This should be very useful in lift-and-shift and DR scenarios in Azure.

FAQs

How many application security groups in Azure can be associated with a single network interface?

A single network interface in Azure can be associated with up to 20 application security groups in Azure, allowing for flexible and granular security configurations across your virtual network infrastructure.

Can application security groups in Azure work across different regions?

No, application security groups in Azure can only be used with resources within the same region. If you need cross-regional security management, you’ll need to create separate application security groups in each region.

What happens to application security groups in Azure during a virtual machine migration?

When migrating virtual machines, the application security group associations need to be reconfigured in the new environment, as these security group mappings don’t automatically transfer during migration processes.

Are there any limitations on using application security groups in Azure with other Azure networking features?

Application security groups in Azure can’t be used with Azure ExpressRoute, Azure Application Gateway, or Azure Load Balancer (Basic SKU). They are primarily designed for use with standard NSG rules and virtual machines.

What is the pricing model for application security groups in Azure?

Application security groups in Azure are free to create and manage. You only pay for the underlying Azure resources like virtual machines and network interfaces that you’re securing with these groups.