Network Security Groups (NSGs) and Application Security Groups (ASGs)
Network Security Groups (NSGs) and Application Security Groups (ASGs) are fundamental components for securing Azure virtual networks.
**Network Security Groups (NSGs)**
NSGs act as virtual firewalls that filter network traffic to and from Azure resources. They contain security rules that allow or deny inbound and outbound traffic based on five key properties: source, source port, destination, destination port, and protocol.
Key characteristics of NSGs include:
- They can be associated with subnets or individual network interfaces (NICs)
- Rules are processed in priority order (lower numbers = higher priority)
- Default rules exist that allow VNet-to-VNet traffic and outbound internet access
- They are stateful, meaning return traffic is automatically permitted
- Each NSG can contain up to 1000 rules
NSGs operate at Layer 3 and Layer 4 of the OSI model, filtering based on IP addresses and ports.
**Application Security Groups (ASGs)**
ASGs provide a way to group virtual machines and define network security policies based on application structure rather than explicit IP addresses. They simplify security rule management in complex environments.
Benefits of ASGs:
- Enable natural grouping of VMs by application role (web servers, database servers, etc.)
- Reduce the number of security rules needed
- Scale automatically as VMs are added or removed
- Eliminate the need to maintain lists of IP addresses
**Working Together**
ASGs are used within NSG rules as source or destination parameters. For example, you can create a rule allowing traffic from the "WebServers" ASG to the "DatabaseServers" ASG on port 1433, rather than specifying individual IP addresses.
This combination provides a powerful, scalable approach to network security that adapts to dynamic cloud environments while maintaining clear, application-centric security policies. Organizations can implement micro-segmentation strategies effectively using these complementary technologies.
Network Security Groups (NSGs) and Application Security Groups (ASGs) - Complete Guide
Why NSGs and ASGs Are Important
Network Security Groups and Application Security Groups are fundamental components of Azure network security. They provide the first line of defense for controlling inbound and outbound traffic to Azure resources. Understanding these concepts is crucial for the AZ-500 exam as they represent core security controls that every Azure Security Engineer must master.
What Are Network Security Groups (NSGs)?
NSGs are stateful packet filters that allow you to control network traffic flow to and from Azure resources. They contain security rules that permit or deny traffic based on:
• Source and destination IP addresses
• Source and destination ports
• Protocol (TCP, UDP, ICMP, or Any)
NSGs can be associated with:
• Subnets - affecting all resources within that subnet
• Network interfaces (NICs) - affecting specific virtual machines
What Are Application Security Groups (ASGs)?
ASGs enable you to group virtual machines logically and define network security policies based on those groups. Instead of managing rules based on explicit IP addresses, you can use ASGs as source or destination in NSG rules.
Key benefits include:
• Simplified rule management - Group VMs by application role
• Dynamic membership - Rules automatically apply to new VMs added to the ASG
• Reduced maintenance - No need to update rules when IP addresses change
How NSGs Work
Rule Processing:
• Rules are evaluated by priority (100-4096, lower numbers processed first)
• Once a matching rule is found, processing stops
• Default rules exist with priority 65000+ that cannot be deleted
Default Rules Include:
• AllowVNetInBound - Allows traffic within the virtual network
• AllowAzureLoadBalancerInBound - Allows Azure Load Balancer health probes
• DenyAllInBound - Denies all other inbound traffic
• AllowVNetOutBound - Allows outbound traffic within the virtual network
• AllowInternetOutBound - Allows outbound internet access
• DenyAllOutBound - Denies all other outbound traffic
Stateful Nature: NSGs are stateful, meaning if you allow inbound traffic on a port, the return traffic is automatically allowed.
How ASGs Work
1. Create an Application Security Group
2. Assign virtual machine NICs to the ASG
3. Reference the ASG in NSG rules as source or destination
Example Scenario: Create ASGs named 'WebServers' and 'DatabaseServers', then create NSG rules allowing traffic from WebServers to DatabaseServers on port 1433.
Best Practices
• Apply NSGs at the subnet level for broad protection
• Use additional NIC-level NSGs for granular control
• Implement ASGs to simplify complex environments
• Document all security rules and their purposes
• Use Azure Network Watcher to verify effective security rules
• Regularly audit and review NSG flow logs
Exam Tips: Answering Questions on NSGs and ASGs
Key Points to Remember:
1. Rule Priority Matters - Lower numbers are processed first. If asked about conflicting rules, the rule with the lowest priority number wins.
2. Association Levels - Remember that NSGs can be applied at both subnet AND NIC levels. When both are applied, rules are evaluated at the subnet first for inbound traffic, and NIC first for outbound traffic.
3. ASG Limitations - All NICs in an ASG must be in the same virtual network. ASGs cannot span virtual networks.
4. Service Tags - Know common service tags like Internet, VirtualNetwork, AzureLoadBalancer, and Storage. These simplify rule creation.
5. Augmented Security Rules - You can specify multiple IP addresses, ranges, and ports in a single rule using augmented rules.
6. Default Rules Cannot Be Deleted - But they can be overridden by creating rules with lower priority numbers.
7. NSG Flow Logs - These are stored in Azure Storage and can be analyzed with Traffic Analytics in Log Analytics.
8. Effective Security Rules - Use Network Watcher to view the combined effect of all NSG rules on a NIC.
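The evaluation order described above (priority order, first match wins, non-deletable defaults, subnet NSG before NIC NSG for inbound traffic) and the WebServers-to-DatabaseServers scenario can be worked through with the following simplified model. This is an added example, not Azure's implementation or code from this guide; the VNet range, ASG members and rules are constructed, and 168.63.129.16 is the Azure platform address from which load balancer health probes originate.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:          # one NSG security rule (inbound direction modelled here)
    priority: int    # custom rules use 100-4096; lower numbers are evaluated first
    access: str      # "Allow" or "Deny"
    protocol: str    # "Tcp", "Udp", "Icmp" or "*"
    src: str         # CIDR, ASG name, service tag or "*"
    dst: str
    dst_port: str    # "1433", "1000-2000" or "*"
# Non-deletable default inbound rules (65000+); custom rules beat them only by a lower number.
DEFAULT_INBOUND = [Rule(65000, "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
                   Rule(65001, "Allow", "*", "AzureLoadBalancer", "*", "*"),
                   Rule(65500, "Deny", "*", "*", "*", "*")]
def addr_matches(spec, ip, asgs, vnet):
    """An ASG name resolves to its member NICs' current IPs, not a static list."""
    if spec == "*": return True
    if spec == "VirtualNetwork": return ip in vnet
    if spec == "AzureLoadBalancer": return str(ip) == "168.63.129.16"  # LB probe source
    if spec in asgs: return ip in asgs[spec]
    return ip in ipaddress.ip_network(spec)

def port_matches(spec, port):
    lo, _, hi = spec.partition("-")
    return spec == "*" or int(lo) <= port <= int(hi or lo)

def evaluate(rules, src, dst, proto, port, asgs, vnet):
    """First match in ascending priority order decides; DenyAllInBound always matches."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in sorted(rules + DEFAULT_INBOUND, key=lambda r: r.priority):
        if (r.protocol in ("*", proto) and addr_matches(r.src, s, asgs, vnet)
                and addr_matches(r.dst, d, asgs, vnet) and port_matches(r.dst_port, port)):
            return r.access, r.priority

def effective_inbound(subnet_rules, nic_rules, *flow):
    """Inbound traffic must pass the subnet NSG before the NIC NSG is consulted."""
    for level, rules in (("subnet", subnet_rules), ("NIC", nic_rules)):
        access, prio = evaluate(rules, *flow)
        if access == "Deny":
            return "Deny", f"{level} NSG rule {prio}"
    return "Allow", f"NIC NSG rule {prio}"

# Constructed sample: WebServers may reach DatabaseServers on 1433; nothing else may.
VNET = ipaddress.ip_network("10.0.0.0/16")
ASGS = {"WebServers": {ipaddress.ip_address("10.0.1.4"), ipaddress.ip_address("10.0.1.5")},
        "DatabaseServers": {ipaddress.ip_address("10.0.2.4")}}
SUBNET_NSG = [Rule(100, "Allow", "Tcp", "WebServers", "DatabaseServers", "1433"),
              Rule(200, "Deny", "*", "VirtualNetwork", "DatabaseServers", "*")]
NIC_NSG = [Rule(100, "Allow", "Tcp", "*", "*", "1433")]
```

Calling `effective_inbound(SUBNET_NSG, NIC_NSG, "10.0.3.9", "10.0.2.4", "Tcp", 1433, ASGS, VNET)` reports the deny at subnet rule 200 even though the NIC NSG would allow the port, which is the answer Network Watcher's effective security rules view gives for the "why is traffic blocked" scenario.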
Common Exam Scenarios:
• Choosing between NSG at subnet vs. NIC level
• Determining why traffic is being blocked (check effective rules)
• Configuring ASGs for multi-tier applications
• Understanding traffic flow between subnets with NSGs
• Troubleshooting connectivity issues using NSG flow logs
Remember: When exam questions ask about simplifying security rule management for applications with dynamic IP addresses, ASGs are typically the correct answer. When questions focus on blocking or allowing specific traffic patterns, focus on NSG rule priority and evaluation order.