Azure NSGs and ASGs for Dummies

pawelhaubus
6 min read · Mar 13, 2024


When it comes to cloud security, Azure offers a range of useful services covering different technologies. Concentrating specifically on network security, you have most likely used, or at least seen, network security groups (NSGs) and application security groups (ASGs), and maybe you have asked yourself one question: what is the difference between them? At least I did :)

Let's step through it together…

What is NSG

Azure Network Security Groups (NSGs) are utilized to filter network traffic between Azure resources within a virtual network. A network security group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources. For each rule, you can specify source and destination, port, and protocol.

Azure NSGs control access and manage communication between:

  • Individual workloads hosted on one or more Azure VNets.
  • Connectivity between on-prem environments and Azure that enters through an Application Gateway, VPN Gateway, Azure Firewall, Azure Bastion or a network virtual appliance (each of these services has its own requirements for what an NSG on its subnet must allow, so check them before adding rules).
  • Connections to and from the Internet.

NSGs can be associated at the subnet or the network interface level; however, it is important to plan your implementation and establish clear guidelines. If you start placing NSGs on subnets and NICs at random, you will end up with overlapping rules, and troubleshooting becomes a nightmare.

Some Recommended Practices for NSG use:

  1. Sometimes less is more: you don't need to create an NSG per subnet or per NIC. Group your resources and design your network so that you can create fewer NSGs, each associated with several similar subnets or interfaces.
  2. What comes first: when a subnet NSG and a NIC NSG both apply, inbound traffic is evaluated by the subnet NSG first and then by the NIC NSG; outbound traffic is evaluated by the NIC NSG first and then by the subnet NSG. Neither one "takes priority": the traffic must be allowed by both, so a deny in either blocks it. Avoid assigning NSGs to NICs unless there is no other option; it is easier to control rules at the subnet level.
  3. Lower is better: the order of NSG rules matters. Each rule has a priority between 100 and 4096, rules are evaluated from the lowest number to the highest, and evaluation stops at the first rule whose source, destination, port and protocol match. The default rules (priorities 65000 to 65500) are evaluated last, so a custom rule always wins over a default one.
  4. A bad plan is better than none at all: plan your deployment ahead. Analyse subnets and the required port scopes; with the foundations arranged properly it will be much easier to manage your NSGs later.
  5. Call a spade a spade: implement a uniform, readable naming convention for your rules so they can be easily identified.

The example NSG below shows all the rule settings that can be managed.

NSG Flow Logs

It’s vital to monitor, manage, and know your own network so that you can protect and optimize it. You need to know the current state of the network, who’s connecting, and where users are connecting from. You also need to know which ports are open to the internet, what network behavior is expected, what network behavior is irregular, and when sudden rises in traffic happen.

Network security group flow logging is a feature of Azure Network Watcher that allows you to log information about IP traffic flowing through a network security group.

Important: again, please plan ahead. NSG flow logs can generate a huge amount of data, and storing and analysing it increases the subscription cost, so set a retention period you actually need.
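As an added example (not part of the original post), the script below parses NSG flow log version 2 records offline and answers the questions this section poses: which ports are actually being reached from the Internet, which external sources are being denied and on which ports, and how many bytes each external peer was served. The records are constructed to follow the documented PT1H.json layout (records, per-rule flows, per-NIC flowTuples); the subscription ID, resource group, MAC address and the 10.0.0.0/16 address space are placeholders.

```python
"""Parse NSG flow log (version 2) records offline and answer two of the
questions raised above: which ports are actually reached from the Internet,
and who is being denied. Added example, not code from the original post.
The records are constructed to mirror the documented PT1H.json layout;
subscription, resource group and MAC values are placeholders."""
import json
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed address space of the lab VNet: anything outside it is "Internet" here.
VNET = ip_network("10.0.0.0/16")

# Constructed sample. Each flowTuple is:
# time,srcIP,dstIP,srcPort,dstPort,proto(T/U),dir(I/O),decision(A/D),
# state(B=begin,C=continuing,E=end),pktsSrcToDst,bytesSrcToDst,pktsDstToSrc,bytesDstToSrc
SAMPLE = json.dumps({"records": [{
    "time": "2024-03-13T10:00:00.0000000Z",
    "category": "NetworkSecurityGroupFlowEvent",
    "resourceId": "/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/"
                  "LAB-RG/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/WEB-NSG",
    "properties": {"Version": 2, "flows": [
        {"rule": "UserRule_Allow-HTTPS-In", "flows": [{"mac": "000D3A000001", "flowTuples": [
            "1710324000,203.0.113.10,10.0.1.4,51122,443,T,I,A,B,,,,",
            "1710324030,203.0.113.10,10.0.1.4,51122,443,T,I,A,E,12,3400,10,52000",
            "1710324031,198.51.100.7,10.0.1.4,40001,443,T,I,A,B,,,,"]}]},
        {"rule": "UserRule_Allow-G1-to-G1", "flows": [{"mac": "000D3A000001", "flowTuples": [
            "1710324040,10.0.2.4,10.0.1.4,49877,445,T,I,A,B,,,,"]}]},
        {"rule": "DefaultRule_DenyAllInBound", "flows": [{"mac": "000D3A000001", "flowTuples": [
            "1710324050,198.51.100.7,10.0.1.4,40002,3389,T,I,D,B,,,,",
            "1710324051,198.51.100.7,10.0.1.4,40003,22,T,I,D,B,,,,",
            "1710324052,203.0.113.99,10.0.1.4,5555,53,U,I,D,B,,,,"]}]}]}}]})


@dataclass(frozen=True)
class Flow:
    ts: int
    src: str
    dst: str
    src_port: int
    dst_port: int
    proto: str        # "T" or "U"
    inbound: bool
    allowed: bool
    state: str        # "B", "C" or "E"; byte counters are only present on C and E
    bytes_to_dst: int
    bytes_to_src: int
    rule: str
    nsg: str


def parse_flow_logs(raw):
    """Flatten records -> per-rule flows -> per-NIC tuples into Flow objects."""
    flows = []
    for rec in json.loads(raw)["records"]:
        props = rec["properties"]
        if props.get("Version") != 2:
            raise ValueError("only version 2 tuples (with state and counters) are handled")
        nsg = rec["resourceId"].rsplit("/", 1)[-1]
        for per_rule in props["flows"]:
            for nic in per_rule["flows"]:
                for t in nic["flowTuples"]:
                    f = t.split(",")
                    flows.append(Flow(int(f[0]), f[1], f[2], int(f[3]), int(f[4]), f[5],
                                      f[6] == "I", f[7] == "A", f[8],
                                      int(f[10] or 0), int(f[12] or 0),
                                      per_rule["rule"], nsg))
    return flows


def _external(ip):
    return ip_address(ip) not in VNET


def open_to_internet(flows):
    """Ports with allowed inbound connections from outside the VNet.
    Only 'B' (begin) tuples are counted, so a flow logged as B/C/E counts once."""
    hits = Counter((f.proto, f.dst_port) for f in flows
                   if f.inbound and f.allowed and f.state == "B" and _external(f.src))
    return dict(hits)


def denied_by_source(flows):
    """External sources whose inbound traffic was denied, with the ports they tried."""
    probes = {}
    for f in flows:
        if f.inbound and not f.allowed and _external(f.src):
            probes.setdefault(f.src, set()).add(f.dst_port)
    return probes


def bytes_served_to(flows):
    """Bytes our VMs sent back to each external peer on allowed inbound flows."""
    served = Counter()
    for f in flows:
        if f.inbound and f.allowed and _external(f.src) and f.bytes_to_src:
            served[f.src] += f.bytes_to_src
    return dict(served)


if __name__ == "__main__":
    flows = parse_flow_logs(SAMPLE)
    print("open to internet:", open_to_internet(flows))
    print("denied probes:", denied_by_source(flows))
    print("bytes served:", bytes_served_to(flows))
```

Only the B tuple of each flow is counted as a new connection, because a long-lived flow is logged again as C and E tuples and would otherwise be counted several times; the byte counters live only on those C and E tuples. Pointing the same functions at a day's worth of real PT1H.json files is the quickest way to find a port that was opened "temporarily" and never closed.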

What is ASG

An Application Security Group (ASG) is a networking feature that lets you group Azure virtual machines (VMs) by the application they belong to. An ASG is attached to a VM's network interface, and all interfaces in one ASG must be in the same virtual network. ASGs let network security group (NSG) rules be written in terms of these logical application groups rather than individual VM IP addresses, which simplifies rule management when several VMs belong to the same application or service. They are especially useful in distributed application architectures where VMs must communicate safely across network boundaries. You can use ASGs to ease the maintenance of network security rules, improve security, and simplify application deployment in Azure.

ASG Benefits

Application Security Groups (ASGs) offer several advantages for managing network security in Azure, including:

  1. Consistent security policies: with ASGs, all VMs in a group are covered by the same rules.
  2. Granular control: create network security rules based on workloads, applications, or environments. ASGs make it easy to segment the network so that a breach stays contained.
  3. Scalability: rules reference the group, not addresses, so a new VM only needs its NIC added to the ASG and the existing rules cover it; nothing in the NSG has to change.

In Practice

Let's test some of this in practice. I have the following deployment in my Azure subscription.

G1 — Green — win-vm01, win-vm03, lin-vm01

G2 — Pink — win-vm02, win-vm04

G3 — Red — lin-vm02

The VMs are located in designated subnets with NSGs assigned, and are divided into groups with ASGs.

Each NSG contains rules whose source and/or destination is an ASG.

WEB-NSG

WEB-NSG has 3 rules

900 — allow connections between VMs in the G1 group

910 — allow connections between VMs in the G2 group

930 — allow incoming ICMP from the G3 group

APP-NSG

APP-NSG has 3 rules

900 — allow connections between VMs in the G1 group

910 — allow connections between VMs in the G2 group

930 — allow incoming ICMP from the G3 group

DATA-NSG

DATA-NSG has 2 rules

900 — allow connections between VMs in the G1 group

930 — allow incoming ICMP from the G3 group

Testing

Based on the diagram above and the rules listed, we can draw a few conclusions. (For them to hold, each NSG must also contain a deny rule with a priority number below 65000; allow rules alone never block anything, because the default AllowVnetInBound rule at priority 65000 permits all traffic inside the virtual network.)

  1. VMs in G1 can communicate with other VMs in G1 but not with VMs in G2 or G3.
  2. VMs in G2 can communicate with other VMs in G2 but not with VMs in G1 or G3.
  3. The VM in G3 can reach VMs in G1, G2 and G3, but only over ICMP, which is all that rule 930 allows.
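These conclusions can be checked before touching a VM. The following is an added example (not code from the post) that models how NSGs are evaluated, tying together the points made under the recommended practices (first match by ascending priority, default rules last, the sender's outbound and the receiver's inbound NSG both having to allow) and the three lab NSGs above. The post shows only allow rules; for the isolation to happen at all, each NSG must also hold a deny rule below the default AllowVnetInBound rule at 65000, so a "Deny-VNet-InBound" rule at priority 4000 is assumed here, as are the subnet placement and private IPs of the six VMs.

```python
"""Offline model of NSG evaluation for the G1/G2/G3 lab above.

Added example, not code from the original post. It encodes three facts about
NSGs: rules are tried in ascending priority and the first match wins; Azure's
default rules (65000, 65001, 65500) sit below every custom rule; and traffic
between two VMs must be allowed by the sender's outbound NSG AND the receiver's
inbound NSG. Subnet placement, IP addresses and the deny rule at priority 4000
are assumptions (see comments)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

VNET = ip_network("10.0.0.0/16")  # assumed VNet address space

# Which VM sits in which subnet, and its private IP, are assumptions.
VMS = {  # name: (subnet, private IP)
    "win-vm01": ("web", "10.0.1.4"), "win-vm02": ("web", "10.0.1.5"),
    "win-vm03": ("app", "10.0.2.4"), "win-vm04": ("app", "10.0.2.5"),
    "lin-vm01": ("data", "10.0.3.4"), "lin-vm02": ("data", "10.0.3.5"),
}
ASGS = {"G1": {"win-vm01", "win-vm03", "lin-vm01"},   # green
        "G2": {"win-vm02", "win-vm04"},               # pink
        "G3": {"lin-vm02"}}                           # red


@dataclass(frozen=True)
class Rule:
    priority: int
    name: str
    access: str       # "Allow" or "Deny"
    protocol: str     # "*", "Tcp", "Udp" or "Icmp"
    source: str       # ASG name, service tag ("VirtualNetwork", "Internet", "*") or CIDR
    destination: str
    dest_port: str = "*"


# Azure's default rules; a custom rule (100-4096) always sorts before them.
DEFAULT_IN = [Rule(65000, "AllowVnetInBound", "Allow", "*", "VirtualNetwork", "VirtualNetwork"),
              Rule(65001, "AllowAzureLoadBalancerInBound", "Allow", "*", "AzureLoadBalancer", "*"),
              Rule(65500, "DenyAllInBound", "Deny", "*", "*", "*")]
DEFAULT_OUT = [Rule(65000, "AllowVnetOutBound", "Allow", "*", "VirtualNetwork", "VirtualNetwork"),
               Rule(65001, "AllowInternetOutBound", "Allow", "*", "*", "Internet"),
               Rule(65500, "DenyAllOutBound", "Deny", "*", "*", "*")]


def lab_nsgs(deny_priority=4000):
    """WEB-NSG, APP-NSG and DATA-NSG with the post's allow rules (900/910/930).
    The deny rule is an assumption: allow rules alone never block anything, and
    AllowVnetInBound (65000) would otherwise let every VM reach every other."""
    g1 = Rule(900, "Allow-G1-to-G1", "Allow", "*", "G1", "G1")
    g2 = Rule(910, "Allow-G2-to-G2", "Allow", "*", "G2", "G2")
    g3 = Rule(930, "Allow-ICMP-from-G3", "Allow", "Icmp", "G3", "*")
    deny = Rule(deny_priority, "Deny-VNet-InBound", "Deny", "*", "VirtualNetwork", "VirtualNetwork")
    return {"web": {"in": [g1, g2, g3, deny], "out": []},
            "app": {"in": [g1, g2, g3, deny], "out": []},
            "data": {"in": [g1, g3, deny], "out": []}}


def _matches(selector, ip):
    addr = ip_address(ip)
    if selector == "*":
        return True
    if selector == "VirtualNetwork":
        return addr in VNET
    if selector == "Internet":
        return addr not in VNET
    if selector == "AzureLoadBalancer":
        return ip == "168.63.129.16"
    if selector in ASGS:  # an ASG resolves to the IPs of its member NICs
        return ip in {VMS[vm][1] for vm in ASGS[selector]}
    return addr in ip_network(selector)


def first_match(rules, src_ip, dst_ip, protocol, dst_port):
    """Lowest priority number first; evaluation stops at the first match."""
    for r in sorted(rules, key=lambda r: r.priority):
        if (r.protocol in ("*", protocol) and r.dest_port in ("*", str(dst_port))
                and _matches(r.source, src_ip) and _matches(r.destination, dst_ip)):
            return r
    raise RuntimeError("the default DenyAll rule should always match")


def reachable(src, dst, protocol="Icmp", dst_port="*", nsgs=None):
    """Outbound check at the sender's subnet NSG, then inbound check at the
    receiver's subnet NSG; both must allow. (This lab has no NIC-level NSGs; with
    one, inbound order is subnet NSG then NIC NSG and outbound is the reverse.)
    Returns (allowed, (outbound rule hit, inbound rule hit))."""
    nsgs = nsgs or lab_nsgs()
    (src_subnet, src_ip), (dst_subnet, dst_ip) = VMS[src], VMS[dst]
    out = first_match(nsgs[src_subnet]["out"] + DEFAULT_OUT, src_ip, dst_ip, protocol, dst_port)
    inb = first_match(nsgs[dst_subnet]["in"] + DEFAULT_IN, src_ip, dst_ip, protocol, dst_port)
    return out.access == "Allow" and inb.access == "Allow", (out.name, inb.name)


def group_matrix(protocol="Icmp", nsgs=None):
    """True when every VM of the source group reaches every other VM of the target group."""
    nsgs = nsgs or lab_nsgs()
    return {(a, b): all(reachable(s, d, protocol, nsgs=nsgs)[0]
                        for s in ASGS[a] for d in ASGS[b] if s != d)
            for a in ASGS for b in ASGS}


if __name__ == "__main__":
    for (a, b), ok in sorted(group_matrix().items()):
        print(f"{a} -> {b}: {'reachable' if ok else 'blocked'}")
    # "communicate" in rule 930 means ICMP only: a TCP session from G3 is still denied
    print("G3 -> G1 RDP:", reachable("lin-vm02", "win-vm01", "Tcp", 3389))
    # "lower is better": the same deny rule moved to 800 shadows the allows
    print("G1 -> G1 with deny at 800:", reachable("win-vm01", "win-vm03", nsgs=lab_nsgs(800)))
```

Two details the ping tests do not surface: rule 930 is ICMP-only, so a TCP connection from lin-vm02 to a G1 VM is still denied, and moving the assumed deny rule from 4000 to 800 shadows the three allow rules and cuts G1 and G2 off from themselves, which is why "lower is better" matters.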

Let’s verify if this is true.

  1. Test from win-vm01 (G1)

As you can see, I can use ‘ping’ to successfully communicate with other G1 VMs.

But G2 and G3 VMs are not reachable.

  2. Test from win-vm02 (G2)

We have a similar situation here; I can reach G2 VMs.

But nothing else.

  3. Test from lin-vm02 (G3)

The G3 VM can communicate with all other groups.

Conclusion

You will most likely not see the exact example above in the real world. With this short lab I tried to highlight the capabilities of ASGs and how you can utilise them in your environment.

Azure Application Security Groups (ASGs) make network security management for applications hosted on Azure simpler and safer. Grouping virtual machines (VMs) by function, security zone or application lets you write NSG rules in terms of those groups rather than addresses, apply granular controls tailored to each group, and keep the rule set small, which reduces the room for misconfiguration.

