Azure Application Security Groups — In a nutshell

By Aymen Abdelwahed. Published in uleap, Jul 17, 2024.

You are probably familiar with network security groups (NSGs), and you have likely run into their limitations and the difficulty of managing several of them. Application security groups (ASGs) could be the right answer to your network security management issues. But, …

What are they, and how do you create one?


To understand the key concepts of Application Security Groups, it is best to start with a quick recap of what NSGs are and where they fall short.

Network Security Groups (NSG)

An NSG is a basic virtual firewall that offers network security controls over Azure resources (e.g., virtual machines, subnets). One of the features of NSGs is that you can assign them at the subnet or network interface level of an Azure resource. The same NSG can be assigned to multiple resources (usually resources offering the same service, e.g., web servers).

NSGs Limitations

It can become challenging to provide and maintain fine-grained controls on the traffic hitting one Azure resource or a specific set of them. Common workarounds include, but are not limited to, the following:

  • Assigning multiple NSGs to the same NIC. Unfortunately, this makes it harder to troubleshoot traffic when a problem occurs.
  • Assigning NSGs at the subnet level while assuming all resources on that subnet offer the same service and require the same level of security controls. Still, this is not really the perfect solution.

How do we overcome such limitations?

Application Security Groups

To tackle such limitations, Microsoft has created the concept of Application Security Groups (ASG).

Early in 2018, Microsoft launched the public preview of Application Security Groups, ASGs for short, in all Azure regions (Public preview: Application security groups in all regions | Azure updates | Microsoft Azure).

ASGs are best thought of as labels or groupings where we can combine resources based on the service or application that runs on top of them.

They are easy to use and handy, as they offer more flexibility in defining our networks.

In other words, they enable a seamless grouping of Azure resources (VMs, PEs, NICs, etc.) and simplify the implementation of network security policies by allowing the definition of fine-grained network security controls without the need to worry about IP addresses.

We can create a single Network Security Group for a specific subnet, which can be used as a single pane of glass to view all the policies we've applied and thus better control all access using several Application Security Groups. Within that single NSG, we can allow traffic by naming ASGs as the sources and destinations of its rules.
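The single-NSG pattern described above, sketched with the Azure CLI as an added example (not code from the original post). The resource group, NSG, ASG and NIC names, the region and the two-tier web/database layout are assumptions chosen for illustration.

```bash
#!/usr/bin/env bash
# Added example: one NSG whose rules reference ASGs instead of IP addresses.
# Every resource name below (rg-demo, nsg-app-subnet, asg-web, asg-db, nic-*) is hypothetical.
set -eu
RG="${RG:-rg-demo}"; LOCATION="${LOCATION:-westeurope}"; NSG="${NSG:-nsg-app-subnet}"

# Dry run by default: prints each command. Set APPLY=1 (after `az login`) to execute.
az_run() {
  if [ "${APPLY:-0}" = "1" ]; then az "$@"; else echo "az $*"; fi
}

create_groups() {
  az_run network asg create -g "$RG" -l "$LOCATION" -n asg-web
  az_run network asg create -g "$RG" -l "$LOCATION" -n asg-db
  az_run network nsg create -g "$RG" -l "$LOCATION" -n "$NSG"
}

# rule <name> <priority> <access> <protocol> <source/destination args...>
rule() {
  n=$1; p=$2; a=$3; proto=$4; shift 4
  az_run network nsg rule create -g "$RG" --nsg-name "$NSG" -n "$n" \
    --priority "$p" --direction Inbound --access "$a" --protocol "$proto" "$@"
}

create_rules() {
  # Internet may reach only the web tier, only on 443.
  rule Allow-Internet-To-Web-443 100 Allow Tcp \
    --source-address-prefixes Internet --destination-asgs asg-web --destination-port-ranges 443
  # Only members of asg-web may reach the database tier on 1433.
  rule Allow-Web-To-Db-1433 110 Allow Tcp \
    --source-asgs asg-web --destination-asgs asg-db --destination-port-ranges 1433
  # Without this, the default AllowVnetInBound rule lets any VNet host reach the DB tier.
  rule Deny-All-Else-To-Db 4000 Deny '*' \
    --source-address-prefixes '*' --destination-asgs asg-db --destination-port-ranges '*'
}

# join_asg <nic-name> <asg-name>: membership is set on the NIC's IP configuration.
join_asg() {
  az_run network nic ip-config update -g "$RG" --nic-name "$1" -n ipconfig1 \
    --application-security-groups "$2"
}

create_groups
create_rules
join_asg nic-web-01 asg-web
join_asg nic-db-01 asg-db
```

A new VM picks up the right policy as soon as its NIC joins the matching ASG, with no rule changes. All NICs in an ASG must sit in the same virtual network, and when a rule names ASGs as both source and destination, their members must be in the same virtual network too.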

To Conclude!

ASGs streamline the process of securing complex applications and make it easier to maintain and update security rules as application landscapes evolve.

In our next blog post, we will explore deploying ASGs using Bicep and offer a better way to manage infrastructure as code. Stay tuned!
