Understanding Application Security Groups in the Azure Portal

Microsoft Azure cloud hero

Application Security Groups

Normally when you deploy a network security group (NSG) it is either assigned to a NIC or a subnet (preferred). If you deploy that NSG to a subnet then the rules apply to all of the NICs, or virtual machines, in that subnet. This is OK when you’re deploying a new system where you can easily place virtual machines into subnets, and treat each subnet as its own security zone. But in the real world, things aren’t always that clean, and you might need something that allows a more dynamic or flexible means of assigning rules to some machines in a subnet.
An application security group allows you to logically group a number of virtual machine NICs from the same virtual network and apply a network security group (NSG) rule to them. I covered this topic last February but until now, the feature was not available in the Azure Portal so it was hard for many to implement and not very discoverable. Luckily, application security groups recently appeared in the Azure Portal.
Last year, from late August until Microsoft Ignite at the end of September was an interesting time of year. New Azure features and services started to appear in the Azure Portal and were announced at the big Microsoft conference. Application security groups in the Azure Portal might be one of these. And the eagle-eyed reader might notice a new style of UI in the Azure Portal.

Creating an Application Security Group

You can start the process of using application security groups by creating one. Click Create A Resource in the Azure Portal, search for and select Application Security Group. Click Create and the Create An Application Security Group blade appears. This is a new-style of blade in the Azure Portal that uses a tabbed deployment instead of lots of child blades:

  1. Select or create a resource group for the new resource
  2. Give the new applications security group a name
  3. Create it in the same region as the virtual machines
  4. Click Next to navigate through the tabs – you can optionally add resource tags
Creating a new application security group in the Azure Portal [Image Credit: Aidan Finn]
Creating a new application security group in the Azure Portal [Image Credit: Aidan Finn]

Associate Virtual Machines

An application security group is a logical collection of virtual machines (NICs). You join virtual machines to the application security group, and then use the application security group as a source or destination in NSG rules.
The Networking blade of virtual machine properties has a new button called Configure The Application Security Groups for each NIC in the virtual machine. If you click this button, a pop-up blade will appear and you can select which (none, one, many) application security groups that this NIC should join, and then click Save to commit the change.

Associating a virtual machine’s NIC with an application security group [Image Credit: Aidan Finn]
Associating a virtual machine’s NIC with an application security group [Image Credit: Aidan Finn]
Each of the associated application security groups will be listed under the NIC.

Creating NSG Rules

You now can open an NSG and create inbound or outbound rules that use the application security group as a source or destination, and thus uses the associated virtual machine NICs as sources and destinations. Source and Destination in the new rule blade allow you to select any application security group in the same region.

Using an application security group in an Azure network security group [Image Credit: Aidan Finn]
Using an application security group in an Azure network security group [Image Credit: Aidan Finn]

Summary

Application security groups in the Azure Portal make it easy to control Layer-4 security using NSGs for flat networks. You can quickly and easily join/remove NICs (virtual machines) to/from an application security group and dynamically apply/remove rules to those NICs. This should be very useful in lift-and-shift and DR scenarios in Azure.