Application Security Groups

IntermediateTopic20 min4 min readAzure

AZ-104 notes: Application Security Groups. Covers key concepts for the Azure Administrator Associate exam.

#azure #az-104 #nsg

This lesson explains how to make Network Security Groups (NSGs) more scalable and logical using:

Application Security Group Azure Network Security Group Azure Virtual Network

1️⃣ What Is an Application Security Group (ASG)?

An ASG is:

A logical grouping of VM network interfaces
Used inside NSG rules
Acts like a dynamic tag for NICs
Helps build application-tier-based security

Important:

ASGs do NOT filter traffic themselves. They are referenced inside NSG rules.

2️⃣ Why ASGs Exist

Without ASGs, NSG rules must specify:

IP addresses
Subnets
Individual NICs

Problem:

If IPs change or VMs scale out:

You must constantly update NSG rules.

ASGs solve this by:

Grouping resources logically:

asg-web
asg-db
asg-app

Then NSG rules reference:

Source: asg-web
Destination: asg-db
Port: 1433
No IP management required.

3️⃣ How ASGs Work

ASGs are:

Associated at the NIC level
Used as source/destination in NSG rules
Layer 4 aware (not Layer 7)

They create:

Application-tier-based security.

4️⃣ Demonstration Summary

Environment:

Two Ubuntu VMs
Both running NGINX
Same frontend subnet
One NSG associated at subnet level

Steps performed:

1️⃣ Created ASG: asg-web-prod-01 2️⃣ Associated both VM NICs with ASG 3️⃣ Moved NSG from NIC-level to subnet-level 4️⃣ Modified NSG rule:

Destination → Application Security Group

Result:

HTTP traffic allowed only to resources tagged with ASG.

5️⃣ Why Move NSG to Subnet Level?

Original setup:

NSG attached to NIC.

Improved setup:

NSG attached to subnet.
Why?
Centralized management
Applies to all VMs in subnet
Scales better

6️⃣ ASG in NSG Rule Structure

NSG rule supports:

Example Rule:

Inbound
Source: Any
Destination: asg-web
Port: 80
Allow

This means:

Allow HTTP traffic only to VMs tagged as web.

7️⃣ Application-Aware Pattern Example

3-tier architecture:

Frontend → App → Database

ASGs:

asg-web
asg-app
asg-db

NSG Rules:

Allow asg-web → asg-app (port 8080)
Allow asg-app → asg-db (port 1433)
Deny everything else
No IP addresses needed.

8️⃣ Key Characteristics

✔ Logical grouping ✔ Dynamic membership ✔ NIC-level association ✔ Works with subnet-level NSG ✔ Scales with VMSS

Important:

ASGs do NOT work across VNets.

9️⃣ ASG vs Service Tags vs IP-Based Rules

🔟 Stateful Behavior Still Applies

NSGs are stateful.

If inbound allowed:

Return outbound traffic automatically allowed.
ASGs do not change statefulness.

11️⃣ Common Enterprise Pattern

Public Load Balancer → asg-web → asg-app → asg-db

NSGs enforce tier communication only.

12️⃣ Common Exam Concepts (AZ-104 / AZ-700)

🚩 ASGs are Layer 7 firewalls → False 🚩 ASGs attach to subnet → False (NIC only) 🚩 ASGs replace NSGs → False 🚩 ASGs simplify scaling → True 🚩 ASGs work across VNets → False

13️⃣ When to Use ASGs

Use ASGs when:

✔ You have multi-tier apps ✔ You scale frequently ✔ You want logical grouping ✔ You want clean NSG rules ✔ You want IP-agnostic policies
Avoid using only IP-based rules in scalable environments.

14️⃣ Troubleshooting Checklist

If rule not working:

Confirm VM NIC associated with ASG
Confirm NSG associated to subnet or NIC
Confirm rule priority
Confirm protocol matches
Check effective security rules

15️⃣ Design Best Practices

✔ Use subnet-level NSGs ✔ Use ASGs for tier grouping ✔ Avoid hardcoded IP rules ✔ Keep rule priorities spaced (100, 200, 300) ✔ Use descriptive naming (asg-web-prod)