What are Application Security Groups?
ASGs (Application Security Groups) let you define fine-grained network security policies based on workloads, centred on applications, instead of on explicit IP addresses. Implementing granular traffic controls improves the isolation of workloads and protects them individually. If a breach occurs, this technique limits the potential impact of lateral exploration of your networks by attackers.
You can find more details on the Microsoft site, which I do not want to copy and paste here. Let's talk about the use case and how we can make better use of ASGs.
Deny all communication, then open only the specific communication you need using ASGs. Yes, you can create a Deny All rule with a low priority (a high priority number, so it is evaluated after your allow rules) within your vNET. Then you create rules for the specific ports you want to open, but you select an ASG as the source and an ASG as the destination. This opens communication only between the servers that have the specific ASG configured. Look at the pictures below (figure 1 and 2) to understand this better.
There is no option to add a server to an ASG directly; instead you go to the vNIC of the VM and select the required ASG there. You can also add this setting to your ARM templates so that it is configured when you create the VM. This reduces the number of NSG changes you need to make every time you add a server: you simply select the required ASG while you create the VM.
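The deny-all-then-allow-by-ASG pattern described above, expressed as an ARM template. This is an added example, not the author's template or Microsoft's sample: the resource names (asg-web, asg-db, nsg-app, nic-db01), the existing vNET/subnet (vnet-app/snet-app, assumed to be in the same resource group) and the port being opened (TCP 1433) are all assumptions chosen for illustration. The template creates two ASGs, an NSG whose first rule allows traffic only from members of asg-web to members of asg-db, followed by a Deny All inbound rule at a high priority number (evaluated last), and a NIC whose IP configuration is placed in asg-db at creation time, so no NSG change is needed when this VM is added.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "metadata": {
    "comments": "Added illustration, not the original post's template. Names, subnet and port are assumed values."
  },
  "parameters": {
    "location": { "type": "string", "defaultValue": "[resourceGroup().location]" }
  },
  "variables": {
    "webAsgName": "asg-web",
    "dbAsgName": "asg-db",
    "nsgName": "nsg-app",
    "webAsgId": "[resourceId('Microsoft.Network/applicationSecurityGroups', variables('webAsgName'))]",
    "dbAsgId": "[resourceId('Microsoft.Network/applicationSecurityGroups', variables('dbAsgName'))]"
  },
  "resources": [
    {
      "comments": "An ASG carries no settings of its own, only a name, location and tags.",
      "type": "Microsoft.Network/applicationSecurityGroups",
      "apiVersion": "2023-05-01",
      "name": "[variables('webAsgName')]",
      "location": "[parameters('location')]",
      "tags": { "tier": "web" },
      "properties": {}
    },
    {
      "type": "Microsoft.Network/applicationSecurityGroups",
      "apiVersion": "2023-05-01",
      "name": "[variables('dbAsgName')]",
      "location": "[parameters('location')]",
      "tags": { "tier": "db" },
      "properties": {}
    },
    {
      "comments": "Allow rule keyed on ASGs (one ASG per side), then a Deny All evaluated last. Associate this NSG with the subnet or NICs.",
      "type": "Microsoft.Network/networkSecurityGroups",
      "apiVersion": "2023-05-01",
      "name": "[variables('nsgName')]",
      "location": "[parameters('location')]",
      "dependsOn": [ "[variables('webAsgId')]", "[variables('dbAsgId')]" ],
      "properties": {
        "securityRules": [
          {
            "name": "Allow-Web-To-Db-1433",
            "properties": {
              "priority": 100,
              "direction": "Inbound",
              "access": "Allow",
              "protocol": "Tcp",
              "sourcePortRange": "*",
              "destinationPortRange": "1433",
              "sourceApplicationSecurityGroups": [ { "id": "[variables('webAsgId')]" } ],
              "destinationApplicationSecurityGroups": [ { "id": "[variables('dbAsgId')]" } ]
            }
          },
          {
            "name": "Deny-All-Inbound",
            "properties": {
              "priority": 4000,
              "direction": "Inbound",
              "access": "Deny",
              "protocol": "*",
              "sourcePortRange": "*",
              "destinationPortRange": "*",
              "sourceAddressPrefix": "*",
              "destinationAddressPrefix": "*"
            }
          }
        ]
      }
    },
    {
      "comments": "ASG membership is set on the NIC's IP configuration, not on the ASG. Subnet vnet-app/snet-app is assumed to exist.",
      "type": "Microsoft.Network/networkInterfaces",
      "apiVersion": "2023-05-01",
      "name": "nic-db01",
      "location": "[parameters('location')]",
      "dependsOn": [ "[variables('dbAsgId')]" ],
      "properties": {
        "ipConfigurations": [
          {
            "name": "ipconfig1",
            "properties": {
              "privateIPAllocationMethod": "Dynamic",
              "subnet": { "id": "[resourceId('Microsoft.Network/virtualNetworks/subnets', 'vnet-app', 'snet-app')]" },
              "applicationSecurityGroups": [ { "id": "[variables('dbAsgId')]" } ]
            }
          }
        ]
      }
    }
  ]
}
```

Two points worth checking when you adapt this: a rule that uses sourceApplicationSecurityGroups must not also set sourceAddressPrefix (and likewise for the destination side), and the NSG only takes effect once it is associated with the subnet or the NICs, which this fragment leaves to your existing vNET template. Because membership lives on the NIC, adding a second database VM means pointing its ipconfig at asg-db; the NSG rules stay unchanged.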
You need to remember a few things about ASGs.
- You cannot configure any settings on an ASG; you can only add tags.
- You can select only one ASG as the source or destination in each NSG rule.
- You can select multiple ASGs for a single VM.
- Limitations:
  - 3000 per subscription
  - 20 per vNIC
  - 4000 IP configurations per ASG
- You can only assign an ASG from the same subscription.
- You cannot have VMs from different vNETs in one ASG.
- Both the source and destination ASGs in your NSG rules must be in the same vNET.