Microsoft Azure: NSGs & ASGs Simplified
NSGs (Network Security Groups) and ASGs (Application Security Groups) are the main Azure resources used to administer and control network traffic within a virtual network (vNET).
A Network Security Group is the Azure resource you use to enforce and control network traffic, whereas an Application Security Group is an object that is referenced from within a Network Security Group's rules.
As mentioned above, NSGs control access by permitting or denying network traffic in a number of ways, whether it be:-
In essence, an NSG is just a list of access control rules that either allow or deny network traffic to a specific destination on your vNET. The diagram below shows where the NSG sits within the security layers of an Azure environment:
Image reference: msdn.microsoft.com
As you can see above, an NSG sits on the perimeter in front of an Azure deployment and/or network virtual appliance; all traffic entering or leaving your Azure network can be processed by the NSG.
NSGs can be applied to either a virtual machine or a subnet, and one NSG can be associated with multiple subnets or virtual machines:-
Security rules in network security groups enable you to filter the type of network traffic that can flow in and out of virtual network subnets and network interfaces.
ASGs are used within an NSG to apply a network security rule to a specific workload or group of VMs. The ASG acts as the "network object", and explicit IP addresses are added to that object rather than to the rule itself. This lets you group VMs into associated groups or workloads, simplifying the NSG rule definition process. Another great use is scalability: create a new virtual machine and assign it to its ASG, and it immediately picks up all the NSG rules in place for that ASG, with zero disruption to your service!
Together they become one
As summarised above, both the NSG and the ASG form part of your security layer within Azure; the diagram shows an example use of both:-
When ASGs are used as part of the deployment process, a more simplified NSG ruleset is produced:
A handy diagram detailing how rules are evaluated:
Some tips on defining a NSG/ASG configuration:-
Is a single NSG recommended? Sure is!
There are default NSG rules for both inbound and outbound traffic, present even if you deploy a blank NSG, numbered 65000, 65001 and 65500. If no earlier rule has denied the traffic, these default rules are used. They are:
Please note – these rules are present by default even if the NSG is completely empty.
Be careful when defining NSG rules, as you could lose connectivity to the VM or to an additional outbound destination that is part of your environment.
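To make the rule-evaluation order, the default 65000/65001/65500 rules and the ASG grouping concrete, here is an added example that is not code from the original post or from Microsoft: a small Python simulator of the first-match, lowest-priority-number-wins evaluation an NSG applies, with ASG names resolved to VM addresses and the default rules appended in each direction. The vNET address space, VM addresses, ASG names, rule names and the "Internet" tag handling are all constructed assumptions for illustration, and the sample ruleset deliberately includes a deny rule that shadows AllowVnetInBound to show how connectivity can be lost.

```python
"""Added example, not code from the original post or from Microsoft: a small
simulator of the first-match, lowest-priority-number-wins evaluation an Azure NSG
applies to its rules, with ASG names resolved to VM addresses and the three
default rules (65000, 65001, 65500) appended in each direction. Address spaces,
VM addresses, ASG names and rule names are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, Iterable, List, Optional, Set, Tuple

VNET = ip_network("10.0.0.0/16")            # assumed vNET address space
AZURE_LB = ip_network("168.63.129.16/32")   # Azure platform load-balancer probe source


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int                 # custom rules 100-4096; lower number is evaluated first
    direction: str                # "Inbound" or "Outbound"
    access: str                   # "Allow" or "Deny"
    protocol: str                 # "Tcp", "Udp" or "*"
    source: str                   # CIDR, service tag, "*" or an ASG name
    destination: str
    dest_ports: Optional[FrozenSet[int]] = None   # None means any port


# The default rules every NSG carries, even a freshly created empty one.
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "*", "Internet"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*"),
]

Asgs = Dict[str, Set[str]]   # ASG name -> set of VM private IPs (membership, not rules)


def _addr_matches(spec: str, ip_str: str, asgs: Asgs) -> bool:
    """Does an address spec (tag, CIDR, '*' or ASG name) cover this IP?"""
    ip = ip_address(ip_str)
    if spec == "*":
        return True
    if spec in asgs:                      # ASG: match by membership, not by prefix
        return ip_str in asgs[spec]
    if spec == "VirtualNetwork":
        return ip in VNET
    if spec == "AzureLoadBalancer":
        return ip in AZURE_LB
    if spec == "Internet":                # simplification: anything outside the vNET/platform
        return ip not in VNET and ip not in AZURE_LB
    return ip in ip_network(spec, strict=False)


def evaluate(rules: Iterable[Rule], asgs: Asgs, direction: str, protocol: str,
             src: str, dst: str, port: int) -> Tuple[str, str]:
    """Return (access, rule_name) for the first matching rule in priority order."""
    ordered = sorted((r for r in list(rules) + DEFAULT_RULES if r.direction == direction),
                     key=lambda r: r.priority)
    for r in ordered:
        if r.protocol != "*" and r.protocol != protocol:
            continue
        if r.dest_ports is not None and port not in r.dest_ports:
            continue
        if _addr_matches(r.source, src, asgs) and _addr_matches(r.destination, dst, asgs):
            return r.access, r.name
    raise AssertionError("unreachable: the DenyAll default always matches")


# --- constructed sample environment -------------------------------------
ASGS: Asgs = {"web-asg": {"10.0.1.4", "10.0.1.5"}, "db-asg": {"10.0.2.4"}}
RULES: List[Rule] = [
    Rule("allow-https-from-internet", 100, "Inbound", "Allow", "Tcp", "Internet", "web-asg", frozenset({443})),
    Rule("allow-web-to-sql", 110, "Inbound", "Allow", "Tcp", "web-asg", "db-asg", frozenset({1433})),
    # Deny everything else to the DB tier. Because 120 < 65000 it also shadows
    # AllowVnetInBound, so SSH from a jump box in the vNET to the DB is lost too.
    Rule("deny-all-to-db", 120, "Inbound", "Deny", "*", "*", "db-asg"),
]


def inbound(src: str, dst: str, port: int, protocol: str = "Tcp", asgs: Asgs = ASGS) -> Tuple[str, str]:
    return evaluate(RULES, asgs, "Inbound", protocol, src, dst, port)


def outbound(src: str, dst: str, port: int, protocol: str = "Tcp", asgs: Asgs = ASGS) -> Tuple[str, str]:
    return evaluate(RULES, asgs, "Outbound", protocol, src, dst, port)


if __name__ == "__main__":
    print(inbound("203.0.113.9", "10.0.1.4", 443))   # allow-https-from-internet
    print(inbound("203.0.113.9", "10.0.1.4", 22))    # DenyAllInBound (default 65500)
    print(inbound("10.0.1.5", "10.0.2.4", 1433))     # allow-web-to-sql
    print(inbound("10.0.3.7", "10.0.2.4", 22))       # deny-all-to-db shadows AllowVnetInBound
    # Scale out: a new web VM joins the ASG and inherits the rules with no NSG change.
    grown = {"web-asg": ASGS["web-asg"] | {"10.0.1.6"}, "db-asg": ASGS["db-asg"]}
    print(inbound("203.0.113.9", "10.0.1.6", 443, asgs=grown))
    print(outbound("10.0.1.4", "8.8.8.8", 53, "Udp"))  # AllowInternetOutBound (default 65001)
```

The fourth lookup is the one to keep in mind: the deny rule at priority 120 for the DB tier is evaluated before the default AllowVnetInBound rule at 65000, so a jump box inside the vNET loses its admin path to the DB VMs even though nothing in the custom rules mentions it. The fifth lookup shows the scaling point above: adding an address to the ASG membership changes the outcome without touching a single rule.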
Above, I have summarised this in a more simplified process:-
Thank you for reading!