5.1 Network Security Groups (NSGs) and ASGs
📘Microsoft Azure Networking Solutions (AZ-700)
1. What is an Application Security Group (ASG)?
An Application Security Group (ASG) is a logical grouping of virtual machine (VM) network interfaces inside an Azure Virtual Network.
ASGs are used together with Network Security Groups (NSGs) to simplify network security rules.
In simple words:
- NSG = Defines security rules (allow/deny traffic).
- ASG = Defines which VMs belong to which application group.
- NSG rule + ASG = Apply security rules to groups of VMs instead of IP addresses.
ASGs are a feature of Microsoft Azure networking.
2. Why Do We Need ASGs?
Without ASGs:
- You must write NSG rules using IP addresses.
- If a VM’s private IP changes, you must update the NSG rule.
- Managing large environments becomes complex.
With ASGs:
- You group VMs by application role, not IP.
- You reference the ASG in NSG rules.
- No need to update rules when IP addresses change.
3. Real IT Example (Simple and Clear)
Imagine a 3-tier enterprise application deployed in Azure:
- Web servers
- Application servers
- Database servers
Instead of:
- Writing NSG rules using multiple IP addresses,
You can:
- Create ASG-Web
- Create ASG-App
- Create ASG-DB
Then configure NSG rules like:
- Allow Web → App (Port 443)
- Allow App → DB (Port 1433)
- Deny everything else (as an explicit Deny rule; the NSG default rules otherwise allow all traffic inside the VNet)
This keeps the rule set short, readable and stable as VMs are added or re-addressed.
4. Important Characteristics of ASGs (Exam Focus)
You must remember these points for AZ-700:
1️⃣ ASGs Are Scoped to One Virtual Network
- Every NIC added to an ASG must be in the same Virtual Network (VNet) as the first NIC that was added to it.
- An ASG cannot span multiple VNets, including peered VNets.
2️⃣ ASGs Contain Network Interfaces (NICs)
- You assign a VM’s network interface (its IP configuration) to an ASG.
- Not the VM itself — the NIC is the member, so a VM with several NICs can have each NIC in a different ASG.
3️⃣ ASGs Are Regional Resources
- They are created in a specific Azure region.
- All NICs in the ASG must be in the same region.
4️⃣ ASGs Are Used Only in NSG Rules
- ASGs are referenced in:
- Source
- Destination
- They cannot be used anywhere else.
5️⃣ Only for Azure VMs
- ASGs apply to:
- Virtual Machines
- Virtual Machine Scale Sets
- Not used for:
- Azure PaaS services
- On-premises servers
5. Steps to Create an Application Security Group (ASG)
You can create ASG using:
- Azure Portal
- Azure CLI
- Azure PowerShell
- ARM/Bicep templates
For AZ-700, you must understand Portal + CLI basics.
Method 1: Create ASG Using Azure Portal
Step 1: Sign in
Go to Azure Portal.
Step 2: Create Resource
Click:
Create a resource → Search “Application Security Group”
Select:
Application Security Group
Click:
Create
Step 3: Configure Basics
You must provide:
- Subscription
- Resource Group
- Name (Example: ASG-Web)
- Region
⚠️ Region must match the region of the NICs (and therefore the VNet) that you will add to the ASG.
Step 4: Review + Create
Click:
- Review + Create
- Create
ASG is now created.
6. Assign a VM to an ASG
After creating the ASG, you must add NICs to it (the ASG is empty until you do).
Steps:
- Go to the Virtual Machine → Networking.
- Select the Network Interface.
- Under Application Security Groups, add the ASG(s) the NIC should belong to.
- Save.
Now that VM’s NIC belongs to the ASG.
7. Use ASG in an NSG Rule
After assigning NICs to ASG, create or modify an NSG rule.
In NSG rule configuration:
Instead of:
- Source = IP addresses
Choose:
- Source = Application security group
- Select the ASG name
Same for Destination. Priority, direction, protocol and destination port are still required, exactly as for an IP-based rule.
Example rule:
| Setting | Value |
|---|---|
| Priority | 100 |
| Direction | Inbound |
| Source | Application security group: ASG-Web |
| Destination | Application security group: ASG-App |
| Protocol | TCP |
| Destination port | 443 |
| Action | Allow |
This allows inbound TCP 443 from NICs in ASG-Web to NICs in ASG-App. On its own it does not block anything else: the default rule AllowVnetInBound (priority 65000) still permits all other traffic within the VNet, so add an explicit Deny rule with a lower priority number if "only" is the goal.
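The procedure in sections 5 to 7 done end to end with the Azure CLI, as an added example that is not part of the original notes. It also places a service tag and an ASG side by side in one rule set (the comparison in section 12) and adds the explicit deny that "deny everything else" needs. The resource group, region, VNet/subnet names, NIC name and the assumption that one NSG is shared by all three tier subnets are illustrative choices, not values from the notes.

```azurecli
# Added example: three-tier ASGs with one NSG. Names and region are assumptions.
RG=rg-app-demo
LOC=westeurope
VNET=vnet-app
NSG=nsg-app-tiers

# 1. Create the ASGs in the same region as the NICs they will contain.
for tier in Web App DB; do
  az network asg create --resource-group $RG --location $LOC --name ASG-$tier
done

# 2. Put a NIC into an ASG. Membership is set on the NIC's IP configuration,
#    not on the VM object; a NIC may belong to more than one ASG.
az network nic ip-config update --resource-group $RG \
  --nic-name vm-app-01-nic --name ipconfig1 \
  --application-security-groups ASG-App

# 3. Create the NSG and write rules against ASGs instead of IP addresses.
az network nsg create --resource-group $RG --location $LOC --name $NSG

# Web tier -> App tier, TCP 443 only.
az network nsg rule create --resource-group $RG --nsg-name $NSG \
  --name Allow-Web-To-App-443 --priority 100 --direction Inbound --access Allow \
  --protocol Tcp --source-asgs ASG-Web \
  --destination-asgs ASG-App --destination-port-ranges 443

# App tier -> DB tier, TCP 1433 only.
az network nsg rule create --resource-group $RG --nsg-name $NSG \
  --name Allow-App-To-DB-1433 --priority 110 --direction Inbound --access Allow \
  --protocol Tcp --source-asgs ASG-App \
  --destination-asgs ASG-DB --destination-port-ranges 1433

# Service tag (Microsoft-managed ranges) as the source, ASG as the destination.
# A single Source or Destination field holds either prefixes/tags or ASGs, not both.
az network nsg rule create --resource-group $RG --nsg-name $NSG \
  --name Allow-Internet-To-Web-443 --priority 120 --direction Inbound --access Allow \
  --protocol Tcp --source-address-prefixes Internet \
  --destination-asgs ASG-Web --destination-port-ranges 443

# Keep Azure Load Balancer health probes working: the explicit deny below would
# otherwise override the default AllowAzureLoadBalancerInBound rule (65001).
az network nsg rule create --resource-group $RG --nsg-name $NSG \
  --name Allow-LB-Probes --priority 4000 --direction Inbound --access Allow \
  --protocol '*' --source-address-prefixes AzureLoadBalancer \
  --destination-address-prefixes '*' --destination-port-ranges '*'

# "Deny everything else": without this, AllowVnetInBound (65000) still allows
# every other flow inside the VNet, including Web -> DB.
az network nsg rule create --resource-group $RG --nsg-name $NSG \
  --name Deny-All-Other-Inbound --priority 4096 --direction Inbound --access Deny \
  --protocol '*' --source-address-prefixes '*' \
  --destination-address-prefixes '*' --destination-port-ranges '*'

# 4. An ASG enforces nothing by itself: the NSG has to be associated with the
#    subnets (or NICs). Here the same NSG serves all three tier subnets.
for subnet in snet-web snet-app snet-db; do
  az network vnet subnet update --resource-group $RG --vnet-name $VNET \
    --name $subnet --network-security-group $NSG
done
```

Rule evaluation is by priority number, not by creation order, so the allow rules at 100 to 4000 win over the deny at 4096. Because every ASG-based rule in the NSG refers to NICs in the same VNet, the one NSG can be reused on each tier subnet without per-subnet IP lists.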
8. ASG + NSG Relationship (Very Important for Exam)
Remember:
- ASG does NOT enforce security by itself.
- NSG enforces rules, and only once it is associated with a subnet or a NIC.
- ASG only helps define the source and destination of those rules.
Think of it like:
ASG = Logical grouping
NSG = Security policy
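Because the ASG itself enforces nothing, the check a practitioner wants after wiring ASGs into an NSG is whether the platform is actually applying the expected rules to the NIC. The commands below are an added example, not part of the original notes; the resource group, NIC name, VM name and the 10.0.x.x addresses are assumptions.

```azurecli
# Added example: verify ASG membership and the rules Azure really applies.
RG=rg-app-demo

# Which ASGs does this NIC belong to? (membership lives on the IP configuration)
az network nic show --resource-group $RG --name vm-app-01-nic \
  --query "ipConfigurations[].applicationSecurityGroups[].id" --output tsv

# Effective rules: subnet- and NIC-level NSG rules merged, ASG references resolved.
# If this list contains only the default rules, the NSG is not associated yet.
az network nic list-effective-nsg --resource-group $RG --name vm-app-01-nic

# Network Watcher IP flow verify simulates a packet against the effective rules
# (Network Watcher must be enabled in the VM's region).
# --local is the VM's own IP:port, --remote is the peer's IP:port.
# Expected with the Web -> App 443 rule plus an explicit deny:
#   first call  -> access: Allow (rule Allow-Web-To-App-443)
#   second call -> access: Deny  (rule Deny-All-Other-Inbound)
az network watcher test-ip-flow --resource-group $RG --vm vm-app-01 \
  --direction Inbound --protocol TCP --local 10.0.2.4:443 --remote 10.0.1.4:50000
az network watcher test-ip-flow --resource-group $RG --vm vm-app-01 \
  --direction Inbound --protocol TCP --local 10.0.2.4:22 --remote 10.0.1.4:50000
```

The IP flow verify output names the rule that decided the flow, which is the quickest way to spot a rule that references an empty ASG or a deny that sits at the wrong priority.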
9. Exam Scenario-Based Concepts
You may get questions like:
Scenario 1:
IP addresses are changing frequently.
Solution?
Answer: Use ASGs in NSG rules.
Scenario 2:
You need to allow communication between web tier and database tier only.
Best solution?
Answer:
- Create ASGs for each tier
- Create NSG rules using ASGs
Scenario 3:
VMs are in different VNets.
Can you use one ASG?
Answer:
❌ No. ASGs work only within the same VNet.
Scenario 4:
Can ASG include resources from multiple regions?
❌ No. Region-specific.
10. Limits and Restrictions (Exam Important)
You should know these limitations:
- ASG must be in the same region as the NICs it contains.
- A NIC can belong to multiple ASGs.
- In one NSG rule, the Source (or Destination) field holds either IP addresses / a service tag or ASGs, not a mix of both.
- If a rule uses ASGs in both Source and Destination, all NICs in both ASGs must be in the same VNet.
- Cannot use an ASG across peered VNets.
- Cannot use an ASG to group Internet traffic; use the Internet service tag or IP prefixes for that.
11. When Should You Use ASG?
Use ASG when:
✔️ You have multiple VMs with similar roles
✔️ IP addresses may change
✔️ You want clean and scalable NSG rules
✔️ You are designing multi-tier architecture
Do NOT use ASG when:
❌ You only have one VM
❌ You are filtering internet traffic only
❌ Resources are in different VNets
12. ASG vs Service Tags (Common Exam Confusion)
Students often confuse these.
| Feature | ASG | Service Tag |
|---|---|---|
| Used For | Grouping your own VM NICs | Representing Azure services or address classes |
| Based On | NIC membership you assign | Microsoft-managed IP ranges |
| Customizable | Yes | No |
| Example | ASG-Web | Storage, Internet, VirtualNetwork |
ASG = You control the members
Service Tag = Microsoft controls the IP ranges
13. Security Best Practices (Exam-Oriented)
For AZ-700:
✔️ Use ASG instead of IP addresses
✔️ Use least privilege principle
✔️ Separate tiers using different ASGs
✔️ Combine ASG + NSG properly
14. Quick Summary for Exam Revision
- ASG = Logical grouping of VM NICs
- Used with NSGs
- Simplifies rule management
- Region-specific
- Same VNet only
- Assign at NIC level
- Does not enforce security alone
Final Exam Tip
If the question says:
- “Simplify NSG rules”
- “Avoid using IP addresses”
- “Group VMs by role”
- “Multi-tier architecture”
The correct answer usually includes:
✔️ Create Application Security Groups
✔️ Reference ASGs in NSG rules
