NSG’s (Network Security Group) & ASG’s (Application Security Group) are the main Azure Resources that are used to administrate and control network traffic within a virtual network (vNET).
The difference
Network Security Group is the Azure Resource that you will use to enforce and control the network traffic with, whereas Application Security Group is an object reference within a Network Security Group.
Network Security Group (NSG)
As mentioned above, NSG’s control access by permitting or denying network traffic in a number of ways, whether it be:-
- Communication between different workloads on a vNET
- Network connectivity from on-site environment into Azure
- Direct internet connection
Theoretically speaking, it is just a group of Access Control List rules that either allow or deny network traffic to a specific destination located on your vNET. The below diagram shows where the NSG would sit within the security layer of an Azure environment:
Image reference: msdn.microsoft.com
As you can see above, a NSG will be on the perimeter before an Azure deployment and/or Network virtual appliance – all traffic entering or leaving your Azure network can be processed via the NSG.
They can be applied either on a virtual machine or subnet (one NSG can be applied to multiple subnets or virtual machines):-
- Virtual Machines – the rules will only get applied to Virtual Machines that are associated
- Subnets – All Virtual Machines within the specified subnet will have get the applied ruleset
Security rules in network security groups enable you to filter the type of network traffic that can flow in and out of virtual network subnets and network interfaces.
Application Security Group (ASG)
ASGs are used within a NSG to apply a network security rule to a specific workload or group of VMs – defined by ASG worked as being the “network object” & expilicit IP addresses are added to this object. This provides the capability to group VMs into associated groups or workloads, simplifying the NSG rule definition process. Another great use of this is for scalability, creating the virtual machine and assigning the newly created virtual machine to its ASG will provide it with all the NSG rules in place for that specific ASG – zero distribution to your service!
Together they become one
As summarised above, both NSG and ASG play part of your security layer within Azure, diagram shows an example use of both:-
As ASGs are used as part of the deployment process a more simplified NSG ruleset is produced:
| Priority | Action | Name | Source | Destination | Port |
| 100 | Allow | Internet-To-DMZ | Internet | DMZ-ASG | 443 |
| 101 | Allow | DMZ-To-Web | DMZ-ASG | WEB-ASG | 443 |
| 102 | Deny | Web-To-SQL | WEB-ASG | SQL-ASG | 1443 |
| 65000 | Deny | DenyAllInBound | Any | Any | Any |
A handy diagram detailing how rules are evaluated:
Image reference: msdn.microsoft.com
Some tips on defining a NSG/ASG configuration:-
- Define application groups into workloads or processes with a descriptive naming convention
- A single set of rules using ASGs can be applied to a single NSG which can be used throughout your entire virtual network whether it be NIC assigned or at subnet level
- As mentioned previously, using ASGs throughout your NSG can simplify workloads and assist with scalability due to the ease of applying a new VM a specific ASG or multiple ASGs.
Is a single NSG recommended? Sure is!
- Centralised view of your ruleset being applied
- Enforcing a ruleset is simplified as rules are all in one place
- Centralised logging, one NSG flow configured to assist with additional traffic analysis
Be Careful!
There are default NSG rules for both inbound and outbound traffic even if you deploy a blank NSG, numbered 65000, 65001 & 65500 – if no previous rule has a deny, these default rules will be used, they are:
Please note – these rules are default even if NSG is complete empty
Inbound:-
Outbound:-
Be careful when defining NSG rules as you could lose connectivity to the VM or to an additional outbound destination that is part of your environment.
Summary
Above I have summarised in a more simplified process:-
- What is a Network Security Group?
- What is an Application Security Group?
- How they are part of the Azure security layer
- Why Application Security Groups are beneficial to your deployment
- How Application Security Groups interact with Network Security Groups
Thank you for reading!
In an additional blog I will dive deeper into the Azure security/network stack which will include the use of UDR’s (User defined routes) & potential use of network virtual appliances.
Thomas Thornton - Microsoft Azure MVP - GitHub Star - HashiCorp Ambassador 
Well explained! All new dimension to the topic.
Thank you for the comment, glad you enjoyed it!