What are Microsoft Azure NSGs & ASGs?

Overview


NSGs (Network Security Groups) and ASGs (Application Security Groups) are the main Azure resources used to administer and control network traffic within a virtual network (vNET).


Difference: NSG vs ASG


A Network Security Group is the Azure resource you use to enforce and control network traffic.

An Application Security Group is an object that is referenced from within a Network Security Group.

NSG:

NSGs control access by permitting or denying network traffic in a number of scenarios:

  • Communication between different workloads on a vNET
  • Network connectivity from an on-premises environment into Azure
  • Direct internet connectivity

An NSG is simply a logical grouping of access control list (ACL) rules that either allow or deny network traffic to a specific destination on your vNET.

An NSG sits at the perimeter in front of an Azure deployment and/or a network virtual appliance: all traffic entering or leaving your Azure network can be processed by the NSG.


An NSG can be applied to either a virtual machine or a subnet (and one NSG can be applied to multiple subnets or virtual machines):

  • Virtual machines: the rules are applied only to the virtual machines associated with the NSG
  • Subnets: all virtual machines within the specified subnet receive the applied rule set

Security rules in network security groups enable you to filter the type of network traffic that can flow in and out of virtual network subnets and network interfaces.

ASG:

ASGs are used within an NSG to apply a network security rule to a specific workload or group of VMs. This provides the ability to group VMs by workload or role, which simplifies the NSG rule definition process.

Another great use is scalability: creating a new virtual machine and assigning it to an ASG gives it all the NSG rules already in place for that ASG.

Some tips on defining an NSG/ASG configuration:

  • Define application security groups by workload or process, with a descriptive naming convention
  • A single set of rules using ASGs can be applied in a single NSG, which can then be used throughout your entire virtual network, whether assigned to a NIC or at subnet level
  • As mentioned previously, using ASGs throughout your NSG simplifies workload rules and assists with scalability, because a new VM only needs to be assigned to one or more ASGs to pick up the rules
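To make the rule behaviour described above concrete, here is a small model of how an NSG evaluates inbound rules that reference ASGs. It is an added example for this post, not Azure code or anything from the original article. It models the documented semantics: rules are evaluated in ascending priority order and the first match wins; a rule's source or destination may be an ASG, matched by the NIC's membership; and every NSG carries the platform default inbound rules AllowVnetInBound (65000), AllowAzureLoadBalancerInBound (65001) and DenyAllInBound (65500). The vNET prefix, ASG names (asg-web, asg-db), NIC names (vm-web-01, vm-db-01, vm-web-02) and the three custom rules are constructed for the example.

```python
"""Added example: a minimal evaluator for Azure NSG inbound rules with ASGs.
All names, addresses and rules below are constructed for illustration."""
from dataclasses import dataclass
from typing import Optional
import ipaddress

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int          # 100-4096 for user rules; lower number is evaluated first
    access: str            # "Allow" or "Deny"
    protocol: str          # "Tcp", "Udp" or "*"
    source: str            # CIDR, "*", a service tag, or "asg:<name>"
    destination: str       # same forms as source
    dest_ports: frozenset  # port numbers, or frozenset({"*"}) for any port

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_nic: Optional[str]  # NIC name when the sender is a VM in this vNET, else None
    dst_ip: str
    dst_nic: str
    protocol: str
    dst_port: int

# Azure's built-in inbound default rules; their priorities are fixed by the platform.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Allow", "*", "VirtualNetwork", "VirtualNetwork", frozenset({"*"})),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "*", "AzureLoadBalancer", "*", frozenset({"*"})),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*", "*", frozenset({"*"})),
]

def _endpoint_matches(spec, ip, nic, asg_members, vnet):
    """Does one side of a rule (source or destination) match this packet endpoint?"""
    if spec == "*":
        return True
    if spec.startswith("asg:"):
        # ASG membership is a property of the NIC, not of the address.
        return nic is not None and nic in asg_members.get(spec[4:], set())
    if spec == "VirtualNetwork":
        return ipaddress.ip_address(ip) in vnet
    if spec == "AzureLoadBalancer":
        return ip == "168.63.129.16"  # Azure load balancer / health-probe source address
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec)

def evaluate(rules, pkt, asg_members, vnet):
    """Return (access, rule_name) for the first rule that matches, lowest priority number first."""
    vnet = ipaddress.ip_network(vnet)
    priorities = [r.priority for r in rules]
    if len(priorities) != len(set(priorities)):
        raise ValueError("NSG rule priorities must be unique per direction")
    for r in sorted(rules, key=lambda r: r.priority):
        if r.protocol != "*" and r.protocol != pkt.protocol:
            continue
        if "*" not in r.dest_ports and pkt.dst_port not in r.dest_ports:
            continue
        if not _endpoint_matches(r.source, pkt.src_ip, pkt.src_nic, asg_members, vnet):
            continue
        if not _endpoint_matches(r.destination, pkt.dst_ip, pkt.dst_nic, asg_members, vnet):
            continue
        return r.access, r.name
    return "Deny", "implicit"  # not reached while DenyAllInBound is present

# Constructed scenario: a web tier and a database tier, each grouped by an ASG.
VNET = "10.0.0.0/16"
ASG_MEMBERS = {"asg-web": {"vm-web-01"}, "asg-db": {"vm-db-01"}}
CUSTOM_INBOUND = [
    Rule("allow-https-to-web", 100, "Allow", "Tcp", "*", "asg:asg-web", frozenset({443})),
    Rule("allow-web-to-sql", 110, "Allow", "Tcp", "asg:asg-web", "asg:asg-db", frozenset({1433})),
    # Without this explicit deny, AllowVnetInBound (65000) would let any vNET host reach the DB tier.
    Rule("deny-all-to-db", 120, "Deny", "*", "*", "asg:asg-db", frozenset({"*"})),
]
RULES = CUSTOM_INBOUND + DEFAULT_INBOUND

def decide(src_ip, src_nic, dst_ip, dst_nic, port, protocol="Tcp", asg_members=ASG_MEMBERS):
    """Convenience wrapper: evaluate one inbound packet against the scenario's NSG."""
    return evaluate(RULES, Packet(src_ip, src_nic, dst_ip, dst_nic, protocol, port), asg_members, VNET)

if __name__ == "__main__":
    print(decide("203.0.113.5", None, "10.0.1.4", "vm-web-01", 443))     # internet to web HTTPS: Allow
    print(decide("203.0.113.5", None, "10.0.1.4", "vm-web-01", 22))      # internet to web SSH: DenyAllInBound
    print(decide("10.0.1.4", "vm-web-01", "10.0.2.4", "vm-db-01", 1433))  # web to SQL: Allow
    print(decide("10.0.1.4", "vm-web-01", "10.0.2.4", "vm-db-01", 22))    # web to DB SSH: deny-all-to-db
    # Scaling out: a new web VM gets the same access the moment its NIC joins asg-web.
    grown = {"asg-web": {"vm-web-01", "vm-web-02"}, "asg-db": {"vm-db-01"}}
    print(decide("10.0.1.5", "vm-web-02", "10.0.2.4", "vm-db-01", 1433, asg_members=grown))
```

Two things the model shows that the prose only states: the explicit deny at priority 120 is needed because the default AllowVnetInBound rule would otherwise admit any host in the vNET to the database tier, and a newly built VM inherits the web-tier rules simply by being placed in asg-web, with no rule edit. The model leaves out one real detail worth remembering when you assign NSGs at both subnet and NIC level: Azure evaluates the subnet NSG first and then the NIC NSG for inbound traffic, and both must allow the flow.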

Summary

A simplified summary of what the document covered above:

  • What is a Network Security Group?
  • What is an Application Security Group?
  • How they are part of the Azure security layer
  • Why Application Security Groups are beneficial to your deployment
