Chinonso Ukadike

Securing Azure Networks: Creating and Configuring Network Security Groups (NSGs) and Application Security Groups (ASGs)

This article is a continuation of Building Strong Connections: A Beginner’s Guide to Setting Up Virtual Networks and Peering in Azure. In that guide, we set up a virtual network (app-vnet) with two subnets: frontend and backend.

In this article, we’ll focus on securing those subnets by implementing network security groups (NSGs) and application security groups (ASGs) to control inbound and outbound traffic between VMs and from the internet.

Step 1: Deploy Virtual Machines to Existing Subnets

We will deploy two Ubuntu virtual machines using an Azure Resource Manager (ARM) template provided by Microsoft. VM1 will reside in the frontend subnet, and VM2 will be placed in the backend subnet.

Open Azure Cloud Shell (select PowerShell) and run the following commands:

   # Resource group used throughout this walkthrough
   $RGName = "RG1"

   # Deploy the two Ubuntu VMs from Microsoft's ARM template
   New-AzResourceGroupDeployment -ResourceGroupName $RGName -TemplateUri "https://raw.githubusercontent.com/MicrosoftLearning/Configure-secure-access-to-workloads-with-Azure-virtual-networking-services/main/Instructions/Labs/azuredeploy.json"

Step 2: Create an Application Security Group (ASG)

ASGs allow you to group virtual machine network interfaces by application roles, making it easier to manage NSG rules.

  1. In the Azure portal, search for Application security groups.
  2. Click + Create.
  3. Use the following configuration:
    • Subscription: Your subscription
    • Resource Group: RG1
    • Name: app-frontend-asg
    • Region: East US
  4. Click Review + create, then click Create.

Step 3: Associate VM1 with the Application Security Group

To apply NSG rules based on ASG membership, associate VM1 with the app-frontend-asg.

  1. Go to Virtual Machines and select VM1.
  2. Under Settings, select Networking.
  3. Click Application security groups, then select Add application security groups.
  4. Choose app-frontend-asg and click Add.

Step 4: Create a Network Security Group (NSG)

Now create a network security group to control traffic to the backend subnet.

  1. Search for Network security groups in the portal.
  2. Click + Create.
  3. Use the following configuration:
    • Subscription: Your subscription
    • Resource Group: RG1
    • Name: app-vnet-nsg
    • Region: East US
  4. Click Review + create, then click Create.

Step 5: Associate the NSG with the Backend Subnet

  1. Open the app-vnet-nsg NSG from the list in your resource group.
  2. In the left pane, click Subnets.
  3. Click + Associate.
  4. Select:
    • Virtual Network: app-vnet
    • Subnet: backend
  5. Click OK to complete the association.

Step 6: Add an Inbound Security Rule to Allow SSH from Frontend ASG

Now configure an NSG rule to allow secure SSH access from the frontend web server (VM1, in app-frontend-asg) to the backend VM (VM2).

  1. Open the app-vnet-nsg NSG.
  2. Click Inbound security rules under Settings.
  3. Click + Add.
  4. Use the following settings:
    • Source: Any
    • Source port ranges: *
    • Destination: Application Security Group
    • Destination application security group: app-frontend-asg
    • Service: SSH
    • Action: Allow
    • Priority: 100
    • Name: AllowSSH
  5. Click Add to create the rule.
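
Added example (not from the original article): a simplified Python model of inbound NSG evaluation that checks which rule decides SSH into VM2 when the Step 6 rule is applied as entered, next to a variant that uses app-frontend-asg as the source. The Rule and Endpoint types, the selector strings and the reduced default-rule list are assumptions of this sketch, not Azure APIs.

```python
# Added example: simplified model of inbound NSG evaluation, not Azure code.
from dataclasses import dataclass
@dataclass(frozen=True)
class Rule:
    name: str
    priority: int
    access: str        # "Allow" or "Deny"
    source: str        # "Any", "VirtualNetwork" or "asg:<name>"
    destination: str   # same vocabulary as source
    port: str          # "*" or one port number as text

@dataclass(frozen=True)
class Endpoint:
    name: str
    in_vnet: bool
    asgs: frozenset = frozenset()

def _matches(selector, ep):
    if selector == "Any":
        return True
    if selector == "VirtualNetwork":   # assumption: single VNet, no peering
        return ep.in_vnet
    return selector.startswith("asg:") and selector[4:] in ep.asgs

# Built-in inbound defaults (the load balancer rule at 65001 is left out).
DEFAULTS = [
    Rule("AllowVnetInBound", 65000, "Allow", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("DenyAllInBound", 65500, "Deny", "Any", "Any", "*"),
]

def evaluate(rules, src, dst, port):
    for r in sorted(rules + DEFAULTS, key=lambda r: r.priority):  # lowest number first
        if r.port in ("*", str(port)) and _matches(r.source, src) and _matches(r.destination, dst):
            return r.access, r.name   # first matching rule wins

# Constructed endpoints mirroring the walkthrough: only VM1 is in the ASG.
VM1 = Endpoint("VM1", True, frozenset({"app-frontend-asg"}))
VM2 = Endpoint("VM2", True)
INTERNET = Endpoint("internet-host", False)

# The rule as entered in Step 6, and a variant with the ASG as the source.
AS_ENTERED = [Rule("AllowSSH", 100, "Allow", "Any", "asg:app-frontend-asg", "22")]
ASG_AS_SOURCE = [Rule("AllowSSH", 100, "Allow", "asg:app-frontend-asg", "Any", "22")]

def report(rules):
    return {f"{s.name}->VM2": evaluate(rules, s, VM2, 22) for s in (VM1, INTERNET)}

if __name__ == "__main__":
    print(report(AS_ENTERED), report(ASG_AS_SOURCE), sep="\n")
```

In this model the rule as entered never decides traffic to VM2, because VM2's NIC is not a member of app-frontend-asg; SSH from VM1 is admitted by the default AllowVnetInBound rule instead. AllowSSH only becomes the deciding rule in the variant where the ASG is the source.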

Conclusion

At this point, you’ve:

  • Deployed VMs into existing subnets
  • Created and applied an ASG to organize frontend VMs
  • Created an NSG and associated it with the backend subnet
  • Added a rule allowing SSH traffic from frontend ASG members to backend resources

This security configuration enables precise control over internal communication within your Azure virtual network. By leveraging Application Security Groups (ASGs) and Network Security Groups (NSGs), you can implement scalable, role-based access policies that are easier to manage and adapt as your infrastructure grows. This layered approach enhances both security and flexibility, laying the groundwork for a robust cloud governance strategy.