Enhancing The Security of Your Web Application with Azure Network Security Groups and Application Security Groups (Part 2)

Introduction:

In part 1, we explored isolating resources within a virtual network for enhanced security. This part delves into Azure Network Security Groups (NSGs) and Application Security Groups (ASGs) to further control network traffic to your web application.

Prerequisites:

• An Azure account with an active subscription
• A virtual network created in Azure (refer to part 1 for guidance)
• Basic understanding of Azure Resource Manager templates (ARM templates)

Understanding Network Security Groups and Application Security Groups:

• NSGs: These act as firewalls, filtering inbound and outbound traffic to specific resources or subnets within your virtual network.
• ASGs: These group VMs with similar security needs, allowing you to define security policies at the application level rather than managing individual VMs.

Creating an Application Security Group:

1. Search: In the Azure portal, search for "Application Security Group" and click "Create."

   

2. Configuration:

   • Select your existing resource group.
   • Provide a descriptive name for the ASG (e.g., "web-app-asg").
   • Choose the same region as your virtual network (The images shows Canada Central but use US East).

3. Review and Create: Click "Review + create" to validate and deploy the ASG.

   

Creating and Associating a Network Security Group:

1. Search: In the Azure portal, search for "Network Security Group" and click "Create."

   

2. Configuration:

   • Select your existing resource group.
   • Provide a name for the NSG (e.g., "web-app-nsg").
   • Choose the same region as your virtual network.

3. Review and Create: Click "Review + create" to deploy the NSG.

   

4. Association:

   • Search for "Network Security Group" again and navigate to your newly created NSG.
   • In the "Settings" menu, select "Subnets."
   • Click "+ Associate" and choose the virtual network subnet containing your web server (e.g., "backend").
   • Click "OK" to confirm the association.

   

Creating Network Security Group Rules:

1. Inbound Security Rules:

   • Navigate to your NSG's "Settings" and select "Inbound security rules."
   • Click "+ Add" to create a new rule.

   

2. Rule Configuration:

   • Leave "Source" as "Any" to allow traffic from anywhere.
   • Change "Destination" to "Application Security Group."
   • Select the ASG you created earlier (e.g., "web-app-asg").
   • Choose the service/port combination for your application traffic (e.g., "SSH" for port 22).
   • Leave "Priority" as 100.
   • Click "Add" to create the rule.

   

Deploying VMs with an ARM Template (Optional)

This section walks you through deploying the VMs needed for this tutorial using a remote ARM template hosted on GitHub. ARM templates provide a declarative way to define your infrastructure resources and their configurations. If you're unfamiliar with ARM templates, you can skip this section and proceed with the assumption that you already have two VMs created within your virtual network.

1. Open Azure Cloud Shell:

• In the Azure portal, locate the Cloud Shell button (usually on the top menu bar) and click it. Choose PowerShell or Bash based on your preference.

  

2. Deploying VMs with Remote Template:

• Paste the following PowerShell code snippet into your Cloud Shell window, replacing [your resource group name] with the actual name of your resource group:

   $RGName = "[your resource group name]"
   $TemplateUri = "https://raw.githubusercontent.com/MicrosoftLearning/Configure-secure-access-to-workloads-with-Azure-virtual-networking-services/main/Instructions/Labs/azuredeploy.json"
   New-AzResourceGroupDeployment -ResourceGroupName $RGName -TemplateUri $TemplateUri

• Press Enter to execute the code. This will deploy the VMs defined within the template.

Benefits of ARM Templates:

• Repeatability: Define your infrastructure configuration once and deploy it multiple times consistently.
• Version Control: Track changes to your infrastructure over time using version control systems like Git.
• Error Reduction: Reduce errors by defining infrastructure as code instead of manual deployments.

Additional Notes:

This section provides a high-level overview of ARM template deployment. Consider including a link to Microsoft's documentation on ARM templates for a deeper dive (https://learn.microsoft.com/en-us/azure/azure-resource-manager/).

Adding the Application Security Group to VM2

Now that you have your VMs deployed (either manually or through the ARM template), we can proceed with configuring the security groups.

1. Navigate: Locate your virtual network resource group and select VM2.
2. Networking Tab: Go to the "Networking" tab of VM2.

3. Application Security Groups: Under "Application security groups," click "+ Add application security group."

   

4. Selection: Choose the ASG you created earlier (e.g., "web-app-asg").

5. Confirmation: Click "Add" to associate the ASG with VM2.

   

Conclusion

By implementing ASGs and NSGs, you've significantly enhanced the security of your web application by controlling inbound traffic and grouping VMs with similar security requirements. Remember to adjust security rule settings based on your specific application needs.

In the next post we'll take a look at using Azure Firewall to secure your application.