Security Groups

🔐 1 Core Concepts: NSGs and ASGs

1.1 Network Security Groups (NSGs)

An Azure Network Security Group (NSG) is a fundamental security component that acts as a virtual firewall for filtering network traffic to and from Azure resources in a virtual network (VNet). It contains a list of security rules that allow or deny inbound and outbound network traffic based on:

• Source/Destination IP addresses, CIDR blocks, service tags, or ASGs
• Port ranges (e.g., 80, 443, 3389, or ranges like 10000-10005)
• Protocols (TCP, UDP, ICMP, ESP, AH, or Any)
• Direction (Inbound or Outbound)
• Action (Allow or Deny) 【turn0search0】

NSGs are stateful, meaning if you allow an outbound traffic flow, the response traffic is automatically allowed without requiring an explicit inbound rule, and vice versa . This reduces the number of rules you need to manage.

1.2 Application Security Groups (ASGs)

An Application Security Group (ASG) enables you to group virtual machines (VMs) and define network security policies based on those groups, rather than managing individual IP addresses. This acts as a dynamic, application-centric abstraction for network security. Key characteristics include:

• Grouping by Function: You can group VMs that perform similar roles (e.g., web servers, application logic, database servers) into ASGs.

• Rule Simplification: Security rules can reference ASGs as sources or destinations. This reduces rule management overhead, as you don’t need to update rules when VMs are added or removed from the ASG.

• VNet Boundary: All network interfaces (NICs) assigned to an ASG must exist in the same virtual network as the first NIC assigned to that ASG .

• NSG (Network Security Group) is the firewall that contains the actual rules and does the filtering. It’s always required.

• ASG (Application Security Group) is an object reference used inside an NSG rule to define the source or destination as a group of VMs instead of individual IP addresses. It’s an optional but powerful helper.

4.2 Using Service Tags for Simplified Rules

Service tags represent a group of IP address prefixes for a given Azure service, which Microsoft manages. Using service tags eliminates the need to update IP ranges when Azure adds new addresses.

Common service tags include:

• VirtualNetwork - The virtual network, peered networks, and connected on-premises networks
• Internet - All IP addresses outside the virtual network
• AzureLoadBalancer - Azure infrastructure load balancer
• Sql.WestUS - Azure SQL in West US region
• Storage.EastUS2 - Azure Storage in East US 2 region

Example: Allow access to Azure SQL Database:

# Add a rule to allow access to Azure SQL in East US 2
$rule = Add-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg `
  -Name "Allow-AzureSQL" `
  -Description "Allow access to Azure SQL Database in East US 2" `
  -Access Allow `
  -Protocol Tcp `
  -Direction Outbound `
  -Priority 200 `
  -SourceAddressPrefix VirtualNetwork `
  -SourcePortRange * `
  -DestinationAddressPrefix Sql.EastUS2 `
  -DestinationPortRange 1433
 
# Update the NSG
$nsg | Set-AzNetworkSecurityGroup

4.3 Network Security Group Flow Logs

NSG Flow Logs is a feature of Azure Network Watcher that allows you to log information about IP traffic flowing through an NSG. This is invaluable for:

• Auditing and Compliance: Tracking network traffic for security requirements
• Troubleshooting: Diagnosing connectivity issues
• Performance Analysis: Identifying traffic patterns and bottlenecks
• Security Monitoring: Detecting anomalous traffic patterns or potential threats

Flow logs capture data including:

• Source and destination IP addresses
• Source and destination ports
• Protocol (TCP, UDP, etc.)
• Flow direction (inbound/outbound)
• Whether traffic was allowed or denied
• Number of bytes and packets

📋 Enabling NSG Flow Logs via PowerShell

# Get the NSG
$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $rgName -Name $nsgName
 
# Get the storage account for flow logs
$storageAccount = Get-AzStorageAccount -ResourceGroupName $rgName -Name "mystorageaccount"
 
# Enable NSG flow logs
Set-AzNetworkWatcherConfigFlowLog `
  -NetworkWatcher $networkWatcher `
  -TargetResourceId $nsg.Id `
  -StorageAccountId $storageAccount.Id `
  -EnableFlowLog $true `
  -FormatVersion 2 `
  -RetentionInDays 7

🎯 5 Best Practices for NSG and ASG Deployment

5.1 Rule Design Principles

• Principle of Least Privilege: Start with a deny-all approach and only allow necessary traffic.
• Prioritize Rules Carefully: Ensure higher priority (lower number) rules are evaluated first and are more specific.
• Use ASGs for Grouping: Group VMs by function and use ASGs in rules instead of individual IPs.
• Leverage Service Tags: Use service tags for Azure services to avoid managing IP ranges.
• Minimize Rule Count: Use augmented security rules to specify multiple ports/IP ranges in a single rule.
• Document Rules: Maintain clear documentation of rule purposes and justifications.

5.2 ASG Implementation Guidelines

• One ASG per Function: Create ASGs based on application tiers (web, app, db) or roles.
• VNet Boundary: Ensure all NICs in an ASG are in the same VNet 【turn0search1】.
• Limit ASG Membership: A NIC can be in multiple ASGs, but keep memberships logical and manageable.
• Consistent Naming: Use consistent naming conventions (e.g., AsgWeb, AsgLogic, AsgDb).

5.3 Security Hardening Recommendations

• Deny Direct Database Access: Use ASGs to restrict database access only to application tiers.
• Implement Just-In-Time Access: Use Microsoft Defender for Cloud’s JIT VM access to lock down inbound ports and request access when needed 【turn0search5】.
• Use Azure Bastion: For secure RDP/SSH access to VMs without exposing public IP addresses or opening inbound ports 【turn0search5】.
• Regularly Review Rules: Periodically review NSG rules to remove unused or overly permissive rules.
• Enable Flow Logs: Enable NSG flow logs for auditing, troubleshooting, and security monitoring.
• Test Thoroughly: Test NSG rules in a non-production environment before deploying to production.

5.4 Operational Excellence

• Automate Deployments: Use Infrastructure as Code (IaC) with ARM templates, Bicep, or Terraform for NSG and ASG deployments.
• Version Control Rules: Maintain NSG configurations in version control for change management.
• Monitor and Alert: Set up monitoring and alerting on NSG flow logs to detect anomalies.
• Plan for Scale: Design NSG rules to accommodate application scaling and changes.
• Integrate with DevSecOps: Incorporate NSG and ASG configuration into your CI/CD pipelines.

⚠️ 6 Common Pitfalls and Troubleshooting

6.1 Common Mistakes

1. Ignoring Default Rules: Not accounting for default rules (especially AllowVNetInBound) can lead to unexpected traffic flows.
2. Incorrect Rule Priority: Placing rules in the wrong priority order can cause unintended denials or allows.
3. Overusing Specific IPs: Relying on individual IPs instead of ASGs or service tags makes management complex and error-prone.
4. Forgetting Stateful Nature: Not understanding the stateful nature can lead to unnecessary rule creation.
5. Asymmetric Routing: Not considering asymmetric routing can cause traffic drops.
6. Overly Permissive Rules: Creating rules that are too broad (e.g., * to *) can introduce security risks.
7. Not Testing in Dev: Failing to test NSG rules in a development environment before production deployment.

6.2 Troubleshooting Common Issues

Issue	Possible Cause	Resolution
Traffic blocked unexpectedly	More restrictive rule with higher priority (lower number)	Reorder rules to allow necessary traffic first
Cannot access VM from internet	Default DenyAllInBound rule blocking	Add specific allow rules with higher priority
Database inaccessible from app tier	ASG rules not correctly configured	Verify ASG memberships and rule priorities
Performance degradation	Too many NSG rules or complex logic	Simplify rules using ASGs and service tags
Asymmetric routing issues	NSG rules allowing traffic in one direction but not the other	Ensure both inbound and outbound rules are configured

6.3 Troubleshooting with Flow Logs

NSG flow logs are your most powerful troubleshooting tool. Analyze them to:

• Identify which rules are blocking or allowing traffic
• Understand traffic patterns and anomalies
• Validate rule configurations
• Investigate security incidents

🔍 Querying NSG Flow Logs with Azure Monitor KQL

// Query NSG flow logs to find allowed traffic from internet to web tier
NSGFlowLogs
| where TimeGenerated > ago(1h)
| where FlowStatus == "A" // Allowed traffic
| where SourceAddress contains "Internet" // Source from internet
| where DestinationPort in (80, 443) // HTTP/HTTPS ports
| summarize Count() by SourceAddress, DestinationAddress, DestinationPort
| order by Count_ desc

📊 7 NSG and ASG Limitations and Constraints

7.1 Azure Limits

Be aware of these key limits for NSGs and ASGs (limits may vary by subscription type and region):

Resource	Limit
NSGs per region	1000
Rules per NSG	1000
ASGs per region	3000
NICs per ASG	Limited by subscription limits
ASGs per NIC	Limited by subscription limits

💡 Tip: Always check the latest Azure limits documentation, as Microsoft may update these limits.

7.2 ASG Constraints

• VNet Boundary: All NICs assigned to an ASG must exist in the same virtual network as the first NIC assigned to that ASG 【turn0search1】.
• No Cross-Subscription: ASGs cannot span multiple subscriptions.
• Regional Limitation: ASGs are regional resources, but NICs must be in the same VNet.
• Classic Deployment: ASGs are not supported in the classic deployment model.

🔮 8 Advanced Integration and Future Considerations

8.1 Integration with Azure Firewall

While NSGs provide network-level filtering (Layer 3/4), Azure Firewall provides more advanced capabilities:

• Layer 7 Application Inspection: Deep packet inspection for web traffic
• Threat Intelligence: Filtering based on known malicious IP addresses and domains
• FQDN Filtering: Filtering by fully qualified domain names
• Outbound Internet Filtering: Controlling outbound internet access

Use Case: Use Azure Firewall at the perimeter of your VNet for advanced threat protection and use NSGs for internal segmentation and east-west traffic control.

8.2 Zero Trust Networking

Modern security approaches emphasize Zero Trust principles, which assume no implicit trust and verify explicitly:

• Validate Explicitly: Always authenticate and authorize based on all available data points.
• Use Least Privilege: Limit access with just-in-time and just-enough-access policies.
• Assume Breach: Minimize blast radius and segment access.

NSGs in Zero Trust: NSGs are a critical component of Zero Trust network segmentation, but they should be complemented with identity-based controls (Microsoft Entra Conditional Access), device health checks, and continuous monitoring.

8.3 Automation and DevOps Integration

Integrate NSG and ASG management into your DevOps workflows:

• IaC Templates: Use ARM templates, Bicep, or Terraform to define NSGs and ASGs as code.
• CI/CD Pipelines: Automatically deploy and update NSG rules as part of your deployment pipeline.
• Policy as Code: Use Azure Policy to enforce NSG configurations (e.g., require flow logs, block specific ports).
• Configuration Drift Detection: Monitor for configuration drift and automatically remediate.

💎 Conclusion: Mastering Azure Network Security with NSGs and ASGs

Azure Network Security Groups and Application Security Groups are powerful tools for controlling network traffic to and from your Azure resources. By understanding their core concepts, rule processing, and advanced configurations, you can design and implement robust network security architectures that meet your security and compliance requirements.

Key Takeaways:

1. NSGs are Stateful Firewalls: They process rules in priority order and track connection states.
2. ASGs Simplify Management: Group VMs by function and use ASGs in rules for scalable security policies.
3. Default Rules Matter: Understand and account for default rules like AllowVNetInBound in your security design.
4. Leverage Service Tags: Use service tags to simplify rules for Azure services and avoid managing IP ranges.
5. Enable Flow Logs: Enable NSG flow logs for auditing, troubleshooting, and security monitoring.
6. Follow Best Practices: Implement the principle of least privilege, use IaC, and regularly review your configurations.
7. Think Beyond Perimeter: Complement network segmentation with identity-based controls and monitoring for a defense-in-depth approach.

By mastering NSGs and ASGs, you can effectively implement network segmentation, control traffic flow, and enhance the security posture of your Azure deployments. Start with simple, well-documented configurations, and gradually adopt more advanced patterns as your requirements evolve.