Azure Security Simplified: Understanding NSGs and ASGs

Voiced by Amazon Polly

Cloud engineers often face confusion when distinguishing between NSG and ASG in Azure, making it a frequent topic in interviews — this article aims to clear up that confusion by providing a clear understanding of their differences.

Microsoft Azure offers several tools to secure traffic, and among them, two commonly used resources are Network Security Groups (NSGs) and Application Security Groups (ASGs). While both contribute to controlling traffic flow in Azure virtual networks, they serve different purposes and are often used together for more granular and scalable control.

Network Security Group is a firewall-like feature in Azure that acts as a stateful packet filtering device. It contains a list of security rules that allow or deny inbound or outbound traffic to network interfaces (NICs), virtual machines (VMs), or subnets. These security rules consist of source and destination (IP, CIDR, tag, or ASG), Port range, Protocol (TCP, UDP, Any), Action (Allow or Deny), name for every rule and a priority value (lower number = higher priority).

As you can see, each NSG comes with six default security rules — three for inbound and three for outbound traffic. Inbound rules block all incoming traffic by default, except for traffic originating from the Azure virtual network or Azure load balancer. Similarly, outbound rules block all outgoing traffic, except for traffic destined for the Azure virtual network or the Internet. These default rules have lower priority than any custom rule you create.

Access to Unlimited* Azure Trainings at the cost of 2 with Azure Mastery Pass

Microsoft Certified Instructor
Hands-on Labs
EMI starting @ INR 4999*

Subscribe Now

Use Case:

If you need to block all internet traffic to a subnet except for ports 80 (HTTP) and 3389 (RDP), you can achieve this by creating custom NSG rules. By assigning these rules to the subnet, you control which traffic is allowed. Custom NSG rules can be configured with a priority between 100 and 4096, allowing them to override default rules as needed.

Application Security Group is a way to group VMs logically, allowing you to apply network security rules based on application patterns, rather than hardcoding IP addresses or subnet ranges. ASGs are used within NSG rules as either the source or destination to define traffic flow. They are assigned at the network interface (NIC) level of virtual machines, allowing for more flexible and dynamic rule management.

Use Case:

Let’s say you have a multi-tier application:

Web Tier (VMs in ASG: WebASG)
App Tier (VMs in ASG: AppASG)
Database Tier (VMs in ASG: DBASG)

You can create NSG rules like:

Allow traffic from WebASG to AppASG on port 8080
Allow traffic from AppASG to DBASG on port 1433

This approach lets you scale your application tiers without constantly modifying the NSG rules.

To summarize:

Use NSGs to define and enforce network security rules.
Use ASGs to group resources logically and reference them in NSG rules.

When building secure and scalable environments in Azure, combining NSGs with ASGs helps you manage complexity while keeping your infrastructure flexible and secure.

Enhance Your Productivity with Microsoft Copilot

Effortless Integration
AI-Powered Assistance

Get Started Now

About CloudThat

CloudThat is a leading provider of Cloud Training and Consulting services with a global presence in India, the USA, Asia, Europe, and Africa. Specializing in AWS, Microsoft Azure, GCP, VMware, Databricks, and more, the company serves mid-market and enterprise clients, offering comprehensive expertise in Cloud Migration, Data Platforms, DevOps, IoT, AI/ML, and more.