Cloud engineers are often unsure of the difference between NSGs and ASGs in Azure, and the question comes up frequently in interviews. This article aims to clear up that confusion by explaining clearly how the two differ.
Microsoft Azure offers several tools to secure traffic, and among them, two commonly used resources are Network Security Groups (NSGs) and Application Security Groups (ASGs). While both contribute to controlling traffic flow in Azure virtual networks, they serve different purposes and are often used together for more granular and scalable control.
A Network Security Group (NSG) is a firewall-like feature in Azure that acts as a stateful packet filter. It contains a list of security rules that allow or deny inbound or outbound traffic to network interfaces (NICs), virtual machines (VMs), or subnets. Each rule consists of a name, a source and a destination (IP address, CIDR range, service tag, or ASG), a port range, a protocol (TCP, UDP, or Any), an action (Allow or Deny), and a priority value (lower number = higher priority).
Each NSG comes with six default security rules: three inbound and three outbound. The default inbound rules deny all incoming traffic except traffic originating from the Azure virtual network or the Azure load balancer. The default outbound rules deny all outgoing traffic except traffic destined for the Azure virtual network or the Internet. These default rules have a lower priority (a higher priority number) than any custom rule you create, so your own rules are always evaluated first.
Use Case:
If you need to block all internet traffic to a subnet except on ports 80 (HTTP) and 3389 (RDP), you can do so with custom NSG rules. Associating the NSG with the subnet makes those rules govern the traffic that reaches it. Custom NSG rules take a priority between 100 and 4096, so they are evaluated before the default rules and can override them as needed.
An Application Security Group (ASG) is a way to group VMs logically, so that network security rules can be written in terms of application roles rather than hard-coded IP addresses or subnet ranges. ASGs are referenced in NSG rules as either the source or the destination to define traffic flow. Membership is assigned at the network interface (NIC) level of a virtual machine, which makes rule management more flexible and dynamic.
Use Case:
Let’s say you have a multi-tier application:
- Web Tier (VMs in ASG: WebASG)
- App Tier (VMs in ASG: AppASG)
- Database Tier (VMs in ASG: DBASG)
You can create NSG rules like:
- Allow traffic from WebASG to AppASG on port 8080
- Allow traffic from AppASG to DBASG on port 1433
This approach lets you scale your application tiers without constantly modifying the NSG rules.
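As an added illustration (not code from the article or from Azure), the following Python model evaluates inbound NSG rules the way the text describes: ascending priority, first match wins, default rules below custom ones, and ASGs as named groups of NICs. All addresses and rule names are constructed. It also includes the deny rule a practitioner needs in practice, because the default AllowVnetInBound rule would otherwise still let the Web tier reach the database tier directly.

```python
from dataclasses import dataclass

# Constructed sample network: hypothetical NIC addresses, not a real deployment.
VNET = {"10.0.1.4", "10.0.2.4", "10.0.3.4"}
ASGS = {"WebASG": {"10.0.1.4"}, "AppASG": {"10.0.2.4"}, "DBASG": {"10.0.3.4"}}

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # custom rules use 100-4096; the lowest number is checked first
    access: str        # "Allow" or "Deny"
    source: str        # ASG name, service tag ("VirtualNetwork", "Internet") or "*"
    destination: str
    port: str          # destination port such as "8080", or "*"

def _matches(selector: str, ip: str) -> bool:
    """Resolve an ASG name, service tag or literal address against a NIC IP."""
    if selector in ASGS:
        return ip in ASGS[selector]
    if selector == "VirtualNetwork":
        return ip in VNET
    if selector == "Internet":
        return ip not in VNET
    return selector in ("*", ip)  # wildcard or literal address; other tags never match here

# The three default inbound rules, always below custom priorities.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Allow", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "AzureLoadBalancer", "*", "*"),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*", "*"),
]

# The article's tier rules plus the deny a practitioner needs: without it the default
# AllowVnetInBound (65000) still lets every VNet host reach every tier on every port.
TIER_RULES = [
    Rule("Allow-Web-To-App-8080", 100, "Allow", "WebASG", "AppASG", "8080"),
    Rule("Allow-App-To-DB-1433", 110, "Allow", "AppASG", "DBASG", "1433"),
    Rule("Deny-Other-VNet-Inbound", 4000, "Deny", "VirtualNetwork", "*", "*"),
]

def evaluate(custom_rules, src_ip: str, dst_ip: str, port: int) -> Rule:
    """Return the first matching inbound rule (lowest priority number wins)."""
    for r in sorted(list(custom_rules) + DEFAULT_INBOUND, key=lambda r: r.priority):
        if _matches(r.source, src_ip) and _matches(r.destination, dst_ip) and r.port in ("*", str(port)):
            return r  # DenyAllInBound matches everything, so the loop always returns

def add_vm_to_asg(asg: str, nic_ip: str) -> None:  # scale out: membership changes, rules do not
    VNET.add(nic_ip)
    ASGS[asg].add(nic_ip)
```

Running `evaluate(TIER_RULES[:2], "10.0.1.4", "10.0.3.4", 1433)` shows the Web-to-DB flow landing on AllowVnetInBound when the deny rule is left out, which is the gap the third rule closes.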
To summarize:
- Use NSGs to define and enforce network security rules.
- Use ASGs to group resources logically and reference them in NSG rules.
When building secure and scalable environments in Azure, combining NSGs with ASGs helps you manage complexity while keeping your infrastructure flexible and secure.

WRITTEN BY Sunil Kumar G R