Azure Security Simplified: Understanding NSGs and ASGs

Cloud engineers often face confusion when distinguishing between NSG and ASG in Azure, making it a frequent topic in interviews — this article aims to clear up that confusion by providing a clear understanding of their differences.

Microsoft Azure offers several tools to secure traffic, and among them, two commonly used resources are Network Security Groups (NSGs) and Application Security Groups (ASGs). While both contribute to controlling traffic flow in Azure virtual networks, they serve different purposes and are often used together for more granular and scalable control.

A Network Security Group (NSG) is a firewall-like feature in Azure that acts as a stateful packet filter. It contains a list of security rules that allow or deny inbound or outbound traffic to network interfaces (NICs), virtual machines (VMs), or subnets. Each rule consists of a name, a source and destination (IP address, CIDR range, service tag, or ASG), a port range, a protocol (TCP, UDP, or Any), an action (Allow or Deny), and a priority value (lower number = higher priority).

Each NSG comes with six default security rules: three for inbound and three for outbound traffic. The inbound defaults block all incoming traffic except traffic originating from the Azure virtual network or the Azure load balancer. Similarly, the outbound defaults block all outgoing traffic except traffic destined for the Azure virtual network or the Internet. These default rules have lower priority than any custom rule you create.

Use Case:

If you need to block all internet traffic to a subnet except for ports 80 (HTTP) and 3389 (RDP), you can achieve this by creating custom NSG rules. By assigning these rules to the subnet, you control which traffic is allowed. Custom NSG rules can be configured with a priority between 100 and 4096, allowing them to override default rules as needed.

An Application Security Group (ASG) is a way to group VMs logically, allowing you to apply network security rules based on application patterns rather than hardcoding IP addresses or subnet ranges. ASGs are used within NSG rules as either the source or the destination to define traffic flow. They are assigned at the network interface (NIC) level of virtual machines, allowing for more flexible and dynamic rule management.

Use Case:

Let’s say you have a multi-tier application:

  • Web Tier (VMs in ASG: WebASG)
  • App Tier (VMs in ASG: AppASG)
  • Database Tier (VMs in ASG: DBASG)

You can create NSG rules like:

  • Allow traffic from WebASG to AppASG on port 8080
  • Allow traffic from AppASG to DBASG on port 1433

This approach lets you scale your application tiers without constantly modifying the NSG rules.
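The following model of inbound NSG evaluation is an added example, not code from the original article or from Azure. It applies the two tier rules above together with the default rules described earlier, and shows that the default VNet allow rule still lets the web tier reach the database unless a custom deny is placed ahead of it. The NIC names, rule names, priorities and the one-ASG-per-NIC simplification are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    priority: int   # lower number is evaluated first
    name: str
    src: str        # ASG name, "VirtualNetwork" tag, or "*"
    dst: str
    port: int       # 0 means any port
    action: str     # "Allow" or "Deny"

# Azure's built-in inbound defaults (the load balancer rule is omitted here).
DEFAULTS = [
    Rule(65000, "AllowVnetInBound", "VirtualNetwork", "VirtualNetwork", 0, "Allow"),
    Rule(65500, "DenyAllInBound", "*", "*", 0, "Deny"),
]
# Custom rules from the use case above (names and priorities are constructed).
TIER_RULES = [
    Rule(100, "Web-to-App", "WebASG", "AppASG", 8080, "Allow"),
    Rule(110, "App-to-DB", "AppASG", "DBASG", 1433, "Allow"),
]
# Constructed hardening rule: deny other intra-VNet traffic before the default allows it.
DENY_VNET = Rule(4096, "Deny-Other-Vnet", "VirtualNetwork", "VirtualNetwork", 0, "Deny")
# Constructed NIC-to-ASG membership; every listed NIC is assumed to be in one VNet.
asg_of = {"web-nic-1": "WebASG", "app-nic-1": "AppASG", "db-nic-1": "DBASG"}

def matches(selector, nic):
    # A NIC name missing from asg_of stands for an endpoint outside the VNet.
    if selector == "*":
        return True
    if selector == "VirtualNetwork":
        return nic in asg_of
    return asg_of.get(nic) == selector

def evaluate(rules, src_nic, dst_nic, port):
    """Return (action, rule name) of the first matching rule in priority order."""
    for r in sorted(rules + DEFAULTS, key=lambda r: r.priority):
        if matches(r.src, src_nic) and matches(r.dst, dst_nic) and r.port in (0, port):
            return r.action, r.name
    raise AssertionError("unreachable: DenyAllInBound matches everything")

if __name__ == "__main__":
    configs = (("allow rules only", TIER_RULES), ("with VNet deny", TIER_RULES + [DENY_VNET]))
    for label, rules in configs:
        print(label, evaluate(rules, "web-nic-1", "db-nic-1", 1433))
```

Adding a new entry such as `web-nic-2` to `asg_of` with the value `WebASG` gives that NIC the Web-to-App access with no change to any rule, which is the scaling property described above.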

To summarize:

  • Use NSGs to define and enforce network security rules.
  • Use ASGs to group resources logically and reference them in NSG rules.

When building secure and scalable environments in Azure, combining NSGs with ASGs helps you manage complexity while keeping your infrastructure flexible and secure.

WRITTEN BY Sunil Kumar G R
