Azure Security Simplified: Understanding NSGs and ASGs

Cloud engineers often face confusion when distinguishing between NSG and ASG in Azure, making it a frequent topic in interviews — this article aims to clear up that confusion by providing a clear understanding of their differences.

Microsoft Azure offers several tools to secure traffic, and among them, two commonly used resources are Network Security Groups (NSGs) and Application Security Groups (ASGs). While both contribute to controlling traffic flow in Azure virtual networks, they serve different purposes and are often used together for more granular and scalable control.

Network Security Group is a firewall-like feature in Azure that acts as a stateful packet filtering device. It contains a list of security rules that allow or deny inbound or outbound traffic to network interfaces (NICs), virtual machines (VMs), or subnets. These security rules consist of source and destination (IP, CIDR, tag, or ASG), Port range, Protocol (TCP, UDP, Any), Action (Allow or Deny), name for every rule and a priority value (lower number = higher priority).

As you can see, each NSG comes with six default security rules — three for inbound and three for outbound traffic. Inbound rules block all incoming traffic by default, except for traffic originating from the Azure virtual network or Azure load balancer. Similarly, outbound rules block all outgoing traffic, except for traffic destined for the Azure virtual network or the Internet. These default rules have lower priority than any custom rule you create.

Use Case:

If you need to block all internet traffic to a subnet except for ports 80 (HTTP) and 3389 (RDP), you can achieve this by creating custom NSG rules. By assigning these rules to the subnet, you control which traffic is allowed. Custom NSG rules can be configured with a priority between 100 and 4096, allowing them to override default rules as needed.

Application Security Group is a way to group VMs logically, allowing you to apply network security rules based on application patterns, rather than hardcoding IP addresses or subnet ranges. ASGs are used within NSG rules as either the source or destination to define traffic flow. They are assigned at the network interface (NIC) level of virtual machines, allowing for more flexible and dynamic rule management.

Use Case:

Let’s say you have a multi-tier application:

• Web Tier (VMs in ASG: WebASG)
• App Tier (VMs in ASG: AppASG)
• Database Tier (VMs in ASG: DBASG)

You can create NSG rules like:

• Allow traffic from WebASG to AppASG on port 8080
• Allow traffic from AppASG to DBASG on port 1433

This approach lets you scale your application tiers without constantly modifying the NSG rules.

To summarize:

• Use NSGs to define and enforce network security rules.
• Use ASGs to group resources logically and reference them in NSG rules.

When building secure and scalable environments in Azure, combining NSGs with ASGs helps you manage complexity while keeping your infrastructure flexible and secure.

About CloudThat