Using Application Security Groups
Setting up infrastructure in Azure can, at times, seem quite daunting with all of the options one can configure within each service. In this blog, we will give you some tips for applying traditional security best practices to your Azure environment using Application Security Groups, which make managing network security group rules far less cumbersome.
To follow along with this blog, make sure you have an Azure account. Navigate to https://portal.azure.com, sign in, and then navigate to the ‘Application Security Groups’ blade. One way to get to the Application Security Groups blade is to use the search bar at the top of the main Azure dashboard and use the search terms ‘application security’.
Before we begin configuring our Application Security Groups, let’s make sure we understand what they are and how we can use them. For those familiar with ‘network groups’ or ‘aliases’ in traditional on-premises firewalls, an Azure Application Security Group (ASG) is the closest equivalent: a named group of virtual machine network interfaces that a Network Security Group rule can reference as its source or destination instead of a list of IP addresses. There is one important difference. An on-prem alias is a list of addresses you maintain by hand; an ASG follows the network interface, so a VM’s private IP can change, or a VM can be rebuilt and its NIC re-joined, without anyone editing the rule. Instead of creating Network Security Group rules one by one for each host, we can put every host that needs the same access into an ASG and use the ASG name when we provision that access. Brilliant, right? Two caveats are worth knowing before you rely on them: ASGs are consumed by Network Security Group rules only (Azure Firewall rules do not reference ASGs; IP Groups fill that role there), and an ASG must be in the same region as the network interfaces that join it, all of which must sit in the same virtual network. When first exploring Azure Application Security Groups, the name of this service really threw me off. However, once I worked through that, I discovered how useful this service really is. So, without further delay, let’s begin to configure a sample Azure Application Security Group.
The Azure Application Security Group blade home dashboard should resemble the following screenshot.
Azure Application security group home
The first thing we’ll do is click on ‘Create application security group’ to start the configuration process. A new window appears requesting the ‘Subscription’, the ‘Resource group’, a ‘Name’ for the group, and the ‘Region’ in which to deploy it. In the example below, we are creating an Application Security Group named ‘AttackLab’. Make sure you complete each field, as all four are required; the region must match the region of the VMs you intend to add. Once happy, either click ‘Next: Tags >’ or ‘Review + Create’ if we’re finished. For the sake of this example, we can click ‘Review + Create’. In an actual production environment, we would want to apply metadata tags so we could track this resource more easily in a large environment.
Create Application security group dialogue
Assuming the validation phase passed, we can click the ‘Create’ button at the bottom of our browser window to create the Azure Application security group. Once Azure finishes provisioning it, we can begin to assign virtual machine network interfaces to it.
Let’s say you have several Azure VMs you need to group into the newly created Application security group for easier management of inbound allow rules. Choose an Azure virtual machine and navigate to its ‘Networking’ blade. Within this blade, we can select the ‘Configure the application security groups’ button and configure those settings. Note that the membership is actually stored on the VM’s network interface (its IP configuration), not on the VM itself, so if you replace the NIC you must re-add it to the group. As an example, the Networking blade for the ‘AttackLab-MB-VM’ VM is presented in the following screenshot:
Networking options within a VM
Adding a VM to an Application security group is rather easy. Just select the Application Security Group or groups to which you want the VM or service to belong and click ‘save’. In the following screenshot, the VM is added to the ‘AttackLab’ Application Security Group:
Select the application security group
So, we have our Application security group or groups created, we’ve assigned VMs or other services to the Application security group or groups, and now we’re ready to see how to implement this in the Network security group service. It’s actually pretty simple to use the Application security group in inbound or outbound rules as demonstrated below under the Inbound rules blade for the network security group.
NSG configuration using Application security group
In the above example, we’re allowing SSH inbound from a specific IP address (redacted from the image) to all hosts in the ‘AttackLab’ Application security group. When an Application security group is selected as the destination, the rule’s destination IP addresses field is left empty: the group itself is the destination. Keep in mind that the rule grants access to whatever is in the group at evaluation time, so adding a NIC to ‘AttackLab’ silently exposes that host to SSH from the allowed address. Treat ASG membership as a security-relevant change: restrict who can join interfaces to the group (the Microsoft.Network/applicationSecurityGroups/joinIpConfiguration/action permission) and, after changes, confirm the result in the ‘Effective security rules’ view on the VM’s network interface. If you want to learn more about Application security groups, Microsoft provides a plethora of documentation and further explanation at the following URL: https://docs.microsoft.com/en-us/azure/virtual-network/security-overview
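The same three steps (create the group, join a VM’s network interface to it, reference it from an NSG rule) expressed as one Bicep deployment, so the configuration can be reviewed and versioned rather than clicked through. This is an added example, not code from the original post or from Microsoft; the names ‘AttackLab’ and ‘AttackLab-MB-VM’ come from the post, while the NSG, VNet, subnet and NIC names, the address ranges, and the adminSourceIp parameter are assumptions chosen for this example.

```bicep
// Added example (not from the original post): the post's procedure as a
// single Bicep deployment. Names other than 'AttackLab' and 'AttackLab-MB-VM',
// the address ranges and adminSourceIp are assumptions for this example.

@description('Public IP or CIDR allowed to SSH into AttackLab hosts (hypothetical value).')
param adminSourceIp string = '203.0.113.10/32'

param location string = resourceGroup().location

// 1. The Application Security Group. It must be in the same region as the
//    network interfaces that will join it.
resource asg 'Microsoft.Network/applicationSecurityGroups@2023-05-01' = {
  name: 'AttackLab'
  location: location
  tags: {
    environment: 'lab' // the post recommends tagging in production
  }
}

// 2. The NSG rule names the ASG as its destination instead of host IPs.
//    When destinationApplicationSecurityGroups is set, destinationAddressPrefix
//    is omitted: the group is the destination.
resource nsg 'Microsoft.Network/networkSecurityGroups@2023-05-01' = {
  name: 'AttackLab-nsg'
  location: location
  properties: {
    securityRules: [
      {
        name: 'Allow-SSH-From-Admin-To-AttackLab'
        properties: {
          priority: 100
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceAddressPrefix: adminSourceIp
          sourcePortRange: '*'
          destinationPortRange: '22'
          destinationApplicationSecurityGroups: [
            {
              id: asg.id
            }
          ]
        }
      }
    ]
  }
}

// 3. A VNet and subnet for the lab, with the NSG applied at the subnet.
//    Every NIC joined to one ASG must live in the same VNet.
resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: 'AttackLab-vnet'
  location: location
  properties: {
    addressSpace: {
      addressPrefixes: [
        '10.10.0.0/16'
      ]
    }
  }
  resource lab 'subnets' = {
    name: 'lab'
    properties: {
      addressPrefix: '10.10.1.0/24'
      networkSecurityGroup: {
        id: nsg.id
      }
    }
  }
}

// 4. ASG membership is a property of the NIC's IP configuration, which is
//    what the VM's Networking blade edits behind the scenes. Attach this NIC
//    to the 'AttackLab-MB-VM' virtual machine resource (not shown) and the
//    VM is covered by the rule above with no per-host IP in any rule.
resource nic 'Microsoft.Network/networkInterfaces@2023-05-01' = {
  name: 'AttackLab-MB-VM-nic'
  location: location
  properties: {
    ipConfigurations: [
      {
        name: 'ipconfig1'
        properties: {
          privateIPAllocationMethod: 'Dynamic'
          subnet: {
            id: vnet::lab.id
          }
          applicationSecurityGroups: [
            {
              id: asg.id
            }
          ]
        }
      }
    ]
  }
}

output asgId string = asg.id
```

Deploy it with `az deployment group create --resource-group <rg> --template-file asg.bicep --parameters adminSourceIp=<your-ip>/32`. To check the outcome the way the post’s screenshots do, `az network nic show --resource-group <rg> --name AttackLab-MB-VM-nic --query "ipConfigurations[0].applicationSecurityGroups"` confirms the membership, and `az network nic list-effective-nsg --resource-group <rg> --name AttackLab-MB-VM-nic` shows the SSH rule as it is actually evaluated for that interface. Because any NIC added to ‘AttackLab’ picks up the rule, changes to this file (or to the group in the portal) deserve the same review as a firewall rule change.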