ASG

👥 What is an Application Security Group (ASG)?

Application Security Groups (ASGs) are logical containers used to group virtual machines (VMs) or network interfaces (NICs) within a Virtual Network (VNet), allowing you to simplify and manage NSG rules at scale.

Instead of using static IPs in NSGs, you use ASGs to define dynamic, scalable rules.


📚 Table of Contents

  1. What ASG Solves

  2. ASG vs NSG

  3. How ASG Works

  4. Real-World Architecture Example

  5. Hands-On (Portal & CLI)

  6. ASG Best Practices

  7. Interview Questions


1️⃣ What Problem Does ASG Solve?

Without ASG:

  • You define NSG rules with IP addresses.

  • It's hard to manage and not scalable when IPs change.

With ASG:

  • Group VMs (e.g., "Web", "App", "DB") into ASGs.

  • Define NSG rules based on group name, not IP.

  • Rules auto-apply to any VM/NIC in the ASG.


2️⃣ ASG vs NSG — Relationship

| Feature | NSG | ASG |
|---|---|---|
| Purpose | Controls traffic | Groups VMs |
| Scope | Subnet or NIC | VMs/NICs |
| Used in | NSG rules | As source or destination in NSG rules |
| Dynamic? | No | Yes (auto-updates as VMs join ASG) |

3️⃣ How ASG Works

Example Scenario

| Group | VMs | ASG Name |
|---|---|---|
| Web Tier | VM1, VM2 | web-asg |
| App Tier | VM3, VM4 | app-asg |
| DB Tier | VM5 | db-asg |

NSG Rule

Allow app tier to access DB on port 1433 (SQL):

Source: app-asg
Destination: db-asg
Port: 1433
Action: Allow

Whenever you add or remove VMs, the rule automatically applies — no manual update needed.


4️⃣ Real-World Architecture

          ┌────────────┐
          │ web-asg    │
          │ (VM1, VM2) │
          └────┬───────┘
               ↓ Port 443
          ┌────┴───────┐
          │ app-asg    │
          │ (VM3, VM4) │
          └────┬───────┘
               ↓ Port 1433
          ┌────┴───────┐
          │ db-asg     │
          │ (VM5)      │
          └────────────┘

NSG rules reference ASG names instead of IPs.


5️⃣ Hands-On Guide

✅ Create ASG via Portal

  1. Go to "Application Security Groups" → Create

  2. Fill:

    • Name: web-asg

    • Region: Same as VNet

    • Resource Group

  3. Repeat for app-asg, db-asg

🧩 Associate VM NIC with ASG

  1. Go to the VM → Networking

  2. Click on Network Interface

  3. Click on "Application security groups"

  4. Add the ASG (e.g., web-asg)


💻 Azure CLI Example

# Create ASG
az network asg create \
  --name web-asg \
  --resource-group my-rg \
  --location eastus

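# Add VM NIC to ASG (membership is set on the NIC's IP configuration;
# "ipconfig1" is an assumed IP configuration name, check yours with
# `az network nic ip-config list`)
az network nic ip-config update \
  --name ipconfig1 \
  --nic-name myVMNic \
  --resource-group my-rg \
  --application-security-groups web-asg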

# Create NSG
az network nsg create \
  --name web-nsg \
  --resource-group my-rg

# Create NSG rule using ASGs (the NSG must be associated with the DB tier's
# subnet or NICs for this inbound rule to take effect)
az network nsg rule create \
  --resource-group my-rg \
  --nsg-name web-nsg \
  --name AllowAppToDB \
  --priority 100 \
  --direction Inbound \
  --access Allow \
  --protocol Tcp \
  --source-asgs app-asg \
  --destination-asgs db-asg \
  --destination-port-ranges 1433

6️⃣ Best Practices

| Tip | Why |
|---|---|
| Use ASG for tiers (web, app, db) | Logical grouping improves readability |
| Avoid IPs in NSG rules | Makes your infra scalable |
| Use clear ASG naming | E.g., asg-web-tier-eastus |
| Keep ASG in same region as VM | ASG is regional |
| Monitor with NSG flow logs | See traffic flow per ASG |
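
The "avoid IPs in NSG rules" tip can be checked mechanically. The following is an added example, not part of the original page: it scans rules in the JSON shape returned by `az network nsg rule list -o json` and reports each rule side that hard-codes an IP or CIDR instead of referencing an ASG. The sample rules, the placeholder subscription ID, and every rule name except AllowAppToDB are constructed for illustration.

```python
import ipaddress

# Placeholder resource ID prefix (constructed, not a real subscription).
ASG_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/my-rg"
          "/providers/Microsoft.Network/applicationSecurityGroups/")

# Constructed sample in the shape of `az network nsg rule list -o json` output.
SAMPLE_RULES = [
    {"name": "AllowAppToDB", "priority": 100, "direction": "Inbound", "access": "Allow",
     "sourceApplicationSecurityGroups": [{"id": ASG_ID + "app-asg"}],
     "destinationApplicationSecurityGroups": [{"id": ASG_ID + "db-asg"}],
     "sourceAddressPrefixes": [], "destinationAddressPrefixes": [],
     "destinationPortRange": "1433"},
    {"name": "AllowLegacyAppToDB", "priority": 110, "direction": "Inbound", "access": "Allow",
     "sourceAddressPrefix": "10.0.2.4", "sourceAddressPrefixes": [],
     "destinationAddressPrefix": None, "destinationAddressPrefixes": ["10.0.3.0/24"],
     "destinationPortRange": "1433"},
    {"name": "AllowLbProbe", "priority": 120, "direction": "Inbound", "access": "Allow",
     "sourceAddressPrefix": "AzureLoadBalancer", "destinationAddressPrefix": "*",
     "destinationPortRange": "*"},
]

def is_ip_literal(prefix):
    """True for an IP address or CIDR; False for '*' and service tags."""
    try:
        ipaddress.ip_network(prefix, strict=False)
        return True
    except ValueError:
        return False

def side_prefixes(rule, side):
    """Collect the singular and plural address-prefix fields for one side."""
    single = rule.get(f"{side}AddressPrefix")
    return ([single] if single else []) + list(rule.get(f"{side}AddressPrefixes") or [])

def find_ip_based_rules(rules):
    """Return (rule name, side, [ip prefixes]) for each side that hard-codes IPs."""
    findings = []
    for rule in rules:
        for side in ("source", "destination"):
            if rule.get(f"{side}ApplicationSecurityGroups"):
                continue  # this side already targets an ASG
            ips = [p for p in side_prefixes(rule, side) if is_ip_literal(p)]
            if ips:
                findings.append((rule["name"], side, ips))
    return findings

if __name__ == "__main__":
    for name, side, ips in find_ip_based_rules(SAMPLE_RULES):
        print(f"{name}: {side} uses static IPs {ips}; consider an ASG")
```

To run it against a real NSG, load the saved JSON output with `json.load` and pass the resulting list to `find_ip_based_rules`.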

7️⃣ Interview Questions

  1. What is the difference between NSG and ASG?

  2. Can a VM belong to multiple ASGs?

    • ✅ Yes
  3. Can ASG be applied directly to a subnet?

    • ❌ No (only at NIC level)
  4. Can ASG span across regions?

    • ❌ No (region-specific)
  5. How does ASG help with dynamic scaling?