Reading Time: 3 minutes

Application security groups enable you to configure network security as a natural extension of an application’s structure, allowing you to group virtual machines and define network security policies based on those groups. You can reuse your security policy at scale without manual maintenance of explicit IP addresses. The platform handles the complexity of explicit IP addresses and multiple rule sets, allowing you to focus on your business logic.

Microsoft Docs

This is very good news for us who deploy resources on Azure and need a layer of abstraction above the network so that we can group servers based on our needs.

Consider the following scenario: for some reason you have application servers in the same subnet with your web servers. Humor me, please. The application servers need to talk with your database and should have no internet access. Your web servers should have internet access and should not contact the database servers.

Image courtesy of Microsoft Docs

ASGs, as NSGs, are associated with the NIC of the VM. In this case, VM1 and VM2 have their NICs associated with AsgWeb Application Security Group, while VM3 (the application server) is associated with AsgLogic Application Security Group. All 3 VMs are part of Subnet1 which is safeguarded by NSG1 Network Security Group, which in turn also is associated with Subnet2 that holds VM4 the data layer of our application. The latter is part of AsgDb.

For specifics on the inbound/outbound rules check the link here.

Another important thing to note is that a NIC can be part of multiple ASGs. This can become quite complex if you have a wild imagination but can also help in many scenarios where you need this flexibility.

Application Security Groups (ASGs) is the tool that can do the trick and you don’t have to worry about the underlying IPs and all. It is taken care of for you by the Azure fabric.

You can create a simple ASG with the following JSON ARM Template:

    "$schema": "",
    "contentVersion": "",
    "parameters": {
        "asgName": {
            "type": "String"
    "variables": {},
    "resources": [
            "type": "Microsoft.Network/applicationSecurityGroups",
            "apiVersion": "2020-03-01",
            "name": "[parameters('asgName')]",
            "location": "[resourceGroup().location]"

You can deploy it issuing the following PowerShell command:

# create a resource group called rg-demo
New-AzResourceGroup -Name "rg-demo" -Location "westeurope" 
Resource Group successfully deployed
# deploy the ASG to the created RG. The file must be 
# in the same directory where you execute the code
New-AzResourceGroupDeployment `
    -DeploymentName "ASG-Deployment" `
    -ResourceGroupName "rg-demo" `
    -TemplateFile ".\applicationsecuritygroup.json" `
    -AsgName "asg-application-servers" `
ASG successfully deployed using the JSON template

Tomorrow I will post about Network Security Groups and show how you can pair them together. Stay tuned!