Daniel's Tech Blog

Cloud Computing, Cloud Native & Kubernetes

Deploying Application Security Groups with an Azure Resource Manager template

This month Microsoft launched the public preview of Application Security Groups, ASG for short, in all Azure regions.

-> https://azure.microsoft.com/en-us/updates/public-preview-for-asg/

ASGs work like a security group and make it easier to define an Azure Network Security Group rule set. You can join Azure VMs, or more precisely the Azure VM's NIC, to an ASG. In the next step you use the Application Security Group in the source or destination section of an NSG rule to configure the access. ASGs simplify definition and management of the NSG rule set and make it more secure, because you don't have to specify a subnet in CIDR notation to open communication for several VMs in a subnet, or write an NSG rule for each VM.

With ASGs and NSGs you can build up your security before deploying the VMs, because you are independent of the VM’s IP address. Just add the VM to the specific ASG and the NSG rule set will be applied to the VM’s NIC.

During the public preview, creation and configuration of Application Security Groups is only possible via Azure PowerShell, Azure CLI and ARM templates.

After setting the context, let us talk about the ARM template deployment of ASGs.

Have a look at the following snippet.

{
    "apiVersion": "2017-10-01",
    "type": "Microsoft.Network/applicationSecurityGroups",
    "name": "[parameters('asgName')]",
    "location": "[resourceGroup().location]",
    "properties": {}
}

As you can see, the only configuration parameter in an ARM template is the name of the Application Security Group. That is it.

For the NSG rule configuration and the NIC assignment we need to link those resources to the ASG via the Application Security Group resource id. Have a look at the following snippets.

{
    "apiVersion": "2017-10-01",
    "type": "Microsoft.Network/networkSecurityGroups",
    "name": "[parameters('nsgName')]",
    "location": "[resourceGroup().location]",
    "dependsOn": [
        "[concat('Microsoft.Network/applicationSecurityGroups/', parameters('asgName'))]"
    ],
    "properties": {
        "securityRules": [
            {
                "name": "HTTP-80",
                "properties": {
                    "description": "HTTP 80",
                    "protocol": "Tcp",
                    "sourcePortRange": "*",
                    "destinationPortRange": "80",
                    "sourceAddressPrefix": "Internet",
                    "destinationApplicationSecurityGroups": [
                        {
                            "id": "[resourceId('Microsoft.Network/applicationSecurityGroups',parameters('asgName'))]"
                        }
                    ],
                    "access": "Allow",
                    "priority": 100,
                    "direction": "Inbound"
                }
            }
        ]
    }
}

{
    "apiVersion": "2017-10-01",
    "type": "Microsoft.Network/networkInterfaces",
    "name": "[parameters('vmNicName')]",
    "location": "[resourceGroup().location]",
    "dependsOn": [
        "[concat('Microsoft.Network/virtualNetworks/',parameters('virtualNetworkName'))]",
        "[concat('Microsoft.Network/applicationSecurityGroups/', parameters('asgName'))]"
    ],
    "properties": {
        "ipConfigurations": [
            {
                "name": "ipconfig1",
                "properties": {
                    "privateIPAllocationMethod": "Dynamic",
                    "subnet": {
                        "id": "[concat(resourceId('Microsoft.Network/virtualNetworks',parameters('virtualNetworkName')),'/subnets/',parameters('subnetName'))]"
                    },
                    "applicationSecurityGroups": [
                        {
                            "id": "[resourceId('Microsoft.Network/applicationSecurityGroups',parameters('asgName'))]"
                        }
                    ]
                }
            }
        ]
    }
}
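The complete template below is an added example and is not from the original post. It assumes an existing virtual network and subnet (passed in as virtualNetworkName and subnetName) and uses hypothetical resource names (asg-web, asg-app, nsg-tiers, nic-web-01, nic-app-01). It goes beyond the single rule shown above: it defines a second ASG for an application tier, uses an ASG as the source of a rule via sourceApplicationSecurityGroups, places an explicit deny for all other inbound traffic from the virtual network ahead of the platform's default AllowVnetInBound rule, and attaches the NSG to each NIC so that the rules are actually enforced.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "webAsgName": { "type": "string", "defaultValue": "asg-web" },
    "appAsgName": { "type": "string", "defaultValue": "asg-app" },
    "nsgName": { "type": "string", "defaultValue": "nsg-tiers" },
    "virtualNetworkName": { "type": "string" },
    "subnetName": { "type": "string" },
    "webNicName": { "type": "string", "defaultValue": "nic-web-01" },
    "appNicName": { "type": "string", "defaultValue": "nic-app-01" }
  },
  "variables": {
    "webAsgId": "[resourceId('Microsoft.Network/applicationSecurityGroups', parameters('webAsgName'))]",
    "appAsgId": "[resourceId('Microsoft.Network/applicationSecurityGroups', parameters('appAsgName'))]",
    "nsgId": "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('nsgName'))]",
    "subnetId": "[concat(resourceId('Microsoft.Network/virtualNetworks', parameters('virtualNetworkName')), '/subnets/', parameters('subnetName'))]"
  },
  "resources": [
    {
      "apiVersion": "2017-10-01",
      "type": "Microsoft.Network/applicationSecurityGroups",
      "name": "[parameters('webAsgName')]",
      "location": "[resourceGroup().location]",
      "properties": {}
    },
    {
      "apiVersion": "2017-10-01",
      "type": "Microsoft.Network/applicationSecurityGroups",
      "name": "[parameters('appAsgName')]",
      "location": "[resourceGroup().location]",
      "properties": {}
    },
    {
      "apiVersion": "2017-10-01",
      "type": "Microsoft.Network/networkSecurityGroups",
      "name": "[parameters('nsgName')]",
      "location": "[resourceGroup().location]",
      "dependsOn": [ "[variables('webAsgId')]", "[variables('appAsgId')]" ],
      "properties": {
        "securityRules": [
          {
            "name": "Allow-Internet-HTTPS-to-web",
            "properties": {
              "description": "Internet may reach the web tier on 443 only",
              "protocol": "Tcp", "sourcePortRange": "*", "destinationPortRange": "443",
              "sourceAddressPrefix": "Internet",
              "destinationApplicationSecurityGroups": [ { "id": "[variables('webAsgId')]" } ],
              "access": "Allow", "priority": 100, "direction": "Inbound"
            }
          },
          {
            "name": "Allow-web-to-app-8080",
            "properties": {
              "description": "Only web tier members may reach the app tier on 8080",
              "protocol": "Tcp", "sourcePortRange": "*", "destinationPortRange": "8080",
              "sourceApplicationSecurityGroups": [ { "id": "[variables('webAsgId')]" } ],
              "destinationApplicationSecurityGroups": [ { "id": "[variables('appAsgId')]" } ],
              "access": "Allow", "priority": 110, "direction": "Inbound"
            }
          },
          {
            "name": "Deny-other-VNet-inbound",
            "properties": {
              "description": "Block lateral traffic not covered by an ASG rule (evaluated before default AllowVnetInBound at 65000)",
              "protocol": "*", "sourcePortRange": "*", "destinationPortRange": "*",
              "sourceAddressPrefix": "VirtualNetwork", "destinationAddressPrefix": "VirtualNetwork",
              "access": "Deny", "priority": 4000, "direction": "Inbound"
            }
          }
        ]
      }
    },
    {
      "apiVersion": "2017-10-01",
      "type": "Microsoft.Network/networkInterfaces",
      "name": "[parameters('webNicName')]",
      "location": "[resourceGroup().location]",
      "dependsOn": [ "[variables('webAsgId')]", "[variables('nsgId')]" ],
      "properties": {
        "networkSecurityGroup": { "id": "[variables('nsgId')]" },
        "ipConfigurations": [ {
          "name": "ipconfig1",
          "properties": {
            "privateIPAllocationMethod": "Dynamic",
            "subnet": { "id": "[variables('subnetId')]" },
            "applicationSecurityGroups": [ { "id": "[variables('webAsgId')]" } ]
          }
        } ]
      }
    },
    {
      "apiVersion": "2017-10-01",
      "type": "Microsoft.Network/networkInterfaces",
      "name": "[parameters('appNicName')]",
      "location": "[resourceGroup().location]",
      "dependsOn": [ "[variables('appAsgId')]", "[variables('nsgId')]" ],
      "properties": {
        "networkSecurityGroup": { "id": "[variables('nsgId')]" },
        "ipConfigurations": [ {
          "name": "ipconfig1",
          "properties": {
            "privateIPAllocationMethod": "Dynamic",
            "subnet": { "id": "[variables('subnetId')]" },
            "applicationSecurityGroups": [ { "id": "[variables('appAsgId')]" } ]
          }
        } ]
      }
    }
  ]
}
```

Deploy it with az group deployment create --resource-group <rg> --template-file template.json --parameters virtualNetworkName=<vnet> subnetName=<subnet>. Two points worth keeping in mind: a single rule uses either sourceAddressPrefix or sourceApplicationSecurityGroups (and likewise for the destination side), not both, so a rule that needs both an address prefix and an ASG on the same side has to be split in two; and an NSG only takes effect once it is associated with a NIC or a subnet, which the template does via the networkSecurityGroup property on each NIC. After the deployment, az network nic list-effective-nsg --resource-group <rg> --name nic-app-01 shows the rules the platform actually applies to the NIC, including the ASG-based ones, which is the quickest way to confirm that the app tier is reachable only from the web tier.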

That is all. If you need more information, have a look at the Azure documentation.

-> https://docs.microsoft.com/en-us/azure/virtual-network/security-overview#application-security-groups
