Tuesday, March 13, 2018

Applying Azure Application Security Groups

In a previous post, I discussed the initial steps for creating application security groups in ARM templates. This post takes this one step further and applies them to a NIC. For reference, the Network Interface ARM template schema can be found here.

Fundamentally, application security groups are an array of groups that can be applied to a specific IP configuration on a specific NIC. I think this is a really elegant place to attach these constructs, and it will allow for some interesting designs in the future.

Here is a quick ARM template of a bare-bones network interface with an associated application security group.

{
    "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {},
    "variables": {},
    "resources": [
        {
            "type": "Microsoft.Network/networkInterfaces",
            "name": "IISWebServer-NIC1",
            "apiVersion": "2017-10-01",
            "location": "[resourceGroup().location]",
            "tags": {},
            "properties": {
                "ipConfigurations": [
                    {
                        "name": "ipconfig1",
                        "properties": {
                            "privateIPAllocationMethod": "Dynamic",
                            "subnet": {
                                "id": "[concat(resourceId('Microsoft.Network/virtualNetworks','appsecurity'),'/subnets/', 'default')]"
                            },
                            "applicationSecurityGroups": [
                                {
                                    "id": "/subscriptions/xxxx/resourceGroups/testappsecuritygroups/providers/Microsoft.Network/applicationSecurityGroups/IISWebServers",
                                    "location": "[resourceGroup().location]"
                                }
                            ]
                        }
                    }
                ]
            }
        }
    ],
    "outputs": {}
}

As with a lot of ARM template constructs, application security groups are referenced via ID.  If you are creating a parameterized version of the above, you will need to pass in both the resource group and the name of the application security group.
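The parameterized version described above, as an added example that is not from the original post: the application security group's resource group and name are passed in as parameters (names of my own choosing), the ID is built with resourceId() using the subscription and resource group arguments, and the group is assumed to already exist.

```json
{
    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "nicName": { "type": "string", "defaultValue": "IISWebServer-NIC1" },
        "vnetName": { "type": "string", "defaultValue": "appsecurity" },
        "subnetName": { "type": "string", "defaultValue": "default" },
        "asgResourceGroup": {
            "type": "string",
            "metadata": { "description": "Resource group that holds the existing application security group" }
        },
        "asgName": { "type": "string", "defaultValue": "IISWebServers" }
    },
    "variables": {
        "subnetId": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('vnetName'), parameters('subnetName'))]",
        "asgId": "[resourceId(subscription().subscriptionId, parameters('asgResourceGroup'), 'Microsoft.Network/applicationSecurityGroups', parameters('asgName'))]"
    },
    "resources": [
        {
            "type": "Microsoft.Network/networkInterfaces",
            "name": "[parameters('nicName')]",
            "apiVersion": "2017-10-01",
            "location": "[resourceGroup().location]",
            "properties": {
                "ipConfigurations": [
                    {
                        "name": "ipconfig1",
                        "properties": {
                            "privateIPAllocationMethod": "Dynamic",
                            "subnet": { "id": "[variables('subnetId')]" },
                            "applicationSecurityGroups": [
                                { "id": "[variables('asgId')]" }
                            ]
                        }
                    }
                ]
            }
        }
    ],
    "outputs": {
        "asgId": { "type": "string", "value": "[variables('asgId')]" }
    }
}
```

The asgId output lets you confirm after deployment that the NIC was attached to the group you intended rather than a same-named group in another resource group.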