Sunday, March 11, 2018

Creating Azure Application Security Groups

Azure application security groups are are relatively new construct for network security in Azure.  In the days of old, network security group administration in Azure was all done via IP addresses.  While the nested application of network security groups allowed for some interesting designs, most traditional firewall admins missed the idea of grouping servers together and then applying firewall rules to those groups.

Application security groups is an attempt to solve this problem.  Using them requires the following steps:
- Create an application security group
- Assign an application security group to a NIC, or set of NICs
- Create network security groups with application security group tags

The goal of this post is to demonstrate how to create an application security group from an ARM template.  The official documentation for this can be found here.

Here is my example of an application security group template:


{
    "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {},
    "variables": {},
    "resources": [
        {
            "type":"Microsoft.Network/applicationSecurityGroups",
            "name": "IISWebServers",
            "apiVersion": "2017-10-01",
            "location":"[resourceGroup().location]",
            "tags":{},
            "properties":{}
        }
    ],
    "outputs": {}
}


The above example essentially creates a group named IISWebServers.  Interestingly, this does not show up as a resource in the portal, even after deployed:



Here is the return from powershell: (Get-AzureRmApplicationSecurityGroup)



When you go to delete the resource group, you do see the item in the list:



Interesting!