@anil kumar, thank you for your questions.
Are we supposed to pay for extensions attached to Azure VMs?
There is no additional charge that you have to pay for VM extensions.
How can I see the list of Network Interface Cards (NICs) of Azure VMs attached to Application Security Groups (ASGs)?
Application Security Groups can be seen as a property of Network Interface Cards. However, we can programmatically find out which NICs are associated with a particular Application Security Group.
The following PowerShell code achieves this.
param (
    [Parameter(Mandatory=$true, HelpMessage="Enter the resource ID of the ASG")][string]$ASGId
)

# Enumerate every NIC visible in the current subscription context
$nics = Get-AzNetworkInterface
foreach ($nic in $nics)
{
    $Name = $nic.Name
    $RG = $nic.ResourceGroupName
    # ASG references are stored on the IP configurations of the NIC
    $asgResource = ($nic.IpConfigurationsText | ConvertFrom-Json).ApplicationSecurityGroups
    if ($null -ne $asgResource) {
        $asgResourceId = $asgResource.Id
        # -contains also covers a NIC that belongs to more than one ASG
        if ($asgResourceId -contains $ASGId)
        { Write-Output "`nNIC: $Name, Resource Group: $RG" }
    }
}
Save this code in a .ps1 file and you can run it as filename.ps1 <resource ID of the ASG>, or you can simply run filename.ps1 and input the Resource ID of the ASG interactively.
Note: this code makes use of the Az PowerShell Module. Installation Instructions can be found here.
Is it possible to associate Application Security Groups (ASGs) or Network Security Groups (NSGs) to on premise VMs/systems if on premise network is connected to Azure network via VPN gateway or EXPRESSROUTE?
Network Security Groups (NSG): An access control mechanism for controlling traffic between resources within a virtual network and also with external networks, such as the internet, other virtual networks. NSGs can take your segmentation strategy to a granular level by creating perimeters for a subnet, a VM, or a group of VMs. For information about possible operations with subnets in Azure, see Subnets (Azure Virtual Networks).
Application Security Groups (ASGs): Similar to NSGs but are referenced with an application context. It allows you to group a set of VMs under an application tag and define traffic rules that are then applied to each of the underlying VMs.
For more information please check this document.
To summarize, these are not feasible options for on-premise networks connected to Azure.
Can Azure firewall regulate the traffic flowing in and out of on premise computers if on premise network is connected to Azure network via VPN gateway or EXPRESSROUTE?
Azure Firewall: A cloud native stateful Firewall as a service, which can be deployed in your VNet or in Azure Virtual WAN hub deployments for filtering traffic flowing between cloud resources, the internet, and on-premise. You create rules or policies (using Azure Firewall or Azure Firewall Manager) specifying allow/deny traffic using layer 3 to layer 7 controls. You can also filter traffic going to the internet using both Azure Firewall and third parties by directing some or all traffic through third-party security providers for advanced filtering & user protection.
For more information please check this document.
Here is a guide to deploy and configure Azure Firewall in a hybrid network using the Azure portal.
Why doesn't Azure allow downgrading an IP Address from Standard to Basic?
At the time of writing, this feature is not available. [Reference] On attempting to downgrade SKU for a Standard Public IP address to Basic through Azure CLI the following is seen.
(PublicIPSKUDowngradeFeatureNotEnabled) PublicIP /subscriptions/xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/xxxxxxx/providers/Microsoft.Network/publicIPAddresses/test SKU downgrade feature flag Microsoft.Network/AllowPublicIPSkuDowngrade is not enabled for this subscription /subscriptions/xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/xxxxxxx/providers/Microsoft.Network/subscriptions/.
If you attempt to register the feature it will say:
(FeatureRegistrationUnsupported) The feature 'AllowPublicIPSkuDowngrade' does not support registration.
This is currently by design and might change in the future. If you have a concern which is the consequence of this, I would urge you to voice your feedback here.
----------
Hope this helps.
Please "Accept as Answer" if it helped, so that it can help others in the community looking for help on similar topics.
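The NIC lookup in the answer above, generalized as an added example (not part of the original answer or Microsoft's code): it inventories every ASG at once, listing both the NICs that are members and the NSG rules that reference it, so an ASG named in a rule but attached to no NIC stands out. The function name `Get-AsgUsage` is hypothetical, the sample objects and IDs are constructed, and the code assumes the `IpConfigurations`/`ApplicationSecurityGroups` and `SecurityRules`/`SourceApplicationSecurityGroups`/`DestinationApplicationSecurityGroups` properties of the Az.Network objects.

```powershell
# Added example: map each ASG ID to its member NICs and the NSG rules that use it.
function Get-AsgUsage {
    param([object[]]$Nics = @(), [object[]]$Nsgs = @())
    $usage = @{}   # PowerShell hashtables match string keys case-insensitively
    function Get-Entry([string]$Id) {
        if (-not $usage.ContainsKey($Id)) {
            $usage[$Id] = [pscustomobject]@{ AsgId = $Id; Nics = @(); Rules = @() }
        }
        $usage[$Id]
    }
    foreach ($nic in $Nics) {
        foreach ($ipConfig in $nic.IpConfigurations) {      # a NIC can have several
            foreach ($asg in $ipConfig.ApplicationSecurityGroups) {
                $entry = Get-Entry $asg.Id
                $label = "$($nic.ResourceGroupName)/$($nic.Name)"
                if ($entry.Nics -notcontains $label) { $entry.Nics += $label }
            }
        }
    }
    foreach ($nsg in $Nsgs) {
        foreach ($rule in $nsg.SecurityRules) {
            foreach ($side in 'Source', 'Destination') {
                foreach ($asg in $rule."${side}ApplicationSecurityGroups") {
                    $entry = Get-Entry $asg.Id
                    $entry.Rules += "$($nsg.Name)/$($rule.Name) [$side, $($rule.Access)]"
                }
            }
        }
    }
    $usage.Values | Sort-Object AsgId
}

# Constructed sample objects mimicking the Az object shape. Against a live subscription:
#   Get-AsgUsage -Nics (Get-AzNetworkInterface) -Nsgs (Get-AzNetworkSecurityGroup)
$base = '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo/providers/Microsoft.Network/applicationSecurityGroups'
$nics = @([pscustomobject]@{
    Name = 'nic-web01'; ResourceGroupName = 'rg-demo'
    IpConfigurations = @([pscustomobject]@{
        ApplicationSecurityGroups = @([pscustomobject]@{ Id = "$base/asg-web" }) })
})
$nsgs = @([pscustomobject]@{
    Name = 'nsg-app'
    SecurityRules = @([pscustomobject]@{
        Name = 'allow-web-to-db'; Access = 'Allow'
        SourceApplicationSecurityGroups      = @([pscustomobject]@{ Id = "$base/ASG-WEB" })
        DestinationApplicationSecurityGroups = @([pscustomobject]@{ Id = "$base/asg-db" }) })
})
Get-AsgUsage -Nics $nics -Nsgs $nsgs | Format-List
```

With the sample data, `asg-web` is reported with one NIC and one rule despite the differing case in the rule's ID, while `asg-db` appears with a rule but an empty NIC list.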