Hi @AnnaG, I understand that you want to use an ASG (Application Security Group) but found that it did not work as you expected.
In your NSG configuration (first screenshot), you set:
Source = Any, port = *
Destination = James_App ASG
Protocol/port = HTTPS/443
Action = Deny
It means blocking traffic from any source (including the internet) to all VMs in your ASG using HTTPS/443. If you want to block traffic to the internet from VMs in your ASG, you need to configure an Outbound security rule in the NSG with:
Source = James_App ASG, port = *
Destination = Service Tag - Internet
Protocol/port = HTTPS/443
Action = Deny
Regarding your second question: Would it be best to go with custom and specify port 443/80 instead? - It has the same effect, so it depends on your preference: whether you prefer to create 2 rules by choosing the protocol (not having to enter the port number), or create 1 rule by entering several port numbers.
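The following is an added example, not part of the original answer and not Azure code: a simplified Python model of NSG rule matching that shows why the inbound rule from the question never touches traffic leaving the VMs, and why two single-port rules and one multi-port rule give the same result. The priorities (100, 110), the extra test port 8080 and the `default` argument (standing in for Azure's built-in default rules) are assumptions made for the illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    priority: int        # constructed values; the lowest number is evaluated first
    direction: str       # "Inbound" or "Outbound"
    source: str          # "Any", an ASG name, or the "Internet" service tag
    destination: str
    ports: frozenset     # destination ports (source port is "*" in every rule here)
    action: str          # "Allow" or "Deny"

@dataclass(frozen=True)
class Flow:
    direction: str       # as seen from the VM's NIC/subnet
    source: str
    destination: str
    port: int

def evaluate(rules, flow, default):
    """Return the action of the first matching rule in priority order, else default."""
    for r in sorted(rules, key=lambda rule: rule.priority):
        if (r.direction == flow.direction
                and r.source in ("Any", flow.source)
                and r.destination in ("Any", flow.destination)
                and flow.port in r.ports):
            return r.action
    return default

ASG, NET = "James_App", "Internet"
# Rule from the question: inbound, destination = ASG.
INBOUND_DENY = Rule(100, "Inbound", "Any", ASG, frozenset({443}), "Deny")
# Rule from the answer: outbound, source = ASG, destination = Internet tag.
OUTBOUND_DENY = Rule(100, "Outbound", ASG, NET, frozenset({443}), "Deny")
# Second question: two per-service rules versus one custom multi-port rule.
TWO_RULES = [Rule(100, "Outbound", ASG, NET, frozenset({443}), "Deny"),
             Rule(110, "Outbound", ASG, NET, frozenset({80}), "Deny")]
ONE_RULE = [Rule(100, "Outbound", ASG, NET, frozenset({80, 443}), "Deny")]

VM_TO_INTERNET = Flow("Outbound", ASG, NET, 443)
INTERNET_TO_VM = Flow("Inbound", NET, ASG, 443)

def outbound_outcomes(rules):
    """Decision for ASG -> Internet on each sample port, default outbound = Allow."""
    return {p: evaluate(rules, Flow("Outbound", ASG, NET, p), "Allow")
            for p in (80, 443, 8080)}

if __name__ == "__main__":
    print("inbound rule, VM -> Internet: ", evaluate([INBOUND_DENY], VM_TO_INTERNET, "Allow"))
    print("outbound rule, VM -> Internet:", evaluate([OUTBOUND_DENY], VM_TO_INTERNET, "Allow"))
    print("two rules:", outbound_outcomes(TWO_RULES))
    print("one rule: ", outbound_outcomes(ONE_RULE))
```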