This chapter covers Application Security Groups (ASGs), a critical Azure networking feature that simplifies managing network security for groups of virtual machines. On the AZ-104 exam, ASGs appear in approximately 5-8% of questions, often integrated with Network Security Group (NSG) rules and virtual network design. You will need to understand when to use ASGs versus NSGs or service tags, how to configure them, and the specific limitations and behaviors the exam tests.
Jump to a section
Imagine a large office building with multiple departments: Finance (blue badge), HR (green badge), and IT (red badge). Instead of listing every employee's name at each door's access control list, the building uses badge colors. A door to the server room allows only red badges; the payroll office allows blue and green badges. When an employee swipes their badge, the system checks the badge color against the door's allowed colors. If the color matches, access is granted. This is exactly how Application Security Groups work in Azure. An ASG is a logical grouping of virtual machines (VMs) by a common attribute, like application tier, without needing to reference IP addresses. Network Security Group (NSG) rules then reference the ASG name instead of individual IPs or subnets. When a VM is added to an ASG, it automatically inherits the NSG rules that apply to that group. If a VM is moved to a different ASG, the rules change accordingly. Just as badge colors abstract individual identities, ASGs abstract individual VM IPs, making network security dynamic and manageable at scale. The building's access control system doesn't care which specific person is at the door—only their badge color. Similarly, Azure's network fabric doesn't care about the specific private IP of a VM—only which ASGs it belongs to.
What is an Application Security Group?
An Application Security Group (ASG) is a logical container that groups virtual machines (VMs) by application workload, such as 'web servers', 'application servers', or 'database servers'. Instead of writing NSG rules that reference source or destination IP addresses (like 10.0.1.0/24), you can reference an ASG name. This decouples security rules from IP addressing, making them dynamic and easier to manage as VMs are added, removed, or scaled.
Why ASGs Exist
Before ASGs, administrators had to maintain NSG rules based on IP addresses or subnets. This was brittle: if a VM's IP changed (e.g., due to deallocation/reallocation), or if new VMs were added, the NSG rules had to be updated. With ASGs, you define the security policy once at the ASG level. When you add a VM to an ASG, the NSG rules that reference that ASG automatically apply to that VM. This is especially useful in auto-scaling scenarios where VMs come and go.
How ASGs Work Internally
ASGs are a virtual network (VNet) resource. They are not applied directly to VMs; instead, the VM's network interface (NIC) has a property that references one or more ASGs. Each NIC can be associated with up to 20 ASGs. When a VM is created, you specify which ASGs it belongs to (or you can add them later).
When an NSG is associated with a subnet or NIC, and it contains a rule with an ASG reference, Azure's network fabric resolves the ASG to the set of private IP addresses of all VMs whose NICs are members of that ASG. This resolution occurs in the Azure SDN (Software Defined Networking) layer. The NSG rules are then evaluated against those resolved IPs.
Critically, ASGs are scoped to a single VNet. You cannot have an ASG that includes VMs from different VNets (unless peered, but even then, the ASG membership is per NIC in the same VNet). Also, ASGs only support private IP addresses within the VNet; they cannot reference on-premises or public IPs.
Key Components and Limits
ASG Resource: Defined at the VNet level. Each ASG can have up to 3000 VM NICs assigned (but check current limits as they may change).
NIC Association: Each NIC can be assigned to up to 20 ASGs.
NSG Rules: Up to 3000 ASG references per NSG (sum of all source and destination ASG references).
Cross-VNet: ASGs do not span VNets. If VMs are in different VNets, you cannot use a single ASG to group them; you need separate ASGs per VNet.
Limitation: ASGs cannot be used in NSG rules that reference service tags or application security groups as both source and destination in the same rule? Actually, you can have an NSG rule with source ASG and destination ASG, but both must be in the same VNet.
Configuration Steps
1. Create an ASG: Use Azure portal, PowerShell, CLI, or ARM template.
New-AzApplicationSecurityGroup -ResourceGroupName myRG -Name webASG -Location eastus
az network asg create --resource-group myRG --name webASG --location eastus2. Associate a NIC with an ASG: When creating a VM or updating an existing NIC.
$nic = Get-AzNetworkInterface -ResourceGroupName myRG -Name myVMNic
$nic.IpConfigurations[0].ApplicationSecurityGroups.Add((Get-AzApplicationSecurityGroup -ResourceGroupName myRG -Name webASG))
Set-AzNetworkInterface -NetworkInterface $nic
az network nic ip-config update --resource-group myRG --nic-name myVMNic --name ipconfig1 --application-security-groups webASG3. Create NSG rule referencing ASG:
$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName myRG -Name myNSG
$nsg | Add-AzNetworkSecurityRuleConfig -Name AllowWebToApp -Direction Inbound -Priority 100 -Access Allow -Protocol Tcp -SourceApplicationSecurityGroupId (Get-AzApplicationSecurityGroup -ResourceGroupName myRG -Name webASG).Id -DestinationApplicationSecurityGroupId (Get-AzApplicationSecurityGroup -ResourceGroupName myRG -Name appASG).Id -SourcePortRange * -DestinationPortRange 80
Set-AzNetworkSecurityGroup -NetworkSecurityGroup $nsgVerification
- Check effective security rules on a VM:
az network nic show-effective-nsg --resource-group myRG --name myVMNicThis shows the resolved rules, including ASG expansions.
Interaction with Related Technologies
NSGs: ASGs are used within NSG rules. NSGs can be associated at the subnet or NIC level. When an NSG is associated with a subnet, all VMs in that subnet inherit the rules. ASG references in those rules then apply to the VMs that are members of the referenced ASGs.
Service Tags: ASGs are complementary to service tags. Service tags represent groups of Azure services (e.g., AzureLoadBalancer) by IP ranges, while ASGs represent your own application tiers. You can use both in the same NSG rule.
VNet Peering: ASGs cannot span peered VNets. However, you can create separate ASGs in each VNet and write NSG rules that reference the other VNet's ASG by its resource ID? Actually, no—ASG references in NSG rules are limited to the same VNet as the NSG. So you cannot reference an ASG from a peered VNet directly. You would need to use IP ranges or service tags.
Azure Firewall: ASGs are not used in Azure Firewall rules; Azure Firewall uses FQDN tags, IP groups, and network rules. ASGs are exclusive to NSGs.
Common Scenarios
Multi-tier application: Create ASGs for web, app, and database tiers. Then write NSG rules: allow web to app on port 80, app to db on port 1433, etc. As you scale out, new VMs automatically get correct rules when added to the appropriate ASG.
Management access: Create an ASG for jumpbox VMs and allow SSH/RDP from that ASG to other tiers.
Environment isolation: Use ASGs for dev, test, and prod within the same VNet. However, ASGs don't enforce isolation by themselves; you need NSG rules to block traffic between ASGs.
Performance and Scale
ASGs are resolved in the control plane. The resolution is efficient, but there are limits (e.g., 3000 NICs per ASG). In practice, for large-scale deployments, you may need to split tiers across multiple ASGs if you exceed limits. Also, changes to ASG membership are propagated quickly but not instantaneously; there might be a brief period where old rules still apply.
Exam Tips
ASGs are not a security boundary; they are a grouping mechanism. Security is enforced by NSG rules.
ASGs are regional resources (same as VNet).
ASGs can be used in NSG rules for both source and destination.
ASGs cannot be used with Azure Firewall or in network virtual appliance (NVA) routing.
The exam often tests the difference between ASGs and NSGs: ASGs group VMs; NSGs filter traffic.
Remember the limit: up to 20 ASGs per NIC, up to 3000 NICs per ASG.
ASGs are free; you only pay for NSG rules and data transfer.
Conclusion
ASGs enable you to write security rules based on application semantics rather than IP addresses, making your network security agile and easier to maintain. They are a core part of Azure's network security model and a frequent topic on the AZ-104 exam.
Create Application Security Group
First, define the ASG resource within a resource group and region. Use the Azure portal, Azure CLI, or PowerShell. The ASG is a logical container with no inherent security rules. Example CLI: `az network asg create --name webASG --resource-group myRG --location eastus`. The ASG resource ID is generated. This step is purely administrative; no traffic is affected yet.
Associate NICs with ASG
For each VM that should be part of the ASG, associate its NIC (or specific IP configuration) with the ASG. This can be done during VM creation or by updating an existing NIC. When a NIC is associated, Azure's SDN controller records the mapping. A single NIC can be associated with up to 20 ASGs. The association is at the IP configuration level, so a multi-homed VM can have different ASGs per IP config. Example PowerShell: `$nic.IpConfigurations[0].ApplicationSecurityGroups.Add($asg)` then `Set-AzNetworkInterface`. This step is critical because without association, the ASG has no members.
Create NSG with ASG-based rules
Now create or update an NSG with rules that reference the ASG as source or destination. For example, allow HTTPS traffic from the webASG to the appASG on port 443. When you specify the ASG ID in the rule, Azure stores the rule but does not yet resolve the IPs. The rule is applied to the NSG, which is then associated with a subnet or NIC. The rule priority must be set (e.g., 100). Lower numbers are higher priority. The rule is evaluated only when traffic matches the ASG membership.
Associate NSG with subnet or NIC
The NSG containing the ASG rules must be associated with either a subnet or a NIC. If associated with a subnet, all VMs in that subnet are subject to the NSG rules, but ASG rules only apply to VMs that are members of the referenced ASGs. If associated with a NIC, the rules apply only to that NIC. Typically, you associate the NSG with the subnet where your application VMs reside. This step activates the NSG rules for traffic entering/leaving the subnet or NIC.
Traffic flow and ASG resolution
When a packet arrives at a VM's NIC, the NSG rules are evaluated. If a rule references an ASG, Azure's network fabric resolves the ASG to the set of private IP addresses of all NICs that are members of that ASG within the same VNet. This resolution happens in the SDN layer. The rule is then applied as if the source/destination IPs were explicitly listed. The resolution is cached and updated when ASG membership changes. There may be a propagation delay of a few seconds. The NSG then applies the rule (allow or deny).
Enterprise Scenario 1: Multi-Tier E-Commerce Application
A large e-commerce company runs a three-tier application on Azure: web servers, application servers, and database servers. They have hundreds of VMs across multiple availability zones. Without ASGs, they would need to maintain NSG rules that list every web server's IP as a source for the application tier. Whenever a new web server is added via auto-scaling, the NSG rules would need updating, which is error-prone and slow.
Solution: The team creates three ASGs: webASG, appASG, and dbASG. All web server NICs are added to webASG, application servers to appASG, and database servers to dbASG. They then create an NSG associated with the application tier subnet. The NSG rules are:
Allow inbound from webASG to appASG on port 8080.
Allow inbound from appASG to dbASG on port 1433.
Deny all other inbound.
Now, when auto-scaling adds a new web server, its NIC is automatically added to webASG via ARM templates, and the NSG rules immediately apply. The team also configures the application load balancer to use the ASG as the backend pool? No, backend pools use NICs or IPs, not ASGs. So they still need to manage the load balancer separately.
Performance: With 500 VMs per tier, the ASG resolution works efficiently. However, they hit the 3000 NICs per ASG limit? Not yet. They monitor the number of NICs per ASG. They also ensure that the NSG rule count does not exceed 1000 (default per NSG).
What goes wrong: Initially, they accidentally associated the NSG at the NIC level instead of subnet, causing duplicate rule evaluation and confusion. They also misconfigured the rule direction; they created an outbound rule instead of inbound. The result was that traffic from web to app was blocked. They had to use az network nic show-effective-nsg to troubleshoot.
Enterprise Scenario 2: Microservices with Service Mesh
A fintech company uses Kubernetes (AKS) with a service mesh (Istio). They want to enforce network segmentation between microservices at the Azure network level for defense-in-depth. They create ASGs per microservice (e.g., auth-svc, payment-svc, notification-svc). Each AKS node pool's VMs have a NIC that is associated with the appropriate ASG. However, because AKS nodes run multiple pods, each node may need to be in multiple ASGs. But a NIC can only be in up to 20 ASGs, which may be insufficient for many microservices.
Solution: They use a different approach: they assign ASGs based on node pool purpose (e.g., frontend pool, backend pool) rather than per microservice. They then use Kubernetes network policies for granular control. This hybrid approach reduces the number of ASGs needed.
What goes wrong: They initially tried to assign ASGs to pod IPs, but ASGs are only for VM NICs, not individual pod IPs. They had to rethink their design.
Enterprise Scenario 3: Dev/Test/Prod Isolation in a Single VNet
A startup wants to isolate dev, test, and prod environments within a single VNet to save costs (no peering). They create ASGs: devASG, testASG, prodASG. Each VM's NIC is associated with its environment's ASG. Then they create an NSG associated with the subnet that contains all VMs. The NSG rules are:
Allow all traffic within the same ASG (e.g., dev to dev).
Deny all traffic between different ASGs (e.g., dev to test).
Allow management traffic from a jumpbox ASG to all ASGs.
This works because NSG rules can reference multiple ASGs. However, they must be careful about rule priorities. They set a rule with priority 100 to allow intra-ASG traffic, and a rule with priority 200 to deny inter-ASG traffic. But the deny rule must be explicit; otherwise, default deny applies. They also need to allow traffic to Azure services like Azure SQL via service tags.
Performance: With 100 VMs per environment, the NSG rules are manageable. But they hit the limit of 3000 ASG references per NSG? Not yet. They also need to ensure that the NSG does not become too complex.
What goes wrong: They forgot to add the deny rule and relied on default deny. But default deny applies at the end, so traffic between ASGs was implicitly denied. However, they wanted to log denied traffic; they had to enable NSG flow logs. Also, they mistakenly associated the NSG with the subnet but also with individual NICs, causing double evaluation and unexpected denies.
What AZ-104 Tests on ASGs
The AZ-104 exam objectives under 'Configure and manage virtual networking' (Objective 4.1) include 'Configure network security groups (NSGs) and application security groups (ASGs)'. You are expected to:
Understand the purpose of ASGs and how they differ from NSGs.
Know how to create and associate ASGs.
Be able to write NSG rules that reference ASGs.
Understand the limitations (e.g., ASGs are regional, scoped to a VNet, cannot span VNets, cannot be used with Azure Firewall).
Know the default limits: 20 ASGs per NIC, 3000 NICs per ASG, 3000 ASG references per NSG.
Common Wrong Answers and Why
'ASGs can be used as a source or destination in an Azure Firewall rule.' This is false. Azure Firewall does not support ASGs; it uses IP groups, FQDN tags, or network rules with IP addresses. Candidates confuse Azure Firewall with NSGs.
'ASGs can span multiple VNets.' False. ASGs are scoped to a single VNet. If you have VMs in peered VNets, you cannot use the same ASG. You must create separate ASGs in each VNet and write rules accordingly (but rules cannot reference ASGs from another VNet).
'ASGs are a security boundary that blocks traffic by default.' False. ASGs are just logical groups. They do not enforce any security by themselves. Security is enforced by NSG rules that reference ASGs. A VM in an ASG can still communicate with any other VM if no NSG rule blocks it.
'You can assign an ASG to a subnet.' False. ASGs are associated with NICs (or IP configurations), not subnets. You cannot assign an ASG to a subnet; you can only associate an NSG with a subnet.
Specific Numbers and Terms on the Exam
20 – Maximum number of ASGs per NIC.
3000 – Maximum number of NICs per ASG.
3000 – Maximum number of ASG references per NSG (sum of source and destination references).
Regional – ASGs are regional resources (same as VNet).
VNet-scoped – ASG membership is limited to NICs in the same VNet.
Free – No additional cost for ASGs.
Edge Cases and Exceptions
Multi-homed VMs: Each IP configuration on a NIC can have its own set of ASGs. The exam may test that ASG association is per IP configuration.
VM scale sets: Each VM instance in a scale set has its own NIC; you can associate ASGs at the scale set level via the virtualMachineProfile.networkProfile.networkInterfaceConfigurations.ipConfigurations.applicationSecurityGroups property. But the exam might ask how to apply ASGs to scale sets.
ASG with service tags: You can have an NSG rule that has a service tag as source and an ASG as destination, or vice versa. The exam may test that combination.
Propagation delay: When you add a NIC to an ASG, the NSG rules are not instant; there is a propagation delay of a few seconds. The exam may ask about this.
How to Eliminate Wrong Answers
If a question mentions 'Azure Firewall', eliminate any answer that involves ASGs.
If a question mentions 'multiple VNets', eliminate answers that say 'use a single ASG'.
If a question asks about 'blocking traffic', remember that ASGs alone do not block; NSG rules do.
If a question asks about 'cost', ASGs are free.
If a question asks about 'subnet association', remember ASGs are associated with NICs, not subnets.
ASGs are logical groups of VMs used to simplify NSG rule management; they are not security boundaries.
Each NIC can be associated with up to 20 ASGs; each ASG can contain up to 3000 NICs.
ASGs are regional and scoped to a single VNet; they cannot span VNets or regions.
ASGs are free; you only pay for NSG rules and data transfer.
ASGs are not supported in Azure Firewall; use IP groups instead.
To use ASGs, create the ASG, associate NICs, then create NSG rules referencing the ASG.
Changes to ASG membership propagate but are not instantaneous; expect a short delay (seconds).
These come up on the exam all the time. Here's how to tell them apart.
Application Security Groups (ASGs)
Logical grouping of VMs by application tier.
No security rules; used as source/destination in NSG rules.
Associated with NICs (up to 20 per NIC).
Cannot filter traffic directly; must be referenced by NSG.
Free of charge.
Network Security Groups (NSGs)
Contains security rules (allow/deny) based on IP, port, protocol.
Can be associated with subnets or NICs.
Evaluates traffic based on 5-tuple (source IP, dest IP, source port, dest port, protocol).
Can use ASGs, service tags, or IP ranges in rules.
No additional cost for rules, but data transfer costs apply.
Mistake
ASGs can be used to filter traffic between VNets.
Correct
ASGs are scoped to a single VNet. They cannot contain NICs from different VNets. To filter traffic between VNets, you must use NSGs with IP ranges, service tags, or virtual network peering with appropriate NSG rules.
Mistake
ASGs provide default security by blocking all traffic to/from the group.
Correct
ASGs are just logical containers; they do not enforce any security. Security is enforced by NSG rules that reference ASGs. Without an NSG rule, traffic is allowed by default (unless a subnet or NIC NSG denies it).
Mistake
You can assign an ASG to a subnet.
Correct
ASGs are associated with network interfaces (NICs) or IP configurations, not subnets. You associate an NSG with a subnet, and that NSG can contain rules that reference ASGs.
Mistake
ASGs can be used with Azure Firewall.
Correct
Azure Firewall does not support ASGs. It uses IP groups, FQDN tags, and network/application rules based on IP addresses or FQDNs.
Mistake
ASGs are global resources.
Correct
ASGs are regional resources, tied to the same region as the VNet. You cannot use an ASG from one region in a VNet in another region.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
Yes, by adding both VMs to the same ASG or different ASGs and creating an NSG rule that references the source and destination ASGs. However, ASGs are not a direct way to allow traffic between two specific VMs; they group VMs by role. For precise per-VM rules, use NSG rules with individual IP addresses.
ASGs group your own VMs by application tier. Service tags represent Azure services (e.g., AzureLoadBalancer, AzureSQL) by their IP ranges. Both can be used in NSG rules. Service tags are managed by Microsoft; ASGs are defined by you.
Yes, ASGs are regional, not zonal. VMs in the same region but different availability zones can be in the same ASG, as long as they are in the same VNet.
Use `az network nic show-effective-nsg` to see the effective rules. Verify that the NIC is associated with the correct ASG. Check that the NSG is associated with the correct subnet or NIC. Ensure the rule priority is appropriate. Also, check that the ASG is in the same VNet as the NSG.
ASGs cannot contain VMs from different VNets. In a hub-spoke topology, you must create separate ASGs in each VNet. You cannot reference an ASG from a spoke VNet in an NSG rule in the hub VNet. You would need to use IP ranges or service tags instead.
Yes, you can associate ASGs with the NICs of AKS nodes (VMs). However, AKS uses its own network policies (e.g., Calico, Azure Network Policy) for pod-level segmentation. ASGs operate at the VM level, not pod level.
You cannot associate more than 20 ASGs to a single NIC. If you need more, consider using multiple NICs per VM (each NIC can have its own set of ASGs) or redesign your ASG strategy to combine groups.
You've just covered Application Security Groups (ASG) — now see how well it sticks with free AZ-104 practice questions. Full explanations included, no account needed.
Done with this chapter?