Application Security Group

Application Security Group

In this lab you will get an overview of application security groups (ASG)

learn how to do the following:

  • Log in to the Azure CLI

  • Create an ASG

  • Create and log in between two VMs

Step 1 - Logging In

Microsoft Azure is a cloud computing service offered and operated by Microsoft that can be used to host your data and applications in the cloud.

Run this command to log in to the Azure account:

az login -u $username -p $password

After you log in, you should get a block of JSON with details about your sign-in.

You can view the Azure account username with this command:

echo $username

You can view the Azure account password with this command:

echo $password

Step 2 - Getting Set Up

In this lab we are going to create an application security group (ASG), which provides a convenient abstraction to not maintain IP addresses in a network security group.

Let's say we want to enforce this network structure:

Maintaining these rules in an NSG can be tedious. That's why we are going to create an ASG to streamline the connecting of networks and enforcing the desired rules.

We are going to create an NSG on a virtual network, configure the ASGs around resources, and create two VMs to test the traffic filter.

First we need a resource group. O'Reilly provides a resource group with a name saved to the variable $resource, which was created with this command:

az group create --name $resource --location eastus

Step 3 - Creating the ASGs

Next let's create two ASGs using az network asg create. This will enable you to group resources with similar traffic filter rules:

az network asg create \
  --resource-group $resource \
  --name myASG1 \
  --location eastus

az network asg create \
  --resource-group $resource \
  --name myASG2 \
  --location eastus

Next we need to create an NSG:

az network nsg create \
  --resource-group $resource \
  --name myNSG

Now we must create two new rules in our NSG with the command az network nsg rule create. We will allow inbound internet traffic from myASG1 with ports 80 through 443. This will allow web traffic:

az network nsg rule create \
  --nsg-name myNSG \
  --resource-group $resource \
  --name AllWebAllowed \
  --access Allow \
  --protocol Tcp \
  --direction Inbound \
  --priority 100 \
  --source-address-prefix Internet \
  --source-port-range "*" \
  --destination-asgs "myASG1" \
  --destination-port-range 80 443

Next we will create another rule to allow SSH traffic to myASG2. We will give it slightly less priority than the previous rule (so they don't clash on shared ranking) and limit to port 22:

az network nsg rule create \
  --resource-group $resource \
  --nsg-name myNSG \
  --name AllowAllSSH \
  --access Allow \
  --protocol Tcp \
  --direction Inbound \
  --priority 110 \
  --source-address-prefix Internet \
  --source-port-range "*" \
  --destination-asgs "myASG2" \
  --destination-port-range 22

Note that in production, we would typically use a private connection or VPN rather than exposing port 22 to the internet like this.

Step 4 - Creating the VMs

Let's create a virtual network and a subnet inside it. Note for the az network vnet subnet create command, we are tying it to the network security group we just created:

az network vnet create \
  --name myVN \
  --resource-group $resource \
  --address-prefixes 10.0.0.0/16

az network vnet subnet create \
  --vnet-name myVN \
  --resource-group $resource \
  --name mySubnet \
  --address-prefix 10.0.0.0/24 \
  --network-security-group myNSG

Let's create a virtual machine to act as our web server. We will put it on the subnet and force the nsg argument to be blank so a default NSG is not applied. We are going to have the admin-password be Password1234. Of course, your security in real life would use a better (more concealed) password as well as SSH and keys:

az vm create \
  --resource-group $resource \
  --name myVM1 \
  --image UbuntuLTS \
  --vnet-name myVN \
  --subnet mySubnet \
  --nsg "" \
  --asgs myASG1 \
  --admin-username azureuser \
  --admin-password Password1234

Finally, let's create the backend VM that will act as the backend server:

az vm create \
  --resource-group $resource \
  --name myVM2 \
  --image UbuntuLTS \
  --vnet-name myVN \
  --subnet mySubnet \
  --nsg "" \
  --asgs myASG2 \
  --admin-username azureuser \
  --admin-password Password1234

After that runs, extract the public IP address of the virtual machine and save it to a variable:

myIp=$(az vm show -d --resource-group $resource --name myVM2 --query publicIps -o tsv)

Step 5 - Testing and Cleanup

Let's test this out. Log in to the second virtual machine acting as the backend:

ssh azureuser@$myIp

Notice we get in because we allow connecting through port 22. From that machine, we can now bounce to the other machine acting as the frontend. But here we can do it by addressing as myVM1 rather than an IP address:

ssh azureuser@myVM1

We would not have been able to log in to myVM1 through the internet because it was restricted in our rules. But because we were inside the same virtual network with myVM2, we were able to log in to that machine. This effectively shows our ASGs are working! You will also find that if you go back to the frontend myVM1, you can access outbound traffic to the internet because our rule allows that.