You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/virtual-network/application-security-groups.md
+11-8Lines changed: 11 additions & 8 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -5,7 +5,7 @@ description: Learn about the use of application security groups.
5
5
author: asudbring
6
6
ms.service: azure-virtual-network
7
7
ms.topic: concept-article
8
-
ms.date: 03/31/2025
8
+
ms.date: 07/09/2025
9
9
ms.author: allensu
10
10
# Customer intent: As a network administrator, I want to configure application security groups for my virtual machines, so that I can easily manage network security policies and reduce the complexity of maintaining explicit IP addresses.
11
11
---
@@ -16,7 +16,7 @@ Application security groups enable you to configure network security as a natura
16
16
17
17
:::image type="content" source="./media/security-groups/application-security-groups.png" alt-text="Diagram of Application security groups.":::
18
18
19
-
In the previous picture, *NIC1* and *NIC2* are members of the *AsgWeb* application security group. *NIC3* is a member of the *AsgLogic* application security group. *NIC4* is a member of the *AsgDb* application security group. Though each network interface (NIC) in this example is a member of only one application security group, a network interface can be a member of multiple application security groups, up to the [Azure limits](../azure-resource-manager/management/azure-subscription-service-limits.md?toc=%2fazure%2fvirtual-network%2ftoc.json#azure-resource-manager-virtual-networking-limits). None of the network interfaces have an associated network security group. *NSG1* is associated to both subnets and contains the following rules:
19
+
In the previous picture, *NIC1* and *NIC2* are members of the *AsgWeb* application security group. *NIC3* is a member of the *AsgLogic* application security group. *NIC4* is a member of the *AsgDb* application security group. Although each network interface (NIC) in this example is a member of only one application security group, a network interface can be a member of multiple application security groups, up to the [Azure limits](../azure-resource-manager/management/azure-subscription-service-limits.md?toc=%2fazure%2fvirtual-network%2ftoc.json#azure-resource-manager-virtual-networking-limits). None of the network interfaces have an associated network security group. *NSG1* is associated to both subnets and contains the following rules:
20
20
21
21
## Allow-HTTP-Inbound-Internet
22
22
@@ -28,7 +28,7 @@ This rule is needed to allow traffic from the internet to the web servers. Becau
28
28
29
29
## Deny-Database-All
30
30
31
-
Because the **AllowVNetInBound** default security rule allows all communication between resources in the same virtual network, this rule is needed to deny traffic from all resources.
31
+
Because the **AllowVNetInBound** default security rule allows all communication between resources in the same virtual network, you need this rule to deny traffic from all resources.
Network interfaces that are members of the application security group apply the rules that specify it as the source or destination. The rules don't affect other network interfaces. If the network interface isn't a member of an application security group, the rule isn't applied to the network interface, even though the network security group is associated to the subnet.
45
+
Network interfaces that are members of the application security group apply the network security group rules that specify it as the source or destination. The network security group rules don't affect other network interfaces. If the network interface isn't a member of an application security group, the rule doesn't apply to the network interface, even though the network security group is associated to the subnet.
46
+
47
+
48
+
## Constraints
46
49
47
50
Application security groups have the following constraints:
48
51
49
52
- There are limits to the number of application security groups you can have in a subscription, and other limits related to application security groups. For details, see [Azure limits](../azure-resource-manager/management/azure-subscription-service-limits.md?toc=%2fazure%2fvirtual-network%2ftoc.json#azure-resource-manager-virtual-networking-limits).
50
53
51
-
- All network interfaces assigned to an application security group have to exist in the same virtual network that the first network interface assigned to the application security group is in. For example, if the first network interface assigned to an application security group named *AsgWeb* is in the virtual network named *VNet1*, then all subsequent network interfaces assigned to *ASGWeb* must exist in *VNet1*. You can't add network interfaces from different virtual networks to the same application security group.
54
+
- All network interfaces assigned to an application security group must exist in the same virtual network that the first network interface assigned to the application security group is in. For example, if the first network interface assigned to an application security group named *AsgWeb* is in the virtual network named *VNet1*, then all subsequent network interfaces assigned to *ASGWeb* must exist in *VNet1*. You can't add network interfaces from different virtual networks to the same application security group.
52
55
53
-
- If you specify an application security group as the source and destination in a security rule, the network interfaces in both application security groups must exist in the same virtual network.
56
+
- If you specify an application security group as the source and destination in a network security group rule, the network interfaces in both application security groups must exist in the same virtual network.
54
57
55
-
-An example would be if *AsgLogic*had network interfaces from *VNet1* and *AsgDb*had network interfaces from *VNet2*. In this case, it would be impossible to assign *AsgLogic* as the source and *AsgDb* as the destination in a rule. All network interfaces for both the source and destination application security groups need to exist in the same virtual network.
58
+
-For example, *AsgLogic*contains network interfaces from *VNet1* and *AsgDb*contains network interfaces from *VNet2*. In this case, it would be impossible to assign *AsgLogic* as the source and *AsgDb* as the destination in the same network security group rule. All network interfaces for both the source and destination application security groups must exist in the same virtual network.
56
59
57
60
> [!TIP]
58
-
> To minimize the number of security rules you need, plan out the application security groups you require. Create rules using service tags or application security groups, rather than individual IP addresses or ranges of IP addresses, whenever possible.
61
+
> To minimize the number of security rules you need, plan out your required application security groups. Create rules using service tags or application security groups, rather than individual IP addresses or ranges of IP addresses, when possible.
0 commit comments