Skip to main content
Application Security Groups (ASGs) in Azure provide an application-centric, scalable way to manage network access across virtual machines (VMs). Instead of authoring and maintaining rules that reference individual IP addresses, ASGs let you group NICs (and therefore VMs) logically and reference those groups from Network Security Group (NSG) rules. This simplifies policy management, enables layered security, and makes group membership flexible — a VM can be in multiple ASGs and an ASG can be referenced by many NSGs.
A diagram titled "Application Security Groups (ASG)" showing a virtual network with two subnets, NSGs, VMs and NICs grouped into an "ASG Web," with traffic flows indicating allowed HTTP (TCP 80) to some NICs and TCP 1433 to another VM. The left column lists ASG benefits: dynamic grouping, simplified NSG management, and flexible association.
Why use ASGs? Here are the core benefits:
BenefitDescriptionExample
Dynamic groupingGroup NICs logically without hardcoding IPsAdd/remove VM NICs from an ASG as VMs scale
Simplified NSG rulesReference ASGs in NSG rules instead of IP listsOne rule allowing HTTP to a “Web” ASG
Reusable policiesReuse ASGs across multiple NSGs and subnetsApply same ASG in different NSGs for consistent access
ASGs enable layered and reusable policies. For example, put all web servers into a Web ASG and allow only TCP/80 to that group; place database servers in a DB ASG and allow only TCP/1433 to that group.
This walkthrough demonstrates creating an ASG, associating NICs (VM1 and VM2), and updating a subnet-level NSG so only those two VMs can access Azure Storage, while a third VM in the same subnet remains blocked.

1) Create the Application Security Group

Create an ASG in the Azure portal (choose subscription, resource group, name, region). After deployment, you can reference this ASG in NSG rules and add NICs to make VMs members.
A Microsoft Azure portal screenshot showing the "Create an application security group" form. The form is filled with subscription "Kodekloud Labs", resource group "rg-az700-nsg", name "asg-storage", and region "East US".

2) Associate NICs with the ASG

Associate a VM’s network interface (NIC) to the ASG so it becomes a logical member. Open the VM’s networking settings, select the NIC, and add the ASG.
A screenshot of the Microsoft Azure portal showing the Network settings for a virtual machine named "vm-nsg-lab-1." It displays the VM’s network interface, public and private IP addresses, and the attached network security group (nsg-lab-01).
Use the “Add application security groups” option on the NIC and pick the ASG you created.
A screenshot of the Microsoft Azure portal on the "Application security groups" page showing a network interface (vm-nsg-lab-1-nic / ipconfig1). A side pane titled "Add application security groups" lists a selected ASG named "asg-storage-servers" with the Add button highlighted.
Repeat the association for VM2’s NIC. Leave VM3 ungrouped so it does not gain the same access.

3) Update the NSG to Allow Storage Only for the ASG

Instead of permitting storage access from the entire subnet, create an NSG outbound rule that allows traffic only when the source is the ASG. Configure the new outbound rule with values like the following:
FieldValue
SourceApplication Security Group (select your ASG)
Source port ranges*
DestinationService Tag — Storage
Destination port range443
ActionAllow
PriorityLower number than existing Deny (e.g., 100 if Deny is 200)
NameAllowStorage
Be sure the rule priority places this allow rule above any broader Deny rules so it takes effect.
NSG rule ordering matters. A lower priority number has higher precedence. If a Deny rule has a lower number than your Allow, the Deny will still block traffic. Place the AllowStorage rule with a priority that precedes the Deny.
After creating the rule, confirm it appears in the NSG outbound rules list.
A screenshot of an Azure Network Security Group "Outbound security rules" page showing a table of rules. The table lists rules like AllowStorage and DenyInternet with priorities, ports, sources/destinations and Allow or Deny actions.
You can also review the NSG overview and existing rules (for context, e.g., a Deny Internet rule) before and after changes.
A Microsoft Azure portal screenshot showing the Network Security Group "nsg-lab-01" overview with resource details. The main pane lists inbound and outbound security rules (e.g., AllowAnySSHInbound, AllowVnetInBound, DenyInternet) and their priorities/actions.

4) Verify behavior from a VM

After the ASG membership and NSG rule are in place:
  • VM1 and VM2 (NICs in the ASG) can reach Azure Storage on TCP/443.
  • VM3 (not in the ASG) remains blocked by the subnet-level deny rule.
Example SSH + curl session showing the change (before and after the AllowStorage rule): 
# SSH into VM1
ssh kodekloud@172.191.36.135

# Before the ASG-based allow rule:
kodekloud@vm-nsg-lab-1:~$ curl https://cskodekloudaz01.blob.core.windows.net/vision/note.jpeg
^C
kodekloud@vm-nsg-lab-1:~$ curl https://www.microsoft.com
curl: (28) Failed to connect to www.microsoft.com port 443: Connection timed out

# After creating the NSG outbound rule that allows Storage from the ASG:
kodekloud@vm-nsg-lab-1:~$ curl -I https://cskodekloudaz01.blob.core.windows.net/vision/note.jpeg
HTTP/1.1 200 OK
Content-Length: 12345
Content-Type: image/jpeg
...
This verifies that a single NSG rule referencing an ASG can selectively permit storage access for a subset of VMs in the same subnet, avoiding manual IP lists and simplifying policy management.

References and further reading

This concludes the ASG walkthrough.

Watch Video