Skip to main content

Configure Application Security Groups in Azure

Hands-On Lab


Photo of

Training Architect





Application Security Groups (ASG) are a feature within Azure that helps simplify the management of Network Security Group (NSG) rules.

In this lab, you will have the opportunity to learn about how to create and implement an ASG for some pre-configured network resources.

After completing this lab, you will be familiar with the purpose of an ASG, how to create one, and how to associate it with a virtual machine and NSG.

What are Hands-On Labs?

Hands-On Labs are scenario-based learning environments where learners can practice without consequences. Don't compromise a system or waste money on expensive downloads. Practice real-world skills without the real-world risk, no assembly required.

Configure Application Security Groups for Azure Virtual Networks

In this lab, we will create and implement an ASG for some pre-configured network resources.

To do so, we will create an application security group, associate it with an existing virtual machine, and configure security rules within an existing network security group.

Before We Begin

To get started, we need to log in to the Azure portal using the provided credentials.

Create an Application Security Group

Please take note of our resources' region, as we will need to use the same region in the following steps. For example, we'll be using (US) West US 2.

We also need to check which region our resources are from. To do so, select All resources and check the location column. For our example, we are in (US) West US 2.

Create an Application Security Group by completing the following:

  1. Click on the + Create a resource option.
  2. Search for "application security group".
  3. Choose the application security group option, then click on Create
  4. Create the application security group with the following settings:
    • Subscription: Select the existing subscription
    • Resource group: Select the existing resource group
    • Name: webvms-asg
    • Region: Select the region in use for your existing resources. For our example, we're using (US) West US 2.
      1. Click on Review + create

Associate WEBVM1 with the Application Security Group

Next, we need to associate our WEBVM1 with the application security group that we just created:

  1. Click on Virtual machines option.
  2. Select the provided virtual machine.
  3. Click on Networking.
  4. Choose the Application security groups.
  5. From the dropdown that appears, select the security group that we created, then select Save.

Update the Network Security Group to use the Application Security Group

Update the Network Security Group to use the Application Security Group:

  1. Navigate to the network security group, shared-nsg, which has been created for you. You may search for shared-nsg, access via all resources, or through the 'Network Security Groups' service page.
  2. Click on Inbound security rules in the Settings section of the resource menu on the left-hand side.
  3. Click on the existing rule, allow_rdp_webservers, within the working pane (middle of the screen).
  4. Set the Destination to be our Application security group.
  5. Select webvms-asg, which you created in a previous objective, for the Destination application security group.
  6. Click on Save.

Check the Connection

You may now choose to verify that the network security group is working as expected by connecting to webvm1 using RDP.

To do so:

  1. Navigate back to our virtual machine and, once selected, copy the Public IP address using the Copy button.
  2. Use an RDP client from your computer, and connect via the IP address we copied.
  3. Log in using the following credentials:
    • Username: azureuser
    • Password: labh0l-526-learn!
  4. Once we log in, we'll know the virtual machine is working.


Congratulations! You've completed the lab!