Application Security Groups and Associated Network Interface Cards
Introduction
Application Security Groups (ASGs) are a feature of Azure Network Security Groups (NSGs) that let you define security groupings based on application workloads. Used together with NSGs, they allow fine-grained network security policies to be expressed in terms of those workloads rather than individual addresses. Private Endpoints and Network Interface Cards (NICs) are associated with an ASG resource, which creates a logical grouping that can in turn be referenced in NSG rules to manage traffic. Azure Application Security Groups offer several advantages:
- ASGs allow you to group Network Interface Cards and Private Endpoints and define network security policies based on those groups, rather than managing individual IP addresses in NSG rules. This simplifies the process of applying security rules.
- ASGs can automatically handle an increase in VMs without the need for additional configuration. This makes it easier to scale your applications while maintaining consistent security policies.
- ASGs provide fine-grained control over network traffic, allowing you to define security policies based on application attributes. This helps in creating more precise and effective security rules.
- With ASGs, you can centralize your network security configuration, making it easier to manage and monitor security policies. This reduces the complexity of managing multiple security rules across different resources.
- By grouping VMs with similar roles and applying security policies to those groups, ASGs help improve the security posture of your applications. This reduces the risk of misconfigurations and enhances overall security.
Objective
- At the time of writing, the ASG resource does not show a list of the resources associated with it. This can make it difficult to manage and monitor the security policies applied to the VMs in an ASG. In this article we discuss how to retrieve that list using Azure Resource Graph Explorer.
- This lack of visibility is a minor security risk in itself, since it may not be immediately apparent which VMs belong to an ASG. We will also set up monitoring that alerts us when a new network interface card is added to an ASG.
Let's get started!
Virtual machines associated with an Application Security Group
Azure Resource Graph is an Azure service that extends Azure Resource Manager with efficient, performant resource exploration and the ability to query at scale across a set of subscriptions, so that you can govern your environment effectively. It lets you explore your resources with powerful query capabilities and get detailed information about them and their properties. Here we use it to list the VMs and the Private Endpoints associated with an ASG, using the following queries, which can be run in Azure Resource Graph Explorer in the Azure portal or through the Azure Resource Graph REST API.
Virtual Machines associated with an ASG
```kusto
resources
| where type =~ 'Microsoft.Network/networkInterfaces'
| mv-expand ipConfigurations=properties.ipConfigurations
| mv-expand applicationSecurityGroups=ipConfigurations.properties.applicationSecurityGroups
// ids embedded in properties can differ in case from resource ids, so compare lower-cased
| extend asgId = tolower(tostring(applicationSecurityGroups.id)), nicId = tolower(id)
| join kind=leftouter (
    resources
    | where type =~ 'Microsoft.Compute/virtualMachines'
    | mv-expand nic=properties.networkProfile.networkInterfaces
    // rename the VM name here; after the join, a bare 'name' would be the NIC name
    | project vmName=name, nicId=tolower(tostring(nic.id)))
    on nicId
| join kind=leftouter (
    resources
    | where type =~ 'Microsoft.Network/applicationSecurityGroups'
    | project asgName=name, asgId=tolower(id))
    on asgId
| project vmName, asgName
```
Private Endpoints associated with an ASG
```kusto
resources
| where type =~ 'Microsoft.Network/networkInterfaces'
| mv-expand ipConfigurations=properties.ipConfigurations
| mv-expand applicationSecurityGroups=ipConfigurations.properties.applicationSecurityGroups
// ids embedded in properties can differ in case from resource ids, so compare lower-cased
| extend asgId = tolower(tostring(applicationSecurityGroups.id)), nicId = tolower(id)
| join kind=inner (
    resources
    | where type =~ 'Microsoft.Network/privateEndpoints'
    | mv-expand nic=properties.networkInterfaces
    // rename the private endpoint name here; after the join, a bare 'name' would be the NIC name
    | project privateEndpointName=name, nicId=tolower(tostring(nic.id))
) on nicId
| join kind=inner (
    resources
    | where type =~ 'Microsoft.Network/applicationSecurityGroups'
    | project asgName=name, asgId=tolower(id)
) on asgId
| project privateEndpointName, asgName
```
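To pull the same membership list programmatically, the following Python script (an added example, not part of the original article) posts a query to the Resource Graph REST API, follows `$skipToken` paging, and folds the flat rows the article's queries return into one member list per ASG. The bearer token, subscription id and the sample response pages are assumptions: the real transport `arg_post` is shown, while the paging logic is exercised against a constructed offline transport.

```python
import json
import urllib.request
# Resource Graph REST endpoint (api-version 2021-03-01).
ARG_URL = ("https://management.azure.com/providers/Microsoft.ResourceGraph"
           "/resources?api-version=2021-03-01")

def arg_post(token, body):
    """Real transport: `token` is an assumed bearer token for management.azure.com."""
    req = urllib.request.Request(
        ARG_URL, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def query_all_rows(query, subscriptions, post, page_size=1000):
    """Follow $skipToken until every row is collected; `post(body)` is the transport."""
    rows = []
    body = {"subscriptions": subscriptions, "query": query,
            "options": {"$top": page_size, "resultFormat": "objectArray"}}
    while True:
        page = post(body)
        rows.extend(page.get("data", []))
        if not page.get("$skipToken"):
            return rows
        body["options"]["$skipToken"] = page["$skipToken"]

def group_by_asg(rows, member_column):
    """Fold flat (member, asgName) rows into {asgName: sorted members}; rows with
    an empty asgName (possible with the article's leftouter join) are dropped."""
    grouped = {}
    for row in rows:
        if row.get("asgName"):
            grouped.setdefault(row["asgName"], set()).add(row[member_column])
    return {asg: sorted(m) for asg, m in sorted(grouped.items())}

# Constructed sample: two response pages in the REST API's shape, not real data.
SAMPLE_PAGES = [
    {"data": [{"vmName": "web01", "asgName": "asg-web"},
              {"vmName": "web02", "asgName": "asg-web"}], "$skipToken": "p1"},
    {"data": [{"vmName": "db01", "asgName": "asg-db"},
              {"vmName": "jump01", "asgName": ""}]},
]

def make_fake_post(pages):
    """Offline transport: serves page 0, then the page named by $skipToken."""
    def post(body):
        skip = body["options"].get("$skipToken")
        return pages[int(skip[1:])] if skip else pages[0]
    return post
```

Against a live tenant, pass `lambda body: arg_post(token, body)` as the transport and the article's VM or Private Endpoint query as `query`, with `"vmName"` or `"privateEndpointName"` as the member column.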
Monitoring Application Security Group Association
There is an inherent risk in the use of Application Security Groups (ASGs): an association with a given ASG can grant network access to other resources. An example of this might be web servers that have access to a database server via an ASG. An attacker who managed to evade other security controls could potentially add a new VM to the ASG and gain access to the database server. To mitigate this risk, you can set up monitoring to alert you when a new reference is added to an ASG. To achieve this you need an existing Log Analytics Workspace configured to ingest the Azure Activity Logs. Using the query below, a new log-based query alert rule can be created to alert you when a new network interface card is added to an ASG. Note that the query matches any accepted NIC write whose request body references an ASG, including updates to a NIC that is already a member, so expect some benign hits; the resource ID and caller returned for each hit are what you triage.
```kusto
AzureActivity
| where OperationNameValue in ('MICROSOFT.NETWORK/NETWORKINTERFACES/WRITE')
| where Properties contains "providers/Microsoft.Network/applicationSecurityGroups"
| where parse_json(Properties).activityStatusValue == "Accept"
// one row per NIC and caller, so repeated writes in the window do not inflate the count
| summarize by _ResourceId, Caller
```
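The following Python script, added here and not part of the original article, applies the same three filters and the `summarize by` de-duplication to constructed AzureActivity rows, so the alert logic can be checked against known events before the rule is deployed. The subscription, resource ids, callers and request bodies are placeholders built inline.

```python
import json
NIC_WRITE = "MICROSOFT.NETWORK/NETWORKINTERFACES/WRITE"
# KQL `contains` is case-insensitive, so the needle is casefolded here too.
ASG_REF = "providers/microsoft.network/applicationsecuritygroups"

def asg_nic_writes(activity_rows):
    """Apply the alert query's filters to AzureActivity rows and return the
    distinct (_ResourceId, Caller) pairs, as `summarize by` would."""
    hits = set()
    for row in activity_rows:
        if row.get("OperationNameValue") != NIC_WRITE:    # OperationNameValue in (...)
            continue
        props_raw = row.get("Properties", "")
        if ASG_REF not in props_raw.casefold():           # Properties contains "..."
            continue
        if json.loads(props_raw).get("activityStatusValue") != "Accept":
            continue
        hits.add((row["_ResourceId"], row["Caller"]))
    return sorted(hits)

def should_alert(activity_rows):
    """Alert logic from the table: fire when the row count is greater than 0."""
    return len(asg_nic_writes(activity_rows)) > 0

def nic_write_event(resource_id, caller, status, asg_id=None):
    """Build one constructed AzureActivity row (not real log data)."""
    ip_config = {"properties": {}}
    if asg_id:
        ip_config["properties"]["applicationSecurityGroups"] = [{"id": asg_id}]
    body = {"properties": {"ipConfigurations": [ip_config]}}
    props = {"activityStatusValue": status, "requestbody": json.dumps(body)}
    return {"OperationNameValue": NIC_WRITE, "_ResourceId": resource_id,
            "Caller": caller, "Properties": json.dumps(props)}

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-app"  # placeholder
ASG_WEB = SUB + "/providers/Microsoft.Network/applicationSecurityGroups/asg-web"
NIC_A = SUB + "/providers/Microsoft.Network/networkInterfaces/web03-nic"
NIC_B = SUB + "/providers/Microsoft.Network/networkInterfaces/jump01-nic"

# Constructed one-hour window: the Start and Accept events of one ASG add, a
# duplicate Accept, a NIC write with no ASG, and an unrelated VM write.
SAMPLE_ROWS = [
    nic_write_event(NIC_A, "alice@contoso.com", "Start", ASG_WEB),
    nic_write_event(NIC_A, "alice@contoso.com", "Accept", ASG_WEB),
    nic_write_event(NIC_A, "alice@contoso.com", "Accept", ASG_WEB),
    nic_write_event(NIC_B, "bob@contoso.com", "Accept"),
    {"OperationNameValue": "MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE",
     "_ResourceId": NIC_B, "Caller": "bob@contoso.com", "Properties": "{}"},
]
```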
Ensure that the following items are configured on the Alert Rule:
| Configuration item | Value |
|---|---|
| Severity | 2 - Warning |
| Signal name | Custom Log Search |
| Search query | Use the query above |
| Measure | Table rows |
| Aggregation type | Count |
| Aggregation granularity | 1 hour |
| Split by dimensions: Resource ID column | Don't Split |
| Alert logic: Operator | Greater than |
| Alert logic: Threshold value | 0 |
| Alert logic: Frequency of evaluation | 1 hour |
Note: Please add your own field values / configuration where not specified in the above table.
Conclusion
In this article we covered how to retrieve a list of the resources associated with an ASG using Azure Resource Graph Explorer. We also discussed how to set up monitoring that alerts you when a new VM is added to an ASG.