The Application Security Group feature was just released in April. We are trying to implement this since we have a large number of servers, so the Network Security Group can quickly become hard to manage.
I cannot find any example Terraform code for this. I've modified the example Terraform code from https://docs.microsoft.com/en-us/azure/virtual-machines/linux/terraform-create-complete-vm for a quick POC. The scenario is that we have a group of bastion servers (for now just 1) that we secure, and all SSH access to important servers will come from these bastion servers. So I've created a bastion_asg Application Security Group and have set up the DL2staging_rtb_nsg to only allow servers from bastion_asg SSH access. However, once it ran and created the servers, I was not able to SSH into DL2staging_rtb_vm. I've attached my code.
Would really appreciate any and all pointers as to what might be wrong with my POC.
Thanks,
Derek
** Here is the main code addition to the sample Terraform code from https://docs.microsoft.com/en-us/azure/virtual-machines/linux/terraform-create-complete-vm:
resource "azurerm_network_security_group" "DL2staging_rtb_nsg" {
  ...
  security_rule {
    name = "AllowSSHInbound"
    ...
    source_application_security_group_ids = ["${azurerm_application_security_group.bastion_asg.id}"]
    destination_address_prefix = "*"
  }
}

# Create network interface
resource "azurerm_network_interface" "DL2staging_rtb_nic" {
  ...
  ip_configuration {
    name = "DL2NicConfiguration"
    ...
    application_security_group_ids = ["${azurerm_application_security_group.staging_sellsidertb_asg.id}"]
  }
}
The complete code is at https://github.com/dl888888/azure-terraform-application-security-group/blob/master/vm3.tf
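For reference, here is a minimal Terraform layout for the intent described in the post (SSH to the application servers only from members of a bastion ASG). This is an added example, not the post's code or the Microsoft sample; it assumes azurerm provider 2.0 or later (where ASG membership is a separate association resource rather than an inline NIC attribute), and an existing resource group, subnet and two NICs whose names and the `var.*` values are placeholders.

```hcl
# Assumed: azurerm provider >= 2.0; var.location, var.rg_name, the subnet and
# the NICs bastion_nic / app_nic already exist. All names are placeholders.
resource "azurerm_application_security_group" "bastion_asg" {
  name                = "bastion-asg"
  location            = var.location
  resource_group_name = var.rg_name
}

resource "azurerm_application_security_group" "app_asg" {
  name                = "app-asg"
  location            = var.location
  resource_group_name = var.rg_name
}

# Membership is what makes the rule match: an ASG that is referenced in a rule
# but has no NIC attached matches nothing, so SSH from the bastion is denied.
resource "azurerm_network_interface_application_security_group_association" "bastion" {
  network_interface_id          = azurerm_network_interface.bastion_nic.id
  application_security_group_id = azurerm_application_security_group.bastion_asg.id
}

resource "azurerm_network_interface_application_security_group_association" "app" {
  network_interface_id          = azurerm_network_interface.app_nic.id
  application_security_group_id = azurerm_application_security_group.app_asg.id
}

resource "azurerm_network_security_group" "app_nsg" {
  name                = "app-nsg"
  location            = var.location
  resource_group_name = var.rg_name

  # Only bastion members may reach app members on TCP/22; any other inbound
  # traffic falls through to the platform default DenyAllInbound rule.
  security_rule {
    name                                       = "AllowSSHFromBastion"
    priority                                   = 100
    direction                                  = "Inbound"
    access                                     = "Allow"
    protocol                                   = "Tcp"
    source_port_range                          = "*"
    destination_port_range                     = "22"
    source_application_security_group_ids      = [azurerm_application_security_group.bastion_asg.id]
    destination_application_security_group_ids = [azurerm_application_security_group.app_asg.id]
  }
}

resource "azurerm_subnet_network_security_group_association" "app" {
  subnet_id                 = azurerm_subnet.app_subnet.id
  network_security_group_id = azurerm_network_security_group.app_nsg.id
}
```

Because an ASG source only matches NICs inside the virtual network, a direct SSH from outside to an app VM is expected to fail under this rule; the check is to hop through a bastion member and to confirm each NIC's ASG membership and effective rules with `az network nic list-effective-nsg`.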