Allow Custom Network Security Group rules based on custom tags
One of the biggest issues I have with Azure's interpretation of Security Groups is the inability to apply custom tags to the ruleset. I should be able to filter traffic based on tags I generated for my resources. A good example would be creating a tag on an Azure IaaS VM called "app-x-webserver" and then tagging my Azure SQL Db with "app-x-sqldb".
While I know that you can use an Application Security Group for the IaaS part, it's not supported on PaaS. It is also limited to a specific vNET inside of a single Region. This severely limits the usefulness of ASGs. I'm also not sold on having to "attach" something as a resource (ASG) to another resource (Virtual NIC) that is a resource of my resource (IaaS VM) to get this functionality; that is just overly complicated for something so simple. We are already "tagging" our resources, so to me it makes more sense to simply use those tags for our NSG filters.
It would also be nice to be able to define a "Custom Service Tag" (as opposed to an Application Security Group) as a resource that contains a list of values. So, for example, with Datadog I could create a list of their public IPs under a single custom Service Tag called "datadog-service" and another for their required ports called "datadog-ports".
That would give us a very clean and clear-looking NSG rule (almost self-documenting):
DESCRIPTION: "This rule allows app-x webservers to talk to app-x SQL Db"
We should also then be able to use our "tags" inside of PaaS-specific Network/Firewall settings, i.e. our Azure SQL Db Firewall would have a rule to allow traffic from "app-x-webserver" instead of a CIDR/IP. This is just cleaner to read and would allow for a more dynamic front end without exposing a larger CIDR range. The same goes for Azure Firewall: it would give all of the various Azure security endpoints a common solution and a more homogeneous feel.
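For contrast, here is how the same intent has to be expressed with the primitives Azure offers today. This is an added example for this page, not code from the original post or from Microsoft: an Application Security Group stands in for the "app-x-webserver" tag on the IaaS side, the built-in `Sql` service tag is the closest available fit for the PaaS side (it matches every Azure SQL endpoint, not one specific database), and the proposed "datadog-service" custom tag has to be flattened into an address list maintained inside the rule itself. The resource names, priorities and the 203.0.113.x addresses are placeholders assumed for illustration (the addresses are from a documentation range, not Datadog's real published ranges).

```bicep
// Added example (not from the original post): today's equivalent of the requested
// tag-based rules. Names, priorities and the vendor IP list are assumed placeholders.
param location string = resourceGroup().location

// The ASG is a separate resource; a VM joins it only through its NIC's
// ipConfigurations[].properties.applicationSecurityGroups, and the ASG and NIC
// must live in the same VNet and region.
resource asgWeb 'Microsoft.Network/applicationSecurityGroups@2023-04-01' = {
  name: 'app-x-webserver'
  location: location
}

resource nsg 'Microsoft.Network/networkSecurityGroups@2023-04-01' = {
  name: 'app-x-nsg'
  location: location
  properties: {
    securityRules: [
      {
        name: 'allow-app-x-web-to-sql'
        properties: {
          description: 'This rule allows app-x webservers to talk to app-x SQL Db'
          priority: 100
          direction: 'Outbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourcePortRange: '*'
          destinationPortRange: '1433'
          // IaaS side: the ASG plays the role of the "app-x-webserver" tag.
          sourceApplicationSecurityGroups: [
            {
              id: asgWeb.id
            }
          ]
          // PaaS side: no ASG is possible, so the built-in Sql service tag is used.
          // It covers every Azure SQL endpoint, not just the app-x database.
          destinationAddressPrefix: 'Sql'
        }
      }
      {
        name: 'allow-datadog-egress'
        properties: {
          description: 'Stand-in for a custom "datadog-service" tag: the IP list lives in the rule'
          priority: 110
          direction: 'Outbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourcePortRange: '*'
          destinationPortRange: '443'
          sourceApplicationSecurityGroups: [
            {
              id: asgWeb.id
            }
          ]
          // Placeholder documentation-range addresses; a real deployment would have to
          // copy the vendor's published ranges here and re-deploy whenever they change.
          destinationAddressPrefixes: [
            '203.0.113.10/32'
            '203.0.113.11/32'
          ]
        }
      }
    ]
  }
}
```

The two rules make the gap concrete: the web-to-SQL rule widens the destination from one database to the whole `Sql` service tag because PaaS resources cannot be ASG members, and the Datadog rule embeds the vendor's addresses in the NSG rather than referencing a reusable, separately maintained tag.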