Application security groups

Application security groups are logical collections of VM NICs that can be used as the source or the destination in network security group rules, which makes network security groups more flexible. For example, let's assume that we have two VMs that need to access a PostgreSQL database on port 5432, and we want to make sure that only those two VMs can reach the database:

We can create two application security groups named web and db. Then, we join the NICs of the two VMs to the web group and the NIC of the database VM to the db group, and create the following network security group rules:

Direction | Priority | Source | Source ports | Destination | Dest ports | Protocol | Access
Inbound   | 120      | *      | *            | db          | 0-65535    | All      | Deny
Inbound   | 110      | web    | *            | db          | 5432       | TCP      | Allow

According to this table, the second rule takes precedence over the first one, because a lower priority number is evaluated first (110 before 120) and evaluation stops at the first match. Only members of the web group can reach the db group on TCP port 5432; all other inbound traffic to the db group is denied.
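To make the evaluation order concrete, here is a small Python model of how an NSG processes the two rules above. It is an added example, not code from the book or from Azure: the NIC names and group membership are constructed, and the model stands in for Azure's default rules (AllowVnetInBound 65000, AllowAzureLoadBalancerInBound 65001, DenyAllInBound 65500) with a single catch-all deny. It also shows what happens when the two priorities are swapped by mistake, which silently blocks the web VMs as well.

```python
from dataclasses import dataclass

# Constructed example data (not from the book): which NICs belong to which
# application security group. In Azure this membership is a property of the NIC.
ASG_MEMBERS = {
    "web": {"web-vm-1-nic", "web-vm-2-nic"},
    "db": {"db-vm-1-nic"},
}


@dataclass(frozen=True)
class Rule:
    """One NSG rule. Source and destination are '*' or the name of an ASG."""
    priority: int
    direction: str      # "Inbound" or "Outbound"
    source: str
    source_ports: str   # "*", a single port, or "lo-hi"
    destination: str
    dest_ports: str
    protocol: str       # "TCP", "UDP" or "All"
    access: str         # "Allow" or "Deny"


# The two rules from the table in the text.
RULES = [
    Rule(120, "Inbound", "*",   "*", "db", "0-65535", "All", "Deny"),
    Rule(110, "Inbound", "web", "*", "db", "5432",    "TCP", "Allow"),
]

# The same rules with the priorities swapped: a common misconfiguration.
SWAPPED_RULES = [
    Rule(110, "Inbound", "*",   "*", "db", "0-65535", "All", "Deny"),
    Rule(120, "Inbound", "web", "*", "db", "5432",    "TCP", "Allow"),
]


def _nic_matches(selector: str, nic: str) -> bool:
    """'*' matches any NIC; an ASG name matches only NICs joined to that group."""
    return selector == "*" or nic in ASG_MEMBERS.get(selector, set())


def _port_matches(port: int, spec: str) -> bool:
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = (int(p) for p in spec.split("-", 1))
        return lo <= port <= hi
    return port == int(spec)


def evaluate(rules, direction, src_nic, src_port, dst_nic, dst_port, protocol):
    """Return (access, priority) of the first rule that matches the flow.

    Rules are tried in ascending priority number, so the lower number wins,
    and evaluation stops at the first match. Flows matching no custom rule
    fall through to Azure's default rules; this simplified model represents
    them with a single catch-all deny at 65500.
    """
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.direction != direction:
            continue
        if rule.protocol != "All" and rule.protocol != protocol:
            continue
        if not _nic_matches(rule.source, src_nic):
            continue
        if not _nic_matches(rule.destination, dst_nic):
            continue
        if not _port_matches(src_port, rule.source_ports):
            continue
        if not _port_matches(dst_port, rule.dest_ports):
            continue
        return rule.access, rule.priority
    return "Deny", 65500


if __name__ == "__main__":
    cases = [
        ("web-vm-1-nic", 5432, "TCP"),   # the intended path
        ("web-vm-1-nic", 22, "TCP"),     # web VM, but a port the rule does not cover
        ("other-vm-nic", 5432, "TCP"),   # NIC that is not a member of web
        ("web-vm-2-nic", 5432, "UDP"),   # right port, wrong protocol
    ]
    for src, port, proto in cases:
        result = evaluate(RULES, "Inbound", src, 40000, "db-vm-1-nic", port, proto)
        print(f"{src} -> db-vm-1-nic:{port}/{proto} = {result}")
    swapped = evaluate(SWAPPED_RULES, "Inbound", "web-vm-1-nic", 40000, "db-vm-1-nic", 5432, "TCP")
    print(f"with priorities swapped, web -> db:5432/TCP = {swapped}")
```

The swapped-priority case is the one to check for in review: the deny at 110 is matched first, so the allow at 120 is never reached and the web tier loses database access. In the real Azure CLI the same rules are expressed with the `--source-asgs` and `--destination-asgs` options of `az network nsg rule create`, and the priority values carry the same lower-number-first semantics.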
