Use NSGs on subnets
April 16, 2025
SYNOPSIS
Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned.
DESCRIPTION
Each VNET subnet should have a network security group (NSG) assigned. NSGs are basic stateful firewalls that provide network isolation and security within a VNET. A key benefit of NSGs is that they provide network segmentation between and within subnets.
NSGs can be assigned to a virtual machine network interface or a subnet. When assigning NSGs to a subnet, all network traffic within the subnet is subject to the NSG rules.
There is a small subset of special purpose subnets that do not support NSGs. These subnets are:
- GatewaySubnet - used for hybrid connectivity with VPN and ExpressRoute gateways.
- AzureFirewallSubnet and AzureFirewallManagementSubnet - are for Azure Firewall. Azure Firewall includes an intrinsic NSG that is not directly manageable or visible.
- RouteServerSubnet - used by managed routing provided by Azure Route Server.
- Any subnet delegated to a dedicated HSM with Microsoft.HardwareSecurityModules/dedicatedHSMs.
RECOMMENDATION
Consider assigning a network security group (NSG) to each virtual network subnet.
EXAMPLES
Configure with Bicep
To deploy virtual network subnets that pass this rule:
- Set the properties.networkSecurityGroup.id property for each supported subnet to an NSG resource id.
For example:
resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: name
  location: location
  properties: {
    addressSpace: {
      addressPrefixes: [
        '10.0.0.0/16'
      ]
    }
    dhcpOptions: {
      dnsServers: [
        '10.0.1.4'
        '10.0.1.5'
      ]
    }
    subnets: [
      {
        name: 'GatewaySubnet'
        properties: {
          addressPrefix: '10.0.0.0/24'
        }
      }
      {
        name: 'snet-001'
        properties: {
          addressPrefix: '10.0.1.0/24'
          networkSecurityGroup: {
            id: nsg.id
          }
        }
      }
    ]
  }
}
Configure with Azure template
To deploy virtual network subnets that pass this rule:
- Set the properties.networkSecurityGroup.id property for each supported subnet to an NSG resource id.
For example:
{
  "type": "Microsoft.Network/virtualNetworks",
  "apiVersion": "2023-05-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "properties": {
    "addressSpace": {
      "addressPrefixes": [
        "10.0.0.0/16"
      ]
    },
    "dhcpOptions": {
      "dnsServers": [
        "10.0.1.4",
        "10.0.1.5"
      ]
    },
    "subnets": [
      {
        "name": "GatewaySubnet",
        "properties": {
          "addressPrefix": "10.0.0.0/24"
        }
      },
      {
        "name": "snet-001",
        "properties": {
          "addressPrefix": "10.0.1.0/24",
          "networkSecurityGroup": {
            "id": "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('nsgName'))]"
          }
        }
      }
    ]
  },
  "dependsOn": [
    "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('nsgName'))]"
  ]
}
Configure with Azure CLI
az network vnet subnet update -n '<subnet>' -g '<resource_group>' --vnet-name '<vnet_name>' --network-security-group '<nsg_name>'
Configure with Azure PowerShell
$vnet = Get-AzVirtualNetwork -Name '<vnet_name>' -ResourceGroupName '<resource_group>'
$nsg = Get-AzNetworkSecurityGroup -Name '<nsg_name>' -ResourceGroupName '<resource_group>'
# Set-AzVirtualNetworkSubnetConfig only updates the in-memory VNET object; write it back with Set-AzVirtualNetwork.
Set-AzVirtualNetworkSubnetConfig -Name '<subnet>' -VirtualNetwork $vnet -AddressPrefix '10.0.1.0/24' -NetworkSecurityGroup $nsg | Set-AzVirtualNetwork
NOTES
If you identify a false positive for an Azure service that does not support NSGs, please open an issue to help us improve this rule.
Rule configuration
To exclude subnets that are specific to your environment, use the AZURE_VNET_SUBNET_EXCLUDED_FROM_NSG configuration option.
Any subnet names specified by this option will be ignored by this rule.
For example:
configuration:
  AZURE_VNET_SUBNET_EXCLUDED_FROM_NSG:
  - subnet-1
  - subnet-2
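As an added example, not part of the PSRule documentation or the rule's own implementation, the following Python function applies the same check to an ARM template as the one in the examples above: it skips the special-purpose subnets listed in the description, subnets delegated to Microsoft.HardwareSecurityModules/dedicatedHSMs, and any names supplied as an exclusion list in the same way AZURE_VNET_SUBNET_EXCLUDED_FROM_NSG does, then reports every remaining subnet without a networkSecurityGroup.id. The function names, the sample template, its subnet names and the NSG id are all constructed for this example.

```python
# Special-purpose subnets that never support an NSG (as listed in the rule description).
NSG_UNSUPPORTED_SUBNETS = {"GatewaySubnet", "AzureFirewallSubnet",
                           "AzureFirewallManagementSubnet", "RouteServerSubnet"}
# A subnet delegated to a dedicated HSM is exempt as well.
HSM_DELEGATION = "Microsoft.HardwareSecurityModules/dedicatedHSMs"


def subnet_is_exempt(subnet, excluded):
    """True when the check should skip this subnet (special purpose, HSM delegated, or excluded)."""
    name = subnet.get("name", "")
    if name in NSG_UNSUPPORTED_SUBNETS or name in excluded:
        return True
    delegations = subnet.get("properties", {}).get("delegations") or []
    return any(d.get("properties", {}).get("serviceName") == HSM_DELEGATION for d in delegations)


def subnets_missing_nsg(template, excluded=()):
    """Return 'vnet/subnet' names for subnets in an ARM template that have no NSG assigned."""
    findings = []
    for res in template.get("resources", []):
        if res.get("type") != "Microsoft.Network/virtualNetworks":
            continue
        for subnet in res.get("properties", {}).get("subnets", []):
            if subnet_is_exempt(subnet, set(excluded)):
                continue
            nsg_id = (subnet.get("properties", {}).get("networkSecurityGroup") or {}).get("id")
            if not nsg_id:  # missing, null or empty id all count as "no NSG"
                findings.append(f"{res.get('name')}/{subnet.get('name')}")
    return findings


# Constructed sample template (hypothetical names, not a real deployment): an exempt
# GatewaySubnet, a compliant subnet, an HSM-delegated subnet, and a subnet missing its NSG.
SAMPLE_TEMPLATE = {"resources": [{
    "type": "Microsoft.Network/virtualNetworks", "name": "vnet-001",
    "properties": {"subnets": [
        {"name": "GatewaySubnet", "properties": {"addressPrefix": "10.0.0.0/24"}},
        {"name": "snet-001", "properties": {"addressPrefix": "10.0.1.0/24",
                                            "networkSecurityGroup": {"id": "nsg-001-resource-id"}}},
        {"name": "snet-hsm", "properties": {"addressPrefix": "10.0.2.0/24",
                                            "delegations": [{"name": "hsm", "properties": {"serviceName": HSM_DELEGATION}}]}},
        {"name": "snet-002", "properties": {"addressPrefix": "10.0.3.0/24"}},
    ]},
}]}

if __name__ == "__main__":
    print(subnets_missing_nsg(SAMPLE_TEMPLATE))                         # ['vnet-001/snet-002']
    print(subnets_missing_nsg(SAMPLE_TEMPLATE, excluded=["snet-002"]))  # []
```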