Use NSGs on subnets

April 16, 2025 · View on GitHub

SYNOPSIS

Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned.

DESCRIPTION

Each VNET subnet should have a network security group (NSG) assigned. NSGs are basic stateful firewalls (layer 3/4 allow and deny rules on source, destination, port and protocol) that provide network isolation within a VNET. A key benefit of NSGs is that they provide network segmentation between subnets and, because the rules are enforced per network interface, between workloads within the same subnet.

NSGs can be assigned to a virtual machine network interface or a subnet. When an NSG is assigned to a subnet, all traffic to and from network interfaces in that subnet is subject to the NSG rules. If an NSG is also assigned to a network interface, both are evaluated (the subnet NSG first for inbound traffic, the NIC NSG first for outbound) and traffic must be allowed by both to pass.

There is a small subset of special purpose subnets that do not support NSGs. These subnets are:

  • GatewaySubnet - used for hybrid connectivity with VPN and ExpressRoute gateways.
  • AzureFirewallSubnet and AzureFirewallManagementSubnet - used by Azure Firewall. Azure Firewall includes an intrinsic NSG that is not directly manageable or visible.
  • RouteServerSubnet - used by managed routing provided by Azure Route Server.
  • Any subnet delegated to a dedicated HSM with Microsoft.HardwareSecurityModules/dedicatedHSMs.

RECOMMENDATION

Consider assigning a network security group (NSG) to each virtual network subnet.

EXAMPLES

Configure with Bicep

To deploy virtual network subnets that pass this rule:

  • Set the properties.networkSecurityGroup.id property for each supported subnet to an NSG resource id.

For example:

param name string
param location string = resourceGroup().location

// Name of an existing NSG in the same resource group.
param nsgName string

// Reference the existing NSG so its resource id can be assigned to subnets.
resource nsg 'Microsoft.Network/networkSecurityGroups@2023-05-01' existing = {
  name: nsgName
}

resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: name
  location: location
  properties: {
    addressSpace: {
      addressPrefixes: [
        '10.0.0.0/16'
      ]
    }
    dhcpOptions: {
      dnsServers: [
        '10.0.1.4'
        '10.0.1.5'
      ]
    }
    subnets: [
      {
        // GatewaySubnet does not support NSGs, so none is assigned here.
        name: 'GatewaySubnet'
        properties: {
          addressPrefix: '10.0.0.0/24'
        }
      }
      {
        // Regular subnet: the NSG resource id is assigned.
        name: 'snet-001'
        properties: {
          addressPrefix: '10.0.1.0/24'
          networkSecurityGroup: {
            id: nsg.id
          }
        }
      }
    ]
  }
}

Configure with Azure template

To deploy virtual network subnets that pass this rule:

  • Set the properties.networkSecurityGroup.id property for each supported subnet to an NSG resource id.

For example:

{
  "type": "Microsoft.Network/virtualNetworks",
  "apiVersion": "2023-05-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "properties": {
    "addressSpace": {
      "addressPrefixes": [
        "10.0.0.0/16"
      ]
    },
    "dhcpOptions": {
      "dnsServers": [
        "10.0.1.4",
        "10.0.1.5"
      ]
    },
    "subnets": [
      {
        "name": "GatewaySubnet",
        "properties": {
          "addressPrefix": "10.0.0.0/24"
        }
      },
      {
        "name": "snet-001",
        "properties": {
          "addressPrefix": "10.0.1.0/24",
          "networkSecurityGroup": {
            "id": "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('nsgName'))]"
          }
        }
      }
    ]
  },
  "dependsOn": [
    "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('nsgName'))]"
  ]
}

Configure with Azure CLI

az network vnet subnet update -n '<subnet>' -g '<resource_group>' --vnet-name '<vnet_name>' --network-security-group '<nsg_name>'

Configure with Azure PowerShell

$vnet = Get-AzVirtualNetwork -Name '<vnet_name>' -ResourceGroupName '<resource_group>'
$nsg = Get-AzNetworkSecurityGroup -Name '<nsg_name>' -ResourceGroupName '<resource_group>'
# Update the subnet configuration in the in-memory VNET object.
Set-AzVirtualNetworkSubnetConfig -Name '<subnet>' -VirtualNetwork $vnet -AddressPrefix '10.0.1.0/24' -NetworkSecurityGroup $nsg
# Write the modified VNET back to Azure; without this the change is not applied.
$vnet | Set-AzVirtualNetwork

NOTES

If you identify a false positive for an Azure service that does not support NSGs, please open an issue to help us improve this rule.

Rule configuration

To exclude subnets that are specific to your environment, use the AZURE_VNET_SUBNET_EXCLUDED_FROM_NSG configuration option. Any subnet names specified by this option will be ignored by this rule.

For example:

configuration:
  AZURE_VNET_SUBNET_EXCLUDED_FROM_NSG:
  - subnet-1
  - subnet-2
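The following is an added example, not code from PSRule for Azure. It implements the check described on this page over an ARM template: it walks both inline subnets and child `Microsoft.Network/virtualNetworks/subnets` resources, skips the special-purpose subnets listed under DESCRIPTION (by name, or by a `Microsoft.HardwareSecurityModules/dedicatedHSMs` delegation) and any names passed as an exclusion list equivalent to AZURE_VNET_SUBNET_EXCLUDED_FROM_NSG, and reports subnets whose `networkSecurityGroup.id` is missing. The template, VNET and subnet names, and the exclusion list are constructed for illustration.

```python
"""Audit ARM template virtual network subnets for missing NSG assignments.

Added example; not part of PSRule for Azure. Names and template are constructed.
"""
import json
from typing import Any, Dict, Iterable, List, Tuple

# Special-purpose subnets that do not support NSGs (exempt from the check).
EXEMPT_SUBNET_NAMES = {
    "GatewaySubnet",
    "AzureFirewallSubnet",
    "AzureFirewallManagementSubnet",
    "RouteServerSubnet",
}
# Subnets delegated to this service also do not support NSGs.
EXEMPT_DELEGATIONS = {"Microsoft.HardwareSecurityModules/dedicatedHSMs"}

VNET_TYPE = "Microsoft.Network/virtualNetworks"
SUBNET_TYPE = "Microsoft.Network/virtualNetworks/subnets"


def delegation_services(props: Dict[str, Any]) -> List[str]:
    """Return the serviceName of every delegation on a subnet."""
    out = []
    for d in props.get("delegations") or []:
        name = (d.get("properties") or {}).get("serviceName")
        if name:
            out.append(name)
    return out


def subnet_is_exempt(name: str, props: Dict[str, Any], excluded: Iterable[str]) -> bool:
    """True when the rule should skip this subnet (unsupported or excluded by config)."""
    if name in EXEMPT_SUBNET_NAMES or name in set(excluded):
        return True
    return any(svc in EXEMPT_DELEGATIONS for svc in delegation_services(props))


def has_nsg(props: Dict[str, Any]) -> bool:
    """A subnet passes when networkSecurityGroup.id is present and non-empty."""
    return bool((props.get("networkSecurityGroup") or {}).get("id"))


def iter_subnets(template: Dict[str, Any]) -> Iterable[Tuple[str, str, Dict[str, Any]]]:
    """Yield (vnet_name, subnet_name, subnet_properties) for inline and child-resource subnets."""
    for res in template.get("resources", []):
        rtype = res.get("type", "")
        if rtype == VNET_TYPE:
            for sn in (res.get("properties") or {}).get("subnets") or []:
                yield res["name"], sn["name"], sn.get("properties") or {}
        elif rtype == SUBNET_TYPE:
            # Child resource names take the form "vnet/subnet".
            vnet_name, _, subnet_name = res["name"].partition("/")
            yield vnet_name, subnet_name, res.get("properties") or {}


def find_subnets_without_nsg(template: Dict[str, Any], excluded: Iterable[str] = ()) -> List[Tuple[str, str]]:
    """Return (vnet, subnet) pairs that should have an NSG but do not."""
    excluded = set(excluded)
    return [
        (vnet, subnet)
        for vnet, subnet, props in iter_subnets(template)
        if not subnet_is_exempt(subnet, props, excluded) and not has_nsg(props)
    ]


# Constructed sample template (hypothetical names) exercising each branch of the check.
SAMPLE_TEMPLATE = json.dumps({
    "resources": [
        {
            "type": VNET_TYPE, "name": "vnet-hub",
            "properties": {"subnets": [
                {"name": "GatewaySubnet", "properties": {"addressPrefix": "10.0.0.0/24"}},
                {"name": "snet-001", "properties": {
                    "addressPrefix": "10.0.1.0/24",
                    "networkSecurityGroup": {"id": "[resourceId('Microsoft.Network/networkSecurityGroups', 'nsg-001')]"}}},
                {"name": "snet-002", "properties": {"addressPrefix": "10.0.2.0/24"}},
                {"name": "snet-hsm", "properties": {
                    "addressPrefix": "10.0.3.0/24",
                    "delegations": [{"name": "hsm", "properties": {
                        "serviceName": "Microsoft.HardwareSecurityModules/dedicatedHSMs"}}]}},
                {"name": "snet-legacy", "properties": {"addressPrefix": "10.0.4.0/24"}},
            ]},
        },
        {"type": SUBNET_TYPE, "name": "vnet-hub/snet-003",
         "properties": {"addressPrefix": "10.0.5.0/24"}},
    ]
})


def audit_sample() -> List[Tuple[str, str]]:
    """Run the check over the sample with snet-legacy excluded, as the config option would."""
    return find_subnets_without_nsg(json.loads(SAMPLE_TEMPLATE), excluded=["snet-legacy"])


if __name__ == "__main__":
    for vnet, subnet in audit_sample():
        print(f"FAIL {vnet}/{subnet}: no network security group assigned")
```

Run against a real template, only the two unprotected regular subnets are reported; GatewaySubnet, the dedicated HSM subnet and the excluded name are skipped, matching the rule's own exemptions.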