
Use NSGs on subnets#

Security · Virtual Network · Rule · 2020_06 · Critical

Virtual network (VNET) subnets should have Network Security Groups (NSGs) assigned.

Description#

Each VNET subnet should have a network security group (NSG) assigned. NSGs are basic stateful firewalls that provide network isolation and security within a VNET. A key benefit of NSGs is that they provide network segmentation between and within subnets.

NSGs can be assigned to a virtual machine network interface or a subnet. When assigning NSGs to a subnet, all network traffic within the subnet is subject to the NSG rules.

There is a small subset of special purpose subnets that do not support NSGs. These subnets are:

  • GatewaySubnet - used for hybrid connectivity with VPN and ExpressRoute gateways.
  • AzureFirewallSubnet and AzureFirewallManagementSubnet - used by Azure Firewall. Azure Firewall includes an intrinsic NSG that is not directly manageable or visible.
  • RouteServerSubnet - used by managed routing provided by Azure Route Server.
  • Any subnet delegated to a dedicated HSM with Microsoft.HardwareSecurityModules/dedicatedHSMs.

Recommendation#

Consider assigning a network security group (NSG) to each virtual network subnet.

Examples#

Configure with Bicep#

To deploy virtual network subnets that pass this rule:

  • Set the properties.networkSecurityGroup.id property for each supported subnet to an NSG resource id.

For example:

Azure Bicep snippet
resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: name
  location: location
  properties: {
    addressSpace: {
      addressPrefixes: [
        '10.0.0.0/16'
      ]
    }
    dhcpOptions: {
      dnsServers: [
        '10.0.1.4'
        '10.0.1.5'
      ]
    }
    subnets: [
      {
        name: 'GatewaySubnet'
        properties: {
          addressPrefix: '10.0.0.0/24'
        }
      }
      {
        name: 'snet-001'
        properties: {
          addressPrefix: '10.0.1.0/24'
          networkSecurityGroup: {
            id: nsg.id
          }
        }
      }
    ]
  }
}

Configure with Azure template#

To deploy virtual network subnets that pass this rule:

  • Set the properties.networkSecurityGroup.id property for each supported subnet to an NSG resource id.

For example:

Azure Template snippet
{
  "type": "Microsoft.Network/virtualNetworks",
  "apiVersion": "2023-05-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "properties": {
    "addressSpace": {
      "addressPrefixes": [
        "10.0.0.0/16"
      ]
    },
    "dhcpOptions": {
      "dnsServers": [
        "10.0.1.4",
        "10.0.1.5"
      ]
    },
    "subnets": [
      {
        "name": "GatewaySubnet",
        "properties": {
          "addressPrefix": "10.0.0.0/24"
        }
      },
      {
        "name": "snet-001",
        "properties": {
          "addressPrefix": "10.0.1.0/24",
          "networkSecurityGroup": {
            "id": "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('nsgName'))]"
          }
        }
      }
    ]
  },
  "dependsOn": [
    "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('nsgName'))]"
  ]
}

Configure with Azure CLI#

Azure CLI snippet
az network vnet subnet update -n '<subnet>' -g '<resource_group>' --vnet-name '<vnet_name>' --network-security-group '<nsg_name>'

Configure with Azure PowerShell#

Azure PowerShell snippet
$vnet = Get-AzVirtualNetwork -Name '<vnet_name>' -ResourceGroupName '<resource_group>'
$nsg = Get-AzNetworkSecurityGroup -Name '<nsg_name>' -ResourceGroupName '<resource_group>'
Set-AzVirtualNetworkSubnetConfig -Name '<subnet>' -VirtualNetwork $vnet -AddressPrefix '10.0.1.0/24' -NetworkSecurityGroup $nsg
# Set-AzVirtualNetworkSubnetConfig only updates the in-memory $vnet object; write the change back to Azure.
$vnet | Set-AzVirtualNetwork

Notes#

If you identify a false positive for an Azure service that does not support NSGs, please open an issue to help us improve this rule.

Rule configuration#

AZURE_VNET_SUBNET_EXCLUDED_FROM_NSG

To exclude subnets that are specific to your environment, use the AZURE_VNET_SUBNET_EXCLUDED_FROM_NSG configuration option. Any subnet names specified by this option will be ignored by this rule.

For example:

configuration:
  AZURE_VNET_SUBNET_EXCLUDED_FROM_NSG:
  - subnet-1
  - subnet-2
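As an added example (not part of PSRule for Azure or of this page), the following Python check applies the rule's logic to the subnets of an ARM virtual network resource: it skips the special-purpose subnets listed in the description, subnets delegated to a dedicated HSM and names from an exclusion list standing in for AZURE_VNET_SUBNET_EXCLUDED_FROM_NSG, and reports the remaining subnets that have no properties.networkSecurityGroup.id. The template, subnet names and NSG name are constructed for the example; subnets declared as separate child resources are not covered.

```python
import json

# Special-purpose subnets that do not support NSGs (from the rule description).
NSG_UNSUPPORTED = {"GatewaySubnet", "AzureFirewallSubnet",
                   "AzureFirewallManagementSubnet", "RouteServerSubnet"}
DEDICATED_HSM = "Microsoft.HardwareSecurityModules/dedicatedHSMs"


def is_hsm_delegated(props):
    """True if the subnet is delegated to a dedicated HSM (no NSG support)."""
    return any(d.get("properties", {}).get("serviceName") == DEDICATED_HSM
               for d in props.get("delegations", []))


def subnets_missing_nsg(vnet, excluded=()):
    """Names of subnets in an ARM virtualNetworks resource the rule would flag:
    no networkSecurityGroup.id, not special-purpose, not HSM-delegated and
    not listed in the exclusion list (AZURE_VNET_SUBNET_EXCLUDED_FROM_NSG)."""
    flagged = []
    for subnet in vnet.get("properties", {}).get("subnets", []):
        name, props = subnet.get("name", ""), subnet.get("properties", {})
        if name in NSG_UNSUPPORTED or name in set(excluded) or is_hsm_delegated(props):
            continue
        # Missing key, null or empty string all count as "no NSG assigned".
        if not (props.get("networkSecurityGroup") or {}).get("id"):
            flagged.append(name)
    return flagged


# Constructed sample template for this example (not from the page).
SAMPLE_VNET = json.loads("""{
  "type": "Microsoft.Network/virtualNetworks", "apiVersion": "2023-05-01",
  "name": "vnet-001", "properties": {"subnets": [
    {"name": "GatewaySubnet", "properties": {"addressPrefix": "10.0.0.0/24"}},
    {"name": "snet-001", "properties": {"addressPrefix": "10.0.1.0/24",
      "networkSecurityGroup": {"id": "[resourceId('Microsoft.Network/networkSecurityGroups', 'nsg-001')]"}}},
    {"name": "snet-002", "properties": {"addressPrefix": "10.0.2.0/24"}},
    {"name": "snet-hsm", "properties": {"addressPrefix": "10.0.3.0/24", "delegations": [
      {"name": "hsm", "properties": {"serviceName": "Microsoft.HardwareSecurityModules/dedicatedHSMs"}}]}},
    {"name": "subnet-1", "properties": {"addressPrefix": "10.0.4.0/24"}}
  ]}
}""")

if __name__ == "__main__":
    # subnet-1 is excluded by configuration, so only snet-002 is reported.
    print(subnets_missing_nsg(SAMPLE_VNET, excluded=["subnet-1"]))  # ['snet-002']
```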
