Manage NSG association on Subnets via Azure Policy
In this blog article, we will cover how to deny the creation of a subnet in a Virtual Network if the subnet does not have a Network Security Group associated with it, using a custom Azure Policy.
You can follow the steps below to create a custom policy:
1) From the Azure portal, access Azure policy, then definitions blade.
2) Create a new policy definition.
3) Add the definition location (which subscription will be hosting this policy), Name, and description.
4) Set the category to use existing and select Networking (as below):
5) Then add the below policy definition into the rule field:
Note: you can adjust the below parameters as needed, also the below example excludes the following subnets. You can add more subnets of your choice.
"GatewaySubnet",
"AzureFirewallSubnet",
"AzureBastionSubnet",
"AzureFirewallManagementSubnet"
6) Then save the policy.
Now you can assign this policy as per your requirements.
1) From Azure policies page, and access definitions blade -> select the created custom policy, and click assign policy (you can assign on the Subscription level or a specific resource group depending on your business requirements).
2) To update the excluded subnet list at time of policy assignment. Go to Parameters tab, then uncheck the box "Only show parameters that need input or review" and select of the three dots next to the "Excluded subnets" box.
3) It will open the editor; update the subnet name you want to exclude and click save.
4) Click Next, and Next, update the "Non-compliance message" as per your requirement.
5) Click review + create and review the output. Once verified create the policy assignment. Policy assignment usually takes around 5-15 minutes to take effect.
To update the list of excluded subnets after the policy assignment.
1) From the Azure portal, access Azure policy, then Assignments blade and search the assignment.
2) Open the assignment by clicking on the name
3) Select Edit assignment
4) Go to Parameters tab, then uncheck the box "Only show parameters that need input or review" and select of the three dots next to the "Excluded subnets" box.
5) It will open the editor; update the subnet name you want to exclude and click save.
Disclaimer
- Please note that products and options presented in this article are subject to change. This article reflects custom policy for Azure Subnets in September 2024.
- If users have the required permissions, they can create exemptions for their resources, which makes this policy ineffective for those resources.
- Some subnets managed by Azure services may not require an NSG. Ensure these subnets are added to the excluded subnet list or use a policy exception as needed.
- It is highly recommended to test this policy in a non-production environment before applying it to your production environment to avoid any unintended disruptions and to make sure it meets your requirements.
References
Tutorial: Create a custom policy definition - Azure Policy | Microsoft Learn
Programmatically create policies - Azure Policy | Microsoft Learn
Troubleshoot common errors - Azure Policy | Microsoft Learn
Overview of Azure Policy - Azure Policy | Microsoft Learn
Published on:
Learn moreRelated posts
Announcing Azure MCP Server 1.0.0 Stable Release – A New Era for Agentic Workflows
Today marks a major milestone for agentic development on Azure: the stable release of the Azure MCP Server 1.0! The post Announcing Azure MCP ...
From Backup to Discovery: Veeam’s Search Engine Powered by Azure Cosmos DB
This article was co-authored by Zack Rossman, Staff Software Engineer, Veeam; Ashlie Martinez, Staff Software Engineer, Veeam; and James Nguye...
Azure SDK Release (October 2025)
Azure SDK releases every month. In this post, you'll find this month's highlights and release notes. The post Azure SDK Release (October 2025)...
Microsoft Copilot (Microsoft 365): [Copilot Extensibility] No-Code Publishing for Azure AI Foundry Agents to Microsoft 365 Copilot Agent Store
Developers can now publish Azure AI Foundry Agents directly to the Microsoft 365 Copilot Agent Store with a simplified, no-code experience. Pr...
Azure Marketplace and AppSource: A Unified AI Apps and Agents Marketplace
The Microsoft AI Apps and Agents Marketplace is set to transform how businesses discover, purchase, and deploy AI-powered solutions. This new ...
Episode 413 – Simplifying Azure Files with a new file share-centric management model
Welcome to Episode 413 of the Microsoft Cloud IT Pro Podcast. Microsoft has introduced a new file share-centric management model for Azure Fil...
Bringing Context to Copilot: Azure Cosmos DB Best Practices, Right in Your VS Code Workspace
Developers love GitHub Copilot for its instant, intelligent code suggestions. But what if those suggestions could also reflect your specific d...
Build an AI Agentic RAG search application with React, SQL Azure and Azure Static Web Apps
Introduction Leveraging OpenAI for semantic searches on structured databases like Azure SQL enhances search accuracy and context-awareness, pr...
Announcing latest Azure Cosmos DB Python SDK: Powering the Future of AI with OpenAI
We’re thrilled to announce the stable release of Azure Cosmos DB Python SDK version 4.14.0! This release brings together months of innov...