Ensure that Azure Virtual Network subnet is configured with a Network Security Group

Azure Virtual Network subnets should be associated with Network Security Groups. NSG provides the controls to facilitate a formal process for approving and testing all network connections and changes to the firewall and router configurations. NSG enables better control over network traffic to all resources within a subnet. As a best practice it is recommended to associate an NSG with a subnet to protect your VMs on a subnet-level.

Risk Level: High
Cloud Entity: Virtual Network
CloudGuard Rule ID: D9.AZU.NET.19
Covered by Spectral: Yes
Category: Networking & Content Delivery


VNet should have subnets contain [ securityGroup ]


Azure Console:

  1. Navigate to the 'Virtual Networks'
  2. For Each virtual network
  3. Select 'Subnets' from menu and select the subnet you need to modify.
  4. Select the Network security group (NSG) you want to associate with the subnet and 'Save' your changes.

Virtual Network

You can implement multiple virtual networks within each Azure subscription and Azure region. Each virtual network is isolated from other virtual networks. For each virtual network you can:
Specify a custom private IP address space using public and private (RFC 1918) addresses. Azure assigns resources in a virtual network a private IP address from the address space that you assign.
Segment the virtual network into one or more subnets and allocate a portion of the virtual network's address space to each subnet.

Compliance Frameworks

  • Azure CloudGuard Best Practices
  • Azure CloudGuard CheckUp
  • Azure HITRUST v9.5.0
  • Azure NIST 800-53 Rev 5
  • CloudGuard Azure All Rules Ruleset