Circumvent Azure Policy - Deny Subnet without NSG


I have recently run into an issue when creating a subnet in without an nsg in Azure. The situation at hand is as follows. I work in a large corporate environment, where IT seniors manage our overall Azure Strategy. The intended workflow is for them to create a subscription with a vnet and nsg, and delegate access rights to other teams that require such a subscription. I am a part of one such team. Within the virtual network all PaaS services are required to disable public network access. For the time being, if a service requires access from on-premise network, a private_endpoint needs to be created. I am now in a situation where I need to create another subnet, and create private links to PaaS resources. However, an Azure Policy assignment prohibits me from doing so, stating Deny-Subnet-Without-Nsg., even though I do try to associate the subet with the existing nsg.

I am aware that one can create a azurerm_virtual_network and associate the nsg to subnet on creation, however this vnet is already created, and I have currently no option to alter it.

My code is as follows:

data "azurerm_virtual_network" "vnet" {
    name =
    resource_group_name = var.vnet.rg_name

data "azurerm_network_security_group" "nsg" {
    name =
    resource_group_name = var.nsg.rg_name

resource "azurerm_subnet" "snet" {
    name =
    address_prefixes = var.subnet.address_prefixes
    resource_group_name = data.azurerm_virtual_network.vnet.resource_group_name
    virtual_network_name =
    enforce_private_link_endpoint_network_policies = var.subnet.enforce_private_link_endpoint_network_policies

resource "azurerm_subnet_network_security_group_association" "snet_nsg_ass" {
    subnet_id =
    network_security_group_id =

I kindly appreciate any advice or guidance towards solving this issue.

Best Regards

create your subnet in this way.

resource "azurerm_virtual_network" "aksvnet" {

  name                = "aks-network"

  location            = azurerm_resource_group.aks_rg.location

  resource_group_name =

  address_space       = [""]

  subnet {

    name           = "aks-default-subnet"

    address_prefix = ""

    security_group =


Thanks for the reply. I cannot really do that, as the vnet is already supplied. Furthermore, I would also need to be able to modify the enforce_private_link_service_network_policies and enforce_private_link_endpoint_network_policies, which your solution doesn’t allow for.
The only possibilities I can think of:

  1. Disable the policy - Not really feasible due to corporate SLA
  2. Manual creation via console or azure cli - Consequence: No automation
  3. Use a local_exec provisioner to execute az cli scripts - Consequence: no upserts, no destroy, state drift