How to create a subnet with NSG for an existing VNet?

thesse1 · August 4, 2023, 5:30am

In my Azure landing zone, my organization has established a policy that will not let me create a subnet without NSG.

Use case: I want to create an additional subnet for an existing VNet. How can I do that?

I tried the following: I have captured the existing VNet using data block:

data "azurerm_virtual_network" "aks" {
  name                = data.azurerm_resources.vnets.resources[0].name
  resource_group_name = azurerm_kubernetes_cluster.default.node_resource_group
}

Then I have tried to create a subnet:

resource "azurerm_subnet" "example" {
  name                 = "example-subnet"
  resource_group_name  = azurerm_kubernetes_cluster.default.node_resource_group
  virtual_network_name = data.azurerm_virtual_network.aks.name
  address_prefixes     = ["10.0.1.0/24"]
}

This gives me an error message that it is not allowed to create a subnet without NSG. But as per Terraform Registry, I do not see how to refer to an NSG in the creation of my subnet. How can I solve this problem?

Please note:

Yes, I know that I can configure a new VNet with subnet(s) with NSG using this syntax:

resource "azurerm_virtual_network" "default" {
  name                = "${var.projectName}-${var.clusterName}-vnet"
  address_space       = ["10.240.0.0/12"]
  location            = azurerm_resource_group.default.location
  resource_group_name = azurerm_resource_group.default.name
  subnet {
          address_prefix = "10.240.0.0/16"
          name           = "ag"
          security_group = azurerm_network_security_group.default.id
  }
}

But this does not help me, because I have to operate on an existing VNet.

Yes, I know that I can assign an NSG to an existing subnet via azurerm_subnet_network_security_group_association. But this will also try to create the subnet first which will also fail because of the missing NSG.

What can I do?

Thanks a lot!

Best regards,
Thomas

Johny · April 19, 2024, 7:10am

Hello,
Did you find a solution for this?
I have the same problem as you.

Contra · April 20, 2024, 4:56pm

What’s blocking you in creating a subnet without an NSG, is it Azure Policy enforcing the policy?

You can’t do this as they are created as separate resources so it must be exempt from the policy and instead mandate using a module that has the subnet and NSG resources.

You can have the policy in audit mode instead of deny to show where this hasn’t been followed but basically this breaks TF deployment.

Johny · May 28, 2024, 10:48am

Hello,
Thank you for the answer.
I wanted to create a subnet ans associate an nsg to it, not create the subnet and then associate. I was forced to due this due to policy in azure.
Solved the problem by using azureapi provider for subnet creation.

BBokdam · October 18, 2024, 8:05am

Hi,
I’ve got the same problem with my current customer?

Topic		Replies	Views
Unable to create subnet due to policy deny subnet with NSG Azure	3	904	February 21, 2025
Azurerm_subnet wont work with policy Terraform azure	1	560	February 21, 2025
How can I create a subnet with delegation when my organization has defined a Deny-Subnet-Without-Nsg? Azure	1	626	February 27, 2023
Azurerm - same nsg different subnet Terraform	1	969	May 7, 2021
Subscription has a policy that subnet should be associated with NSG during creation Terraform	1	37	February 14, 2025

How to create a subnet with NSG for an existing VNet?

Related topics