For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/default_rules/def-000-ler.md. A documentation index is available at /llms.txt.

Subnets should be associated with a Network Security Group

azure-virtual-network

Description

Protect subnet resources by filtering inbound and outbound traffic with Network Security Group (NSG) rules. Subnets without an associated NSG expose workloads to unauthorized network access. Special-purpose subnets that cannot have NSGs attached (GatewaySubnet, AzureFirewallSubnet, AzureFirewallManagementSubnet, AzureBastionSubnet, RouteServerSubnet) are excluded from this check.

Remediation

Associate a Network Security Group with the subnet by navigating to the virtual network’s Subnets blade in the Azure portal, selecting the target subnet, and choosing an NSG under the Security section. For detailed steps, see Associate or dissociate a network security group to or from a subnet.