---
title: Subnets should be associated with a Network Security Group
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > OOTB Rules > Subnets should be associated with a
  Network Security Group
---

# Subnets should be associated with a Network Security Group
 
## Description{% #description %}

Protect subnet resources by filtering inbound and outbound traffic with Network Security Group (NSG) rules. Subnets without an associated NSG expose workloads to unauthorized network access. Special-purpose subnets that cannot have NSGs attached (`GatewaySubnet`, `AzureFirewallSubnet`, `AzureFirewallManagementSubnet`, `AzureBastionSubnet`, `RouteServerSubnet`) are excluded from this check.

## Remediation{% #remediation %}

Associate a Network Security Group with the subnet by navigating to the virtual network's Subnets blade in the Azure portal, selecting the target subnet, and choosing an NSG under the Security section. For detailed steps, see [Associate or dissociate a network security group to or from a subnet](https://learn.microsoft.com/en-us/azure/virtual-network/manage-network-security-group#associate-or-dissociate-a-network-security-group-to-or-from-a-subnet).