
[AVM Module Issue]: AzureBastion and ContainerAppEnvironment subnet should be associated with an NSG #20

@sjyang18


Check for previous/existing GitHub issues

  • I have checked for previous/existing GitHub issues

Issue Type?

I'm not sure

(Optional) Module Version

No response

(Optional) Correlation Id

No response

Description


The AVM module currently allows creation of subnets without enforcing association with a Network Security Group (NSG). This behavior can lead to unintended exposure or misconfiguration, especially in environments where NSG enforcement is critical for maintaining security posture.

This issue was flagged by S360, Microsoft’s internal compliance system.

Expected Behavior

All subnets provisioned through the module should either:

  • Be explicitly associated with an NSG, or
  • Fail validation if no NSG is provided.

Suggested Fix

Introduce a validation check or default behavior that ensures every subnet other than AzureFirewallSubnet has an NSG associated. Optionally, provide a flag to allow skipping NSG association only when explicitly intended.

Additional Context

This issue was identified during deployment reviews where some subnets were inadvertently left without NSGs, leading to potential security gaps. Enforcing NSG association aligns with best practices and internal compliance requirements.
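An added example (not code from the issue or the AVM module) of the validation the suggested fix describes, in Python so it can run offline: every subnet except AzureFirewallSubnet must carry an NSG, with an explicit per-subnet opt-out. The subnet dict shape, the `networkSecurityGroupResourceId` key (modelled on the AVM virtual-network subnet property) and the `allowMissingNsg` flag are assumptions.

```python
# Added example, not AVM module code: the subnet dict shape and the keys
# 'networkSecurityGroupResourceId' / 'allowMissingNsg' are assumptions.
import re

# Subnets the issue exempts from the NSG requirement.
NSG_EXEMPT_SUBNETS = {"AzureFirewallSubnet"}
# An NSG ID must end in the networkSecurityGroups type (ARM IDs are case-insensitive).
_NSG_ID_RE = re.compile(r"/providers/Microsoft\.Network/networkSecurityGroups/[^/]+$", re.I)

def validate_subnet_nsgs(subnets):
    """Return violation strings; an empty list means the subnets pass.
    A subnet passes if exempt by name, if it carries a valid NSG resource ID,
    or if it explicitly sets the hypothetical allowMissingNsg opt-out."""
    violations = []
    for subnet in subnets:
        name = subnet.get("name", "<unnamed>")
        if name in NSG_EXEMPT_SUBNETS:
            continue
        nsg_id = subnet.get("networkSecurityGroupResourceId")
        if nsg_id:
            if _NSG_ID_RE.search(nsg_id):
                continue
            violations.append(f"{name}: networkSecurityGroupResourceId is not an NSG")
            continue
        if subnet.get("allowMissingNsg") is True:
            continue  # explicit, intended skip, as the suggested fix allows
        violations.append(f"{name}: no NSG associated and allowMissingNsg not set")
    return violations

def enforce_subnet_nsgs(subnets):
    """Fail the deployment (raise) instead of silently creating an unprotected subnet."""
    violations = validate_subnet_nsgs(subnets)
    if violations:
        raise ValueError("subnet NSG validation failed: " + "; ".join(violations))
    return True

# Constructed sample modelled on the subnets named in the issue title.
NSG_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-example"
          "/providers/Microsoft.Network/networkSecurityGroups/nsg-example")
SAMPLE_SUBNETS = [
    {"name": "AzureBastionSubnet"},  # violation: no NSG, no opt-out
    {"name": "snet-containerapp-env", "networkSecurityGroupResourceId": NSG_ID},  # passes
    {"name": "AzureFirewallSubnet"},  # exempt by name
    {"name": "snet-legacy", "allowMissingNsg": True},  # explicit opt-out
]

if __name__ == "__main__":
    print(validate_subnet_nsgs(SAMPLE_SUBNETS))
```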

Metadata

Status

Needs: Triage

Milestone

No milestone

Development

No branches or pull requests
