
I'm looking to create a Network Security Group (NSG) in Azure and attach it to an existing subnet using an ARM Template. I've already come across this site: https://github.com/Azure/azure-quickstart-templates/tree/master/201-nsg-add-to-existing-subnet but the template references additional files on GitHub which my client won't allow.

Ideally I'd like to avoid nested ARM Templates if possible and just use x1 template.json and x1 parameters.json file OR just x1 template.json file altogether.

If somebody has experience with this or knows of a good site to reference I would appreciate the help.

jrd1989

1 Answer


The example is doing this as a nested template because the resource group that the virtual network is in is in a different resource group to the virtual network itself. If your NSG and vNet are in the same resource group then there is no need for this. All you need to do is add the subnet part to your main template, with a dependency on your NSG.

    {
      "apiVersion": "2018-03-01",
      "type": "Microsoft.Network/virtualNetworks/subnets",
      "dependsOn": [
        "new-nsg"
      ],
      "name": "[concat(parameters('virtualNetworkName'), '/', parameters('subnetName'))]",
      "location": "[resourceGroup().location]",
      "properties": {
        "addressPrefix": "[parameters('subnetAddressPrefix')]",
        "networkSecurityGroup": {
          "id": "[resourceId('Microsoft.Network/networkSecurityGroups', 'new-nsg')]"
        }
      }
    }

If your NSG and vNet are in different resource groups then the only way to do this is with a nested template. This is one of the downsides of ARM compared to something like Terraform. That said, there are still a couple of options you could look at:

  1. You could use an inline nested template. These are a bit limited but wouldn’t require you to reference an external file
  2. You could run it as two separate deployments, passing the NSG resource group between the two
Sam Cogan
  • Thank you for the explanation, that helped me a lot. Unfortunately, the NSG and VNet I'm working with have to be in separate RG's. – jrd1989 Dec 15 '19 at 21:28
  • @jrd1989 ok, I’ve added some more options that might help in this scenario – Sam Cogan Dec 15 '19 at 22:24
  • After your explanation and reviewing the example in the link I provided initially I was able to get it figured out. Instead of github I used a storage account in our environment and an SAS token. I appreciate the help and support you provided, much appreciated! – jrd1989 Dec 15 '19 at 22:57
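
Option 1 from the answer (an inline nested template) written out as a single template.json, as an added example that is not part of the original answer or the quickstart repository. It assumes the NSG and the VNet are in the same subscription; the `vnetResourceGroup` parameter and the deployment name `attach-nsg-to-subnet` are illustrative names, and nothing is fetched from an external URI, so no SAS token or linked file is involved.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "vnetResourceGroup": { "type": "string", "metadata": { "description": "Assumed parameter (not in the original answer): resource group that holds the existing VNet" } },
    "virtualNetworkName": { "type": "string" },
    "subnetName": { "type": "string" },
    "subnetAddressPrefix": { "type": "string" }
  },
  "resources": [
    {
      "type": "Microsoft.Network/networkSecurityGroups",
      "apiVersion": "2018-03-01",
      "name": "new-nsg",
      "location": "[resourceGroup().location]",
      "properties": { "securityRules": [] }
    },
    {
      "type": "Microsoft.Resources/deployments",
      "apiVersion": "2019-10-01",
      "name": "attach-nsg-to-subnet",
      "resourceGroup": "[parameters('vnetResourceGroup')]",
      "dependsOn": [ "[resourceId('Microsoft.Network/networkSecurityGroups', 'new-nsg')]" ],
      "properties": {
        "mode": "Incremental",
        "template": {
          "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
          "contentVersion": "1.0.0.0",
          "resources": [
            {
              "type": "Microsoft.Network/virtualNetworks/subnets",
              "apiVersion": "2018-03-01",
              "name": "[concat(parameters('virtualNetworkName'), '/', parameters('subnetName'))]",
              "properties": {
                "addressPrefix": "[parameters('subnetAddressPrefix')]",
                "networkSecurityGroup": {
                  "id": "[resourceId(resourceGroup().name, 'Microsoft.Network/networkSecurityGroups', 'new-nsg')]"
                }
              }
            }
          ]
        }
      }
    }
  ]
}
```

Expressions inside the inline template are evaluated in the outer template's scope by default, which is why `parameters(...)` and `resourceGroup().name` resolve against the NSG's resource group here. Deploying the subnet resource replaces its properties, so an existing route table, service endpoints or delegations on that subnet must be repeated in `properties` or they are removed.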