JulieM-2552 asked

Associating NSG to VM instead of Subnet

Dear All,

We have an Azure Virtual Desktop infra. We have created an NSG rule and associated it with the individual VM NICs.

The subnet is shared with other Azure services, so we are unable to attach at the subnet level.

Now, as part of monthly patching we may have to delete the VMs and recreate them using the updated master image. The entire process will be done using Azure DevOps.

Query: I need to automate the process of associating the NSG with the individual VM NICs after VM creation. Could someone help with this?

Tags: azure-virtual-machines, azure-virtual-desktop, azure-virtual-network

If possible, I would suggest creating a new subnet and moving your session hosts to this subnet. This will allow you to associate an NSG with the subnet and give you better network segmentation. If you have a big enough network space then this should be possible. If not, what language are you using to deploy your code?


@AlanKinane Thanks for your response.

Due to some technical challenges, we can't use a different subnet.

The language we use to deploy the code is PowerShell and JSON.

PS is used for scripts and JSON is used for param files as variables. Could you please advise.

AlanKinane answered

You can use PowerShell or ARM templates (JSON) to achieve this.

Yes, I agree with Eric. I suspect the easiest option for you, given that you already have your NSG resource created, is to get the resource ID of this and pass it in to your ARM template as a parameter, then associate it with the new network interface resource in the JSON as in the example below (see the networkSecurityGroup property at the end of the resource).

    {
        "name": "[parameters('networkInterfaceName')]",
        "type": "Microsoft.Network/networkInterfaces",
        "apiVersion": "2021-03-01",
        "location": "[parameters('location')]",
        "dependsOn": [
            "[concat('Microsoft.Network/publicIpAddresses/', parameters('publicIpAddressName'))]"
        ],
        "properties": {
            "ipConfigurations": [
                {
                    "name": "ipconfig1",
                    "properties": {
                        "subnet": {
                            "id": "[variables('subnetRef')]"
                        },
                        "privateIPAllocationMethod": "Static",
                        "publicIpAddress": {
                            "id": "[resourceId(resourceGroup().name, 'Microsoft.Network/publicIpAddresses', parameters('publicIpAddressName'))]",
                            "properties": {
                                "deleteOption": "[parameters('pipDeleteOption')]"
                            }
                        }
                    }
                }
            ],
            "enableAcceleratedNetworking": "[parameters('enableAcceleratedNetworking')]",
            "networkSecurityGroup": {
                "id": "[parameters('nsgId')]"
            }
        }
    }

EricBoyd answered

Hi @JulieM-2552

We automate all of our Azure Virtual Desktop deployments for customers using Azure Resource Manager (ARM) templates or Bicep. You can associate an existing Network Security Group by Id with the NIC of the VM, or you can create the Network Security Group and configure the security rules inline too.

Here's the ARM/Bicep reference documentation for the Microsoft.Network/networkinterfaces resource type and you specifically want to look for the networkSecurityGroup property. https://docs.microsoft.com/en-us/azure/templates/microsoft.network/networkinterfaces?tabs=bicep#networkinterfacepropertiesformat


Hi @JulieM-2552

Since you commented that you are using PowerShell, you can use the -NetworkSecurityGroupId property of the New-AzNetworkInterface cmdlet to pass in the id of the existing network security group or one you just created. https://docs.microsoft.com/en-us/powershell/module/az.network/new-aznetworkinterface?view=azps-7.3.2

You could also not delete the Nic when you delete the VM, and you could just attach the existing Nic using the Get-AzNetworkInterface cmdlet to get the existing Nic Id and passing that into the Add-AzVMNetworkInterface cmdlet as you create the VM.

Having said that, I would encourage you to check out the declarative, desired-state style options like ARM templates and Bicep for your infrastructure deployments going forward. It reduces the complexity of conditional logic, control flow, and error handling that you must do in the imperative options like PowerShell and CLI. I love and use the command line tools all the time for work with resources ad hoc, but for infrastructure deployments, I much prefer handing off some of the complexity to the Azure Resource Manager.



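Putting Eric's PowerShell suggestion together as an Azure DevOps pipeline step: the script below is an added example, not code from this thread or from Microsoft. It assumes the Az.Compute and Az.Network modules, an already-authenticated Az context (for example the AzurePowerShell task with a service connection), that the session-host VMs share a name prefix, and placeholder names for the resource groups and the NSG. It associates the existing NSG with every NIC of the matching VMs after they have been recreated, skips NICs that already carry it so reruns are safe, warns before replacing a different NSG (a NIC can reference only one), and fails the run if any session-host NIC is left without the NSG.

```powershell
# Added example (not from the thread): associate an existing NSG with the NICs
# of freshly recreated AVD session hosts, as a post-deployment pipeline step.
# Assumptions: Az.Compute + Az.Network modules, authenticated Az context,
# session-host VM names share a prefix. All names are placeholders.
param(
    [Parameter(Mandatory)] [string] $ResourceGroupName,     # RG holding the session hosts
    [Parameter(Mandatory)] [string] $NsgResourceGroupName,  # RG holding the NSG
    [Parameter(Mandatory)] [string] $NsgName,
    [Parameter(Mandatory)] [string] $SessionHostPrefix      # e.g. 'avd-sh-'
)

$ErrorActionPreference = 'Stop'

# Resolve the NSG once; Get-AzNetworkSecurityGroup throws if it does not exist.
$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $NsgResourceGroupName -Name $NsgName

# Only touch NICs belonging to session-host VMs: the subnet is shared with
# other services, so never enumerate NICs by subnet here.
$vms = Get-AzVM -ResourceGroupName $ResourceGroupName |
    Where-Object { $_.Name -like "$SessionHostPrefix*" }
if (-not $vms) { throw "No VMs matching '$SessionHostPrefix*' in $ResourceGroupName" }

foreach ($vm in $vms) {
    foreach ($nicRef in $vm.NetworkProfile.NetworkInterfaces) {
        $nic = Get-AzNetworkInterface -ResourceId $nicRef.Id

        # Idempotent: a NIC that already references this NSG is left alone.
        if ($nic.NetworkSecurityGroup -and $nic.NetworkSecurityGroup.Id -eq $nsg.Id) {
            Write-Host "$($nic.Name): already associated with $NsgName"
            continue
        }
        # A NIC holds a single NSG reference; make a silent replacement visible in the log.
        if ($nic.NetworkSecurityGroup) {
            $old = $nic.NetworkSecurityGroup.Id.Split('/')[-1]
            Write-Warning "$($nic.Name): replacing NSG '$old' with '$NsgName'"
        }

        $nic.NetworkSecurityGroup = $nsg
        $null = $nic | Set-AzNetworkInterface
        Write-Host "$($nic.Name): associated with $NsgName"
    }
}

# Verification gate: re-read every NIC and fail the pipeline if any session
# host is left without the NSG, rather than trusting the writes above.
$unprotected = foreach ($vm in $vms) {
    foreach ($nicRef in $vm.NetworkProfile.NetworkInterfaces) {
        $check = Get-AzNetworkInterface -ResourceId $nicRef.Id
        if ($check.NetworkSecurityGroup.Id -ne $nsg.Id) { $check.Name }
    }
}
if ($unprotected) {
    throw "NICs without ${NsgName}: $($unprotected -join ', ')"
}
```

If the same script creates the NIC, pass `-NetworkSecurityGroupId $nsg.Id` to New-AzNetworkInterface instead of patching afterwards, and with Alan's template the same value goes in as `New-AzResourceGroupDeployment ... -nsgId $nsg.Id`. The pipeline's service principal needs write on the NICs and `Microsoft.Network/networkSecurityGroups/join/action` on the NSG (Network Contributor covers both); if the NSG lives in another resource group, scope that role there too. Rules in a NIC-level NSG are evaluated in addition to any NSG on the shared subnet, so inbound traffic must be allowed by both.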
JulieM-2552 answered

Thanks a lot @AlanKinane and anonymous user for your help.
