Skip to main content
Back to the Azure Footguns Database
SecurityMediumCommonAZF-0092

A subnet with no NSG leaves every workload in it with zero network filtering

Azure does not require an NSG on a subnet. Without one there is no subnet-level network filter at all, and every workload inside relies entirely on whatever other controls happen to exist.

Footgun ID
AZF-0092 (Azure Footgun No. 92)
Azure service
Azure Virtual Network
Resource type
Microsoft.Network/virtualNetworks/subnets
Updated
July 9, 2026

What it is

A virtual network subnet with no network security group associated. NSGs are Azure's basic packet filter, and a subnet without one enforces no inbound or outbound rules at that layer. Anything deployed into the subnet is protected only by NIC-level NSGs, application firewalls, or topology, if those exist. Often they don't, and the subnet is simply open.

Impact (security)
No subnet-level inbound or outbound filtering for anything deployed there; one public IP or one compromised neighbor reaches every workload in the subnet
Basis: Azure behavior (authored assessment). Figures are estimates, not measurements.

Why it happens

Azure lets you create a subnet with no NSG and never complains. The portal's VNet creation flow doesn't force the association, az network vnet subnet create doesn't require it, and most infrastructure-as-code examples omit it because the deployment works fine without one.

The NSG and the subnet are also separate resources with a separate association step, so they drift apart naturally: a subnet gets added to an existing VNet during an incident, a template gets copied without the networkSecurityGroup block, or an NSG gets detached "temporarily" for troubleshooting and never reattached. Nothing breaks, so nothing gets noticed.

One legitimate wrinkle: a handful of Azure-managed reserved subnets (GatewaySubnet, AzureFirewallSubnet, AzureFirewallManagementSubnet, AzureBastionSubnet, RouteServerSubnet) are special cases where Azure either disallows a user NSG or requires its own documented rule set, and subnets delegated to a PaaS service hand their networking to that service. Those are fine. The problem is every other subnet, the ones carrying your VMs and private endpoints.

What it costs / blast radius

There is no direct cost; NSGs are free. The blast radius is defense-in-depth with a floor missing. If a VM in an NSG-less subnet picks up a public IP, every port it listens on is on the internet with nothing in the path. Inside the network, a compromised workload can reach every port on every neighbor in the subnet, and often across peered networks too, because there is no subnet-level rule to stop lateral movement. When an incident does happen, there are also no NSG flow logs at that layer to reconstruct what moved where. (Authored assessment of Azure behavior.)

See it

Find them: subnets with no NSG, skipping Azure's reserved and delegated subnets
Resources
| where type =~ 'microsoft.network/virtualnetworks'
| mv-expand subnet = properties.subnets
| extend subnetName = tostring(subnet.name)
| where subnetName !in~ ('GatewaySubnet', 'AzureFirewallSubnet',
    'AzureFirewallManagementSubnet', 'AzureBastionSubnet', 'RouteServerSubnet')
| where isnull(subnet.properties.networkSecurityGroup)
| where isnull(subnet.properties.delegations)
    or array_length(subnet.properties.delegations) == 0
| project vnet = name, subnet = subnetName, resourceGroup, subscriptionId,
          addressPrefix = tostring(subnet.properties.addressPrefix)
Fix: create an NSG (or reuse one) and associate it with the subnet
az network nsg create \
  --resource-group rg-prod --name nsg-app-subnet

az network vnet subnet update \
  --resource-group rg-prod --vnet-name corp-vnet \
  --name app-subnet --network-security-group nsg-app-subnet

How StratoLens helps

StratoLens checks every subnet in every VNet across all your subscriptions for a missing NSG association, automatically skipping the reserved and delegated subnets that are legitimate special cases, so the findings you see are the real gaps. It runs continuously inside your own tenant; the subnet added during last quarter's incident gets flagged without anyone remembering to look.

Start Your 28-Day Free Trial

Every feature unlocked. Deploys to your Azure tenant. No data leaves your tenant.

Available now on the Azure Marketplace.

Not ready to install anything? Browse the Azure Footguns Database: 55+ documented ways Azure quietly costs money or creates risk.

Request a demo

StratoLens catches the cost waste, access risk, and config drift across your whole Azure estate, from inside your own tenant, so your data never leaves it.