Default NSG for all Azure Subscriptions via Terraform


I am trying to implement a strategy where I can create an NSG in one Azure subscription and use the same NSG resource to attach to any VMs or NICs created in other subscriptions and resource groups.

How can this implementation work via Terraform where I want to attach a single (default) NSG (created in a separate subscription) to multiple VMs and NICs in other subscriptions?

1

There are 1 best solutions below

2
Jahnavi On

Default NSG for all Azure Subscriptions via Terraform:

Rules defined for a certain network security group with some network security rules will only apply to that resource group. As a result of this limitation for network security groups, it is not feasible to access an NSG in subscriptions other than the existing ones.

You cannot access an NSG that exists in one subscription in another, even though it is provided in the same region.

If you need to add network security in other subscriptions, you can consider the following methods:

  1. Add multiple subscriptions in the provider using an alias while deploying the Terraform code, as mentioned in the article by @Jeff Brown.

provider "azurerm" {
  alias           = "xx"
  subscription_id = "subscription1"
  features {}
}
provider "azurerm" {
  alias           = "xxdev"
  subscription_id = "subscription2"
  features {}
}
resource "azurerm_network_security_group" "example" {
  # Pick the target subscription through the provider alias
  provider = azurerm.xx
  # Add configuration
}

Note: Include azurerm providers to deploy the same NSG or any Azure resource across multiple subscriptions provided by subscription IDs.

  2. terraform import can be used to import existing resources from anywhere.
terraform import azurerm_network_security_group.<NSG> <ResourceID>

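An added example, not part of the answer above: one way to apply the provider-alias approach is to keep the baseline rules in a single `locals` map and create an NSG from it inside each subscription, then associate that NSG with a NIC in the same subscription. The resource group, NIC name, region, address range and rule names are placeholders assumed for illustration.

```hcl
# Added example; subscription ID, names and address ranges are placeholders.
provider "azurerm" {
  alias           = "xxdev"
  subscription_id = "subscription2"
  features {}
}

locals {
  # Single source of truth for the baseline inbound rules.
  baseline_rules = {
    allow-ssh-from-mgmt = { priority = 100, access = "Allow", protocol = "Tcp", port = "22", source = "10.0.0.0/24" }
    deny-other-inbound  = { priority = 4096, access = "Deny", protocol = "*", port = "*", source = "*" }
  }
}

# One copy of this block per provider alias; only `provider` and the resource group change.
resource "azurerm_network_security_group" "default_xxdev" {
  provider            = azurerm.xxdev
  name                = "default-nsg"
  location            = "westeurope"
  resource_group_name = "rg-app-dev"

  dynamic "security_rule" {
    for_each = local.baseline_rules
    content {
      name                       = security_rule.key
      priority                   = security_rule.value.priority
      direction                  = "Inbound"
      access                     = security_rule.value.access
      protocol                   = security_rule.value.protocol
      source_port_range          = "*"
      destination_port_range     = security_rule.value.port
      source_address_prefix      = security_rule.value.source
      destination_address_prefix = "*"
    }
  }
}

data "azurerm_network_interface" "app" {
  provider            = azurerm.xxdev
  name                = "nic-app-01"
  resource_group_name = "rg-app-dev"
}

resource "azurerm_network_interface_security_group_association" "app" {
  provider                  = azurerm.xxdev
  network_interface_id      = data.azurerm_network_interface.app.id
  network_security_group_id = azurerm_network_security_group.default_xxdev.id
}
```

Because every per-subscription NSG reads the same `local.baseline_rules`, a rule change is made once and `terraform plan` shows the resulting diff for each subscription.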