NSG pushed to subnets breaks the lab

Question

NSG pushed to subnets breaks the lab

Jun Ye 0

In this lab: https://learn.microsoft.com/en-us/training/modules/secure-and-isolate-with-nsg-and-service-endpoints/3-exercise-network-security-groups

Right after the vNets and subnets were created, there appears to be a policy enforcement linked a NSG to the subnets. I cannot remove the NSG nor can I change the NSG to the intended NSG that's supposed to be in the lab.

Had to use my own subscription.

Jun Ye 0 Reputation points

2025-03-04T22:21:16.1166667+00:00

ignore this answer
Jun Ye 0 Reputation points

2025-03-04T22:21:43.41+00:00

After step 3, only vNet and subnet gets created. No NSG has been created yet.

But in Azure, it shows the subnets are already associated with NSG-westus
Jun Ye 0 Reputation points

2025-03-04T22:23:55.1633333+00:00

Also there should have a step to link the NSG created in LAB: ERP-SERVERS-NSG to the subnets

After section: "Create a security rule for SSH", step 1.
VarunTha 14,850 Reputation points Microsoft External Staff Moderator

2025-03-04T22:34:14.1366667+00:00

Hi Jun Ye,
Could you please share a screenshot of the error for more effective communication?

Thank you.
Jun Ye 0 Reputation points

2025-03-04T23:23:27.0333333+00:00

Varun, this is the screenshot. It was taken right after step 3 when only vNet and subnets are created. I have not done step 4, where ERP-SERVERS-NSG will be created in step 4.

By default, there should have no NSG associated with any newly created subnet, but immediately after the subnet creation, this NSG-west US got associated with the subnets.
Rakesh Gurram 15,715 Reputation points Microsoft External Staff Moderator

2025-03-05T18:44:10.9433333+00:00

Hi Jun Ye,

It appears that an NSG is automatically assigned to your subnets upon creation, likely due to an Azure Policy. However, according to the exercise guidelines, the NSG should be created later. This seems to be a documentation issue, and we will notify the author for correction.
Rakesh Gurram 15,715 Reputation points Microsoft External Staff Moderator

2025-03-07T03:20:49.44+00:00

Hi Jun Ye,

Our internal team is working on it and will get back to you as soon as possible.

1 answer

Your answer

Jun Ye 0 Reputation points

2025-03-04T22:21:16.1166667+00:00

ignore this answer
Jun Ye 0 Reputation points

2025-03-04T22:21:43.41+00:00

After step 3, only vNet and subnet gets created. No NSG has been created yet.

But in Azure, it shows the subnets are already associated with NSG-westus
Jun Ye 0 Reputation points

2025-03-04T22:23:55.1633333+00:00

Also there should have a step to link the NSG created in LAB: ERP-SERVERS-NSG to the subnets

After section: "Create a security rule for SSH", step 1.
VarunTha 14,850 Reputation points Microsoft External Staff Moderator

2025-03-04T22:34:14.1366667+00:00

Hi Jun Ye,
Could you please share a screenshot of the error for more effective communication?

Thank you.
Jun Ye 0 Reputation points

2025-03-04T23:23:27.0333333+00:00

Varun, this is the screenshot. It was taken right after step 3 when only vNet and subnets are created. I have not done step 4, where ERP-SERVERS-NSG will be created in step 4.

By default, there should have no NSG associated with any newly created subnet, but immediately after the subnet creation, this NSG-west US got associated with the subnets.
Rakesh Gurram 15,715 Reputation points Microsoft External Staff Moderator

2025-03-05T18:44:10.9433333+00:00

Hi Jun Ye,

It appears that an NSG is automatically assigned to your subnets upon creation, likely due to an Azure Policy. However, according to the exercise guidelines, the NSG should be created later. This seems to be a documentation issue, and we will notify the author for correction.
Rakesh Gurram 15,715 Reputation points Microsoft External Staff Moderator

2025-03-07T03:20:49.44+00:00

Hi Jun Ye,

Our internal team is working on it and will get back to you as soon as possible.

Answer 1

Hi Jun Ye,

We contacted the content author and received confirmation that the default NSG created by policy can be ignored, as it does not affect the lab's functionality. In this lab, the NSG assigned to the NICs of the VMs takes precedence over any NSG assigned to the VNet or subnet.

Additionally, please be aware that SSH connections may temporarily fail after the NSG rules are applied. If this happens, waiting a minute or so should resolve the issue and allow the connection to work as expected.

Please Accept the Answer so that it will be useful for others in the community.

Share via

NSG pushed to subnets breaks the lab

1 answer

Your answer