ARM template set OS disk networking

Question

ARM template set OS disk networking

Luke Rosser 165

I'm trying to disable public network access on an OS disk for a VM using ARM. I am selecting the image using publisher, offer, sku and version when the VM is created. I can't see any way to configure networking on the disk when creating it as part of the VM definition, and I am unable to update the disk after it is created by the VM.

What I have tried:

Creating the disk through the VM resource and setting networking on the VM OS disk definition (not supported)
Creating the disk before the VM and attaching it as the OS disk (publisher, offer, sku and version aren't supported)
Letting the VM create the disk and updating it with ARM in the same template or with a nested template (conflicts/expects it to be a creation and asks for more info)

When attempting to update the OS disk after the VM creates it through this code:


        {
            "type": "Microsoft.Resources/deployments",
            "apiVersion": "2025-04-01",
            "name": "os-disk-networking",
            "dependsOn": [
                "[resourceId('Microsoft.Compute/virtualMachines', variables('vm_name'))]"
            ],
            "properties": {
                "mode": "Incremental",
                "template": {
                    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                    "contentVersion": "1.0.0.0",
                    "resources": [
                        {
                            "type": "Microsoft.Compute/disks",
                            "apiVersion": "2025-01-02",
                            "name": "[concat(variables('vm_name'), '-osdisk')]",
                            "location": "[parameters('location')]",
                            "properties": {
                                "networkAccessPolicy": "DenyAll",
                                "publicNetworkAccess": "Disabled"
                            }
                        }
                    ]
                }
            }
        }

I get an error:

Required parameter 'creationData' is missing (null). (Code: InvalidParameter, Target: creationData)

The disk name matches the name given to the OS disk in the VM definition:

                    "osDisk": {
                        "osType": "Windows",
                        "name": "[concat(variables('vm_name'), '-osdisk')]",
                        "createOption": "FromImage",
                        "caching": "ReadWrite",
                        "managedDisk": {
                            "storageAccountType": "StandardSSD_LRS"
                        },
                        "deleteOption": "Detach",
                        "diskSizeGB": "[parameters('vm_os_disk_size')]"
                    }

Answer accepted by question author

2 additional answers

Your answer

Answer 1

Hello @Luke Rosser

I've made some changes to the template as below and this worked out for me pretty well to update the Network settings for OS disk of an existing VM.

Kindly test this out and let us know if this also fails for you.

{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "diskName": {
      "type": "String",
      "metadata": {
        "description": "Name of the existing disk"
      }
    },
    "location": {
      "type": "String",
      "metadata": {
        "description": "Location of the disk (e.g., 'eastus')"
      }
    },
    "osType": {
      "type": "String",
      "metadata": {
        "description": "OS type (e.g., 'Linux')"
      }
    },
    "hyperVGeneration": {
      "type": "String",
      "metadata": {
        "description": "HyperV generation (e.g., 'V2')"
      }
    },
    "diskSizeGB": {
      "type": "int",
      "metadata": {
        "description": "Disk size in GB (e.g., 30)"
      }
    },
    "publicNetworkAccess": {
      "type": "String",
      "allowedValues": ["Enabled", "Disabled"]
    },
    "networkAccessPolicy": {
      "type": "String",
      "allowedValues": ["AllowAll", "AllowPrivate", "DenyAll"],
      "defaultValue": "DenyAll"
    },
    "dataAccessAuthMode": {
      "type": "String",
      "defaultValue": "None",
      "allowedValues": ["None", "AzureActiveDirectory"]
    },
    "imageReference": {
      "type": "object",
      "metadata": {
        "description": "Image reference from disk's creationData"
      }
    }
  },
  "resources": [
    {
      "type": "Microsoft.Compute/disks",
      "apiVersion": "2025-01-02",
      "name": "[parameters('diskName')]",
      "location": "[parameters('location')]",
      "sku": {
        "name": "Premium_LRS"
      },
      "properties": {
        "osType": "[parameters('osType')]",
        "hyperVGeneration": "[parameters('hyperVGeneration')]",
        "creationData": {
          "createOption": "FromImage",
          "imageReference": "[parameters('imageReference')]"
        },
        "diskSizeGB": "[parameters('diskSizeGB')]",
        "encryption": {
          "type": "EncryptionAtRestWithPlatformKey"
        },
        "publicNetworkAccess": "[parameters('publicNetworkAccess')]",
        "networkAccessPolicy": "[parameters('networkAccessPolicy')]",
        "dataAccessAuthMode": "[parameters('dataAccessAuthMode')]"
      }
    }
  ]
}

Luke Rosser 165 Reputation points

2026-02-19T09:57:19.7766667+00:00

Hi Ankit. Thank you for this. Whilst I do think it will work, how do I retrieve the image reference ID? For example we are using:

'publisher': 'MicrosoftWindowsDesktop', 'offer': 'windows-11': 'sku', 'win11-24h2-avd', 'version': 'latest'

The only way I can see to get the image ID is to deploy a VM and check the output which makes keeping up with versioning awkward compared to passing in the above
Luke Rosser 165 Reputation points

2026-02-19T13:36:40.92+00:00

I'll accept this as the answer as it seems to be the only way to do this through ARM. It'd be better if there was a way of getting the image reference without deploying a VM first but it does work.

In the end I've opted to update the OS disk networking using the SDK through the system that is triggering the deployment after the deployment completes.
Ankit Yadav 12,205 Reputation points Microsoft External Staff Moderator

2026-02-20T00:57:02.36+00:00

Yes for the OS disk image id, you’ll need to create it as part of the VM deployment process. It can either be generated during VM creation or created from a snapshot of an existing VM, but in both cases, it’s done after the VM creation.

Answer 2

Marcin Policht 82,360 MVP Volunteer Moderator

Try creating the OS disk first, then in a separate ARM deployment (or a separate step after the VM is deployed), update the disk’s networking properties. The update template should include only the updatable properties:

Do not include creationData, diskSizeGB, sku, or any creation-related fields. This should ensure ARM performs a PATCH on the existing OS disk instead of trying to create a new disk.

If you prefer CLI, the same update can be done with:

az disk update --name <disk-name> --resource-group <resource-group> --set networkAccessPolicy=DenyAll publicNetworkAccess=Disabled

If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

hth

Marcin

Luke Rosser 165

Hi Marcin,

As I mentioned in my post I tried that with no success unfortunately. I tried doing it in the same template with a dependson the VM creation and also as a nested deployment. The definition only included properties but it still errored saying creationData was required.


                        {
                            "type": "Microsoft.Compute/disks",
                            "apiVersion": "2025-01-02",
                            "name": "[concat(variables('vm_name'), '-osdisk')]",
                            "location": "[parameters('location')]",
                            "properties": {
                                "networkAccessPolicy": "DenyAll",
                                "publicNetworkAccess": "Disabled"
                            }
                        }

Marcin Policht 82,360 Reputation points MVP Volunteer Moderator

2026-02-17T15:59:20.69+00:00
Apologies for not being clear - I'm referring to a separate deployment. First create the VM, let Azure create the OS disk, then in a second deployment (or via CLI/PowerShell), update the disk’s networking properties. For example:

az disk update --name <vm-name>-osdisk --resource-group <rg> --set networkAccessPolicy=DenyAll publicNetworkAccess=Disabled

Or in a separate ARM template that runs after the VM deployment has completed:

{ "type": "Microsoft.Compute/disks", "apiVersion": "2025-01-02", "name": "<vm-name>-osdisk", "location": "<location>", "properties": { "networkAccessPolicy": "DenyAll", "publicNetworkAccess": "Disabled" } }

If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

hth

Marcin
Luke Rosser 165 Reputation points

2026-02-17T16:02:44.8066667+00:00

Hi Marcin, thanks for clarifying. Is that not what doing a nested deployment should do? In my template it's a separate nested deployment that runs after the VM has finished creating but I still get the creationData error. I want this to be one process/trigger if possible.

Also I'm not sure if it's just me but your json example is empty
Marcin Policht 82,360 Reputation points MVP Volunteer Moderator

2026-02-17T17:48:27.83+00:00
It seem like a quirk in the Q&A platform - I updated the JSON content - hopefully you can access it now.

Regarding your question, AFAIK, in ARM, a nested deployment is still part of the same top-level deployment transaction. Even if you add dependsOn and the nested deployment runs after the VM resource, the entire template is validated and planned before execution. At validation time, the OS disk created via createOption: FromImage does not yet exist as a standalone resource in ARM’s dependency graph, so when your nested template declares Microsoft.Compute/disks with that name, ARM interprets it as a new resource definition.

If you want this to be a single trigger from your pipeline or automation, you could run two sequential deployments executed one after the other - e.g.

az deployment group create --resource-group <rg> --template-file vm.json az deployment group create --resource-group <rg> --template-file disk-update.json

That is still one automated process, but it is two ARM deployment executions.

If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

hth

Marcin
Ankit Yadav 12,205 Reputation points Microsoft External Staff Moderator

2026-02-18T04:20:38.8966667+00:00

Hello @Luke Rosser

We noticed you marked the answer as "Not Helpful." We're here to assist you with your query. @Marcin Policht has posted a follow-up response; please review it and let us know if it addresses your issue.

We would also like to connect with you via a Teams meeting to resolve the issue quickly. We've sent you a Private Message regarding your email to protect your privacy. Please check your messages and share the details so we can provide better assistance over here.
Luke Rosser 165 Reputation points

2026-02-18T10:10:04.1966667+00:00

Hi Marcin. I've just tested that, doing two separate deployments, and I get the same error where it expects creationData.

Ankit thanks for following up, I'll reply and get a Teams call scheduled.

Answer 3

Might not be helpful, but in similar situation using Bicep I determined the best option was to utilise a Runbook every evening.

It works fine and answers the problem. Obviously we could use other methods to get the runbook fired by a deployment event.

Regards

$Disks = Get-AzDisk | Where-Object { 
    $_.PublicNetworkAccess -eq 'Enabled'
    } 
    Foreach ($disk in $Disks) { 
        Write-OutPut "Disk $($disk) has network access enabled.  Disabling ..."
        try {
        $disk | New-AzDiskUpdateConfig -PublicNetworkAccess "Disabled" -NetworkAccessPolicy "DenyAll" `
        | Update-AzDisk -ResourceGroupName $($disk.ResourceGroupName) -DiskName $($disk.Name) 
        Write-OutPut "Disk Updated with Deny Network Access Policy"
        } catch {
            Write-OutPut "Runbook Failed to update Disk.  Please investigate."
        }
}

Luke Rosser 165 Reputation points

2026-02-18T10:54:35.29+00:00

Thanks Tim that's a good suggestion. Worst case we can orchestrate something around our deployment to go and set the network rules afterwards but I'm hoping to avoid writing that as this feels like something you should be able to do in ARM

Share via

ARM template set OS disk networking

2 additional answers

Your answer