Hi @grajee,
in NSG Security Rules the VirtualNetwork is a service tag. The definition of this service tag and the scope of VirtualNetwork is explained here: https://learn.microsoft.com/en-us/azure/virtual-network/service-tags-overview#available-service-tags
The virtual network address space (all IP address ranges defined for the virtual network), all connected on-premises address spaces, peered virtual networks, virtual networks connected to a virtual network gateway, the virtual IP address of the host, and address prefixes used on user-defined routes. This tag might also contain default routes.
If you have a defined VNet peering with another foreign subscription, this foreign VNet is in scope of the NSG service tag VirtualNetwork. It doesn't matter if the VNet is part of your own or a foreign subscription as long as it is defined/configured. Even on-premises network IP ranges can be part of the VirtualNetwork if they are connected.
Regards
Andreas Baumgarten
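
An added example, not part of the answer above: a Python check that lists which prefixes the VirtualNetwork tag expands to beyond the VNet's own address space (peered VNets, on-premises ranges), so rules relying on the tag can be reviewed. The JSON is a constructed sample; its field names are an assumption modelled on the output of `az network nic list-effective-nsg`, and all address ranges are made up.

```python
import ipaddress
import json

# Constructed sample, shaped like the JSON printed by
# `az network nic list-effective-nsg` (field names are an assumption
# based on that command's output; all values are made up).
SAMPLE = json.loads("""
{"value": [{"effectiveSecurityRules": [
  {"name": "defaultSecurityRules/AllowVnetInBound",
   "direction": "Inbound", "access": "Allow",
   "sourceAddressPrefix": "VirtualNetwork",
   "expandedSourceAddressPrefix":
     ["10.0.0.0/16", "10.50.0.0/16", "192.168.0.0/24", "168.63.129.16/32"]},
  {"name": "securityRules/AllowHttps",
   "direction": "Inbound", "access": "Allow",
   "sourceAddressPrefix": "Internet",
   "expandedSourceAddressPrefix": ["1.0.0.0/8"]}
]}]}
""")

# Virtual IP address of the host, which the tag definition also includes.
HOST_VIP = ipaddress.ip_network("168.63.129.16/32")


def foreign_prefixes(effective, own_address_space):
    """Return {rule name: [prefixes]} for prefixes that the VirtualNetwork
    tag expands to but that lie outside the VNet's own address space."""
    own = [ipaddress.ip_network(p) for p in own_address_space]
    findings = {}
    for nsg in effective.get("value", []):
        for rule in nsg.get("effectiveSecurityRules", []):
            for side in ("Source", "Destination"):
                if rule.get(f"{side.lower()}AddressPrefix") != "VirtualNetwork":
                    continue
                for prefix in rule.get(f"expanded{side}AddressPrefix") or []:
                    net = ipaddress.ip_network(prefix, strict=False)
                    local = net == HOST_VIP or any(
                        net.version == o.version and net.subnet_of(o) for o in own)
                    if not local:
                        findings.setdefault(rule["name"], []).append(prefix)
    return findings


if __name__ == "__main__":
    # 10.0.0.0/16 is the VNet's own (constructed) address space.
    for name, prefixes in foreign_prefixes(SAMPLE, ["10.0.0.0/16"]).items():
        print(name, "->", ", ".join(prefixes))
```

Any prefix reported here is reachable through a rule that names VirtualNetwork, so a peering or gateway connection widens those rules without any NSG change.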