Hi @grajee ,
in NSG Security Rules the VirtualNetwork is a service tag. The definition of this service tag and the scope of VirtualNetwork is explained here: https://learn.microsoft.com/en-us/azure/virtual-network/service-tags-overview#available-service-tags
The virtual network address space (all IP address ranges defined for the virtual network), all connected on-premises address spaces, peered virtual networks, virtual networks connected to a virtual network gateway, the virtual IP address of the host, and address prefixes used on user-defined routes. This tag might also contain default routes.
If you have a defined VNet peering with another foreign subscription, this foreign VNet is in scope of the NSG service tag VirtualNetwork. It doesn't matter if the VNet is part of the own or foreign subscription as long as it is defined/configured. Even on-premises network IP ranges can be part of the VirtualNetwork if they are connected.
(If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)
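To see what the tag covers on a given NIC, the sketch below lists every prefix that VirtualNetwork expands to outside the VNet's own address space. It is an added example, not part of the original reply. The rule entries are constructed sample data shaped like the `effectiveSecurityRules` entries returned by `az network nic list-effective-nsg`; the function name and the sample prefixes are assumptions.

```python
import ipaddress

# Constructed sample, shaped like "effectiveSecurityRules" entries
# (field names assumed from the effective NSG output).
SAMPLE_RULES = [
    {"name": "defaultSecurityRules/AllowVnetInBound",
     "direction": "Inbound", "access": "Allow",
     "sourceAddressPrefix": "VirtualNetwork",
     "expandedSourceAddressPrefix": [
         "10.0.0.0/16",       # the VNet's own address space
         "10.50.0.0/16",      # peered VNet in another subscription (constructed)
         "192.168.10.0/24",   # on-premises range behind a gateway (constructed)
         "168.63.129.16/32",  # virtual IP address of the host
     ]},
    {"name": "securityRules/AllowHttpsInbound",
     "direction": "Inbound", "access": "Allow",
     "sourceAddressPrefix": "Internet",
     "expandedSourceAddressPrefix": ["1.0.0.0/8"]},  # ignored: not the tag
]


def prefixes_beyond_vnet(rules, vnet_address_space, tag="VirtualNetwork"):
    """Map rule name -> prefixes the tag expands to outside the VNet's own space."""
    own = [ipaddress.ip_network(p) for p in vnet_address_space]
    findings = {}
    for rule in rules:
        for side in ("Source", "Destination"):
            # Only look at the side of the rule that actually uses the tag.
            if rule.get(f"{side.lower()}AddressPrefix") != tag:
                continue
            for prefix in rule.get(f"expanded{side}AddressPrefix") or []:
                net = ipaddress.ip_network(prefix, strict=False)
                # subnet_of() raises on mixed IPv4/IPv6, so compare versions first.
                inside = any(net.version == o.version and net.subnet_of(o)
                             for o in own)
                seen = findings.setdefault(rule["name"], [])
                if not inside and str(net) not in seen:
                    seen.append(str(net))
    # Drop rules where the tag covered nothing beyond the VNet itself.
    return {name: extra for name, extra in findings.items() if extra}


if __name__ == "__main__":
    for name, extra in prefixes_beyond_vnet(SAMPLE_RULES, ["10.0.0.0/16"]).items():
        print(f"{name}: VirtualNetwork also covers {', '.join(extra)}")
```

Anything reported here is reachable under a rule that allows VirtualNetwork, so a rule meant for intra-VNet traffic only needs explicit address prefixes instead of the tag.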