Respond to PR feedback

Author: eerhardt

src/Aspire.Hosting.Azure.Network/AzureSubnetResource.cs

@@ -134,9 +134,14 @@ internal SubnetResource ToProvisioningEntity(AzureResourceInfrastructure infra,
             subnet.NatGatewayId = NatGateway.Id.AsProvisioningParameter(infra);
         }
 
-        if (NetworkSecurityGroup is not null &&
-            nsgMap.TryGetValue(NetworkSecurityGroup, out var provisioningNsg))
+        if (NetworkSecurityGroup is not null)
         {
+            if (!nsgMap.TryGetValue(NetworkSecurityGroup, out var provisioningNsg))
+            {
+                throw new InvalidOperationException(
+                    $"The Network Security Group '{NetworkSecurityGroup.Name}' referenced by subnet '{Name}' was not found in the parent Virtual Network's NetworkSecurityGroups collection.");
+            }
+
             // Set the NSG reference on the subnet by setting the model's Id property.
             // This produces the correct bicep: networkSecurityGroup: { id: nsg.id }
             subnet.NetworkSecurityGroup.Id = provisioningNsg.Id;

src/Aspire.Hosting.Azure.Network/AzureVirtualNetworkExtensions.cs

@@ -439,6 +439,15 @@ public static IResourceBuilder<AzureSubnetResource> WithNetworkSecurityGroup(
         ArgumentNullException.ThrowIfNull(builder);
         ArgumentNullException.ThrowIfNull(nsg);
 
+        if (nsg.Resource.Parent != builder.Resource.Parent)
+        {
+            throw new ArgumentException(
+                $"The Network Security Group '{nsg.Resource.Name}' belongs to Virtual Network '{nsg.Resource.Parent.Name}', " +
+                $"but the subnet '{builder.Resource.Name}' belongs to Virtual Network '{builder.Resource.Parent.Name}'. " +
+                $"The NSG and subnet must belong to the same Virtual Network.",
+                nameof(nsg));
+        }
+
         builder.Resource.NetworkSecurityGroup = nsg.Resource;
         return builder;
     }

tests/Aspire.Hosting.Azure.Tests/AzureVirtualNetworkExtensionsTests.cs

@@ -402,4 +402,66 @@ public void WithSecurityRule_DuplicateName_Throws()
 
         Assert.Contains("allow-https", exception.Message, StringComparison.OrdinalIgnoreCase);
     }
+
+    [Fact]
+    public async Task MultipleNSGs_WithSameRuleName_GeneratesDistinctBicepIdentifiers()
+    {
+        using var builder = TestDistributedApplicationBuilder.Create(DistributedApplicationOperation.Publish);
+
+        var vnet = builder.AddAzureVirtualNetwork("myvnet");
+
+        var nsg1 = vnet.AddNetworkSecurityGroup("nsg-one")
+            .WithSecurityRule(new AzureSecurityRule
+            {
+                Name = "allow-https",
+                Priority = 100,
+                Direction = SecurityRuleDirection.Inbound,
+                Access = SecurityRuleAccess.Allow,
+                Protocol = SecurityRuleProtocol.Tcp,
+                SourceAddressPrefix = "*",
+                SourcePortRange = "*",
+                DestinationAddressPrefix = "*",
+                DestinationPortRange = "443"
+            });
+
+        var nsg2 = vnet.AddNetworkSecurityGroup("nsg-two")
+            .WithSecurityRule(new AzureSecurityRule
+            {
+                Name = "allow-https",
+                Priority = 100,
+                Direction = SecurityRuleDirection.Inbound,
+                Access = SecurityRuleAccess.Allow,
+                Protocol = SecurityRuleProtocol.Tcp,
+                SourceAddressPrefix = "VirtualNetwork",
+                SourcePortRange = "*",
+                DestinationAddressPrefix = "*",
+                DestinationPortRange = "443"
+            });
+
+        vnet.AddSubnet("subnet1", "10.0.1.0/24")
+            .WithNetworkSecurityGroup(nsg1);
+        vnet.AddSubnet("subnet2", "10.0.2.0/24")
+            .WithNetworkSecurityGroup(nsg2);
+
+        var manifest = await AzureManifestUtils.GetManifestWithBicep(vnet.Resource);
+
+        await Verify(manifest.BicepText, extension: "bicep");
+    }
+
+    [Fact]
+    public void WithNetworkSecurityGroup_DifferentVNet_Throws()
+    {
+        using var builder = TestDistributedApplicationBuilder.Create(DistributedApplicationOperation.Publish);
+
+        var vnet1 = builder.AddAzureVirtualNetwork("vnet1");
+        var vnet2 = builder.AddAzureVirtualNetwork("vnet2");
+
+        var nsg = vnet1.AddNetworkSecurityGroup("web-nsg");
+        var subnet = vnet2.AddSubnet("web-subnet", "10.0.1.0/24");
+
+        var exception = Assert.Throws<ArgumentException>(() => subnet.WithNetworkSecurityGroup(nsg));
+
+        Assert.Contains("vnet1", exception.Message);
+        Assert.Contains("vnet2", exception.Message);
+    }
 }

tests/Aspire.Hosting.Azure.Tests/Snapshots/AzureVirtualNetworkExtensionsTests.MultipleNSGs_WithSameRuleName_GeneratesDistinctBicepIdentifiers.verified.bicep

@@ -0,0 +1,90 @@
+@description('The location for the resource(s) to be deployed.')
+param location string = resourceGroup().location
+
+resource myvnet 'Microsoft.Network/virtualNetworks@2025-05-01' = {
+  name: take('myvnet-${uniqueString(resourceGroup().id)}', 64)
+  properties: {
+    addressSpace: {
+      addressPrefixes: [
+        '10.0.0.0/16'
+      ]
+    }
+  }
+  location: location
+  tags: {
+    'aspire-resource-name': 'myvnet'
+  }
+}
+
+resource nsg_one 'Microsoft.Network/networkSecurityGroups@2025-05-01' = {
+  name: take('nsg_one-${uniqueString(resourceGroup().id)}', 80)
+  location: location
+}
+
+resource nsg_one_allow_https 'Microsoft.Network/networkSecurityGroups/securityRules@2025-05-01' = {
+  name: 'allow-https'
+  properties: {
+    access: 'Allow'
+    destinationAddressPrefix: '*'
+    destinationPortRange: '443'
+    direction: 'Inbound'
+    priority: 100
+    protocol: 'Tcp'
+    sourceAddressPrefix: '*'
+    sourcePortRange: '*'
+  }
+  parent: nsg_one
+}
+
+resource nsg_two 'Microsoft.Network/networkSecurityGroups@2025-05-01' = {
+  name: take('nsg_two-${uniqueString(resourceGroup().id)}', 80)
+  location: location
+}
+
+resource nsg_two_allow_https 'Microsoft.Network/networkSecurityGroups/securityRules@2025-05-01' = {
+  name: 'allow-https'
+  properties: {
+    access: 'Allow'
+    destinationAddressPrefix: '*'
+    destinationPortRange: '443'
+    direction: 'Inbound'
+    priority: 100
+    protocol: 'Tcp'
+    sourceAddressPrefix: 'VirtualNetwork'
+    sourcePortRange: '*'
+  }
+  parent: nsg_two
+}
+
+resource subnet1 'Microsoft.Network/virtualNetworks/subnets@2025-05-01' = {
+  name: 'subnet1'
+  properties: {
+    addressPrefix: '10.0.1.0/24'
+    networkSecurityGroup: {
+      id: nsg_one.id
+    }
+  }
+  parent: myvnet
+}
+
+resource subnet2 'Microsoft.Network/virtualNetworks/subnets@2025-05-01' = {
+  name: 'subnet2'
+  properties: {
+    addressPrefix: '10.0.2.0/24'
+    networkSecurityGroup: {
+      id: nsg_two.id
+    }
+  }
+  parent: myvnet
+  dependsOn: [
+    subnet1
+  ]
+}
+
+output subnet1_Id string = subnet1.id
+
+output subnet2_Id string = subnet2.id
+
+output id string = myvnet.id
+
+output name string = myvnet.name