Add Network Security Group (NSG) support for Azure Virtual Networks

Adds the ability to create NSGs with security rules and associate them
with subnets, enabling fine-grained network traffic control for Azure
resources deployed into VNets.

New APIs:
- AddNetworkSecurityGroup() on IResourceBuilder<AzureVirtualNetworkResource>
- WithSecurityRule() on IResourceBuilder<AzureNetworkSecurityGroupResource>
- WithNetworkSecurityGroup() on IResourceBuilder<AzureSubnetResource>

New types:
- AzureNetworkSecurityGroupResource (child of VNet)
- AzureSecurityRule (public data class for rule configuration)

Key behaviors:
- NSGs are created before subnets in bicep for correct dependency ordering
- Security rule bicep identifiers are prefixed with NSG name to avoid
  duplicate symbolic names across multiple NSGs
- A single NSG can be shared across multiple subnets
- Duplicate rule names within an NSG are rejected with ArgumentException
- Subnets reference NSGs via id (not inline properties) in generated bicep

Author: eerhardt

playground/AzureVirtualNetworkEndToEnd/AzureVirtualNetworkEndToEnd.AppHost/Program.cs

@@ -1,6 +1,11 @@
 // Licensed to the .NET Foundation under one or more agreements.
 // The .NET Foundation licenses this file to you under the MIT license.
 
+#pragma warning disable AZPROVISION001 // Azure.Provisioning.Network is experimental
+
+using Aspire.Hosting.Azure;
+using Azure.Provisioning.Network;
+
 var builder = DistributedApplication.CreateBuilder(args);
 
 // Create a virtual network with two subnets:
@@ -15,6 +20,74 @@
 var natGateway = builder.AddNatGateway("nat");
 containerAppsSubnet.WithNatGateway(natGateway);
 
+// Create Network Security Groups for each subnet
+var acaNsg = vnet.AddNetworkSecurityGroup("aca-nsg")
+    .WithSecurityRule(new AzureSecurityRule
+    {
+        Name = "allow-https-from-azure-lb",
+        Priority = 100,
+        Direction = SecurityRuleDirection.Inbound,
+        Access = SecurityRuleAccess.Allow,
+        Protocol = SecurityRuleProtocol.Tcp,
+        SourceAddressPrefix = "AzureLoadBalancer",
+        SourcePortRange = "*",
+        DestinationAddressPrefix = "*",
+        DestinationPortRange = "443"
+    })
+    .WithSecurityRule(new AzureSecurityRule
+    {
+        Name = "deny-vnet-inbound",
+        Priority = 110,
+        Direction = SecurityRuleDirection.Inbound,
+        Access = SecurityRuleAccess.Deny,
+        Protocol = SecurityRuleProtocol.Asterisk,
+        SourceAddressPrefix = "VirtualNetwork",
+        SourcePortRange = "*",
+        DestinationAddressPrefix = "*",
+        DestinationPortRange = "*"
+    })
+    .WithSecurityRule(new AzureSecurityRule
+    {
+        Name = "deny-internet-inbound",
+        Priority = 4096,
+        Direction = SecurityRuleDirection.Inbound,
+        Access = SecurityRuleAccess.Deny,
+        Protocol = SecurityRuleProtocol.Asterisk,
+        SourceAddressPrefix = "Internet",
+        SourcePortRange = "*",
+        DestinationAddressPrefix = "*",
+        DestinationPortRange = "*"
+    });
+
+var peNsg = vnet.AddNetworkSecurityGroup("pe-nsg")
+    .WithSecurityRule(new AzureSecurityRule
+    {
+        Name = "allow-https-from-vnet",
+        Priority = 100,
+        Direction = SecurityRuleDirection.Inbound,
+        Access = SecurityRuleAccess.Allow,
+        Protocol = SecurityRuleProtocol.Tcp,
+        SourceAddressPrefix = "VirtualNetwork",
+        SourcePortRange = "*",
+        DestinationAddressPrefix = "*",
+        DestinationPortRange = "443"
+    })
+    .WithSecurityRule(new AzureSecurityRule
+    {
+        Name = "deny-all-internet-inbound",
+        Priority = 4096,
+        Direction = SecurityRuleDirection.Inbound,
+        Access = SecurityRuleAccess.Deny,
+        Protocol = SecurityRuleProtocol.Asterisk,
+        SourceAddressPrefix = "Internet",
+        SourcePortRange = "*",
+        DestinationAddressPrefix = "*",
+        DestinationPortRange = "*"
+    });
+
+containerAppsSubnet.WithNetworkSecurityGroup(acaNsg);
+privateEndpointsSubnet.WithNetworkSecurityGroup(peNsg);
+
 // Configure the Container App Environment to use the VNet
 builder.AddAzureContainerAppEnvironment("env")
     .WithDelegatedSubnet(containerAppsSubnet);

playground/AzureVirtualNetworkEndToEnd/AzureVirtualNetworkEndToEnd.AppHost/vnet.module.bicep

@@ -18,6 +18,91 @@ resource vnet 'Microsoft.Network/virtualNetworks@2025-05-01' = {
   }
 }
 
+resource aca_nsg 'Microsoft.Network/networkSecurityGroups@2025-05-01' = {
+  name: take('aca_nsg-${uniqueString(resourceGroup().id)}', 80)
+  location: location
+}
+
+resource aca_nsg_allow_https_from_azure_lb 'Microsoft.Network/networkSecurityGroups/securityRules@2025-05-01' = {
+  name: 'allow-https-from-azure-lb'
+  properties: {
+    access: 'Allow'
+    destinationAddressPrefix: '*'
+    destinationPortRange: '443'
+    direction: 'Inbound'
+    priority: 100
+    protocol: 'Tcp'
+    sourceAddressPrefix: 'AzureLoadBalancer'
+    sourcePortRange: '*'
+  }
+  parent: aca_nsg
+}
+
+resource aca_nsg_deny_vnet_inbound 'Microsoft.Network/networkSecurityGroups/securityRules@2025-05-01' = {
+  name: 'deny-vnet-inbound'
+  properties: {
+    access: 'Deny'
+    destinationAddressPrefix: '*'
+    destinationPortRange: '*'
+    direction: 'Inbound'
+    priority: 110
+    protocol: '*'
+    sourceAddressPrefix: 'VirtualNetwork'
+    sourcePortRange: '*'
+  }
+  parent: aca_nsg
+}
+
+resource aca_nsg_deny_internet_inbound 'Microsoft.Network/networkSecurityGroups/securityRules@2025-05-01' = {
+  name: 'deny-internet-inbound'
+  properties: {
+    access: 'Deny'
+    destinationAddressPrefix: '*'
+    destinationPortRange: '*'
+    direction: 'Inbound'
+    priority: 4096
+    protocol: '*'
+    sourceAddressPrefix: 'Internet'
+    sourcePortRange: '*'
+  }
+  parent: aca_nsg
+}
+
+resource pe_nsg 'Microsoft.Network/networkSecurityGroups@2025-05-01' = {
+  name: take('pe_nsg-${uniqueString(resourceGroup().id)}', 80)
+  location: location
+}
+
+resource pe_nsg_allow_https_from_vnet 'Microsoft.Network/networkSecurityGroups/securityRules@2025-05-01' = {
+  name: 'allow-https-from-vnet'
+  properties: {
+    access: 'Allow'
+    destinationAddressPrefix: '*'
+    destinationPortRange: '443'
+    direction: 'Inbound'
+    priority: 100
+    protocol: 'Tcp'
+    sourceAddressPrefix: 'VirtualNetwork'
+    sourcePortRange: '*'
+  }
+  parent: pe_nsg
+}
+
+resource pe_nsg_deny_all_internet_inbound 'Microsoft.Network/networkSecurityGroups/securityRules@2025-05-01' = {
+  name: 'deny-all-internet-inbound'
+  properties: {
+    access: 'Deny'
+    destinationAddressPrefix: '*'
+    destinationPortRange: '*'
+    direction: 'Inbound'
+    priority: 4096
+    protocol: '*'
+    sourceAddressPrefix: 'Internet'
+    sourcePortRange: '*'
+  }
+  parent: pe_nsg
+}
+
 resource container_apps 'Microsoft.Network/virtualNetworks/subnets@2025-05-01' = {
   name: 'container-apps'
   properties: {
@@ -33,6 +118,9 @@ resource container_apps 'Microsoft.Network/virtualNetworks/subnets@2025-05-01' =
     natGateway: {
       id: nat_outputs_id
     }
+    networkSecurityGroup: {
+      id: aca_nsg.id
+    }
   }
   parent: vnet
 }
@@ -41,6 +129,9 @@ resource private_endpoints 'Microsoft.Network/virtualNetworks/subnets@2025-05-01
   name: 'private-endpoints'
   properties: {
     addressPrefix: '10.0.2.0/27'
+    networkSecurityGroup: {
+      id: pe_nsg.id
+    }
   }
   parent: vnet
   dependsOn: [

src/Aspire.Hosting.Azure.Network/AzureNetworkSecurityGroupResource.cs

@@ -0,0 +1,67 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+
+using Aspire.Hosting.ApplicationModel;
+using Azure.Provisioning;
+using Azure.Provisioning.Network;
+
+namespace Aspire.Hosting.Azure;
+
+/// <summary>
+/// Represents an Azure Network Security Group resource.
+/// </summary>
+/// <remarks>
+/// Use <see cref="AzureVirtualNetworkExtensions.AddNetworkSecurityGroup"/> to create an instance
+/// and <see cref="AzureVirtualNetworkExtensions.WithSecurityRule"/> to add security rules.
+/// Associate the NSG with a subnet using <see cref="AzureVirtualNetworkExtensions.WithNetworkSecurityGroup"/>.
+/// </remarks>
+public class AzureNetworkSecurityGroupResource : Resource, IResourceWithParent<AzureVirtualNetworkResource>
+{
+    /// <summary>
+    /// Initializes a new instance of the <see cref="AzureNetworkSecurityGroupResource"/> class.
+    /// </summary>
+    /// <param name="name">The name of the resource.</param>
+    /// <param name="parent">The parent Virtual Network resource.</param>
+    public AzureNetworkSecurityGroupResource(string name, AzureVirtualNetworkResource parent)
+        : base(name)
+    {
+        Parent = parent ?? throw new ArgumentNullException(nameof(parent));
+    }
+
+    /// <summary>
+    /// Gets the parent Azure Virtual Network resource.
+    /// </summary>
+    public AzureVirtualNetworkResource Parent { get; }
+
+    internal List<AzureSecurityRule> SecurityRules { get; } = [];
+
+    /// <summary>
+    /// Converts the current instance to provisioning entities: the NSG and its security rules.
+    /// </summary>
+    internal (NetworkSecurityGroup Nsg, List<SecurityRule> Rules) ToProvisioningEntity()
+    {
+        var nsg = new NetworkSecurityGroup(Infrastructure.NormalizeBicepIdentifier(Name));
+
+        var rules = new List<SecurityRule>();
+        foreach (var rule in SecurityRules)
+        {
+            var ruleIdentifier = Infrastructure.NormalizeBicepIdentifier($"{nsg.BicepIdentifier}_{rule.Name}");
+            var securityRule = new SecurityRule(ruleIdentifier)
+            {
+                Name = rule.Name,
+                Priority = rule.Priority,
+                Direction = rule.Direction,
+                Access = rule.Access,
+                Protocol = rule.Protocol,
+                SourceAddressPrefix = rule.SourceAddressPrefix,
+                SourcePortRange = rule.SourcePortRange,
+                DestinationAddressPrefix = rule.DestinationAddressPrefix,
+                DestinationPortRange = rule.DestinationPortRange,
+                Parent = nsg,
+            };
+            rules.Add(securityRule);
+        }
+
+        return (nsg, rules);
+    }
+}

src/Aspire.Hosting.Azure.Network/AzureSecurityRule.cs

@@ -0,0 +1,61 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+
+using Azure.Provisioning.Network;
+
+namespace Aspire.Hosting.Azure;
+
+/// <summary>
+/// Represents a security rule configuration for an Azure Network Security Group.
+/// </summary>
+/// <remarks>
+/// Security rules control inbound and outbound network traffic for subnets associated with the Network Security Group.
+/// Rules are evaluated in priority order, with lower numbers having higher priority.
+/// </remarks>
+public sealed class AzureSecurityRule
+{
+    /// <summary>
+    /// Gets or sets the name of the security rule. This name must be unique within the Network Security Group.
+    /// </summary>
+    public required string Name { get; set; }
+
+    /// <summary>
+    /// Gets or sets the priority of the rule. Valid values are between 100 and 4096. Lower numbers have higher priority.
+    /// </summary>
+    public required int Priority { get; set; }
+
+    /// <summary>
+    /// Gets or sets the direction of the rule.
+    /// </summary>
+    public required SecurityRuleDirection Direction { get; set; }
+
+    /// <summary>
+    /// Gets or sets whether network traffic is allowed or denied.
+    /// </summary>
+    public required SecurityRuleAccess Access { get; set; }
+
+    /// <summary>
+    /// Gets or sets the network protocol this rule applies to.
+    /// </summary>
+    public required SecurityRuleProtocol Protocol { get; set; }
+
+    /// <summary>
+    /// Gets or sets the source address prefix. Use "*" for any.
+    /// </summary>
+    public required string SourceAddressPrefix { get; set; }
+
+    /// <summary>
+    /// Gets or sets the source port range. Use "*" for any.
+    /// </summary>
+    public required string SourcePortRange { get; set; }
+
+    /// <summary>
+    /// Gets or sets the destination address prefix. Use "*" for any.
+    /// </summary>
+    public required string DestinationAddressPrefix { get; set; }
+
+    /// <summary>
+    /// Gets or sets the destination port range. Use "*" for any, or a range like "80-443".
+    /// </summary>
+    public required string DestinationPortRange { get; set; }
+}

src/Aspire.Hosting.Azure.Network/AzureSubnetResource.cs

@@ -82,13 +82,18 @@ public AzureSubnetResource(string name, string subnetName, ParameterResource add
     /// </summary>
     internal AzureNatGatewayResource? NatGateway { get; set; }
 
+    /// <summary>
+    /// Gets or sets the Network Security Group associated with the subnet.
+    /// </summary>
+    internal AzureNetworkSecurityGroupResource? NetworkSecurityGroup { get; set; }
+
     private static string ThrowIfNullOrEmpty([NotNull] string? argument, [CallerArgumentExpression(nameof(argument))] string? paramName = null)
         => !string.IsNullOrEmpty(argument) ? argument : throw new ArgumentNullException(paramName);
 
     /// <summary>
     /// Converts the current instance to a provisioning entity.
     /// </summary>
-    internal SubnetResource ToProvisioningEntity(AzureResourceInfrastructure infra, ProvisionableResource? dependsOn)
+    internal SubnetResource ToProvisioningEntity(AzureResourceInfrastructure infra, ProvisionableResource? dependsOn, Dictionary<AzureNetworkSecurityGroupResource, NetworkSecurityGroup> nsgMap)
     {
         var subnet = new SubnetResource(Infrastructure.NormalizeBicepIdentifier(Name))
         {
@@ -129,6 +134,14 @@ internal SubnetResource ToProvisioningEntity(AzureResourceInfrastructure infra,
             subnet.NatGatewayId = NatGateway.Id.AsProvisioningParameter(infra);
         }
 
+        if (NetworkSecurityGroup is not null &&
+            nsgMap.TryGetValue(NetworkSecurityGroup, out var provisioningNsg))
+        {
+            // Set the NSG reference on the subnet by setting the model's Id property.
+            // This produces the correct bicep: networkSecurityGroup: { id: nsg.id }
+            subnet.NetworkSecurityGroup.Id = provisioningNsg.Id;
+        }
+
         // add a provisioning output for the subnet ID so it can be referenced by other resources
         infra.Add(new ProvisioningOutput(Id.Name, typeof(string))
         {