Ensure every subnet block is configured with a Network Security Group in Azure Virtual Network

MEDIUM

Description

Allowing unrestricted, public access to cloud services exposes an application to external attack, and disallowing that access is standard practice. In Azure the subnet-level control for this is a Network Security Group (NSG): an ordered set of allow/deny rules on source, destination, port and protocol that Azure evaluates for traffic entering and leaving the subnet. A subnet with no NSG associated has no traffic filtering at the subnet boundary at all, so its resources are only as protected as any NSG that happens to be attached to their individual network interfaces. The first step is therefore to create a Network Security Group and associate it with every subnet; once associated, its rules, together with the built-in default rules (AllowVnetInBound and AllowAzureLoadBalancerInBound, then DenyAllInBound at priority 65500), apply to every resource deployed in that subnet.

Remediation

Existing Network Security Groups can be associated with subnets in the same region and subscription (the NSG and the virtual network do not have to share a Resource Group), or new ones can be created in the Network Security Groups console and then associated. A subnet can have at most one NSG, while one NSG can be associated with many subnets and network interfaces. Note that a subnet NSG is evaluated in addition to any NSG on a VM's network interface: inbound traffic must be allowed by both. To associate an existing Network Security Group with an existing subnet, follow the steps below. For more information on how to create Network Security Groups to meet your organizational needs, see the Azure documentation.

In Azure Console -
From the Network Security Group:

  1. Open the Azure Portal and go to Network Security Groups.
  2. Select the Network Security Group you wish to add to a subnet.
  3. Under Settings, select Subnets.
  4. Select the Associate button.
  5. Search for the virtual network and subnet.
  6. Apply.

From the subnet:

  1. Open the Azure Portal and go to Virtual Networks.
  2. Select the Virtual Network you wish to edit.
  3. Under Settings, select Subnets.
  4. Select the subnet you wish to edit.
  5. In the Network Security Group drop down, select the security group.
  6. Save.

In Terraform -

  1. For each azurerm_virtual_network resource that defines its subnets inline, set the security_group argument of every subnet block to the ID of an azurerm_network_security_group resource.
  2. Alternatively, define subnets as separate azurerm_subnet resources and create an azurerm_subnet_network_security_group_association for each one that links it to an azurerm_network_security_group resource. Use one style or the other for a given virtual network: the provider documentation warns that mixing inline subnet blocks with azurerm_subnet resources for the same network causes the two to overwrite each other on every apply.
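
The following configuration is an added example, not code from the original page or from the scanner vendor. It shows a virtual network with one subnet that fails this rule (no NSG association) beside one that passes, using the azurerm_subnet_network_security_group_association approach from step 2. The resource group name, location, address ranges, and the "HTTPS only from the Internet" rule set are assumptions chosen for illustration; the provider version pin is also an assumption.

```hcl
# Added example (not from the original page). Names, address ranges and the
# rule set below are assumptions for illustration only.

terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.0" # assumed version
    }
  }
}

provider "azurerm" {
  features {}
}

resource "azurerm_resource_group" "example" {
  name     = "rg-nsg-example"
  location = "westeurope"
}

resource "azurerm_virtual_network" "example" {
  name                = "vnet-example"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  address_space       = ["10.10.0.0/16"]
}

# NON-COMPLIANT (fails AC_AZURE_0356): a subnet with no NSG association.
# Nothing filters traffic at the subnet boundary; only NIC-level NSGs, if any,
# stand between the Internet and the VMs placed here.
resource "azurerm_subnet" "unprotected" {
  name                 = "snet-unprotected"
  resource_group_name  = azurerm_resource_group.example.name
  virtual_network_name = azurerm_virtual_network.example.name
  address_prefixes     = ["10.10.1.0/24"]
}

# COMPLIANT: the same kind of subnet, plus an NSG linked to it through the
# association resource.
resource "azurerm_subnet" "web" {
  name                 = "snet-web"
  resource_group_name  = azurerm_resource_group.example.name
  virtual_network_name = azurerm_virtual_network.example.name
  address_prefixes     = ["10.10.2.0/24"]
}

resource "azurerm_network_security_group" "web" {
  name                = "nsg-web"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name

  # Allow only HTTPS from the Internet. Any other inbound traffic from outside
  # the VNet falls through to the built-in DenyAllInBound rule (priority 65500).
  security_rule {
    name                       = "allow-https-inbound"
    priority                   = 100
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = "443"
    source_address_prefix      = "Internet"
    destination_address_prefix = "*"
  }

  # Explicit deny for management ports from the Internet. Lower numbers win, so
  # an "allow" added later with a higher priority number cannot reopen them.
  security_rule {
    name                       = "deny-mgmt-inbound"
    priority                   = 110
    direction                  = "Inbound"
    access                     = "Deny"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_ranges    = ["22", "3389"]
    source_address_prefix      = "Internet"
    destination_address_prefix = "*"
  }
}

# This association is what the rule checks for: the subnet is "configured with
# a Network Security Group" only once this resource (or the inline
# security_group argument) exists.
resource "azurerm_subnet_network_security_group_association" "web" {
  subnet_id                 = azurerm_subnet.web.id
  network_security_group_id = azurerm_network_security_group.web.id
}
```

To fix the non-compliant subnet, add a second azurerm_subnet_network_security_group_association pointing at azurerm_subnet.unprotected (or a dedicated NSG for it). The NSG must exist before the association is created; Terraform orders this correctly as long as the association references the NSG's id attribute rather than a hard-coded string. If the virtual network instead uses inline subnet blocks (step 1), the equivalent fix is the security_group argument inside each subnet block, and azurerm_subnet resources must then not be declared for that network.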

References:
https://learn.microsoft.com/en-us/azure/virtual-network/tutorial-restrict-network-access-to-resources#create-a-virtual-network
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/virtual_network#security_group
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subnet_network_security_group_association

Policy Details

Rule Reference ID: AC_AZURE_0356
CSP: Azure
Remediation Available: Yes
Resource Category: Compute
Resource Type: Virtual Network

Frameworks