diff --git a/arm/Microsoft.Network/virtualNetworks/deploy.bicep b/arm/Microsoft.Network/virtualNetworks/deploy.bicep
index 45bc866028..890d255ed0 100644
--- a/arm/Microsoft.Network/virtualNetworks/deploy.bicep
+++ b/arm/Microsoft.Network/virtualNetworks/deploy.bicep
@@ -11,6 +11,10 @@ param addressPrefixes array
 @minLength(1)
 param subnets array
 
+@description('Optional. Resource Group where NSGs are deployed, if different than VNET Resource Group.')
+@minLength(1)
+param nsgResourceGroup string = resourceGroup().name
+
 @description('Optional. DNS Servers associated to the Virtual Network.')
 param dnsServers array = []
 
@@ -116,7 +120,7 @@ resource virtualNetwork 'Microsoft.Network/virtualNetworks@2021-05-01' = {
       name: item.name
       properties: {
         addressPrefix: item.addressPrefix
-        networkSecurityGroup: contains(item, 'networkSecurityGroupName') ? (empty(item.networkSecurityGroupName) ? null : json('{"id": "${resourceId('Microsoft.Network/networkSecurityGroups', item.networkSecurityGroupName)}"}')) : null
+        networkSecurityGroup: contains(item, 'networkSecurityGroupName') ? (empty(item.networkSecurityGroupName) ? null : json('{"id": "${resourceId(nsgResourceGroup, 'Microsoft.Network/networkSecurityGroups', item.networkSecurityGroupName)}"}')) : null
         routeTable: contains(item, 'routeTableName') ? (empty(item.routeTableName) ? null : json('{"id": "${resourceId('Microsoft.Network/routeTables', item.routeTableName)}"}')) : null
         serviceEndpoints: contains(item, 'serviceEndpoints') ? (empty(item.serviceEndpoints) ? null : item.serviceEndpoints) : null
         delegations: contains(item, 'delegations') ? (empty(item.delegations) ? null : item.delegations) : null
diff --git a/arm/Microsoft.Network/virtualNetworks/readme.md b/arm/Microsoft.Network/virtualNetworks/readme.md
index 7c5811cb68..4fe7f5e8bd 100644
--- a/arm/Microsoft.Network/virtualNetworks/readme.md
+++ b/arm/Microsoft.Network/virtualNetworks/readme.md
@@ -31,6 +31,7 @@ This template deploys a virtual network (vNet).
 | `name` | string |  |  | Required. The Virtual Network (vNet) Name. |
 | `roleAssignments` | array | `[]` |  | Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11' |
 | `subnets` | array |  |  | Required. An Array of subnets to deploy to the Virual Network. |
+| `nsgResourceGroup` | string | `[resourceGroup().name]` |  | Optional. Resource Group where NSGs are deployed, if different than VNET Resource Group. |
 | `tags` | object | `{object}` |  | Optional. Tags of the resource. |
 | `virtualNetworkPeerings` | _[virtualNetworkPeerings](virtualNetworkPeerings/readme.md)_ array | `[]` |  | Optional. Virtual Network Peerings configurations |
 | `workspaceId` | string |  |  | Optional. Resource ID of log analytics. |