diff --git a/src/azure-cli/azure/cli/command_modules/vm/_template_builder.py b/src/azure-cli/azure/cli/command_modules/vm/_template_builder.py
index b18847cac25..91f2a386e43 100644
--- a/src/azure-cli/azure/cli/command_modules/vm/_template_builder.py
+++ b/src/azure-cli/azure/cli/command_modules/vm/_template_builder.py
@@ -193,7 +193,7 @@ def build_nic_resource(_, name, location, tags, vm_name, subnet_id, private_ip_a
     return nic
 
 
-def build_nsg_resource(_, name, location, tags, nsg_rule):
+def build_nsg_resource(cmd, name, location, tags, nsg_rule):
     nsg = {
         'type': 'Microsoft.Network/networkSecurityGroups',
         'name': name,
@@ -203,7 +203,7 @@ def build_nsg_resource(_, name, location, tags, nsg_rule):
         'dependsOn': []
     }
 
-    if nsg_rule != 'NONE':
+    if nsg_rule != 'NONE' and not cmd.cli_ctx.config.getboolean('vm', 'disable_nsg_rule', fallback=False):
         rule_name = 'rdp' if nsg_rule == 'RDP' else 'default-allow-ssh'
         rule_dest_port = '3389' if nsg_rule == 'RDP' else '22'
 
diff --git a/src/azure-cli/azure/cli/command_modules/vm/custom.py b/src/azure-cli/azure/cli/command_modules/vm/custom.py
index baa3865d866..510f4004c15 100644
--- a/src/azure-cli/azure/cli/command_modules/vm/custom.py
+++ b/src/azure-cli/azure/cli/command_modules/vm/custom.py
@@ -3016,7 +3016,7 @@ def _get_public_ip_address_allocation(value, sku):
             if load_balancer_sku and load_balancer_sku.lower() == 'standard' and nsg is None and os_type:
                 nsg_name = '{}NSG'.format(vmss_name)
                 master_template.add_resource(build_nsg_resource(
-                    None, nsg_name, location, tags, 'rdp' if os_type.lower() == 'windows' else 'ssh'))
+                    cmd, nsg_name, location, tags, 'rdp' if os_type.lower() == 'windows' else 'ssh'))
                 nsg = "[resourceId('Microsoft.Network/networkSecurityGroups', '{}')]".format(nsg_name)
                 vmss_dependencies.append('Microsoft.Network/networkSecurityGroups/{}'.format(nsg_name))