diff --git a/infrastructure/base/main.tf b/infrastructure/base/main.tf
index e03597cdd3..84465f1f2c 100644
--- a/infrastructure/base/main.tf
+++ b/infrastructure/base/main.tf
@@ -39,6 +39,7 @@ module "bastion" {
   project_name = var.project_name
   bastion_ssh_public_keys = var.bastion_ssh_public_keys
   bastion_subnet_id = module.network.bastion_subnet_id
+  bastion_nsg_id = module.network.bastion_nsg_id
   dns_zone = module.dns.dns_zone
 }
 
diff --git a/infrastructure/base/modules/bastion/main.tf b/infrastructure/base/modules/bastion/main.tf
index 10e34ac711..3226d05743 100644
--- a/infrastructure/base/modules/bastion/main.tf
+++ b/infrastructure/base/modules/bastion/main.tf
@@ -23,6 +23,11 @@ resource "azurerm_network_interface" "bastion_nic" {
   }
 }
 
+resource "azurerm_network_interface_security_group_association" "bastion_nic_nsg_association" {
+  network_interface_id = azurerm_network_interface.bastion_nic.id
+  network_security_group_id = var.bastion_nsg_id
+}
+
 resource "tls_private_key" "ssh_private_key" {
   algorithm = "RSA"
   rsa_bits = 4096
diff --git a/infrastructure/base/modules/bastion/variables.tf b/infrastructure/base/modules/bastion/variables.tf
index 13e23e0b6f..e685eb2631 100644
--- a/infrastructure/base/modules/bastion/variables.tf
+++ b/infrastructure/base/modules/bastion/variables.tf
@@ -21,6 +21,10 @@ variable "bastion_subnet_id" {
   description = "The id of the subnet where the bastion host will be placed"
 }
 
+variable "bastion_nsg_id" {
+  description = "The id of the network security group for the bastion host"
+}
+
 variable "dns_zone" {
   description = "The Azure DNS zone where the bastion A record will be added"
 }
diff --git a/infrastructure/base/modules/network/outputs.tf b/infrastructure/base/modules/network/outputs.tf
index 6087b90a6e..fb61cec7ac 100644
--- a/infrastructure/base/modules/network/outputs.tf
+++ b/infrastructure/base/modules/network/outputs.tf
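Review bot: The new association binds the bastion NIC to whatever NSG the caller passes in, but the rules that decide how widely SSH on the bastion is reachable live in `azurerm_network_security_group.bastion_nsg` inside the network module and are not part of this diff, so a reader of this module cannot see what is actually enforced. A comment on the new resource would make that split explicit, e.g. `# Attaches the network module's bastion NSG to this NIC; the inbound rule set itself is defined in modules/network.` If the bastion subnet also carries its own NSG association, Azure evaluates both the subnet-level and the NIC-level NSG, so an allow in one does not override a deny in the other; it is worth confirming which of the two is the intended control point. The `bastion_nic` resource this references starts above the hunk, and the hunk also covers the start of `ssh_private_key`.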
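Review bot: `bastion_nsg_id` is declared with only a description and no `type`, so a wrongly wired value (anything other than an NSG resource id string) is rejected by the provider at apply time rather than by Terraform at plan time; adding `type = string` inside the new block pins the module's contract. The neighbouring `bastion_subnet_id` variable visible in the same hunk has the same omission, so this follows the file's existing style rather than being a new oversight, but the new variable is a cheap place to start tightening it.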
@@ -26,6 +26,10 @@ output "bastion_subnet_id" {
   value = azurerm_subnet.bastion_subnet.id
 }
 
+output "bastion_nsg_id" {
+  value = azurerm_network_security_group.bastion_nsg.id
+}
+
 output "firewall_subnet_id" {
   value = azurerm_subnet.firewall_subnet.id
 }
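Review bot: The new `bastion_nsg_id` output carries no `description`, so module consumers and `terraform output` see only the name and cannot tell that this is the NSG meant for the bastion NIC rather than a general-purpose one; `description = "The id of the network security group attached to the bastion host NIC"` would mirror the wording of the variable it feeds in modules/bastion. The surrounding `bastion_subnet_id` and `firewall_subnet_id` outputs in the hunk lack descriptions as well, so this matches existing style, but the line being added is the natural place to begin.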