diff --git a/examples/azure/sonar_deployment/TODOS b/examples/azure/sonar_deployment/TODOS
deleted file mode 100644
index c50842241..000000000
--- a/examples/azure/sonar_deployment/TODOS
+++ /dev/null
@@ -1,46 +0,0 @@ -next: - Azure kms equivalent - value with keys (az keyvault key encrypt --value "$val" --vault-name eytan-remove-me --name eytan-remove-me --algorithm RSA-OAEP) - Investigate CTT on azure - Make sure the new disk approach is robust against termiantion and userdata change - unify the disk approach for aws & azure - azure nat - for each subnet - federation - remove commented out - change gw group ebs details name and schema - rename vpc in example -Azure tasks: - reorganize the example directory structure - and create hadr example - release the new modules (change module source to point to tf registry) - research: - # tbd: verify how a customer would pass on his creds to this provider https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs - Consider changing Azure/network/azurerm to Azure/vnet/azurerm module - Get a complete list of permissions we need in azure - change the "elastic" terminology - "create_and_attach_public_elastic_ip". Elastic means nothing in the context of azure - compare all code aws vs azure - Terraform apply kay vault sporadic failures - https://github.com/hashicorp/terraform-provider-azurerm/issues/18309 - vm roles - Give "azurerm_role_assignment" resource minimal permissions - Allow passing role_definition_name from outside - Vault (secret) - Reduce access policy to minimum - p1 - We currently use azure vault's secrets. We should probably use azure vault's keys instead. - destroy fails the first time it runs - A lot of times, the first destory fails with some vault voodoo (and additional destory solves this) - https://github.com/hashicorp/terraform-provider-azurerm/issues/19322#issuecomment-1433175455 - tf cloud - Make it work - tarball location - create storage account and backend to manage it - backend - check audit - - Split disks to 3: - apps - 15.0 GB - data - 20.0 GB - logs - 1.0 GB - -docs playground - remove keypair from globals, making them none aws modules - create single vault for all secrets 
diff --git a/examples/azure/sonar_deployment/networking.tf b/examples/azure/sonar_deployment/networking.tf
index bffc1bd0f..e6d41c3be 100644
--- a/examples/azure/sonar_deployment/networking.tf
+++ b/examples/azure/sonar_deployment/networking.tf
@@ -81,12 +81,13 @@ resource "azurerm_nat_gateway" "nat_gw" {
 idle_timeout_in_minutes = 10
 }
 
-resource "azurerm_subnet_nat_gateway_association" "nat_gw_vnet_association" {
-subnet_id = module.network[0].vnet_subnets[0]
-nat_gateway_id = azurerm_nat_gateway.nat_gw.id
-}
-
 resource "azurerm_nat_gateway_public_ip_association" "nat_gw_public_ip_association" {
 nat_gateway_id = azurerm_nat_gateway.nat_gw.id
 public_ip_address_id = azurerm_public_ip.nat_gw_public_ip.id
 }
+
+resource "azurerm_subnet_nat_gateway_association" "nat_gw_vnet_association" {
+count = length(local.subnet_prefixes)
+subnet_id = module.network[0].vnet_subnets[count.index]
+nat_gateway_id = azurerm_nat_gateway.nat_gw.id
+}
\ No newline at end of file
diff --git a/modules/azurerm/agentless-gw/variables.tf b/modules/azurerm/agentless-gw/variables.tf
index 29d5afaab..3bf3847f6 100644
--- a/modules/azurerm/agentless-gw/variables.tf
+++ b/modules/azurerm/agentless-gw/variables.tf
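Review bot: Turning `nat_gw_vnet_association` from a single resource into a counted one changes its state address, so the plan will destroy the existing association and recreate it as `[0]` on the same subnet, briefly detaching the NAT gateway from that subnet during apply. A `moved { from = azurerm_subnet_nat_gateway_association.nat_gw_vnet_association  to = azurerm_subnet_nat_gateway_association.nat_gw_vnet_association[0] }` block keeps the current association in state and only adds the new indices. The count is driven by `local.subnet_prefixes` while the ids come from `module.network[0].vnet_subnets`, so the two are only coupled by convention; a comment such as `# one association per subnet; local.subnet_prefixes must stay in step with the subnets module.network emits` would make the out-of-range risk visible. The file also loses its trailing newline in this change.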
@@ -35,13 +35,16 @@ variable "subnet_id" {
 }
 }
 
-
 variable "security_group_ids" {
 type = list(string)
-description = "AWS security group Ids to attach to the instance. If provided, no security groups are created and all allowed_*_cidrs variables are ignored."
+description = "Security group ids to attach to the instance. If provided, no security groups are created and all allowed_*_cidrs variables are ignored."
+validation {
+condition = length(var.security_group_ids) == 0 || length(var.security_group_ids) == 1
+error_message = "Can't contain more than a single element"
+}
 validation {
-condition = alltrue([for item in var.security_group_ids : substr(item, 0, 3) == "sg-"])
-error_message = "One or more of the security group Ids list is invalid. Each item should be in the format of 'sg-xx..xxx'"
+condition = alltrue([for item in var.security_group_ids : can(regex(".*Microsoft.Network/networkSecurityGroups/.*", item))])
+error_message = "One or more of the security group ids list is invalid. Each item should match the pattern '.*Microsoft.Network/networkSecurityGroups/"
 }
 default = []
 }
diff --git a/modules/azurerm/hub/variables.tf b/modules/azurerm/hub/variables.tf
index 0193b5022..cfbe98786 100644
--- a/modules/azurerm/hub/variables.tf
+++ b/modules/azurerm/hub/variables.tf
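Review bot: The new regex validation's error_message never closes the quote it opens (`'.*Microsoft.Network/networkSecurityGroups/`), and the pattern itself leaves the dot in `Microsoft.Network` unescaped and is wrapped in `.*` on both sides, so it accepts any string that merely contains that substring rather than an NSG resource id; the identical two lines are added to modules/azurerm/hub/variables.tf in this commit. Suggest `condition = alltrue([for item in var.security_group_ids : can(regex("/providers/Microsoft\\.Network/networkSecurityGroups/[^/]+$", item))])` with `error_message = "One or more of the security group ids list is invalid. Each item should be a network security group resource id ending in '/providers/Microsoft.Network/networkSecurityGroups/<name>'."`. The added single-element check is sound, but its message `Can't contain more than a single element` would be clearer as a full sentence naming the variable, e.g. `security_group_ids may contain at most one element.`.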
@@ -37,10 +37,14 @@ variable "subnet_id" {
 
 variable "security_group_ids" {
 type = list(string)
-description = "Security group Ids to attach to the instance. If provided, no security groups are created and all allowed_*_cidrs variables are ignored."
+description = "Security group ids to attach to the instance. If provided, no security groups are created and all allowed_*_cidrs variables are ignored."
 validation {
-condition = alltrue([for item in var.security_group_ids : substr(item, 0, 3) == "sg-"])
-error_message = "One or more of the security group Ids list is invalid. Each item should be in the format of 'sg-xx..xxx'"
+condition = length(var.security_group_ids) == 0 || length(var.security_group_ids) == 1
+error_message = "Can't contain more than a single element"
+}
+validation {
+condition = alltrue([for item in var.security_group_ids : can(regex(".*Microsoft.Network/networkSecurityGroups/.*", item))])
+error_message = "One or more of the security group ids list is invalid. Each item should match the pattern '.*Microsoft.Network/networkSecurityGroups/"
 }
 default = []
 }
diff --git a/modules/azurerm/sonar-base-instance/variables.tf b/modules/azurerm/sonar-base-instance/variables.tf
index d867b97f3..849c17518 100644
--- a/modules/azurerm/sonar-base-instance/variables.tf
+++ b/modules/azurerm/sonar-base-instance/variables.tf
@@ -46,7 +46,7 @@ variable "security_groups_config" {
 
 variable "security_group_ids" {
 type = list(string)
-description = "AWS security group Ids to attach to the instance. If provided, no security groups are created and all allowed_*_cidrs variables are ignored."
+description = "security group ids to attach to the instance. If provided, no security groups are created and all allowed_*_cidrs variables are ignored."
 validation {
 condition = length(var.security_group_ids) == 0 || length(var.security_group_ids) == 1
 error_message = "Can't contain more than a single element"
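Review bot: The rewritten description in sonar-base-instance starts in lowercase (`security group ids to attach to the instance...`) while the same commit capitalises it in the agentless-gw and hub modules, so the three copies of this variable now read differently in generated docs. Suggest `description = "Security group ids to attach to the instance. If provided, no security groups are created and all allowed_*_cidrs variables are ignored."` to keep them aligned. The rest of the variable block continues outside the hunk.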