diff --git a/config.tpl.yml b/config.tpl.yml index ca6f91c44..ee5ad9fac 100644 --- a/config.tpl.yml +++ b/config.tpl.yml @@ -69,7 +69,29 @@ network: name: compute address_prefixes: "10.0.16.0/20" create: true - + # Specify the Application Security Groups mapping if already existing +# asg: +# resource_group: # name of the resource group containing the ASG. Default to the resource group containing azhop resources +# names: # list of ASG names mapping to the one defined in az-hop +# asg-ssh: asg-ssh +# asg-rdp: asg-rdp +# asg-jumpbox: asg-jumpbox +# asg-ad: asg-ad +# asg-ad-client: asg-ad-client +# asg-lustre: asg-lustre +# asg-lustre-client: asg-lustre-client +# asg-pbs: asg-pbs +# asg-pbs-client: asg-pbs-client +# asg-cyclecloud: asg-cyclecloud +# asg-cyclecloud-client: asg-cyclecloud-client +# asg-nfs-client: asg-nfs-client +# asg-telegraf: asg-telegraf +# asg-grafana: asg-grafana +# asg-robinhood: asg-robinhood +# asg-ondemand: asg-ondemand +# asg-deployer: asg-deployer +# asg-guacamole: asg-guacamole + # peering: # This list is optional, and can be used to create VNet Peerings in the same subscription. # - vnet_name: #"VNET Name to Peer to" # vnet_resource_group: #"Resource Group of the VNET to peer to" diff --git a/docs/deploy/define_environment.md b/docs/deploy/define_environment.md index fb6560ba3..6a3eb89d8 100644 --- a/docs/deploy/define_environment.md +++ b/docs/deploy/define_environment.md 
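Review bot: The new comment `# Specify the Application Security Groups mapping if already existing` understates when `network.asg.names` takes effect: in the `tf/variables_local.tf` hunk of this same change the mapping is read with `try(...["asg"]["names"], local._default_asgs)` regardless of `create_nsg`, so with `create_nsg: true` it renames the ASGs az-hop creates, and only `resource_group` is gated on `create_nsg` being false. A reader of the template will otherwise assume the block is inert unless they bring their own NSG, so the wording should say what the code does, e.g. `# Optional ASG mapping. Keys are the az-hop role names (every key must be present); values are the Azure ASG names to create (create_nsg: true) or to look up (create_nsg: false). resource_group is only consulted when create_nsg is false.` The `# Specify ...` line is also indented one space deeper than the commented keys under it, which reads as if it belonged to the preceding subnet entry rather than introducing the `asg:` block.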
@@ -74,6 +74,27 @@ network: name: compute address_prefixes: "10.0.16.0/20" create: true +# asg: +# resource_group: # name of the resource group containing the ASG. Default to the resource group containing azhop resources +# names: # list of ASG names mapping to the one defined in az-hop +# asg-ssh: asg-ssh +# asg-rdp: asg-rdp +# asg-jumpbox: asg-jumpbox +# asg-ad: asg-ad +# asg-ad-client: asg-ad-client +# asg-lustre: asg-lustre +# asg-lustre-client: asg-lustre-client +# asg-pbs: asg-pbs +# asg-pbs-client: asg-pbs-client +# asg-cyclecloud: asg-cyclecloud +# asg-cyclecloud-client: asg-cyclecloud-client +# asg-nfs-client: asg-nfs-client +# asg-telegraf: asg-telegraf +# asg-grafana: asg-grafana +# asg-robinhood: asg-robinhood +# asg-ondemand: asg-ondemand +# asg-deployer: asg-deployer +# asg-guacamole: asg-guacamole # peering: # This list is optional, and can be used to create VNet Peerings in the same subscription. # - vnet_name: #"VNET Name to Peer to" diff --git a/tf/network/main.tf b/tf/network/main.tf index 88e897dab..8c0071eb6 100644 --- a/tf/network/main.tf +++ b/tf/network/main.tf @@ -17,6 +17,8 @@ provider "azurerm" { features {} } +data "azurerm_subscription" "primary" {} + data "azurerm_resource_group" "rg" { count = local.create_rg ? 0 : 1 name = local.resource_group @@ -27,12 +29,13 @@ resource "azurerm_resource_group" "rg" { count = local.create_rg ? 1 : 0 name = local.resource_group location = local.location + tags = merge( local.common_tags, local.extra_tags) lifecycle { ignore_changes = [ - tags["CreatedOn"] + tags ] - } + } } diff --git a/tf/network_security_group.tf b/tf/network_security_group.tf index 75568cdd0..97814183a 100644 --- a/tf/network_security_group.tf +++ b/tf/network_security_group.tf 
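Review bot: `data "azurerm_subscription" "primary" {}` is added to `tf/network/main.tf` but nothing in this diff references it; if a later part of the change consumes it that is fine, otherwise it is an unused lookup that still requires the deploying identity to read the subscription and adds a refresh call to every plan. Either reference it or drop it, and if it stays, give it a one-line comment naming its consumer so the next reader does not have to grep for it.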
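Review bot: `ignore_changes = [ tags ]` on `azurerm_resource_group.rg` widens the previous `tags["CreatedOn"]` exception to every tag, so the `tags = merge( local.common_tags, local.extra_tags)` added two lines above is applied only at creation and never reconciled afterwards: later edits to `extra_tags` will not reach the resource group, and tags removed or altered out-of-band (ownership, cost-centre or policy tags that Azure Policy or cleanup automation key on) will not be restored by a plan. If the intent is only to tolerate the keys that Azure or the deployer stamps on the group, keep the narrow form and list them explicitly, `ignore_changes = [ tags["CreatedOn"] ]` plus whichever other auto-populated keys motivated the change. The closing brace of `lifecycle` is re-indented in this hunk with no other change, which is whitespace churn better kept out of a functional commit; the enclosing `resource "azurerm_resource_group" "rg"` block starts outside the hunk.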
@@ -12,15 +12,15 @@ resource "time_sleep" "wait_forsubnets" { # Application security groups resource "azurerm_application_security_group" "asg" { for_each = local.create_nsg ? local.asgs : local.empty_map - name = each.key - resource_group_name = local.create_rg ? azurerm_resource_group.rg[0].name : data.azurerm_resource_group.rg[0].name - location = local.create_rg ? azurerm_resource_group.rg[0].location : data.azurerm_resource_group.rg[0].location + name = each.value + resource_group_name = local.create_nsg ? (local.create_rg ? azurerm_resource_group.rg[0].name : data.azurerm_resource_group.rg[0].name ) : local.asg_resource_group + location = local.create_nsg ? (local.create_rg ? azurerm_resource_group.rg[0].location : data.azurerm_resource_group.rg[0].location ) : data.azurerm_resource_group.rg[0].location } data "azurerm_application_security_group" "asg" { for_each = local.create_nsg ? local.empty_map : local.asgs - name = each.key - resource_group_name = local.create_rg ? azurerm_resource_group.rg[0].name : data.azurerm_resource_group.rg[0].name + name = each.value + resource_group_name = local.create_nsg ? azurerm_resource_group.rg[0].name : local.asg_resource_group } # Read subnets data so we can dynamically retrieve all CIDR for the NSG rules diff --git a/tf/variables_local.tf b/tf/variables_local.tf index 96f67f805..e002e7c07 100644 --- a/tf/variables_local.tf +++ b/tf/variables_local.tf 
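Review bot: Taking the ASG name from `each.value` lets two az-hop roles be pointed at the same Azure ASG (say `asg-jumpbox` and `asg-ad` both set to one name under `network.asg.names`), and neither `azurerm_application_security_group.asg` nor the `data` block rejects that; the NSG rules this file builds presumably reference these ASG ids, so every rule written for either role would then apply to the VMs of both, silently widening the segmentation between jumpbox, AD, Lustre, PBS and Guacamole. A uniqueness check on the mapping is cheap: a `lifecycle { precondition { condition = length(distinct(values(local.asgs))) == length(local.asgs) } }` on the ASG resource if the pinned Terraform version supports preconditions, or an equivalent assertion where `local.asgs` is built otherwise. Separately, the new false-branches of `resource_group_name` and `location` in the resource block are unreachable (its `for_each` is `local.empty_map` whenever `local.create_nsg` is false) and the `data` block's `local.create_nsg ? azurerm_resource_group.rg[0].name : ...` is unreachable in the other direction, so both could keep a single expression for the branch they can actually take, with the data block reduced to `resource_group_name = local.asg_resource_group`.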
@@ -141,12 +141,37 @@ locals { # Application Security Groups create_nsg = try(local.configuration_yml["network"]["create_nsg"], local.create_vnet ) - default_asgs = ["asg-ssh", "asg-rdp", "asg-jumpbox", "asg-ad", "asg-ad-client", "asg-lustre", "asg-lustre-client", "asg-pbs", "asg-pbs-client", "asg-cyclecloud", "asg-cyclecloud-client", "asg-nfs-client", "asg-telegraf", "asg-grafana", "asg-robinhood", "asg-ondemand", "asg-deployer", "asg-guacamole"] - asgs = { for v in local.default_asgs : v => v } + # If create NSG then use the local resource group otherwise use the configured one. Default to local resource group + asg_resource_group = local.create_nsg ? local.resource_group : try(length(local.configuration_yml["network"]["asg"]["resource_group"]) > 0 ? local.configuration_yml["network"]["asg"]["resource_group"] : local.resource_group, local.resource_group ) + + _default_asgs = { + asg-ssh = "asg-ssh" + asg-rdp = "asg-rdp" + asg-jumpbox = "asg-jumpbox" + asg-ad = "asg-ad" + asg-ad-client = "asg-ad-client" + asg-lustre = "asg-lustre" + asg-lustre-client = "asg-lustre-client" + asg-pbs = "asg-pbs" + asg-pbs-client = "asg-pbs-client" + asg-cyclecloud = "asg-cyclecloud" + asg-cyclecloud-client = "asg-cyclecloud-client" + asg-nfs-client = "asg-nfs-client" + asg-telegraf = "asg-telegraf" + asg-grafana = "asg-grafana" + asg-robinhood = "asg-robinhood" + asg-ondemand = "asg-ondemand" + asg-deployer = "asg-deployer" + asg-guacamole = "asg-guacamole" + } + #asgs = local.create_nsg ? local._default_asgs : try(local.configuration_yml["network"]["asg"]["names"], local._default_asgs) + asgs = try(local.configuration_yml["network"]["asg"]["names"], local._default_asgs) + #asgs = { for v in local.default_asgs : v => v } empty_array = [] empty_map = { for v in local.empty_array : v => v } # VM name to list of ASGs associations + # TODO : Add mapping for names asg_associations = { ad = ["asg-ad", "asg-rdp"] ccportal = ["asg-ssh", "asg-cyclecloud", "asg-telegraf", "asg-ad-client"]
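Review bot: `asgs = try(local.configuration_yml["network"]["asg"]["names"], local._default_asgs)` replaces the default map wholesale, so a `names:` block that lists only some of the eighteen roles drops the rest, and `asg_associations` (still keyed on the fixed az-hop names `asg-ad`, `asg-rdp`, `asg-ssh`, ...) then refers to ASGs that no longer exist in `local.asgs`; the `# TODO : Add mapping for names` line acknowledges the gap but ships it. Merging over the defaults keeps a partial mapping safe and removes the undocumented all-keys requirement: `asgs = merge(local._default_asgs, try(local.configuration_yml["network"]["asg"]["names"], {}))`. It is also worth rejecting keys that are not az-hop roles, e.g. asserting `setsubtract(keys(local.asgs), keys(local._default_asgs))` is empty, since a typo such as `asg_ssh` would otherwise create or look up an extra ASG while the real role silently keeps its default. The two commented-out `#asgs = ...` alternatives should be deleted rather than committed; the enclosing `locals` block starts and ends outside this hunk.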