diff --git a/main.tf b/main.tf
index 455966d..ea40558 100644
--- a/main.tf
+++ b/main.tf
@@ -116,6 +116,13 @@ resource "azurerm_mssql_firewall_rule" "sql" {
 end_ip_address = each.value.end_ip_address
 }
 
+resource "azurerm_mssql_virtual_network_rule" "sql" {
+ for_each = var.virtual_network_rules
+ name = each.key
+ server_id = azurerm_mssql_server.sqlsrv.id
+ subnet_id = each.value.subnet_id
+}
+
 resource "azurerm_private_endpoint" "sqlsrv_pe" {
 count = var.create_private_endpoint == true ? 1 : 0
 location = azurerm_mssql_server.sqlsrv.location
diff --git a/variables.tf b/variables.tf
index a2a5d5e..983e4c1 100644
--- a/variables.tf
+++ b/variables.tf
@@ -109,6 +109,15 @@ variable "firewall_rules" {
 default = {}
 }
 
+variable "virtual_network_rules" {
+ type = map(object({
+ subnet_id = optional(string)
+ }))
+ description = "Map of objects containing information on virtual network rules to be created. A service endpoint for Microsoft.Sql is required at the target subnet."
+ default = {}
+
+}
+
 variable "databases" {
 type = map(object({
 sku_name = optional(string), # Sku name for database. Many possibilities .Defaults to "GP_S_Gen5_1" which means serverless 1 vcore.
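Review bot: The new `azurerm_mssql_virtual_network_rule` "sql" resource in main.tf has no comment stating what a rule grants: each entry admits every workload in the referenced subnet to the server through its public endpoint. I would add a comment above the resource such as `# Each rule lets every workload in the subnet reach the server's public endpoint; list only subnets that need SQL access.` The server's public network access setting is not visible in this hunk. If the module can disable it, these rules presumably have no effect in that mode, and the variable description should say so and point to the private endpoint defined just below.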
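Review bot: `subnet_id = optional(string)` in `virtual_network_rules` (variables.tf) lets a caller omit the only attribute a rule needs. A null then reaches `subnet_id = each.value.subnet_id` in main.tf and surfaces as a provider error instead of a type error on the variable. Declare it as required, `subnet_id = string`. A `validation` block checking that the value has the shape of a subnet resource ID would also catch a virtual network ID pasted by mistake before anything is applied. The empty line before the variable's closing brace can be dropped.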