diff --git a/pkg/install/deploystorage.go b/pkg/install/deploystorage.go
index c0f85e302..5713eb505 100644
--- a/pkg/install/deploystorage.go
+++ b/pkg/install/deploystorage.go
@@ -214,7 +214,7 @@ func (i *Installer) deployStorageTemplate(ctx context.Context, installConfig *in
 							},
 						},
 					},
-					Name:     to.StringPtr(infraID + "-controlplane-nsg"),
+					Name:     to.StringPtr(infraID + subnet.NSGControlPlaneSuffix),
 					Type:     to.StringPtr("Microsoft.Network/networkSecurityGroups"),
 					Location: &installConfig.Config.Azure.Region,
 				},
@@ -222,7 +222,7 @@ func (i *Installer) deployStorageTemplate(ctx context.Context, installConfig *in
 			},
 			{
 				Resource: &mgmtnetwork.SecurityGroup{
-					Name:     to.StringPtr(infraID + "-node-nsg"),
+					Name:     to.StringPtr(infraID + subnet.NSGNodeSuffix),
 					Type:     to.StringPtr("Microsoft.Network/networkSecurityGroups"),
 					Location: &installConfig.Config.Azure.Region,
 				},
diff --git a/pkg/util/subnet/const.go b/pkg/util/subnet/const.go
new file mode 100644
index 000000000..d554f1f50
--- /dev/null
+++ b/pkg/util/subnet/const.go
@@ -0,0 +1,10 @@
+package subnet
+
+// Copyright (c) Microsoft Corporation.
+// Licensed under the Apache License 2.0.
+
+// Network security group constants
+const (
+	NSGControlPlaneSuffix = "-controlplane-nsg"
+	NSGNodeSuffix         = "-node-nsg"
+)
diff --git a/pkg/util/subnet/subnet.go b/pkg/util/subnet/subnet.go
index 5190d20ef..474f66f8f 100644
--- a/pkg/util/subnet/subnet.go
+++ b/pkg/util/subnet/subnet.go
@@ -86,9 +86,9 @@ func NetworkSecurityGroupID(oc *api.OpenShiftCluster, subnetID string) (string,
 
 	switch {
 	case strings.EqualFold(subnetID, oc.Properties.MasterProfile.SubnetID):
-		return oc.Properties.ClusterProfile.ResourceGroupID + "/providers/Microsoft.Network/networkSecurityGroups/" + infraID + "-controlplane-nsg", nil
+		return oc.Properties.ClusterProfile.ResourceGroupID + "/providers/Microsoft.Network/networkSecurityGroups/" + infraID + NSGControlPlaneSuffix, nil
 	case strings.EqualFold(subnetID, oc.Properties.WorkerProfiles[0].SubnetID):
-		return oc.Properties.ClusterProfile.ResourceGroupID + "/providers/Microsoft.Network/networkSecurityGroups/" + infraID + "-node-nsg", nil
+		return oc.Properties.ClusterProfile.ResourceGroupID + "/providers/Microsoft.Network/networkSecurityGroups/" + infraID + NSGNodeSuffix, nil
 	default:
 		return "", fmt.Errorf("unknown subnetID %q", subnetID)
 	}
diff --git a/pkg/util/subnet/subnet_test.go b/pkg/util/subnet/subnet_test.go
index 4329a2f69..aee86ac1e 100644
--- a/pkg/util/subnet/subnet_test.go
+++ b/pkg/util/subnet/subnet_test.go
@@ -178,13 +178,13 @@ func TestNetworkSecurityGroupID(t *testing.T) {
 		{
 			name:      "master",
 			subnetID:  "/subscriptions/subscriptionId/resourceGroups/vnetResourceGroup/providers/Microsoft.Network/virtualNetworks/vnet/subnets/master",
-			wantNSGID: "/subscriptions/subscriptionId/resourceGroups/clusterResourceGroup/providers/Microsoft.Network/networkSecurityGroups/aro-controlplane-nsg",
+			wantNSGID: "/subscriptions/subscriptionId/resourceGroups/clusterResourceGroup/providers/Microsoft.Network/networkSecurityGroups/aro" + NSGControlPlaneSuffix,
 		},
 		{
 			name:      "worker",
 			infraID:   "test-1234",
 			subnetID:  "/subscriptions/subscriptionId/resourceGroups/vnetResourceGroup/providers/Microsoft.Network/virtualNetworks/vnet/subnets/worker",
-			wantNSGID: "/subscriptions/subscriptionId/resourceGroups/clusterResourceGroup/providers/Microsoft.Network/networkSecurityGroups/test-1234-node-nsg",
+			wantNSGID: "/subscriptions/subscriptionId/resourceGroups/clusterResourceGroup/providers/Microsoft.Network/networkSecurityGroups/test-1234" + NSGNodeSuffix,
 		},
 		{
 			name:     "invalid",