diff --git a/pkg/monitor/azure/nsg/nsg.go b/pkg/monitor/azure/nsg/nsg.go
index b2d4c66e26c..9b4be2a75dd 100644
--- a/pkg/monitor/azure/nsg/nsg.go
+++ b/pkg/monitor/azure/nsg/nsg.go
@@ -123,23 +123,20 @@ func (n *NSGMonitor) Monitor(ctx context.Context) []error {
 	workerProfiles, _ := api.GetEnrichedWorkerProfiles(n.oc.Properties)
 	workerSubnets := make([]subnetNSGConfig, 0, len(workerProfiles))
 	workerPrefixes := make([]netip.Prefix, 0, len(workerProfiles))
-	subnetSet := map[string]struct{}{}
+	subnetToMonitor := map[string]struct{}{}
+
 	for _, wp := range workerProfiles {
 		// Customer can configure a machineset with an invalid subnet.
 		// In such case, the subnetID will be empty.
-		//
-		// We do not need to consider profiles with 0 machines.
-		if len(wp.SubnetID) == 0 || wp.Count == 0 {
-			continue
-		}
-
-		// Many profiles can have the same subnet ID.  To minimize the possibility of throttling, we only get it once.
-		if _, ok := subnetSet[wp.SubnetID]; ok {
-			continue
+		// We do not need to monitor any profiles with 0 machines either.
+		// To minimize the possibility of throttling, we only get it once.
+		if len(wp.SubnetID) != 0 && wp.Count != 0 {
+			subnetToMonitor[wp.SubnetID] = struct{}{}
 		}
-		subnetSet[wp.SubnetID] = struct{}{}
+	}
 
-		s, err := n.toSubnetConfig(ctx, wp.SubnetID)
+	for subnetID := range subnetToMonitor {
+		s, err := n.toSubnetConfig(ctx, subnetID)
 		if err != nil {
 			// FP has no access to the subnet
 			return []error{err}
diff --git a/pkg/monitor/azure/nsg/nsg_test.go b/pkg/monitor/azure/nsg/nsg_test.go
index 5e0dbad31ef..db8c181ff77 100644
--- a/pkg/monitor/azure/nsg/nsg_test.go
+++ b/pkg/monitor/azure/nsg/nsg_test.go
@@ -475,19 +475,17 @@ func TestMonitor(t *testing.T) {
 				workerSubnet1.Properties.NetworkSecurityGroup = &nsg2
 				workerSubnet2.Properties.NetworkSecurityGroup = &nsg2
 
-				_1 := mock.EXPECT().
+				mock.EXPECT().
 					Get(ctx, resourcegroupName, vNetName, masterSubnetName, options).
 					Return(masterSubnet, nil)
 
-				_2 := mock.EXPECT().
+				mock.EXPECT().
 					Get(ctx, resourcegroupName, vNetName, workerSubnet1Name, options).
 					Return(workerSubnet1, nil)
 
-				_3 := mock.EXPECT().
+				mock.EXPECT().
 					Get(ctx, resourcegroupName, vNetName, workerSubnet2Name, options).
 					Return(workerSubnet2, nil)
-
-				gomock.InOrder(_1, _2, _3)
 			},
 			mockEmitter: func(mock *mock_metrics.MockEmitter) {
 				mock.EXPECT().EmitGauge(MetricInvalidDenyRule, int64(1), map[string]string{