diff --git a/internal/services/compute/snapshot_resource.go b/internal/services/compute/snapshot_resource.go
index 0b0cd11d7228..02bfa92a18aa 100644
--- a/internal/services/compute/snapshot_resource.go
+++ b/internal/services/compute/snapshot_resource.go
@@ -9,6 +9,7 @@ import (
 	"log"
 	"time"
 
+	"github.com/hashicorp/go-azure-helpers/lang/pointer"
 	"github.com/hashicorp/go-azure-helpers/lang/response"
 	"github.com/hashicorp/go-azure-helpers/resourcemanager/commonschema"
 	"github.com/hashicorp/go-azure-helpers/resourcemanager/tags"
@@ -83,6 +84,20 @@ func resourceSnapshot() *pluginsdk.Resource {
 				ForceNew: true,
 			},
 
+			"network_access_policy": {
+				Type:         pluginsdk.TypeString,
+				Optional:     true,
+				ValidateFunc: validation.StringInSlice(snapshots.PossibleValuesForNetworkAccessPolicy(), false),
+				Default:      string(snapshots.NetworkAccessPolicyAllowAll),
+			},
+
+			"public_network_access": {
+				Type:         pluginsdk.TypeString,
+				Optional:     true,
+				ValidateFunc: validation.StringInSlice(snapshots.PossibleValuesForPublicNetworkAccess(), false),
+				Default:      string(snapshots.PublicNetworkAccessEnabled),
+			},
+
 			"source_resource_id": {
 				Type:     pluginsdk.TypeString,
 				Optional: true,
@@ -170,6 +185,14 @@ func resourceSnapshotCreateUpdate(d *pluginsdk.ResourceData, meta interface{}) e
 		properties.Properties.CreationData.StorageAccountId = utils.String(v.(string))
 	}
 
+	if v, ok := d.GetOk("network_access_policy"); ok {
+		properties.Properties.NetworkAccessPolicy = pointer.To(snapshots.NetworkAccessPolicy(v.(string)))
+	}
+
+	if v, ok := d.GetOk("public_network_access"); ok {
+		properties.Properties.PublicNetworkAccess = pointer.To(snapshots.PublicNetworkAccess(v.(string)))
+	}
+
 	diskSizeGB := d.Get("disk_size_gb").(int)
 	if diskSizeGB > 0 {
 		properties.Properties.DiskSizeGB = utils.Int64(int64(diskSizeGB))
@@ -228,6 +251,18 @@ func resourceSnapshotRead(d *pluginsdk.ResourceData, meta interface{}) error {
 				return fmt.Errorf("setting `encryption_settings`: %+v", err)
 			}
 
+			networkAccessPolicy := snapshots.NetworkAccessPolicyAllowAll
+			if props.NetworkAccessPolicy != nil {
+				networkAccessPolicy = *props.NetworkAccessPolicy
+			}
+			d.Set("network_access_policy", string(networkAccessPolicy))
+
+			publicNetworkAccess := snapshots.PublicNetworkAccessEnabled
+			if props.PublicNetworkAccess != nil {
+				publicNetworkAccess = *props.PublicNetworkAccess
+			}
+			d.Set("public_network_access", string(publicNetworkAccess))
+
 			incrementalEnabled := false
 			if props.Incremental != nil {
 				incrementalEnabled = *props.Incremental
diff --git a/internal/services/compute/snapshot_resource_test.go b/internal/services/compute/snapshot_resource_test.go
index ffa02bfe8239..3797ffaabb36 100644
--- a/internal/services/compute/snapshot_resource_test.go
+++ b/internal/services/compute/snapshot_resource_test.go
@@ -33,6 +33,34 @@ func TestAccSnapshot_fromManagedDisk(t *testing.T) {
 	})
 }
 
+func TestAccSnapshot_networkAccessPolicy(t *testing.T) {
+	data := acceptance.BuildTestData(t, "azurerm_snapshot", "test")
+	r := SnapshotResource{}
+
+	data.ResourceTest(t, r, []acceptance.TestStep{
+		{
+			Config: r.networkAccessPolicy(data),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+			),
+		},
+	})
+}
+
+func TestAccSnapshot_publicNetworkAccess(t *testing.T) {
+	data := acceptance.BuildTestData(t, "azurerm_snapshot", "test")
+	r := SnapshotResource{}
+
+	data.ResourceTest(t, r, []acceptance.TestStep{
+		{
+			Config: r.publicNetworkAccess(data),
+			Check: acceptance.ComposeTestCheckFunc(
+				check.That(data.ResourceName).ExistsInAzure(r),
+			),
+		},
+	})
+}
+
 func TestAccSnapshot_requiresImport(t *testing.T) {
 	data := acceptance.BuildTestData(t, "azurerm_snapshot", "test")
 	r := SnapshotResource{}
@@ -245,11 +273,13 @@ resource "azurerm_managed_disk" "test" {
 }
 
 resource "azurerm_snapshot" "test" {
-  name                = "acctestss_%d"
-  location            = azurerm_resource_group.test.location
-  resource_group_name = azurerm_resource_group.test.name
-  create_option       = "Copy"
-  source_uri          = azurerm_managed_disk.test.id
+  name                  = "acctestss_%d"
+  location              = azurerm_resource_group.test.location
+  resource_group_name   = azurerm_resource_group.test.name
+  create_option         = "Copy"
+  source_uri            = azurerm_managed_disk.test.id
+  network_access_policy = "AllowAll"
+  public_network_access = "Enabled"
 
   tags = {
     Hello = "World"
@@ -694,3 +724,65 @@ resource "azurerm_snapshot" "test" {
 }
 `, data.RandomInteger, data.Locations.Primary)
 }
+
+func (SnapshotResource) networkAccessPolicy(data acceptance.TestData) string {
+	return fmt.Sprintf(`
+provider "azurerm" {
+  features {}
+}
+
+resource "azurerm_resource_group" "test" {
+  name     = "acctestRG-%d"
+  location = "%s"
+}
+
+resource "azurerm_managed_disk" "test" {
+  name                 = "acctestmd-%d"
+  location             = azurerm_resource_group.test.location
+  resource_group_name  = azurerm_resource_group.test.name
+  storage_account_type = "Standard_LRS"
+  create_option        = "Empty"
+  disk_size_gb         = "10"
+}
+
+resource "azurerm_snapshot" "test" {
+  name                  = "acctestss_%d"
+  location              = azurerm_resource_group.test.location
+  resource_group_name   = azurerm_resource_group.test.name
+  create_option         = "Copy"
+  source_uri            = azurerm_managed_disk.test.id
+  network_access_policy = "AllowAll"
+}
+`, data.RandomInteger, data.Locations.Primary, data.RandomInteger, data.RandomInteger)
+}
+
+func (SnapshotResource) publicNetworkAccess(data acceptance.TestData) string {
+	return fmt.Sprintf(`
+provider "azurerm" {
+  features {}
+}
+
+resource "azurerm_resource_group" "test" {
+  name     = "acctestRG-%d"
+  location = "%s"
+}
+
+resource "azurerm_managed_disk" "test" {
+  name                 = "acctestmd-%d"
+  location             = azurerm_resource_group.test.location
+  resource_group_name  = azurerm_resource_group.test.name
+  storage_account_type = "Standard_LRS"
+  create_option        = "Empty"
+  disk_size_gb         = "10"
+}
+
+resource "azurerm_snapshot" "test" {
+  name                  = "acctestss_%d"
+  location              = azurerm_resource_group.test.location
+  resource_group_name   = azurerm_resource_group.test.name
+  create_option         = "Copy"
+  source_uri            = azurerm_managed_disk.test.id
+  public_network_access = "Disabled"
+}
+`, data.RandomInteger, data.Locations.Primary, data.RandomInteger, data.RandomInteger)
+}
diff --git a/website/docs/r/snapshot.html.markdown b/website/docs/r/snapshot.html.markdown
index 9bd1becba3af..9110a0fbbdbf 100644
--- a/website/docs/r/snapshot.html.markdown
+++ b/website/docs/r/snapshot.html.markdown
@@ -65,6 +65,10 @@ The following arguments are supported:
 
 * `incremental_enabled` - (Optional) Specifies if the Snapshot is incremental. Changing this forces a new resource to be created.
 
+* `network_access_policy` - (Optional) Policy for accessing the disk via network. Possible values are `AllowAll`, `AllowPrivate`, or `DenyAll`. Defaults to `AllowAll`.
+
+* `public_network_access` - (Optional) Policy for controlling export on the disk. Possible values are `Enabled` or `Disabled`. Defaults to `Enabled`.
+
 * `tags` - (Optional) A mapping of tags to assign to the resource.
 
 ---