diff --git a/src/azure-cli/HISTORY.rst b/src/azure-cli/HISTORY.rst
index 59fae05291c..0eca45e60cc 100644
--- a/src/azure-cli/HISTORY.rst
+++ b/src/azure-cli/HISTORY.rst
@@ -16,6 +16,7 @@ Release History
 * `az acr update`: Add `--endpoint-protocol` parameter to support specifying the endpoint protocol for the registry (#33089)
 * `az acr login`: Fix regional endpoint matching for registries with DNL suffix (#33381)
 * `az acr config content-trust/show/update`: Add deprecation labels and notices (#33174)
+* `az acr network-rule list`: Fix `virtualNetworkRules` entries always showing `virtualNetworkResourceId` as null; add `virtualNetworkSubnetResourceId` field to output (#33660)
 
 **AKS**
 
diff --git a/src/azure-cli/azure/cli/command_modules/acr/network_rule.py b/src/azure-cli/azure/cli/command_modules/acr/network_rule.py
index a10ac905b5a..2219086711f 100644
--- a/src/azure-cli/azure/cli/command_modules/acr/network_rule.py
+++ b/src/azure-cli/azure/cli/command_modules/acr/network_rule.py
@@ -50,7 +50,11 @@ def _format_registry_response(response):
     network_rule_set = properties.get('networkRuleSet', {})
 
     virtual_network_rules = [
-        {'virtualNetworkResourceId': rule.get('id'), 'action': rule.get('action', 'Allow')}
+        {
+            'virtualNetworkResourceId': rule.get('virtualNetworkSubnetResourceId') or rule.get('id'),
+            'virtualNetworkSubnetResourceId': rule.get('virtualNetworkSubnetResourceId') or rule.get('id'),
+            'action': rule.get('action', 'Allow')
+        }
         for rule in (network_rule_set.get('virtualNetworkRules') or [])
     ]
     ip_rules = [
@@ -93,7 +97,7 @@ def acr_network_rule_add(cmd,
     if subnet or vnet_name:
         virtual_network_rules = list(rules.get('virtualNetworkRules') or [])
         subnet_id = _validate_subnet(cmd.cli_ctx, subnet, vnet_name, resource_group_name)
-        virtual_network_rules.append({'id': subnet_id, 'action': 'Allow'})
+        virtual_network_rules.append({'virtualNetworkSubnetResourceId': subnet_id, 'action': 'Allow'})
         rules['virtualNetworkRules'] = virtual_network_rules
 
     if ip_address:
@@ -122,7 +126,8 @@ def acr_network_rule_remove(cmd,
         virtual_network_rules = list(rules.get('virtualNetworkRules') or [])
         subnet_id = _validate_subnet(cmd.cli_ctx, subnet, vnet_name, resource_group_name).lower()
         rules['virtualNetworkRules'] = [
-            x for x in virtual_network_rules if x.get('id', '').lower() != subnet_id
+            x for x in virtual_network_rules
+            if (x.get('virtualNetworkSubnetResourceId') or x.get('id') or '').lower() != subnet_id
         ]
 
     if ip_address:
diff --git a/src/azure-cli/azure/cli/command_modules/acr/tests/latest/test_acr_network_rule_commands.py b/src/azure-cli/azure/cli/command_modules/acr/tests/latest/test_acr_network_rule_commands.py
index 44fdca871c2..f20a193b598 100644
--- a/src/azure-cli/azure/cli/command_modules/acr/tests/latest/test_acr_network_rule_commands.py
+++ b/src/azure-cli/azure/cli/command_modules/acr/tests/latest/test_acr_network_rule_commands.py
@@ -51,6 +51,7 @@ def test_acr_network_rule(self, resource_group, resource_group_location):
                          self.check('provisioningState', 'Succeeded'),
                          self.check('networkRuleSet.defaultAction', '{deny_action}'),
                          self.check('networkRuleSet.virtualNetworkRules[0].virtualNetworkResourceId', subnet_id),
+                         self.check('networkRuleSet.virtualNetworkRules[0].virtualNetworkSubnetResourceId', subnet_id),
                          self.check('networkRuleSet.virtualNetworkRules[0].action', '{allow_action}'),
                          self.check('networkRuleSet.ipRules', [])])
 
@@ -60,12 +61,14 @@ def test_acr_network_rule(self, resource_group, resource_group_location):
                          self.check('provisioningState', 'Succeeded'),
                          self.check('networkRuleSet.defaultAction', '{deny_action}'),
                          self.check('networkRuleSet.virtualNetworkRules[0].virtualNetworkResourceId', subnet_id),
+                         self.check('networkRuleSet.virtualNetworkRules[0].virtualNetworkSubnetResourceId', subnet_id),
                          self.check('networkRuleSet.virtualNetworkRules[0].action', '{allow_action}'),
                          self.check('networkRuleSet.ipRules[0].ipAddressOrRange', '{ip_address}'),
                          self.check('networkRuleSet.ipRules[0].action', '{allow_action}')])
 
         self.cmd('acr network-rule list -g {rg} -n {registry_name}',
                  checks=[self.check('virtualNetworkRules[0].virtualNetworkResourceId', subnet_id),
+                         self.check('virtualNetworkRules[0].virtualNetworkSubnetResourceId', subnet_id),
                          self.check('virtualNetworkRules[0].action', '{allow_action}'),
                          self.check('ipRules[0].ipAddressOrRange', '{ip_address}'),
                          self.check('ipRules[0].action', '{allow_action}')])