I have deployed an Azure VM using the classic model, added a PIP (instance-level IP), and associated the VM with a Network Security Group. All looks ok.
I added a deny-all inbound policy for the NSG so that all traffic to the VM will be blocked (just as a test). However, it seems to have zero effect on the PIP, and I can still connect through SSH, HTTP, HTTPS, etc on the PIP. The deny-all policy is the only one in the NSG (except the default ones), has a priority of 100, and blocks all traffic from any source, any protocol, any port, and destined for any inbound port.
What can I do, aside from configuring the VM's software firewall, to block traffic to the VM's PIP? Is there any option to do this from Azure, and not from the VM itself (as this could mean permanently being blocked from the VM if an IP changes).
UPDATE: I removed all ACL endpoints, stopped/deallocated the VM, restarted it, tried connecting to the new PIP, still works, despite my NSG having the deny-all policy.