I'm looking to lock down a set of Azure load balancer NAT rules to certain CIDR address ranges via network security groups, for the purpose of not directly exposing SSH/RDP ports to the internet. The load balancer is bound to a frontend static IP, configured with load balancing rules and inbound nat pools attached to a scale set.
Stack is configured via Azure Resource Manager templates.