Can anyone please help here? I want to implement a very simple way to restrict (deny) access from the Internet to a web service (because it is a backend, and I want to access it from the front-end site). For this I want to use a Network Security Group / Web Site Access Restrictions.
Here is what I did:
1) I created vnet (say vnet-1) with 2 subnets (subnet-frontend, subnet-backend)
2) I put the backend Web Service app (which is docker/ubuntu based) in this subnet-backend and the front-end Web Service (same docker/ubuntu) into subnet-frontend
3) I added restrictions for backend service (portal Networking>Access Restrictions) to only accept requests from vnet-1/subnet-frontend.
The result is that if I go to the backend site I get a 403. This is good.
4) Now, I added an NSG, with high-priority rules to deny inbound requests from Internet and from AzureLoadBalancer, and associated it with vnet-1/subnet-backend.
5) Now, I went to the backend Web Service (again portal Networking>Access Restrictions) and accepted requests from my internet IP address.
Result: I can access the backend site, i.e. the NSG rules are ignored.
My questions here are:
a) Why is the NSG (in the way I set it up) not limiting access to my backend site from my internet IP address?
b) Can I suppress this 403 Access Denied using vnet/subnet/NSG? I want it to be as if this site does not exist at all for internet users.
Thank you very much in advance,
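The setup described in the question, reproduced in Azure CLI as an added example (this is editor-supplied code, not the asker's own script or anything from Azure's documentation). Resource group, region, plan and app names and the address ranges are assumptions; change them to match your environment. The script encodes two facts that explain the observed behaviour: App Service regional VNet integration is outbound only, so inbound requests to the app's public hostname terminate on the shared App Service front ends and never traverse subnet-backend, which is why an NSG on that subnet does not filter them; and the only inbound controls for a multi-tenant app are Access Restrictions (IP rules, or VNet rules backed by the Microsoft.Web service endpoint on the source subnet, which still answer 403) or a Private Endpoint combined with disabling public network access, which removes the public path instead of answering 403. The `publicNetworkAccess` property is assumed to be exposed by a recent Azure CLI.

```shell
#!/usr/bin/env bash
# Added example (not the asker's script): build the two-subnet layout from the
# question and lock the backend App Service down. All names below are assumed.
#
# Why the NSG from the question does nothing for inbound traffic:
#  * Regional VNet integration is OUTBOUND only. Requests to
#    <app>.azurewebsites.net hit the shared App Service front ends, not
#    subnet-backend, so an NSG on that subnet never sees them.
#  * Inbound filtering is done by Access Restrictions (VNet rules need the
#    Microsoft.Web service endpoint on the SOURCE subnet) or by a Private
#    Endpoint plus publicNetworkAccess=Disabled, which removes the public path.
set -eu

RG="${RG:-rg-demo}"                  # assumed resource group
LOC="${LOC:-westeurope}"             # assumed region
VNET="vnet-1"
SUBNET_FE="subnet-frontend"          # front-end app integrates here (outbound)
SUBNET_BE="subnet-backend"           # backend app integrates here (outbound)
SUBNET_PE="subnet-pe"                # private endpoint NIC lives here (assumed)
FRONT="${FRONT:-app-frontend-demo}"  # assumed front-end app name
BACK="${BACK:-app-backend-demo}"     # assumed backend app name

# Print the az commands instead of running them unless DRY_RUN=0.
run() {
  if [ "${DRY_RUN:-1}" = "1" ]; then printf 'az %s\n' "$*"; else az "$@"; fi
}

create_network() {
  run network vnet create -g "$RG" -l "$LOC" -n "$VNET" --address-prefix 10.10.0.0/16 \
    --subnet-name "$SUBNET_FE" --subnet-prefix 10.10.1.0/24
  # Integration subnets must be delegated to Microsoft.Web/serverFarms; the
  # service endpoint on the front-end subnet is what a VNet access rule checks.
  run network vnet subnet update -g "$RG" --vnet-name "$VNET" -n "$SUBNET_FE" \
    --delegations Microsoft.Web/serverFarms --service-endpoints Microsoft.Web
  run network vnet subnet create -g "$RG" --vnet-name "$VNET" -n "$SUBNET_BE" \
    --address-prefixes 10.10.2.0/24 --delegations Microsoft.Web/serverFarms
  run network vnet subnet create -g "$RG" --vnet-name "$VNET" -n "$SUBNET_PE" \
    --address-prefixes 10.10.3.0/24
}

integrate_apps() {
  run webapp vnet-integration add -g "$RG" -n "$FRONT" --vnet "$VNET" --subnet "$SUBNET_FE"
  run webapp vnet-integration add -g "$RG" -n "$BACK"  --vnet "$VNET" --subnet "$SUBNET_BE"
}

# Option A (what the question configured): keep the public hostname, allow only
# sources in the front-end integration subnet. Once any Allow rule exists the
# implicit default becomes "Deny all", and denied callers still get a 403.
restrict_backend_to_frontend_subnet() {
  run webapp config access-restriction add -g "$RG" -n "$BACK" \
    --rule-name allow-frontend-subnet --action Allow --priority 100 \
    --vnet-name "$VNET" --subnet "$SUBNET_FE"
  # The Kudu/SCM site is a separate listener; give it the same rules.
  run webapp config access-restriction set -g "$RG" -n "$BACK" \
    --use-same-restrictions-for-scm-site true
}

# Option B: make the backend unreachable from the Internet. The private
# endpoint gives the app an address inside the VNet, and disabling public
# network access removes the public path (no 403 is served, the app is simply
# not reachable that way). The front end resolves the app through the
# privatelink DNS zone linked to vnet-1.
make_backend_private() {
  site_id="<backend-site-resource-id>"   # placeholder used in dry-run mode
  if [ "${DRY_RUN:-1}" != "1" ]; then
    site_id="$(az webapp show -g "$RG" -n "$BACK" --query id -o tsv)"
  fi
  run network private-endpoint create -g "$RG" -l "$LOC" -n "pe-$BACK" \
    --vnet-name "$VNET" --subnet "$SUBNET_PE" \
    --private-connection-resource-id "$site_id" --group-id sites \
    --connection-name "conn-$BACK"
  run network private-dns zone create -g "$RG" -n privatelink.azurewebsites.net
  run network private-dns link vnet create -g "$RG" -z privatelink.azurewebsites.net \
    -n "link-$VNET" -v "$VNET" -e false
  run network private-endpoint dns-zone-group create -g "$RG" --endpoint-name "pe-$BACK" \
    -n default --private-dns-zone privatelink.azurewebsites.net --zone-name sites
  run webapp update -g "$RG" -n "$BACK" --set publicNetworkAccess=Disabled
}

main() {
  create_network
  integrate_apps
  restrict_backend_to_frontend_subnet
  make_backend_private
}

main "$@"
```

Run it as-is to print the plan; run `DRY_RUN=0 ./lockdown.sh` (after `az login` and with an App Service plan that supports VNet integration and private endpoints) to apply it. After Option B, a curl against the public hostname from your own IP fails at the connection level rather than returning 403, which is the "as if it does not exist" behaviour asked about in question b); the NSG on subnet-backend is still irrelevant to inbound traffic and only governs what the backend app can reach outbound.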