Allowing unrestricted, public access to cloud services could open an application up to external attack. Disallowing this access is typically considered best practice. The first step in doing so is to create a Network Security Group and apply it to the appropriate resources.
Existing Network Security Groups can be added to subnets in the same Resource Group, or new ones can be created in the Network Security Groups console and then associated. To associate an existing Network Security Group with an existing subnet, follow the steps below. For more information on how to create Network Security Groups that meet your organizational needs, see the Azure documentation.
In the Azure Console -
From the Network Security Group:
From the subnet:
In Terraform -
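The association described above, as an added Terraform example that is not part of this page or the azurerm provider's own documentation; the resource group, location, names and address ranges are assumed placeholders:

```hcl
# Added example (not from the original page): attach a dedicated NSG to a
# subnet. Resource group, location, names and address ranges are assumed.
resource "azurerm_resource_group" "example" {
  name     = "rg-example"
  location = "eastus"
}

resource "azurerm_virtual_network" "example" {
  name                = "vnet-example"
  address_space       = ["10.0.0.0/16"]
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
}

resource "azurerm_subnet" "app" {
  name                 = "snet-app"
  resource_group_name  = azurerm_resource_group.example.name
  virtual_network_name = azurerm_virtual_network.example.name
  address_prefixes     = ["10.0.1.0/24"]
}

# Only admit HTTPS from inside the VNet; Azure's built-in DenyAllInBound
# default rule (priority 65500) then rejects unsolicited Internet traffic.
resource "azurerm_network_security_group" "app" {
  name                = "nsg-app"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name

  security_rule {
    name                       = "allow-https-from-vnet"
    priority                   = 100
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = "443"
    source_address_prefix      = "VirtualNetwork"
    destination_address_prefix = "*"
  }
}

# The association resource is what actually binds the NSG to the subnet.
resource "azurerm_subnet_network_security_group_association" "app" {
  subnet_id                 = azurerm_subnet.app.id
  network_security_group_id = azurerm_network_security_group.app.id
}
```

After `terraform apply`, the subnet's `network_security_group_id` attribute should reference `nsg-app`; a subnet with no association is the condition this page's control flags.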
References:
https://learn.microsoft.com/en-us/azure/virtual-network/tutorial-restrict-network-access-to-resources#create-a-virtual-network
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/virtual_network#security_group
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subnet_network_security_group_association