Allowing unrestricted, public access to cloud services could open an application up to external attack. Disallowing this access is typically considered best practice. The first step in doing so is to create a Network Security Group and apply it to the appropriate resources.
In Azure Console -
In Terraform -
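One way to express this in Terraform, as an added example that is not from the original page: a Network Security Group referenced from the scale set's `network_profile` through the `network_security_group_id` attribute linked in the references. Resource names, the `var.*` inputs and the 203.0.113.0/24 source range are assumptions.

```hcl
# Added example. Resource names, var.* inputs and the 203.0.113.0/24
# range are placeholders, not values from the original page.
variable "resource_group_name" { type = string }
variable "location" { type = string }
variable "subnet_id" { type = string }

resource "azurerm_network_security_group" "vmss" {
  name                = "vmss-nsg"
  location            = var.location
  resource_group_name = var.resource_group_name

  # Admit HTTPS from one known range only. Traffic that matches no custom
  # rule falls through to the NSG default rules, which deny other inbound
  # traffic from the internet.
  security_rule {
    name                       = "allow-https-from-known-range"
    priority                   = 100
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = "443"
    source_address_prefix      = "203.0.113.0/24"
    destination_address_prefix = "*"
  }
}

resource "azurerm_virtual_machine_scale_set" "app" {
  name                = "app-vmss"
  location            = var.location
  resource_group_name = var.resource_group_name
  upgrade_policy_mode = "Manual"

  # The sku, os_profile and storage_profile_* blocks go here; they do not
  # affect this setting and are left out.

  network_profile {
    name    = "app-nic"
    primary = true

    # Attaches the NSG to every NIC the scale set creates.
    network_security_group_id = azurerm_network_security_group.vmss.id

    ip_configuration {
      name      = "internal"
      primary   = true
      subnet_id = var.subnet_id
    }
  }
}
```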
References:
https://learn.microsoft.com/en-us/azure/virtual-machine-scale-sets/
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/virtual_machine_scale_set#network_security_group_id
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/network_security_group