Forum Discussion
Azure NSG Challenge: When NIC and Subnet Rules Collide
A) The outbound RDP connection will succeed.
Because Azure NSGs are stateful, only outbound rules are evaluated for outbound traffic. The inbound deny rule at the subnet level doesn't impact return traffic from an outbound-initiated session.
B) NSG Best Practices to Avoid Misconfiguration:
Remember: response traffic to an outbound connection is considered "reply" traffic, not "inbound" traffic.
Inbound traffic is traffic that originated outside the subnet where the NSG is applied.
1) Use subnet NSGs for broad control, and NIC NSGs for fine-grained access.
2) Be aware of Azure's stateful behavior and don't block return traffic by mistake.
3) Prefer service tags and ASGs over hardcoded IPs.
4) Regularly audit traffic using NSG Flow Logs and Network Watcher.
5) Follow the principle of least privilege—only allow what's truly needed.
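To make the answer above concrete, here is an added example (my own illustration, not code from the post or from Azure) that models how Azure evaluates a subnet NSG and a NIC NSG in front of one VM: rules are matched by ascending priority with first match winning, Azure's built-in default rules sit at priority 65000+, inbound traffic is checked against the subnet NSG and then the NIC NSG while outbound traffic is checked in the reverse order, and an allowed flow is recorded so that its reply is admitted without consulting the inbound rules at all. It resolves the VirtualNetwork and Internet service tags against an assumed VNet range of 10.0.0.0/16; the VM address 10.0.1.4, the remote host 203.0.113.10 and the rule names are constructed for the scenario in the challenge (subnet NSG denies inbound TCP/3389, NIC NSG allows outbound TCP/3389).

```python
"""Toy model of Azure NSG evaluation: priority order, subnet + NIC layering,
and stateful handling of reply traffic.  Added illustration only; it is not
Azure's implementation.  Addresses and rule names are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed VNet range used to resolve the VirtualNetwork / Internet service tags.
VNET = ip_network("10.0.0.0/16")
# Source address of Azure load-balancer health probes (AzureLoadBalancer tag).
AZURE_LB = ip_network("168.63.129.16/32")


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int     # lower value is evaluated first; custom 100-4096, defaults 65000+
    direction: str    # "Inbound" | "Outbound"
    access: str       # "Allow" | "Deny"
    protocol: str     # "Tcp" | "Udp" | "*"
    source: str       # CIDR, service tag, or "*"
    destination: str  # CIDR, service tag, or "*"
    dest_port: str    # "3389", "1000-2000", or "*"


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


# Default rules present in every NSG; they are evaluated after any custom rule.
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "*", "Internet", "*"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*", "*"),
]


def _addr_match(spec: str, addr: str) -> bool:
    """Match an address against a CIDR, "*", or one of the modelled service tags."""
    a = ip_address(addr)
    if spec == "*":
        return True
    if spec == "VirtualNetwork":
        return a in VNET
    if spec == "Internet":
        return a not in VNET
    if spec == "AzureLoadBalancer":
        return a in AZURE_LB
    return a in ip_network(spec, strict=False)


def _port_match(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def nsg_decision(rules, direction, pkt):
    """First matching rule by ascending priority decides; the defaults make this total."""
    for r in sorted(list(rules) + DEFAULT_RULES, key=lambda r: r.priority):
        if r.direction != direction or r.protocol not in ("*", pkt.proto):
            continue
        if (_addr_match(r.source, pkt.src) and _addr_match(r.destination, pkt.dst)
                and _port_match(r.dest_port, pkt.dport)):
            return r.access, r.name
    raise AssertionError("default rules guarantee a match")


class StatefulNsgPath:
    """Subnet NSG and NIC NSG in front of one VM, plus a flow table for replies."""

    def __init__(self, subnet_rules, nic_rules):
        self.subnet_rules, self.nic_rules = subnet_rules, nic_rules
        self.flows = set()  # allowed 5-tuples: (proto, src, sport, dst, dport)

    def send(self, direction, pkt):
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reverse in self.flows:  # reply to an allowed flow: no rule lookup at all
            return "Allow", "stateful-reply"
        # Inbound: subnet NSG then NIC NSG.  Outbound: NIC NSG then subnet NSG.  Both must allow.
        layers = [("subnet", self.subnet_rules), ("nic", self.nic_rules)]
        if direction == "Outbound":
            layers.reverse()
        for layer, rules in layers:
            access, name = nsg_decision(rules, direction, pkt)
            if access == "Deny":
                return "Deny", f"{layer}:{name}"
        self.flows.add(key)
        return "Allow", "rules"


def challenge_scenario():
    """The collision from the challenge: subnet denies inbound RDP, NIC allows outbound RDP."""
    subnet_rules = [Rule("DenyRdpInbound", 100, "Inbound", "Deny", "Tcp", "*", "*", "3389")]
    nic_rules = [Rule("AllowRdpOutbound", 100, "Outbound", "Allow", "Tcp", "*", "*", "3389")]
    path = StatefulNsgPath(subnet_rules, nic_rules)
    vm, remote = "10.0.1.4", "203.0.113.10"  # constructed addresses
    syn = Packet("Tcp", vm, 51000, remote, 3389)          # VM opens RDP outbound
    syn_ack = Packet("Tcp", remote, 3389, vm, 51000)      # return traffic of that session
    unsolicited = Packet("Tcp", remote, 40000, vm, 3389)  # someone trying to RDP *into* the VM
    return {
        "outbound_rdp": path.send("Outbound", syn),
        "rdp_reply": path.send("Inbound", syn_ack),
        "unsolicited_rdp": path.send("Inbound", unsolicited),
    }


if __name__ == "__main__":
    for label, verdict in challenge_scenario().items():
        print(f"{label:16} -> {verdict}")
```

The reply packet is admitted as "stateful-reply" before the subnet's inbound deny is ever consulted, which is the whole of answer A; the unsolicited inbound SYN to 3389 hits the subnet NSG first and is dropped there, so the NIC NSG never gets a say. Swapping the custom rules between the two NSGs, or adding an inbound Allow at a lower priority number, is a quick way to see how the layering and priority ordering interact.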