Disclaimer: I am a consultant at Amazon Web Services, and this is my personal blog. The opinions expressed here are solely mine and do not reflect the views of Amazon Web Services (AWS). Any statements made should not be considered official endorsements or statements by AWS.
Network Security Group (NSG) defines a set of access rules to control the incoming and outgoing traffic for an Azure Resource. We can think of it as a firewall in Azure. We can apply this NSG to either of the two levels.
NSG acts as a filter for the inbound and outbound traffic for the resource.
Any web request made to an azure resource (configured with NSG) has to pass all the filters to enter the resource, and the same applies to outgoing requests as well.
Typically, NSG rules look like this in Azure.