Reputation: 81
I've finally got an Azure SFTP container instance properly set up, but I ran into a wall while configuring security for it (much like the person here).
My basic flow is this:
PIP on Azure ->
-> Load balancer using PIP to be reached by the wider web ->
-> Load balancing rule to backend subnet ->
-> SFTP container group living on that subnet ->
-> SFTP container in that group
Nothing special, and before associating the NSG I verified that the network is operating as intended. Connection to the SFTP server is functioning properly. The problem is that after associating the NSG with the container group's subnet, I was still able to connect to it without any configured rules. Even after applying a rule at priority 100 to deny all traffic, to rule out something I may have missed from the default rules, I can still get in.
After reading how NSG flow logs don't include container instances, I'm torn between believing users have NSGs working with container groups but are missing logs, and the possibility that NSGs don't work with container groups at all. If anyone has any guidance on properly using NSGs here, please let me know. Otherwise, if there's another tool I should be using, please recommend it (Azure Firewall is included in the container group tutorial, but I believe completely overkill for what I need and also prohibitively expensive).
EDIT: Adding picture of NSG rules -
Upvotes: 1
Views: 529
Reputation: 28204
After my validation, the NSG associated with the ACI subnet currently does not work in this scenario for the SFTP container service behind an Azure load balancer. The NSG rule does not block the client's public IP address, and the setup behaves as if the NSG were not there.
As a workaround, you could restrict SFTP access with an NGINX reverse proxy as described in this blog, or add a service like Azure Application Gateway as a reverse proxy to direct your public-facing traffic to your backend instance.
Upvotes: 1
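As an added example (not from the question, the answer, or the linked blog) of the NGINX reverse-proxy workaround the answer mentions: an NGINX `stream` block that proxies TCP to the SFTP container and allow-lists client addresses at the proxy, so the restriction no longer depends on the NSG. The backend address, listen port and client networks below are constructed placeholders.

```nginx
# Added example: TCP reverse proxy in front of the SFTP container with an
# allow-list enforced by NGINX (ngx_stream_access_module). All addresses
# and ports are constructed placeholders, not values from the question.
stream {
    # Hypothetical private IP of the SFTP container group on the backend subnet
    upstream sftp_backend {
        server 10.0.1.4:22;
    }

    server {
        # Port the Azure load balancer rule forwards to this proxy (assumed)
        listen 2222;

        # Only these client networks may reach the SFTP backend (constructed)
        allow 203.0.113.0/24;
        allow 198.51.100.7;
        # Everything else is refused here, before it touches the container
        deny  all;

        proxy_pass sftp_backend;
        proxy_connect_timeout 10s;
    }
}
```

The allow/deny decision is only meaningful if NGINX sees the real client source address rather than the load balancer's; check `$remote_addr` in the stream access log before relying on it.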