Azure load balancer security group attached to NAT pools

Question

I'm looking to lock down a set of Azure load balancer NAT rules to certain CIDR address ranges via network security groups, for the purpose of not directly exposing SSH/RDP ports to the internet. The load balancer is bound to a frontend static IP and configured with load balancing rules and inbound nat pools.

Stack is configured via Azure Resource Manager templates.

Answer 1

Assigning a network security group on the subnet does work as expected. Adding a network security group to a NIC on the scale set didn't work, possibly a limitation or is different than the virtual machine ARM resource.