I have a Load Balancer with a backend pool of 2 VMs. Each VM has its own Network Interface with a public and a private IP address. I have a Network Security Group set up as a basic firewall, denying anything that's not going to port HTTP(s) or DevOps ports.
The current NSG allows inbound traffic to these ports from any source IP. I would like to only allow traffic to the VMs that goes through the LB first. However, if I deny everything but the LB's source IP, I never get a request. From the documentation, I learnt this is intended because the source port and address range applied are from the originating computer, not the load balancer.
Is there a way in Azure to shield the VMs from public HTTP traffic, but allow it if it hits the LB first?
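One way to get the behaviour asked about, as an added example that is not part of the question (resource names, `subnetId` and `backendPoolId` are placeholders; the VNet and load balancer are assumed to exist already): since the load balancer preserves the client's source IP, the NSG cannot tell LB-forwarded requests apart, so the shield is to give each VM NIC a private IP only, while the `AzureLoadBalancer` service tag is kept for health probes, which is all it matches.

```bicep
// Added example, not from the question. Names and the two ids are placeholders.
param location string = resourceGroup().location
param subnetId string        // existing subnet the VMs live in
param backendPoolId string   // backend address pool of the existing load balancer

resource nsg 'Microsoft.Network/networkSecurityGroups@2023-05-01' = {
  name: 'nsg-web-backend'
  location: location
  properties: {
    securityRules: [
      {
        // Health probes come from the AzureLoadBalancer tag (168.63.129.16); client traffic does not.
        name: 'AllowAzureLBProbes'
        properties: { priority: 100, direction: 'Inbound', access: 'Allow', protocol: '*', sourceAddressPrefix: 'AzureLoadBalancer', sourcePortRange: '*', destinationAddressPrefix: '*', destinationPortRange: '*' }
      }
      {
        // The LB keeps the client source IP, so HTTP(S) has to stay open to any source at the NSG.
        name: 'AllowHttpHttps'
        properties: { priority: 110, direction: 'Inbound', access: 'Allow', protocol: 'Tcp', sourceAddressPrefix: '*', sourcePortRange: '*', destinationAddressPrefix: '*', destinationPortRanges: ['80', '443'] }
      }
      {
        // Explicit catch-all; put any management-port rule with a restricted source between 110 and this.
        name: 'DenyAllInbound'
        properties: { priority: 4096, direction: 'Inbound', access: 'Deny', protocol: '*', sourceAddressPrefix: '*', sourcePortRange: '*', destinationAddressPrefix: '*', destinationPortRange: '*' }
      }
    ]
  }
}

// The actual shield: the NIC gets a private IP only (no publicIPAddress property),
// so from the Internet the VM is reachable solely through the load balancer frontend.
resource nic 'Microsoft.Network/networkInterfaces@2023-05-01' = {
  name: 'nic-web-1'
  location: location
  properties: {
    networkSecurityGroup: { id: nsg.id }
    ipConfigurations: [
      {
        name: 'ipconfig1'
        properties: {
          subnet: { id: subnetId }
          privateIPAllocationMethod: 'Dynamic'
          loadBalancerBackendAddressPools: [ { id: backendPoolId } ]
        }
      }
    ]
  }
}
```

If the VMs still need outbound Internet access after losing their public IPs, make that explicit (an outbound rule on a Standard load balancer or a NAT gateway) rather than relying on default outbound access.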