2
votes

I'm having some difficulties when creating a VNET/Subnet. I'm also making use of ASE and for that I can only use a Classic VNET.

Azure offers two types of VNET. Depending on how you create it (via Azure Portal, xplat-cli, old portal, PowerShell) this VNET can be "Classic" (indicated by the "<...>" icon in blue) or "Resource Manager" (indicated by the "<...>" icon in green).

As far as I can see, it doesn't seem possible to assign an NSG to a Classic VNET. Does it mean that I cannot have an NSG over my ASE (because ASE can only be created on top of Classic VNETs)? This doesn't seem right..


3 Answers

1
votes

Assuming you use PowerShell, the Set-AzureNetworkSecurityGroupToSubnet cmdlet in service management mode will associate an NSG to a subnet.

Update:

PS> Switch-AzureMode AzureServiceManagement
PS> (Get-AzureVNetSite -VNetName "Group vnetnsg vnetnsg").Subnets

Name     AddressPrefix ExtensionData
----     ------------- -------------
default  10.0.0.0/24
subnet-1 10.0.1.0/24

PS> New-AzureNetworkSecurityGroup -Name "NsgOnSubnet" -Location "West Europe"

Name        Location    Label
----        --------    -----
NsgOnSubnet West Europe

PS> Set-AzureNetworkSecurityGroupToSubnet -Name NsgOnSubnet -VirtualNetworkName "Group vnetnsg vnetnsg" -SubnetName "subnet-1"
PS> Get-AzureNetworkSecurityGroupAssociation -VirtualNetworkName "Group vnetnsg vnetnsg" -SubnetName "subnet-1"

Name        Location    Label
----        --------    -----
NsgOnSubnet West Europe
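The transcript above only attaches an empty NSG. As an added example (not part of the answer), the following classic-mode script puts explicit rules into that NSG and checks that it is really bound to the subnet, using the names from the transcript; the 203.0.113.0/24 management range is a constructed placeholder.

```powershell
# Added example: populate the classic NSG from the transcript above with
# explicit RDP rules and verify the subnet association.
# Requires the old Azure PowerShell module that still has Switch-AzureMode.
Switch-AzureMode AzureServiceManagement

$vnetName   = "Group vnetnsg vnetnsg"
$subnetName = "subnet-1"
$nsgName    = "NsgOnSubnet"
$adminCidr  = "203.0.113.0/24"   # placeholder: replace with your management range

# -Detailed returns the NSG together with its rule set
$nsg = Get-AzureNetworkSecurityGroup -Name $nsgName -Detailed

# Allow RDP only from the management range; lower priority number wins
Set-AzureNetworkSecurityRule -Name "allow-rdp-admin" -Type Inbound -Priority 100 `
    -Action Allow -SourceAddressPrefix $adminCidr -SourcePortRange "*" `
    -DestinationAddressPrefix "*" -DestinationPortRange "3389" -Protocol TCP `
    -NetworkSecurityGroup $nsg

# Explicitly deny RDP from anywhere else, ahead of the platform default rules
Set-AzureNetworkSecurityRule -Name "deny-rdp-other" -Type Inbound -Priority 200 `
    -Action Deny -SourceAddressPrefix "*" -SourcePortRange "*" `
    -DestinationAddressPrefix "*" -DestinationPortRange "3389" -Protocol TCP `
    -NetworkSecurityGroup $nsg

# Review the resulting rule set in evaluation order
(Get-AzureNetworkSecurityGroup -Name $nsgName -Detailed).Rules |
    Sort-Object Priority |
    Format-Table Name, Type, Priority, Action, SourceAddressPrefix, DestinationPortRange -AutoSize

# Confirm the NSG is bound to the subnet; bind it if the association is missing
$assoc = Get-AzureNetworkSecurityGroupAssociation -VirtualNetworkName $vnetName -SubnetName $subnetName
if ($assoc.Name -ne $nsgName) {
    Set-AzureNetworkSecurityGroupToSubnet -Name $nsgName -VirtualNetworkName $vnetName -SubnetName $subnetName
}
```

The final association check matters because an NSG that exists but is not attached to the subnet protects nothing; Get-AzureNetworkSecurityGroupAssociation is the authoritative view of what the platform is enforcing on that subnet.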
1
votes

This Microsoft article explains where NSGs can be applied in both Classic and ARM deployment methods, and neither specifies the entire VNet; the closest option you have is the subnet, which ought to provide the same functionality, even if you have to apply the same NSG to multiple subnets if you have more than one.

If you want to block traffic between VMs in the same subnet, you'd need to apply the NSG against the VM (classic) or NIC (ARM).

There's a great ARM template here which shows how to set up NSGs and apply them to subnets. If you wanted to do the same to a NIC, see the below extract (assumes the NSG has already been created):

{
  "apiVersion": "2015-06-15",
  "type": "Microsoft.Network/networkInterfaces",
  "name": "nicName",
  "location": "[resourceGroup().location]",
  "properties": {
    "networkSecurityGroup": {
      "id": "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('yourNSGName'))]"
    },
    "ipConfigurations": [
      {
        "name": "yourNICName",
        "properties": {
          "privateIPAllocationMethod": "Dynamic",
          "subnet": {
            "id": "[variables('yourSubnetRef')]"
          }
        }
      }
    ]
  }
},
1
votes

For a VNET and Network Security Group created using the Resource Manager deployment model:

New-AzureRmResourceGroup -Name TestResourceGroup -Location centralus
$frontendSubnet = New-AzureRmVirtualNetworkSubnetConfig -Name frontendSubnet -AddressPrefix "10.0.1.0/24"

$virtualNetwork = New-AzureRmVirtualNetwork -Name MyVirtualNetwork -ResourceGroupName TestResourceGroup `
    -Location centralus -AddressPrefix "10.0.0.0/16" -Subnet $frontendSubnet

$rdpRule = New-AzureRmNetworkSecurityRuleConfig -Name rdp-rule -Description "Allow RDP" -Access Allow `
    -Protocol Tcp -Direction Inbound -Priority 100 -SourceAddressPrefix Internet -SourcePortRange * `
    -DestinationAddressPrefix * -DestinationPortRange 3389

$networkSecurityGroup = New-AzureRmNetworkSecurityGroup -ResourceGroupName TestResourceGroup -Location centralus `
    -Name "NSG-FrontEnd" -SecurityRules $rdpRule

Set-AzureRmVirtualNetworkSubnetConfig -Name frontendSubnet -VirtualNetwork $virtualNetwork `
    -AddressPrefix "10.0.1.0/24" -NetworkSecurityGroup $networkSecurityGroup
$virtualNetwork | Set-AzureRmVirtualNetwork

This example creates a resource group with one virtual network containing just one subnet. It then creates a network security group with an allow rule for RDP traffic. The Set-AzureRmVirtualNetworkSubnetConfig cmdlet is used to modify the in-memory representation of the frontend subnet so that it points to the newly created network security group. The Set-AzureRmVirtualNetwork cmdlet is then called to write the modified state back to the service.
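The answer above opens RDP from the whole Internet and never confirms the association was written, and the earlier answer notes that traffic inside a subnet can only be filtered at the NIC. As an added example (not part of either answer) the following Resource Manager script narrows that rule to a management range, adds an explicit deny, verifies the subnet binding from the service side, and shows the NIC-level attachment. Resource names reuse the answer's; 203.0.113.0/24 and the NIC name "yourNICName" are constructed placeholders.

```powershell
# Added example: tighten the RDP rule, verify the subnet binding, and attach the
# same NSG to a NIC. Assumes the resources from the answer above already exist.
$rgName    = "TestResourceGroup"
$nsgName   = "NSG-FrontEnd"
$vnetName  = "MyVirtualNetwork"
$subnet    = "frontendSubnet"
$nicName   = "yourNICName"       # placeholder: an existing NIC in the same resource group
$adminCidr = "203.0.113.0/24"    # placeholder: replace with your management range

$nsg = Get-AzureRmNetworkSecurityGroup -Name $nsgName -ResourceGroupName $rgName

# Narrow the existing rdp-rule from 'Internet' to the management range (in-memory change)
Set-AzureRmNetworkSecurityRuleConfig -Name rdp-rule -NetworkSecurityGroup $nsg `
    -Description "Allow RDP from management range only" -Access Allow -Protocol Tcp `
    -Direction Inbound -Priority 100 -SourceAddressPrefix $adminCidr -SourcePortRange "*" `
    -DestinationAddressPrefix "*" -DestinationPortRange 3389 | Out-Null

# Explicit deny for all other inbound RDP, ahead of the default rules
Add-AzureRmNetworkSecurityRuleConfig -Name deny-rdp-other -NetworkSecurityGroup $nsg `
    -Description "Deny RDP from everywhere else" -Access Deny -Protocol Tcp `
    -Direction Inbound -Priority 200 -SourceAddressPrefix "*" -SourcePortRange "*" `
    -DestinationAddressPrefix "*" -DestinationPortRange 3389 | Out-Null

# Write the modified rule set back to the service and keep the returned object
$nsg = Set-AzureRmNetworkSecurityGroup -NetworkSecurityGroup $nsg

# Review custom rules in evaluation order
$nsg.SecurityRules | Sort-Object Priority |
    Format-Table Name, Direction, Priority, Access, SourceAddressPrefix, DestinationPortRange -AutoSize

# Verify the subnet association from the service, not from the in-memory object
$vnet = Get-AzureRmVirtualNetwork -Name $vnetName -ResourceGroupName $rgName
$sub  = Get-AzureRmVirtualNetworkSubnetConfig -Name $subnet -VirtualNetwork $vnet
if ($sub.NetworkSecurityGroup.Id -eq $nsg.Id) {
    "OK: $subnet is protected by $nsgName"
} else {
    "WARNING: $subnet has no NSG or a different one attached: $($sub.NetworkSecurityGroup.Id)"
}

# NIC-level attachment, needed to filter traffic between VMs in the same subnet
$nic = Get-AzureRmNetworkInterface -Name $nicName -ResourceGroupName $rgName
$nic.NetworkSecurityGroup = $nsg
Set-AzureRmNetworkInterface -NetworkInterface $nic | Out-Null
```

The Set-/Add-AzureRmNetworkSecurityRuleConfig cmdlets only change the object in memory; nothing is enforced until Set-AzureRmNetworkSecurityGroup writes it back, which is why the verification step reads the VNet afresh rather than trusting the local variables.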