So I've deployed an Azure Container Instance Group in a private Subnet & VNET where the default inbound rules on the NSG apply.
There isn't a public IP allocated (as expected); however, I am still able to leverage Azure CLI to execute scripts from a public IP with the following command:

```
az container exec --resource-group myResourceGroup --name myContainer --exec-command /bin/bash
```

Ideally, the NSG inbound rules should have disallowed such an invocation from outside the internal VNET IP address range. Likewise,

```
az container logs
```

and

```
az container logs attach
```

are also able to retrieve the logs from that container instance. My question is therefore: why? How is it that these inbound calls are not blocked?