I am working with this article and have set up the network diagram described in the article itself and gone a little further by adding an NSG.

Given the below diagram and context, I am struggling to understand why I can hit my API directly when the NSG is only configured with the default rules of ALLOW VNET INBOUND, ALLOW AZURE LOAD BALANCER INBOUND and DENY ALL INBOUND.

[Diagram: Azure APIM with Networks]

In advance I will own to being truly terrible at networking, despite hours of studying.

1 Answer

NSGs are not inline for App Service traffic destined for the App Service's public IP address, even if the App Service is VNET-integrated. If you have deployed APIM in front of the App Service, you still need to only allow APIM to connect to the App Service--which can be accomplished with client certificates.

See: https://docs.microsoft.com/en-us/azure/app-service/app-service-ip-restrictions

APIM certs setup: https://docs.microsoft.com/en-us/azure/api-management/api-management-howto-mutual-certificates
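An added example (not part of the answer above and not Microsoft's code) of the application-side half of the client-certificate approach: with client certificates enabled, App Service forwards the presented certificate to the app base64-encoded in the `X-ARR-ClientCert` header, and the app has to decide whether it is the one APIM uses. Assumptions: pinning by SHA-256 thumbprint is this example's choice, the function names are hypothetical, and the certificate bytes are constructed stand-ins rather than real certificates.

```python
import base64
import binascii
import hashlib
import hmac

# Constructed stand-ins for certificate DER bytes. A thumbprint is a hash over
# the raw DER encoding, so opaque bytes are enough to exercise the pin check.
SAMPLE_APIM_CERT_DER = b"constructed-sample-der-bytes-for-apim-client-cert"
OTHER_CERT_DER = b"constructed-sample-der-bytes-for-some-other-client"


def thumbprint(der: bytes) -> str:
    """SHA-256 thumbprint of a DER-encoded certificate, uppercase hex."""
    return hashlib.sha256(der).hexdigest().upper()


def arr_header_for(der: bytes) -> str:
    """Header value in the forwarded form: base64 of the DER bytes."""
    return base64.b64encode(der).decode("ascii")


def is_request_from_apim(headers: dict, pinned_thumbprints: set) -> bool:
    """Accept a request only if X-ARR-ClientCert carries a pinned certificate.

    A thumbprint pin does not check the validity period or the issuer chain;
    those checks need an X.509 parser and are out of scope here.
    """
    # HTTP header names are case-insensitive.
    value = next(
        (v for k, v in headers.items() if k.lower() == "x-arr-clientcert"), None
    )
    if not value:
        return False  # e.g. a direct call that presented no client certificate
    try:
        der = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False  # malformed header value
    presented = thumbprint(der)
    # Constant-time comparison against each pinned value.
    return any(hmac.compare_digest(presented, pin) for pin in pinned_thumbprints)


# Pin set holding only the (constructed) APIM certificate.
PINNED = {thumbprint(SAMPLE_APIM_CERT_DER)}
```

The header is only meaningful when the platform front end populates it, so this check complements the access restrictions linked above and does not replace them.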