I've got an azure sftp container instance properly set up finally but I ran into a wall while configuring security for it (much like the person here).
My basic flow is this:
PIP on Azure ->
-> Load balancer using PIP to be reached by the wider web ->
-> Load balancing rule to backend subnet ->
-> SFTP container group living on that subnet ->
-> SFTP container in that group
Nothing special and I verified before associating the NSG that the network is operating as intended. Connection to the SFTP server is functioning properly. The problem is, after associating the NSG with the container group's subnet, I was still able to connect to it without any configured rules. Even after applying a rule @ priority 100 to deny all traffic, to rule out something I may miss from the default rules, I can still get in.
After reading how NSG flow logs don't include container instances, I'm torn between believing users have NSGs working with container groups but are missing logs, and the possibility that NSGs don't work with container groups at all. If anyone has any guidance on properly using NSGs here, please let me know. Otherwise, if there's another tool I should be using, please recommend it (Azure Firewall is included in the container group tutorial, but I believe completely overkill for what I need and also prohibitively expensive).
EDIT: Adding picture of NSG rules -
