Is it possible to have security rules for different backend pools of an Azure Application Gateway?

I have an Azure Application Gateway in front of an AKS cluster. The cluster has some internal IP addresses published through an Internal Load Balancer, i.e. with IP addresses from the subnet the cluster resides in.

I have defined a Network Security Group on the subnet of the Gateway and am able to deny/allow all traffic to the internal IP addresses using wildcards.

However, I want to control the traffic more granularly: I want to allow one external IP access to a certain backend pool of the Gateway, and another external IP access to another backend pool. I tried to use the Internal Load Balancer IPs in the destination, but that doesn't seem to work. In fact, I don't know what the destination IP would be for incoming traffic, as I can't even block incoming traffic when I put the Gateway's IP as the destination; only when I use * can I block all incoming traffic.

I could solve it by using multiple Gateways but that gets expensive real fast.

1 Answer

No, you can't do that with an NSG (unless you are using multiple gateways). You might be able to do that with some firewall appliance.