
The creation of a bastion-nsg is confusing because you can't attach an NSG to a Bastion service private endpoint AFAICT

Open LanceBraswell opened this issue 10 months ago • 1 comment

Using the v2 Landing Zone, I see there is a bastion-nsg created and the rules allow egress to the other NSGs (app-nsg, db-nsg, lbr-nsg). And the app-nsg, db-nsg, lbr-nsg NSGs all allow ingress from bastion-nsg. But I don't see how you can attach an NSG to a Bastion service private endpoint. If this is true, I don't see how they could be used with the Bastion Service. The only way bastion-nsg would be used is if there is a plain old jumphost VM Instance serving as a traditional "bastion" which could have the bastion-nsg attached to its private endpoint.

I'm trying to understand if I am missing something or if that is the correct intention of the bastion-nsg (i.e. use with VM Instance service as a jumphost and not with the Bastion service)?

LanceBraswell, Apr 19 '24 18:04

Hi Lance, you got it right. The bastion-nsg applies to a jump host, not the Bastion service. A Bastion service endpoint isn't NSG aware yet.

andrecorreaneto, Apr 30 '24 21:04
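The wiring described in the issue and confirmed in the reply above, as an added Terraform example (not code from oci-cis-landingzone-quickstart): a bastion-nsg and app-nsg that reference each other by NSG membership rather than by CIDR, the NSG attached to the VNIC of a jump-host instance, and, for contrast, a Bastion service resource that is scoped only by subnet and client CIDR allow-list and takes no NSG. Every OCID variable, display name, shape and CIDR here is a hypothetical placeholder; the resource and argument names are from the oracle/oci provider as I know it, and the absence of an NSG argument on the Bastion resource is what the maintainer's reply says and is assumed, not verified against a particular provider version.

```terraform
# Added example, not part of the landing zone. All IDs, names and CIDRs are
# hypothetical placeholders supplied by the reader.
terraform {
  required_providers {
    oci = {
      source = "oracle/oci"
    }
  }
}

variable "compartment_id"      { type = string } # hypothetical OCID
variable "vcn_id"              { type = string } # hypothetical OCID
variable "jump_subnet_id"      { type = string } # hypothetical private subnet OCID
variable "image_id"            { type = string } # hypothetical image OCID
variable "availability_domain" { type = string } # hypothetical AD name

resource "oci_core_network_security_group" "bastion_nsg" {
  compartment_id = var.compartment_id
  vcn_id         = var.vcn_id
  display_name   = "bastion-nsg"
}

resource "oci_core_network_security_group" "app_nsg" {
  compartment_id = var.compartment_id
  vcn_id         = var.vcn_id
  display_name   = "app-nsg"
}

# bastion-nsg side: SSH egress allowed only to VNICs that are members of app-nsg.
resource "oci_core_network_security_group_security_rule" "bastion_to_app_ssh" {
  network_security_group_id = oci_core_network_security_group.bastion_nsg.id
  direction                 = "EGRESS"
  protocol                  = "6" # TCP
  destination_type          = "NETWORK_SECURITY_GROUP"
  destination               = oci_core_network_security_group.app_nsg.id
  description               = "SSH from jump host to app tier"
  tcp_options {
    destination_port_range {
      min = 22
      max = 22
    }
  }
}

# app-nsg side: the matching ingress, also keyed on NSG membership, so the rule
# follows whatever VNIC carries bastion-nsg rather than a fixed address.
resource "oci_core_network_security_group_security_rule" "app_from_bastion_ssh" {
  network_security_group_id = oci_core_network_security_group.app_nsg.id
  direction                 = "INGRESS"
  protocol                  = "6" # TCP
  source_type               = "NETWORK_SECURITY_GROUP"
  source                    = oci_core_network_security_group.bastion_nsg.id
  description               = "SSH from jump host"
  tcp_options {
    destination_port_range {
      min = 22
      max = 22
    }
  }
}

# The place bastion-nsg actually takes effect: the VNIC of a jump-host instance.
resource "oci_core_instance" "jump_host" {
  availability_domain = var.availability_domain
  compartment_id      = var.compartment_id
  shape               = "VM.Standard.E4.Flex" # hypothetical shape
  display_name        = "jump-host"
  shape_config {
    ocpus         = 1
    memory_in_gbs = 8
  }
  source_details {
    source_type = "image"
    source_id   = var.image_id
  }
  create_vnic_details {
    subnet_id        = var.jump_subnet_id
    assign_public_ip = false
    nsg_ids          = [oci_core_network_security_group.bastion_nsg.id]
  }
}

# For comparison: a Bastion service endpoint in the same subnet. It is scoped by
# target subnet and client CIDR allow-list; there is no nsg_ids argument here
# (assumed from the maintainer's reply), so bastion-nsg cannot apply to it.
resource "oci_bastion_bastion" "svc" {
  bastion_type                 = "STANDARD"
  compartment_id               = var.compartment_id
  target_subnet_id             = var.jump_subnet_id
  name                         = "bastion-svc"
  client_cidr_block_allow_list = ["203.0.113.0/24"] # hypothetical allow-list
  max_session_ttl_in_seconds   = 3600
}
```

With the Bastion service, the reachable targets are governed by the target subnet's security lists and the target VNIC's own NSG ingress rules (which would then have to admit the subnet or the service's source addresses, not bastion-nsg), so the NSG-to-NSG pairing shown here only buys anything for the jump-host pattern.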

Thank you for the clarification. I closed the issue.

LanceBraswell, Jul 15 '24 21:07