This is described here:
For inbound traffic, Azure processes the rules in a network security group associated to a subnet first, if there is one, and then the rules in a network security group associated to the network interface, if there is one.
For outbound traffic, Azure processes the rules in a network security group associated to a network interface first, if there is one, and then the rules in a network security group associated to the subnet, if there is one.
Maybe this is helpful.
Regards
Andreas Baumgarten
(Please don't forget to Accept as answer if the reply is helpful)
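The processing order quoted in the answer above, as an added example that is not part of the original reply or of any Azure tooling: a small model that evaluates one flow against a subnet NSG and a NIC NSG. The `Rule` class, the function names and the sample rules are hypothetical; matching is reduced to direction and destination port, and the platform's default rules are collapsed into a single final deny at priority 65500.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    priority: int          # lower number is evaluated first
    direction: str         # "Inbound" or "Outbound"
    port: Optional[int]    # destination port; None matches any port
    access: str            # "Allow" or "Deny"

def nsg_verdict(rules, direction, port):
    """First matching rule in ascending priority order decides the verdict."""
    for r in sorted(rules, key=lambda r: r.priority):
        if r.direction == direction and r.port in (None, port):
            return r.access, r.priority
    # Simplification: stands in for the default DenyAllInBound/DenyAllOutBound rule.
    return "Deny", 65500

def evaluate(direction, port, subnet_nsg=None, nic_nsg=None):
    """Return (final_access, trace) using the order from the quoted text."""
    stages = [("subnet", subnet_nsg), ("nic", nic_nsg)]   # inbound order
    if direction == "Outbound":
        stages.reverse()                                   # NIC first, then subnet
    trace = []
    for name, nsg in stages:
        if nsg is None:        # "if there is one": nothing to evaluate at this level
            continue
        access, prio = nsg_verdict(nsg, direction, port)
        trace.append((name, access, prio))
        if access == "Deny":
            return "Deny", trace   # the second NSG is never consulted
    return "Allow", trace

# Constructed sample rules, not taken from any real deployment.
SUBNET_NSG = [Rule(100, "Inbound", 443, "Allow"),
              Rule(200, "Outbound", None, "Allow")]
NIC_NSG = [Rule(100, "Inbound", 22, "Allow"),
           Rule(110, "Inbound", 443, "Deny"),
           Rule(100, "Outbound", 443, "Allow")]

if __name__ == "__main__":
    for direction, port in [("Inbound", 443), ("Inbound", 22), ("Outbound", 443)]:
        print(direction, port, evaluate(direction, port, SUBNET_NSG, NIC_NSG))
```

The inbound port 22 case shows why an allow rule on the NIC alone is not enough: the subnet NSG is evaluated first and its deny ends processing before the NIC rule is reached.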