I'm using a network security group at the subnet level. By default almost everything is allowed, so I've added a few rules to allow particular incoming traffic (see details below) and added one rule above the default rules to deny anything else...

I'm observing real problems at the application level and have checked the logs. I've noticed that the user deny rule blocks outgoing traffic.
Network 172 is the destination (outside the Azure subnets)
Network 10.22.128 is the Azure subnets
This behaviour is really bad and makes Network Security Groups useless:
