If you are using NSGs at both the subnet and NIC level, the rules will be evaluated at both levels. For the traffic to be allowed, there should be an allow rule created at both the subnet and NIC levels. If any level doesn’t have an allow rule, the traffic will be dropped. When you assign an NSG to a subnet, the rules will get applied to all NICs that are part of the subnet. You can override this inheritance and have a dedicated rule assigned to a NIC. When you apply NSG to both subnet and NIC, then effective rules come into the picture.