This set of Azure Network Security Group inbound rules came from a "best practice" blog.
I understand this to mean there isn't any way for any network traffic to pass the "DropAll" rule and reach the "AllowVNetInbound" rule. Do I understand that correctly?
I can imagine a few cases where you might want to deny all inbound traffic from the vNet, but I can't imagine why that would be considered a best practice. (I understand best practice to mean always do this unless there's a seriously compelling reason not to.) What am I missing here?
The only real reason to do this is if you want to ensure that you are in complete control of the rules governing traffic flow, and not defaulting into using the built-in rules. In the scenario you showed, intra-vNet traffic is not allowed, as the "AllowVnetInboundTraffic" rule is blocked. You would then need to explicitly define any rules you want to allow traffic between machines on the same (or peered) vNets, if you apply this rule to a subnet.
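As an added illustration (not part of the question or the answer above), the following Python model of NSG inbound evaluation shows why a custom "DropAll" rule is hit before the platform's default "AllowVNetInBound" rule, and how an explicit allow rule with a lower priority number restores intra-VNet traffic; the VNet address space, the rule names and the priority values are assumptions for this example.

```python
from ipaddress import ip_address, ip_network

# Constructed assumptions for this example: the VNet's address space and
# Azure's well-known load-balancer health-probe source address.
VNET_SPACE = ip_network("10.0.0.0/16")
AZURE_LB_PROBE = ip_address("168.63.129.16")

# Azure's built-in inbound rules. They sit at priorities 65000-65500, so any
# custom rule (custom priorities range 100-4096) is evaluated before them.
DEFAULT_INBOUND = [
    ("AllowVNetInBound", 65000, "VirtualNetwork", "Allow"),
    ("AllowAzureLoadBalancerInBound", 65001, "AzureLoadBalancer", "Allow"),
    ("DenyAllInBound", 65500, "*", "Deny"),
]

# The rule set from the question: a single custom deny-everything rule.
BLOG_RULES = [("DropAll", 4096, "*", "Deny")]

# The same rule set with intra-VNet traffic explicitly re-allowed at a lower
# (earlier-evaluated) priority number, as the answer describes.
FIXED_RULES = [("AllowIntraVNet", 100, "VirtualNetwork", "Allow")] + BLOG_RULES


def source_matches(rule_source, src):
    """Match a rule's source (service tag or CIDR) against a source address.
    Ports and protocols are deliberately ignored to keep the model small."""
    if rule_source == "*":
        return True
    if rule_source == "VirtualNetwork":
        return src in VNET_SPACE
    if rule_source == "AzureLoadBalancer":
        return src == AZURE_LB_PROBE
    return src in ip_network(rule_source)


def evaluate(custom_rules, src_ip):
    """Return (rule_name, access) of the first matching rule, lowest
    priority number first, which is how an NSG decides inbound traffic."""
    src = ip_address(src_ip)
    for name, priority, source, access in sorted(
        custom_rules + DEFAULT_INBOUND, key=lambda r: r[1]
    ):
        if source_matches(source, src):
            return name, access
    return "DenyAllInBound", "Deny"  # not reached: the default deny matches all


if __name__ == "__main__":
    for rules, label in ((BLOG_RULES, "blog"), (FIXED_RULES, "fixed")):
        for ip in ("10.0.1.5", "168.63.129.16", "203.0.113.7"):
            print(label, ip, "->", evaluate(rules, ip))
```

Note that the same "DropAll" rule also shadows "AllowAzureLoadBalancerInBound", so load-balancer health probes need their own explicit allow rule as well.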