I'm working with Azure, and I have 2 VNETs, each in its own resource group
```
                         Peering
                            |
                            |
+------------------------+  |  +------------------------+
|  Test Resource Group   |  |  |  Prod Resource Group   |
|                        |  v  |                        |
|  +------------------+  |     |  +------------------+  |
|  |    Test VNET     |<----------|    Prod VNET     |  |
|  |                  |---------->|                  |  |
|  +------------------+  |     |  +------------------+  |
|                        |     |                        |
+------------------------+     +------------------------+
```
What I want to do is lock down the peering, such that traffic between the VNETs is restricted to a particular port on a particular VM, without affecting any of the existing firewall rules that are in place.
Would adding an NSG (Network Security Group) to the subnets allow me to do this?
Depending on your requirement, Network Security Groups are one of the built-in ways of restricting network access. They also have firewall appliances that you could use if you have a requirement for logging.
Best practice for NSGs is to cast more general restrictions on your network, and more granular restrictions on the NICs of your VMs. Do some planning on how you would want to have it set up, read some best practices, and you'll be successful.
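As an added illustration (not part of the question or the answer above), the following Python script models how an inbound NSG attached to the Prod subnet would evaluate traffic arriving over the peering. The address spaces, the target VM's IP and the port are assumptions, since the question does not give them. The model reproduces the rule semantics that matter here: rules are evaluated in ascending priority order and the first match wins, the three default inbound rules sit at priorities 65000 to 65500, and once the VNets are peered the VirtualNetwork service tag covers the peered address space as well as the local one. That last point is the caveat a practitioner wants: an Allow rule for the one port is not enough on its own, because the default AllowVnetInBound rule would still admit every other peered flow, so an explicit Deny below priority 65000 is required. Existing intra-VNet rules are left untouched, as the question asks.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed topology: these address spaces and hosts are assumptions,
# the question does not state them.
TEST_VNET = "10.1.0.0/16"            # assumed Test VNET address space
PROD_VNET = "10.2.0.0/16"            # assumed Prod VNET address space
VNETS = [TEST_VNET, PROD_VNET]       # what the VirtualNetwork tag expands to once peered
TARGET_VM = "10.2.1.4"               # assumed private IP of the one reachable Prod VM
TARGET_PORT = 443                    # assumed port to expose across the peering
AZURE_LB_PROBE_IP = "168.63.129.16"  # the AzureLoadBalancer tag resolves to this host


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int             # lower number wins; Azure evaluates in ascending order
    access: str               # "Allow" or "Deny"
    protocol: str             # "Tcp", "Udp" or "*"
    source: str               # CIDR, single IP, "*" or a service tag
    destination: str
    dest_port: Optional[int]  # None means any port


def _matches(prefix: str, ip: str) -> bool:
    """Does an address match a rule prefix or one of the tags modelled here?"""
    addr = ipaddress.ip_address(ip)
    if prefix == "*":
        return True
    if prefix == "VirtualNetwork":
        return any(addr in ipaddress.ip_network(v) for v in VNETS)
    if prefix == "AzureLoadBalancer":
        return ip == AZURE_LB_PROBE_IP
    return addr in ipaddress.ip_network(prefix, strict=False)


# Azure's default inbound rules, always present at priorities 65000-65500.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Allow", "*", "VirtualNetwork", "VirtualNetwork", None),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Allow", "*", "AzureLoadBalancer", "*", None),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*", "*", None),
]


def decide(custom: List[Rule], src: str, dst: str, port: int, proto: str = "Tcp") -> Tuple[str, str]:
    """First-match evaluation over custom rules plus the defaults, sorted by priority."""
    for r in sorted(custom + DEFAULT_INBOUND, key=lambda r: r.priority):
        if r.protocol != "*" and r.protocol != proto:
            continue
        if not _matches(r.source, src) or not _matches(r.destination, dst):
            continue
        if r.dest_port is not None and r.dest_port != port:
            continue
        return r.access, r.name
    return "Deny", "implicit"  # not reached in practice: DenyAllInBound matches everything


# Inbound NSG for the Prod subnet. The Deny at 200 is the important line:
# without it the default AllowVnetInBound (65000) still admits every peered
# flow, because peered address space is part of the VirtualNetwork tag.
PROD_SUBNET_INBOUND = [
    Rule("AllowTestToVmPort", 100, "Allow", "Tcp", TEST_VNET, TARGET_VM, TARGET_PORT),
    Rule("DenyTestVnetElse", 200, "Deny", "*", TEST_VNET, "*", None),
]
ALLOW_ONLY = PROD_SUBNET_INBOUND[:1]  # the tempting but insufficient version

if __name__ == "__main__":
    # Constructed sample flows: peered traffic to the permitted port, to another
    # port, to another Prod host, and an ordinary intra-Prod flow.
    flows = [("10.1.0.5", TARGET_VM, 443), ("10.1.0.5", TARGET_VM, 22),
             ("10.1.0.5", "10.2.1.9", 443), ("10.2.5.5", TARGET_VM, 22)]
    for rules, label in ((PROD_SUBNET_INBOUND, "allow+deny"), (ALLOW_ONLY, "allow only")):
        for src, dst, port in flows:
            print(f"{label:10} {src} -> {dst}:{port}  {decide(rules, src, dst, port)}")
```

Running the script side by side for both rule sets shows the difference: with the Allow and Deny pair, only Test-to-TARGET_VM on the chosen TCP port gets through and intra-Prod traffic is still admitted by AllowVnetInBound; with the Allow rule alone, an SSH attempt from the Test VNET to the same VM is also admitted, by the default rule rather than by anything you wrote. The same shape applies in the other direction with an outbound NSG on the Test subnet if you want to restrict from both ends.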