NSGs contain a list of security rules that allow or deny network traffic depending on the source and destination address, port and protocol. You can assign NSGs on either device or subnet level. For instance, you can block any internet-bound traffic by assigning an NSG with a "block any traffic to destination 0.0.0.0/0" rule.