Azure is continually evolving. This is a personal collection best practice that pop up in various blogs, videos and, of course, the Azure documentation. 

https://docs.microsoft.com/en-gb/azure/architecture/best-practices/naming-conventions

NSGs contain a list of security rules that allow or deny network traffic depending on the source and destination address, port and protocol. You can assign NSGs on either device or subnet level. For instance, you can block any internet-bound traffic by assigning an NSG with a "block any traffic to destination 0.0.0.0/0" rule.