Destination has the same settings as Source besides the Protocol setting, as this is already defined by the Source setting.

Note that all port and protocol settings get disabled when choosing a service template, because the standard ports are used. When you create a rule for a network service that doesn't use the standard ports, use a custom setting. This is how a new network rule looks:

Network security groups can be associated with multiple network interface cards and multiple subnets. That means that all security rules defined in that security group apply to the complete network traffic in all associated subnets.

By default, all subnets are routed. To implement basic security based on NSGs, it's best practice to implement traffic flow control between subnets first. After connecting to an on-premise network via VPN or ExpressRoute (see Chapter 4, Implementing Azure Networks), it's also very important to ensure that all unnecessary traffic from the Internet is blocked and that all Internet-facing services/virtual machines are isolated by, for example, a DMZ.