Azure Virtual Network Manager (AVNM) security admin rules are designed to enforce security policies at scale across multiple virtual networks. These rules are evaluated before Network Security Group (NSG) rules and have a higher priority. By creating a security admin rule that denies inbound RDP (port 3389) traffic from any source other than the AzureBastionSubnet, you can centrally override any permissive RDP rules in individual NSGs. This ensures that all RDP connections must be initiated through the Bastion host, directly addressing the requirement to prevent NSG rules from creating a bypass.

A. Azure Virtual Network Manager connectivity configurations: These configurations are used to define network topology, such as hub-and-spoke or mesh, not for enforcing traffic filtering rules.

C. Azure Firewall application rules: These rules filter outbound traffic based on Fully Qualified Domain Names (FQDNs) for protocols like HTTP/S. They are not used for controlling inbound RDP traffic.

D. Azure Firewall network rules: While Azure Firewall can block RDP, the question's core problem is overriding conflicting NSG rules at scale. AVNM security admin rules are specifically designed for this purpose and take precedence over NSGs.

1. Microsoft Documentation | Azure Virtual Network Manager | Security admin rules: "Security admin rules are high priority rules that are evaluated before NSG rules... With security admin rules

you can enforce

and override NSG rules at scale." This document explicitly states the precedence and purpose of security admin rules

confirming they can override NSGs to enforce a security baseline.

Source: Microsoft Learn

"Security admin rules in Azure Virtual Network Manager

" Introduction section.

2. Microsoft Documentation | Azure Virtual Network Manager | How it works: "A security configuration contains a set of security admin rules that you can apply to one or more network groups... When you apply a security configuration to a virtual network

all the network interfaces (NICs) in the virtual network will have the security admin rules applied. The rules are evaluated before network security groups."

Source: Microsoft Learn

"How security admin rules work with Azure Virtual Network Manager

" How it works section.

3. Microsoft Documentation | Azure Virtual Network Manager | Overview: This document distinguishes between the two main capabilities of AVNM: "Connectivity configuration" and "Security configuration

" clarifying that option A (connectivity) is for topology and option B (security) is for traffic control.

Source: Microsoft Learn

"What is Azure Virtual Network Manager?

" Key benefits section.