Hi Ben,
I barely use NSGs on NICs, only on Subnets.
Keep in mind that all VNET-to-the-same-VNET traffic is ALLOWED by default by the default rules. If you want to restrict traffic from one subnet to another subnet in the same VNET, you should insert a NEW rule above the default rules (e.g. priority 4000) to DENY all traffic from the complete address space of the VNET.
After which you can ALLOW traffic from 1 subnet to the other by creating a new rule (with priority 200), e.g. Front-Ends-SN to DB-SN.
Hope this helps and is relatable to your situation.
KR
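
The priority ordering described in the reply above, as an added example that is not part of the original post: a small first-match evaluator run over the default inbound rules plus the two custom rules. The address ranges, rule names and the `evaluate` helper are assumptions made for illustration; ports and protocols are ignored, and the VirtualNetwork service tag is simplified to the VNET address space.

```python
import ipaddress
from dataclasses import dataclass

# Constructed address plan (assumption, not from the post).
VNET = "10.0.0.0/16"
FRONT_ENDS_SN = "10.0.1.0/24"
DB_SN = "10.0.2.0/24"

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # lower number is evaluated first
    source: str        # CIDR, or "*" for any
    destination: str   # CIDR, or "*" for any
    access: str        # "Allow" or "Deny"

# Default inbound rules present on every NSG (AllowAzureLoadBalancerInBound,
# priority 65001, is left out because it does not affect subnet-to-subnet flows).
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, VNET, VNET, "Allow"),
    Rule("DenyAllInBound", 65500, "*", "*", "Deny"),
]

# The two custom rules from the post; the rule names are hypothetical.
CUSTOM_RULES = [
    Rule("Allow-FrontEnds-to-DB", 200, FRONT_ENDS_SN, DB_SN, "Allow"),
    Rule("Deny-VNET-address-space", 4000, VNET, "*", "Deny"),
]

def _matches(prefix, ip):
    return prefix == "*" or ipaddress.ip_address(ip) in ipaddress.ip_network(prefix)

def evaluate(rules, src_ip, dst_ip):
    """Return (access, rule name) for the first rule that matches, in priority order."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if _matches(rule.source, src_ip) and _matches(rule.destination, dst_ip):
            return rule.access, rule.name
    return "Deny", "no-match"

if __name__ == "__main__":
    # Constructed flows: front-end to DB, another subnet to DB, DB to front-end.
    flows = [("10.0.1.4", "10.0.2.5"), ("10.0.3.4", "10.0.2.5"), ("10.0.2.5", "10.0.1.4")]
    for src, dst in flows:
        before = evaluate(DEFAULT_RULES, src, dst)
        after = evaluate(DEFAULT_RULES + CUSTOM_RULES, src, dst)
        print(f"{src} -> {dst}: defaults only {before}, with custom rules {after}")
```

NSGs are stateful, so the deny on the DB-to-front-end direction applies only to connections the DB subnet initiates, not to replies on flows the priority 200 rule allowed.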