Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
I understand that you would like to protect your Azure resource from external malicious attacks.
I see that you would like to make use of TCP and UDP connections.
This means we cannot use Azure App Gateway or Azure Front Door, which offer users WAF protection.
However, if your infrastructure is using HTTP, HTTPS, WebSocket, and HTTP/2 over TCP/UDP, you may consider the above.
You can consider the DDoS IP Protection for better security over the Public IP of the VM.
Please note that this feature is still in preview.
DDoS IP Protection is a pay-per-protected IP model. DDoS IP Protection contains the same core engineering features as DDoS Network Protection, but will differ in the following value-added services: DDoS rapid response support, cost protection, and discounts on WAF.
Refer to this for SKU Comparison
In case you can get static IPs of the remote resources, you can go ahead with NSGs as well.
Please feel free to let me know should you have any further queries on this.
Cheers,
Kapil
Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.
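
One way to apply the NSG suggestion from the answer above, shown as an added example that is not part of the original answer or any Microsoft sample: it builds allow-list rules for the TCP and UDP ports from a fixed set of source IPs and refuses any source that would open the rule to everyone. The resource group, NSG name, ports and source addresses are constructed placeholders; the script only prints the Azure CLI commands for review.

```shell
#!/bin/sh
# Added example (not from the original answer). All names, ports and
# addresses are constructed placeholders; sources use RFC 5737 ranges.
RG="rg-example"; NSG="nsg-vm-example"
SOURCES="203.0.113.10 198.51.100.24/29"   # static IPs of the remote resources
TCP_PORT=5000; UDP_PORT=5001

# Accept one IPv4 address or a CIDR of /24 or narrower, so the allow-list can
# never degrade into "*", "Internet" or 0.0.0.0/0.
valid_source() {
  ip=${1%%/*}; mask=32
  case $1 in */*) mask=${1##*/} ;; esac
  case $mask in ''|*[!0-9]*) return 1 ;; esac
  [ "$mask" -ge 24 ] && [ "$mask" -le 32 ] || return 1
  case $ip in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
  set -- $(echo "$ip" | tr . ' ')
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do [ "$octet" -le 255 ] || return 1; done
}

# Print one "az network nsg rule create" command; nothing is executed here.
rule_cmd() {  # name priority access protocol port source...
  name=$1 prio=$2 access=$3 proto=$4 port=$5; shift 5
  echo "az network nsg rule create -g $RG --nsg-name $NSG -n $name" \
    "--priority $prio --direction Inbound --access $access --protocol $proto" \
    "--source-address-prefixes $* --destination-port-ranges $port"
}

# Validate every source first, then emit the two allow rules and a final deny.
plan() {
  for src in $SOURCES; do
    valid_source "$src" || { echo "refusing source: $src" >&2; return 1; }
  done
  rule_cmd Allow-Known-TCP 100 Allow Tcp "$TCP_PORT" $SOURCES
  rule_cmd Allow-Known-UDP 110 Allow Udp "$UDP_PORT" $SOURCES
  # Explicit deny for everything else arriving from the Internet service tag.
  rule_cmd Deny-Internet-Inbound 4096 Deny "'*'" "'*'" Internet
}

# Dry run: review the printed commands before running them in a shell that is
# logged in with the Azure CLI.
plan
```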