Hello @Pirko, Kevin J,
I understand that you have a VNet with two subnets, where one subnet is used by an App Service with VNet integration and the other subnet holds private endpoints to the SQL server that hosts the App Service database. You have confirmed that the NSGs applied to both subnets can deny the traffic, but Traffic Analytics and the AzureNetworkAnalytics_CL logs don't show any of those flows, and you would like to know if this is by design.
Yes, this is by design.
According to the NSG flow logs document:
Traffic across a private link - To log traffic while accessing platform as a service (PaaS) resources via private link, enable NSG flow logs on the network security group of the subnet that contains the private link. Because of platform limitations, only traffic at the source VMs can be captured. Traffic at the destination PaaS resource can't be captured.
Also, App services deployed under an Azure App Service plan don't support NSG flow logs. Because of the nature of how virtual network integration operates, the traffic from virtual network integration doesn't show up in Azure Network Watcher or NSG flow logs.
In your setup, you have App Service and Private Link with PaaS services, which do not support/capture NSG flow logs.
Kindly let us know if the above helps or if you need further assistance on this issue.
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
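To verify which subnets actually appear in your flow logs before concluding that a gap is the platform limitation described above, here is an added example (my own script, not part of the answer above or of Microsoft's documentation). It parses NSG flow log version 2 records, counts per expected subnet how often it appears as a flow source or destination, and lists subnets with no flows at all. The flow-log JSON is constructed sample data, and the subnet names and CIDRs, the NSG resource IDs and the flow tuples are all assumptions for illustration; the hypothetical VM subnet is there only to show what captured NIC-side traffic looks like next to the two empty roles.

```python
"""Check which subnets actually appear in NSG flow log v2 records.

Added example; not from the original answer. The flow-log JSON below is
constructed sample data, and the subnet names/CIDRs are assumptions.
"""
import ipaddress
import json
from collections import Counter

# Assumed layout for the scenario in the question: an App Service VNet
# integration subnet, a private endpoint subnet for SQL, plus a hypothetical
# VM subnet whose NIC-side traffic is the only kind flow logs capture.
EXPECTED_SUBNETS = {
    "app-integration": "10.0.1.0/24",
    "private-endpoint": "10.0.2.0/24",
    "vm": "10.0.3.0/24",
}

# Constructed resource IDs (placeholder subscription).
NSG_VM = ("/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/RG"
          "/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/NSG-VM")
NSG_PE = NSG_VM.replace("NSG-VM", "NSG-PE")

# Constructed sample: one record from the VM subnet NSG with three tuples, and
# one record from the private endpoint subnet NSG with no flows at all, since
# traffic arriving at the PaaS side is not captured (as the quoted doc states).
SAMPLE_FLOW_LOG = json.dumps({"records": [
    {"time": "2024-01-01T00:00:00.000Z",
     "category": "NetworkSecurityGroupFlowEvent",
     "resourceId": NSG_VM,
     "properties": {"Version": 2, "flows": [
         {"rule": "UserRule_deny-sql-1433", "flows": [
             {"mac": "000D3A000001", "flowTuples": [
                 "1704067200,10.0.3.5,10.0.2.4,50001,1433,T,O,D,B,,,,"]}]},
         {"rule": "UserRule_allow-sql-1433", "flows": [
             {"mac": "000D3A000001", "flowTuples": [
                 "1704067201,10.0.3.5,10.0.2.4,50002,1433,T,O,A,B,3,200,2,120"]}]},
         {"rule": "DefaultRule_DenyAllInBound", "flows": [
             {"mac": "000D3A000001", "flowTuples": [
                 "1704067202,198.51.100.7,10.0.3.5,40000,22,T,I,D,B,,,,"]}]}]}},
    {"time": "2024-01-01T00:00:00.000Z",
     "category": "NetworkSecurityGroupFlowEvent",
     "resourceId": NSG_PE,
     "properties": {"Version": 2, "flows": []}},
]})


def parse_flow_tuples(flow_log_json):
    """Flatten v2 flow log JSON into one dict per flow tuple.

    Tuple layout (v2): time,src,dst,sport,dport,proto,dir,decision,state,
    pkts_src_to_dst,bytes_src_to_dst,pkts_dst_to_src,bytes_dst_to_src.
    """
    tuples = []
    for rec in json.loads(flow_log_json)["records"]:
        props = rec["properties"]
        if props.get("Version") != 2:
            raise ValueError("only flow log version 2 is handled here")
        nsg = rec["resourceId"].rsplit("/", 1)[-1]
        for rule in props["flows"]:
            for flow in rule["flows"]:
                for t in flow["flowTuples"]:
                    f = t.split(",")
                    tuples.append({
                        "nsg": nsg, "rule": rule["rule"],
                        "src": ipaddress.ip_address(f[1]),
                        "dst": ipaddress.ip_address(f[2]),
                        "dst_port": int(f[4]), "proto": f[5],
                        "direction": f[6], "decision": f[7],
                    })
    return tuples


def subnet_coverage(tuples, subnets=EXPECTED_SUBNETS):
    """Count, per expected subnet, flows where it is source or destination."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in subnets.items()}
    cov = {name: Counter() for name in nets}
    for t in tuples:
        for name, net in nets.items():
            if t["src"] in net:
                cov[name]["as_source"] += 1
            if t["dst"] in net:
                cov[name]["as_destination"] += 1
    return {name: dict(c) for name, c in cov.items()}


def subnets_without_flows(coverage):
    """Expected subnets seen in no flow in either role: a logging blind spot."""
    return sorted(n for n, c in coverage.items()
                  if not c.get("as_source") and not c.get("as_destination"))


def denied_flows(tuples):
    """Flows the NSG denied; useful when correlating with a reported block."""
    return [t for t in tuples if t["decision"] == "D"]


if __name__ == "__main__":
    flows = parse_flow_tuples(SAMPLE_FLOW_LOG)
    cov = subnet_coverage(flows)
    for name, c in cov.items():
        print(f"{name:17s} src={c.get('as_source', 0)} "
              f"dst={c.get('as_destination', 0)}")
    print("blind spots:", subnets_without_flows(cov))
    print("denied flows:", len(denied_flows(flows)))
```

Run against real flow logs pulled from the storage account, an empty entry for the App Service integration subnet is the expected result given the platform limitation; a subnet that should be logged (one hosting VMs) showing up empty would instead point at flow logs not being enabled on that NSG.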