Thank you for reaching out. Based on your question above:
I'm getting the feeling that I can't filter traffic between Vnets unless I use another product (Azure Firewall). Is my assumption correct? Or should I be able to filter traffic between peering Vnets with just a Network Security Group?
You can filter traffic within the peering VNETS using Network Security Groups.
Based on the screenshot provided above, the highlighted rules AllowVnetInBound and AllowVnetOutBound are allowing the communication within the virtual networks, as the VirtualNetwork service tag is used as Source and Destination in the rule. This service tag includes the virtual network address space (all IP address ranges defined for the virtual network), all connected on-premises address spaces, and peered virtual networks. This is currently documented here.
I think, in order to restrict all the traffic between the Virtual Networks, depending on your requirements you can either set these AllowVnetInBound and AllowVnetOutBound rules to Deny and add a custom rule with priority, say, 100 to allow traffic from host A and host C specifically, where you will use host A's and host C's IPs as Source and Destination in either of the NSGs associated with their subnets.
The changes above will also block the traffic flow within the VNETs themselves. If this is not desired and you just want to block the traffic between the peered VNET1 and VNET2, you can implement the rules in the following way: the rule allowing communication between Host A and Host C has a lower priority number, and the rule denying the traffic between VNET1 and VNET2 has a higher priority number, but lower than the AllowVnetInBound rule.
Hope this answers your query. Please let me know if you have any additional questions. Thank you!
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
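As an added illustration (not part of the original answer or of any Azure tooling), the following Python script models how an NSG evaluates inbound rules in priority order and how the VirtualNetwork service tag expands to the local and peered address spaces. It builds both rule sets the answer describes: one that denies all VirtualNetwork traffic except Host A/Host C, and one that only denies the peered VNET2 range while leaving intra-VNET1 traffic on the default AllowVnetInBound rule. The address ranges, host IPs and rule names are constructed assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed topology (assumed for this example, not from the thread):
# VNET1 and VNET2 are peered; Host A/B live in VNET1, Host C/D in VNET2.
VNET1 = ipaddress.ip_network("10.1.0.0/16")
VNET2 = ipaddress.ip_network("10.2.0.0/16")
HOST_A = "10.1.0.4"
HOST_B = "10.1.0.5"
HOST_C = "10.2.0.4"
HOST_D = "10.2.0.5"

# The VirtualNetwork service tag covers the VNet's own address space plus
# peered VNets (on-premises ranges are omitted here for brevity).
SERVICE_TAGS = {"VirtualNetwork": [VNET1, VNET2]}


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int   # lower number = evaluated first
    source: str     # CIDR, single IP, "*" or a service tag name
    destination: str
    access: str     # "Allow" or "Deny"


def _matches(spec: str, addr: str) -> bool:
    """True if the address falls inside the rule's source/destination spec."""
    ip = ipaddress.ip_address(addr)
    if spec == "*":
        return True
    if spec in SERVICE_TAGS:
        return any(ip in net for net in SERVICE_TAGS[spec])
    return ip in ipaddress.ip_network(spec, strict=False)


def evaluate(rules, src: str, dst: str):
    """First matching rule in ascending priority order decides the verdict."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if _matches(rule.source, src) and _matches(rule.destination, dst):
            return rule.access, rule.name
    return "Deny", "implicit"


# Default inbound rules that every NSG carries (priorities 65000 and 65500).
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "VirtualNetwork", "VirtualNetwork", "Allow"),
    Rule("DenyAllInBound", 65500, "*", "*", "Deny"),
]


def rules_block_all_vnet_traffic():
    """Option 1 from the answer: deny all VirtualNetwork traffic except A<-C.
    (Modelled as a custom Deny that shadows AllowVnetInBound.)"""
    return [
        Rule("AllowHostCToHostA", 100, HOST_C, HOST_A, "Allow"),
        Rule("DenyVnetInBound", 200, "VirtualNetwork", "VirtualNetwork", "Deny"),
    ] + DEFAULT_INBOUND


def rules_block_peered_only():
    """Option 2 from the answer: deny only VNET2 -> VNET1, keep intra-VNET1
    traffic on the default AllowVnetInBound rule."""
    return [
        Rule("AllowHostCToHostA", 100, HOST_C, HOST_A, "Allow"),
        Rule("DenyVnet2ToVnet1", 200, str(VNET2), str(VNET1), "Deny"),
    ] + DEFAULT_INBOUND


def verdicts(rules):
    """Evaluate the inbound NSG on Host A's subnet for several sources."""
    return {
        "C->A": evaluate(rules, HOST_C, HOST_A),
        "D->A": evaluate(rules, HOST_D, HOST_A),
        "B->A": evaluate(rules, HOST_B, HOST_A),
        "internet->A": evaluate(rules, "203.0.113.10", HOST_A),
    }


if __name__ == "__main__":
    for label, rules in (("block all", rules_block_all_vnet_traffic()),
                         ("peered only", rules_block_peered_only())):
        print(label)
        for flow, (access, name) in verdicts(rules).items():
            print(f"  {flow:12} {access:5} via {name}")
```

Running it shows the difference the answer points out: with the first rule set, Host B to Host A (inside VNET1) is denied as a side effect, whereas with the second set it is still allowed by AllowVnetInBound, and only the peered VNET2 hosts other than Host C are denied.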