@David Beitler As per Network Security Group Flow Logging behavior, this is expected and as per design, i.e.:
Note: Rules are of two types - terminating & non-terminating, each with different logging behaviors.
NSG Deny rules are terminating. The NSG denying the traffic will log it in Flow logs and processing in this case would stop after any NSG denies traffic.
NSG Allow rules are non-terminating, which means even if one NSG allows it, processing will continue to the next NSG. The last NSG allowing traffic will log the traffic to Flow logs.
Hope this helps. Please let us know if you have further questions/concerns. Thank you!
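The logging behavior described in the answer above, modeled as an added example that is not part of the original answer and is not Azure code. The NSG names, rule names, priorities and the `flow_log_writer` helper are hypothetical, and the model assumes each NSG picks the first matching rule by priority and treats a flow with no matching rule as denied.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int              # lower number is evaluated first
    action: str                # "Allow" or "Deny"
    dest_port: Optional[int]   # None matches any destination port

def decide(rules, port):
    """First matching rule by priority wins; no match is treated as Deny (assumption)."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.dest_port is None or rule.dest_port == port:
            return rule.action, rule.name
    return "Deny", "no-matching-rule"

def flow_log_writer(chain, port):
    """chain: [(nsg_name, rules), ...] in processing order.
    Returns (final_action, nsg_that_logs_the_flow, matching_rule)."""
    last_allow = (None, None)
    for nsg_name, rules in chain:
        action, rule_name = decide(rules, port)
        if action == "Deny":
            # Terminating: this NSG logs the flow and processing stops here.
            return "Deny", nsg_name, rule_name
        # Non-terminating: remember it, but keep going to the next NSG.
        last_allow = (nsg_name, rule_name)
    return ("Allow",) + last_allow

# Constructed sample: two NSGs applied to the same flow path.
SUBNET_NSG = [Rule("allow-https", 100, "Allow", 443),
              Rule("allow-ssh", 110, "Allow", 22),
              Rule("deny-rest", 4000, "Deny", None)]
NIC_NSG = [Rule("allow-https", 100, "Allow", 443),
           Rule("deny-ssh", 200, "Deny", 22),
           Rule("deny-rest", 4000, "Deny", None)]
CHAIN = [("subnet-nsg", SUBNET_NSG), ("nic-nsg", NIC_NSG)]

if __name__ == "__main__":
    for port in (443, 22, 3389):
        print(port, flow_log_writer(CHAIN, port))
```

In this constructed chain the first NSG's flow log records only the port 3389 deny, so a query limited to that NSG's logs shows no allowed traffic even though port 443 flows pass through it.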