Q. I created a Network Security Group on my subnet, but now VMs will not provision correctly. Why?
A. I have seen environments create super-restrictive Network Security Groups that basically block all communication except between machines within the subnet. When this happens, creating a VM takes a very long time, and if you look in detail you will see that the deployment gets stuck provisioning the extensions, because they require outbound HTTPS. Therefore, always enable an outbound HTTPS rule at a minimum to allow full provisioning (this also allows the VMs to update from the Internet). Also remember that you need to be able to manage and communicate with the VMs, so you will likely want to enable WS-Man and maybe even RDP from the set of IP addresses you will manage from. More detail on the problem caused by a deny-all outbound rule can be found at https://blogs.msdn.microsoft.com/mast/2016/04/27/vm-stuck-in-updating-when-nsg-rule-restricts-outbound-internet-connectivity/.
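
A pre-deployment check for the situation described above, as an added example that is not part of the original answer or any Microsoft tooling: it evaluates an NSG's outbound rules in priority order (lowest number first, Azure's default rules last) and reports which rule decides an outbound HTTPS flow. The rule names, address ranges and the 10.0.0.0/16 VNet are constructed, and service-tag matching is simplified to "Internet = outside the VNet, VirtualNetwork = inside it".

```python
from ipaddress import ip_address, ip_network

def rule(name, priority, access, protocol, dest, ports):
    return dict(name=name, priority=priority, access=access,
                protocol=protocol, dest=dest, ports=ports)

# Default outbound rules that Azure appends to every NSG.
DEFAULTS = [
    rule("AllowVnetOutBound", 65000, "Allow", "*", "VirtualNetwork", "*"),
    rule("AllowInternetOutBound", 65001, "Allow", "*", "Internet", "*"),
    rule("DenyAllOutBound", 65500, "Deny", "*", "*", "*"),
]

def port_matches(spec, port):
    """spec is '*', one port, a range like '80-443', or a comma-separated mix."""
    for part in (p.strip() for p in str(spec).split(",")):
        if part == "*":
            return True
        low, _, high = part.partition("-")
        if int(low) <= port <= int(high or low):
            return True
    return False

def dest_matches(spec, ip, vnet):
    """Simplified (assumption): Internet = outside vnet, VirtualNetwork = inside."""
    if spec == "*":
        return True
    if spec in ("Internet", "VirtualNetwork"):
        return (ip in vnet) == (spec == "VirtualNetwork")
    try:
        return ip in ip_network(spec)
    except ValueError:
        return False  # other service tags are not modelled here

def outbound_decision(rules, dest_ip, port, protocol="Tcp", vnet="10.0.0.0/16"):
    """Return (access, rule name) of the first match, lowest priority number first."""
    ip, net = ip_address(dest_ip), ip_network(vnet)
    for r in sorted(rules + DEFAULTS, key=lambda r: r["priority"]):
        if (r["protocol"] in ("*", protocol) and port_matches(r["ports"], port)
                and dest_matches(r["dest"], ip, net)):
            return r["access"], r["name"]
    return "Deny", None

# Constructed sample: the subnet-only NSG described above, then the fix.
LOCKED_DOWN = [
    rule("AllowSubnetOut", 100, "Allow", "*", "10.0.1.0/24", "*"),
    rule("DenyAllOut", 4096, "Deny", "*", "*", "*"),
]
ALLOW_HTTPS = rule("AllowHttpsOut", 200, "Allow", "Tcp", "Internet", "443")
ENDPOINT = "203.0.113.10"  # documentation address standing in for an Internet host
```

Calling `outbound_decision(LOCKED_DOWN, ENDPOINT, 443)` names the deny rule that would stall extension provisioning; adding `ALLOW_HTTPS` at a lower priority number than the deny rule flips the decision for port 443 only.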