Allow network security to allow or deny other network security groups
Amazon Web Services allows a security group to allow or deny other security groups (including itself). This allows you to easily group NICs (VMs) into the same "VLAN", or to allow one "server role" to access another "server role" (for example allow the WAP security group to access the ADFS security group)
Mario Lopez [MSFT] commented
This is also on our roadmap for NSGs with the grouping mechanism for easy NSG Rule definition.
Thanks for suggesting we'll keep you informed.