IPSEC VPN with Azure NSGs

Hi All,

I wonder if anyone can help with this :

Do i require inbound Azure NSG rules from the SRC to DST networks over the Azure NSG

Or do I require The External IP going to the internal DST and other way around for inbound NSG ?

I dont see why I would need the internal to internal NSGs as those packets should be encrypted ?