@WinTechie, Azure Bastion is a fully managed platform PaaS service from Azure that is hardened internally to provide you with secure RDP/SSH connectivity. You don't need to apply any NSGs to the Azure Bastion subnet. Because Azure Bastion connects to your virtual machines over private IP, you can configure your NSGs to allow RDP/SSH from Azure Bastion.
Ref: https://zcusa.951200.xyz/en-us/azure/bastion/bastion-overview
But, if you choose to use an NSG with your Azure Bastion resource, you must create all of the following ingress and egress traffic rules. Omitting any of the following rules in your NSG will block your Azure Bastion resource from receiving necessary updates in the future and therefore open up your resource to future security vulnerabilities.
Azure Bastion opens the RDP/SSH connection to your Azure virtual machine using private IP. So, 3389/22 are a must.
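An added example, not part of the original answer: a check of a VM-side NSG, with rules in the field layout of `az network nsg rule list` output, that 22/3389 are not denied from the Bastion subnet and not allowed from anywhere else. The subnet prefix 10.0.1.0/26, the rule names and both sample rule sets are constructed, and service tags are not resolved.

```python
import ipaddress

# Constructed sample rules; assumed Bastion subnet 10.0.1.0/26, invented rule names.
# A result of None means no custom rule matched, so Azure's default rules apply.
BASTION = "10.0.1.0/26"
HARDENED = [
    {"name": "allow-bastion", "priority": 100, "direction": "Inbound",
     "access": "Allow", "sourceAddressPrefix": BASTION,
     "destinationPortRanges": ["22", "3389"]},
    {"name": "deny-other-mgmt", "priority": 200, "direction": "Inbound",
     "access": "Deny", "sourceAddressPrefix": "*",
     "destinationPortRanges": ["22", "3389"]},
]
WEAK = [  # RDP open to any source, not only to Bastion
    {"name": "allow-rdp-any", "priority": 100, "direction": "Inbound",
     "access": "Allow", "sourceAddressPrefix": "*",
     "destinationPortRange": "3389"},
]

def port_matches(rule, port):
    ranges = (rule.get("destinationPortRanges") or []) + [rule.get("destinationPortRange")]
    return any(r == "*" or int(r.split("-")[0]) <= port <= int(r.split("-")[-1])
               for r in ranges if r)

def source_matches(rule, src_ip):
    prefix = rule.get("sourceAddressPrefix") or "*"
    try:
        return prefix == "*" or ipaddress.ip_address(src_ip) in ipaddress.ip_network(prefix)
    except ValueError:
        return False  # service tags are not resolved in this example

def effective_access(rules, src_ip, port):
    # NSG evaluation: the lowest priority number that matches decides.
    inbound = [r for r in rules if r["direction"] == "Inbound"]
    for r in sorted(inbound, key=lambda r: r["priority"]):
        if source_matches(r, src_ip) and port_matches(r, port):
            return r["access"]
    return None

def audit(rules, bastion_prefix=BASTION, other_ip="10.0.2.50"):
    bastion_ip = str(next(iter(ipaddress.ip_network(bastion_prefix).hosts())))
    findings = []
    for port in (22, 3389):
        if effective_access(rules, bastion_ip, port) == "Deny":
            findings.append(f"{port}: blocked from Bastion subnet")
        if effective_access(rules, other_ip, port) == "Allow":
            findings.append(f"{port}: allowed from outside the Bastion subnet")
    return findings
```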