In an Azure network security group, is denying all traffic before the "AllowVnetInbound" and "AllowAzureLoadBalancerInbound" rules good practice?
The only real reason to do this is if you want to ensure that you are in complete control of the rules governing traffic flow, and not defaulting into using the built-in rules. In the scenario you showed, intra-vnet traffic is not allowed, as the "AllowVnetInboundTraffic" rule is blocked. You would then need to explicitly define any rules you want to allow traffic between machines on the same (or peered) vNets, if you apply this rule to a subnet.
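The shadowing effect described in the answer can be checked with a small first-match evaluator. This is an added example, not part of the original answer and not Azure's own code. The built-in rule names and priorities are Azure's defaults; the VNet address space, the custom rule names and their priorities are constructed, and only source and destination port are modelled.

```python
import ipaddress
from typing import NamedTuple

VNET_SPACE = ipaddress.ip_network("10.0.0.0/16")        # assumed VNet address space
AZURE_LB_PROBE = ipaddress.ip_address("168.63.129.16")  # source IP of Azure LB health probes

class Rule(NamedTuple):
    priority: int  # lower number is evaluated first; custom rules use 100-4096
    name: str
    source: str    # "*", "VirtualNetwork", "AzureLoadBalancer" or a CIDR
    port: str      # "*" or a single destination port
    access: str    # "Allow" or "Deny"

# Built-in inbound rules present in every NSG; they can be overridden but not deleted.
DEFAULT_RULES = [
    Rule(65000, "AllowVnetInBound", "VirtualNetwork", "*", "Allow"),
    Rule(65001, "AllowAzureLoadBalancerInBound", "AzureLoadBalancer", "*", "Allow"),
    Rule(65500, "DenyAllInBound", "*", "*", "Deny"),
]

def source_matches(rule_source, src_ip):
    ip = ipaddress.ip_address(src_ip)
    if rule_source == "*":
        return True
    if rule_source == "VirtualNetwork":  # simplified: the real tag also covers peered VNets
        return ip in VNET_SPACE
    if rule_source == "AzureLoadBalancer":
        return ip == AZURE_LB_PROBE
    return ip in ipaddress.ip_network(rule_source)

def evaluate(custom_rules, src_ip, port):
    """Return (access, rule name) of the first match in ascending priority order."""
    for rule in sorted(custom_rules + DEFAULT_RULES):
        if source_matches(rule.source, src_ip) and rule.port in ("*", str(port)):
            return rule.access, rule.name
    raise AssertionError("unreachable: DenyAllInBound matches everything")

# Constructed rule sets: a deny-all placed ahead of the defaults, then the same
# NSG with the explicit allows that the deny-all makes necessary.
DENY_ALL = [Rule(4096, "DenyAll", "*", "*", "Deny")]
EXPLICIT = DENY_ALL + [
    Rule(200, "AllowAppSubnetSql", "10.0.1.0/24", "1433", "Allow"),
    Rule(210, "AllowLbProbe", "AzureLoadBalancer", "*", "Allow"),
]

if __name__ == "__main__":
    for label, rules in (("defaults only", []), ("deny-all", DENY_ALL), ("explicit", EXPLICIT)):
        print(label, evaluate(rules, "10.0.1.4", 1433), evaluate(rules, "168.63.129.16", 80))
```

With only `DENY_ALL` in place, load balancer health probes are dropped along with intra-VNet traffic, so an explicit probe allow is needed if the subnet sits behind a load balancer.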