Azure Virtual Machine has no public IP yet can access the internet

azure, azure-networking

I have a Virtual Machine which is connected to a Virtual Network. The Virtual Network has 2 attached devices, a Virtual Network Gateway and a Network Interface.

Only the Virtual Network Gateway has a Public IP address (apparently used so Point-to-Site can access it).

The Virtual Network has two Subnets, a Gateway Subnet so I can VPN to it and an "Internal Subnet" one used to connect azure resources to each other internally.

So the configuration for the Virtual Machine shows no Public IP address, but it does show the Virtual Network it is connected to.

So how come my Virtual Machine can still connect to the outside world?

If I do an ifconfig it shows:

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
    inet 192.168.10.4  netmask 255.255.255.0  broadcast 192.168.10.255
    inet6 fe80::222:48ff:fe07:e7da  prefixlen 64  scopeid 0x20<link>
    ether 00:22:48:07:e7:da  txqueuelen 1000  (Ethernet)
    RX packets 47292  bytes 58161743 (58.1 MB)
    RX errors 0  dropped 0  overruns 0  frame 0
    TX packets 14277  bytes 2886277 (2.8 MB)
    TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

So clearly it shows it is connected to my subnet in the Virtual Network via the Network Interface which has no Public IP.

I wonder because, when I set up the Network Security Group, I allowed port 22 so I could SSH through my VPN, and the NSG says this is exposed to the outside world. Is it the NSG that is still allowing the internet in, or the fact that I've allowed port 80 on the NSG? If so, do I even need an NSG to open these ports if I'm connecting through the Virtual Network Gateway?

How do I only expose port 22 to my internal subnets (a.k.a my Virtual Network Gateway) and not the outside world?

Best Answer

It uses NAT to connect to the outside world, the same as most home PCs do. If you look at your own PC, you will most likely find that it also uses a private address. Basically, the router forwards the connection to the destination; for the target host, the connection seems to originate from the router.

This usually works well. What is difficult is the other way: if you want outside hosts to connect to the host that doesn't have a public address.
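The inbound side of the question (a port 22 rule that "is exposed to the outside world" versus one limited to the internal subnet and VPN clients) can be reasoned through with a small model of how an NSG picks the rule that applies to a packet. This is an added example, not code from the question or the answer: the address ranges (a 192.168.0.0/16 VNet and a 172.16.0.0/24 Point-to-Site client pool) are constructed, and service-tag membership is simplified to "inside the VNet ranges" for VirtualNetwork and "outside them" for Internet.

```python
import ipaddress
from dataclasses import dataclass
# Constructed assumption: the VNet address space plus the P2S VPN client pool.
VNET_RANGES = [ipaddress.ip_network("192.168.0.0/16"),
               ipaddress.ip_network("172.16.0.0/24")]

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int   # lower value is evaluated first
    access: str     # "Allow" or "Deny"
    source: str     # CIDR, "VirtualNetwork", "Internet" or "*"
    port: object    # a port number or "*"

# Azure's built-in inbound rules that matter for a VM behind no load balancer.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Allow", "VirtualNetwork", "*"),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*"),
]
def in_vnet(src_ip: str) -> bool:
    ip = ipaddress.ip_address(src_ip)
    return any(ip in net for net in VNET_RANGES)

def source_matches(src_ip: str, source: str) -> bool:
    if source == "*":
        return True
    if source == "VirtualNetwork":
        return in_vnet(src_ip)
    if source == "Internet":
        return not in_vnet(src_ip)
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(source)

def first_match(rules, src_ip: str, dst_port: int) -> Rule:
    """NSG semantics: rules are tried in ascending priority; the first match wins."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if source_matches(src_ip, rule.source) and rule.port in ("*", dst_port):
            return rule
    raise AssertionError("DenyAllInBound should always match")

def reachable(rules, src_ip: str, dst_port: int, has_public_ip: bool) -> bool:
    """Traffic gets in only if an inbound path exists AND the NSG allows it; with
    no public IP (and no load balancer) Internet sources have no path at all."""
    if not in_vnet(src_ip) and not has_public_ip:
        return False
    return first_match(rules, src_ip, dst_port).access == "Allow"

# Portal-style "SSH from Any" rule, as the asker describes, versus one whose source is
# the VirtualNetwork service tag (Azure CLI: --source-address-prefixes VirtualNetwork).
OPEN_SSH = [Rule("SSH", 300, "Allow", "*", 22)] + DEFAULT_INBOUND
VNET_SSH = [Rule("SSH-from-VNet", 300, "Allow", "VirtualNetwork", 22)] + DEFAULT_INBOUND
```

Running `reachable` over the two rule sets shows that the "from Any" rule only becomes a real exposure once a public IP (or load balancer) gives the Internet an inbound path, and that the built-in AllowVnetInBound rule already admits VNet and VPN sources on port 22, so the tightened rule is what to keep if a custom SSH rule is wanted at all.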
