How to connect Azure Web Application (App Service/Website) to Network Security Group?

I'm not sure if I'm missing something simple, or if I'm trying to do the impossible.

I have a Tomcat site deployed on Azure using the Web+Mobile App Services model. This is NOT a VM. I would like to be able to apply firewall rules (network security group) to this App Service.

Here is what I have done within my Resource Group:

1. Taken my existing App Service (Tomcat) and upgraded it to S1 machine size.
2. Created a VNET with default settings. This included creating a subnet named "default". All address space suggestions were left at Azure default prompts.
3. Used the Network settings blade on the App Service to select the VNET I just created.
4. Created a Network Security Group - added an incoming rule to deny HTTP port 80 from ANY source.
5. Associated NSG created above with the default subnet
6. Waited for everything to propogate
7. Tested hitting the App Service on HTTP Port 80, and got results returned.

This was not what I was hoping to see. To debug this I tested:

1. Create a Tomcat Virtual Machine
2. On the VM Network blade, associated the VM with the "default" subnet, and specifically removed the Network Security Group from the VM (leaving it on the subnet - just making sure it's not explicitly attached to the VM)
3. Tested HTTP access to the VM - traffic rejected
4. Tested HTTP access to the App Service - traffic still permitted
5. Changed the Network Security Group rule to allow
6. Tested HTTP access to the VM and traffic permitted

How do I get the App Service to use the Network Security Group the way the Virtual Machine does? Am I missing somewhere how to configure the subnet on the App Service? Is there another way to associate the NSG with the App Service?

I don't have budget/need to build an ASE. All I need to do is put a firewall in front of my App Service to block out the ports I'm not wanting to see used.

Thanks.