The NetworkTrafficRules element specifies how a role communicates with other roles. More precisely, it limits which roles can access the internal endpoints of a given role.
The NetworkTrafficRules element is not a standalone element; it is used in combination with a WebRole or a WorkerRole. NetworkTrafficRules may be provided for more than one role.
A template of a NetworkTrafficRules element looks like this:
<ServiceDefinition ...>
  <NetworkTrafficRules>
    <OnlyAllowTrafficTo>
      <Destinations>
        <RoleEndpoint endpointName="<name-of-the-endpoint>"
                      roleName="<name-of-the-role-containing-the-endpoint>"/>
      </Destinations>
      <AllowAllTraffic/>
      <WhenSource matches="[AnyRule]">
        <FromRole
          roleName="<name-of-the-role-to-allow-traffic-from>...
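
The Python below is an added example, not code from the original page or from Microsoft's tooling: it audits a service definition and reports, for each internal endpoint, which roles its NetworkTrafficRules let through. The sample definition is constructed with made-up role and endpoint names and is trimmed to the elements the audit reads. The code assumes the standard ServiceDefinition namespace, that an endpoint named in no rule is reachable from every role, and that sources from several rules for the same endpoint are combined.

```python
import xml.etree.ElementTree as ET

NS = {"sd": "http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceDefinition"}

# Constructed sample; names are made up and the roles are trimmed to what the audit reads.
SAMPLE_CSDEF = """<ServiceDefinition name="Demo"
    xmlns="http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceDefinition">
  <WebRole name="Frontend"/>
  <WorkerRole name="Orders">
    <Endpoints><InternalEndpoint name="OrdersApi" protocol="tcp"/></Endpoints>
  </WorkerRole>
  <WorkerRole name="Billing">
    <Endpoints>
      <InternalEndpoint name="BillingApi" protocol="tcp"/>
      <InternalEndpoint name="Metrics" protocol="tcp"/>
    </Endpoints>
  </WorkerRole>
  <NetworkTrafficRules>
    <OnlyAllowTrafficTo>
      <Destinations><RoleEndpoint endpointName="OrdersApi" roleName="Orders"/></Destinations>
      <WhenSource matches="AnyRule"><FromRole roleName="Frontend"/></WhenSource>
    </OnlyAllowTrafficTo>
    <OnlyAllowTrafficTo>
      <Destinations><RoleEndpoint endpointName="BillingApi" roleName="Billing"/></Destinations>
      <AllowAllTraffic/>
    </OnlyAllowTrafficTo>
  </NetworkTrafficRules>
</ServiceDefinition>"""

def audit_internal_endpoints(csdef_xml):
    """Map (role, endpoint) -> sorted list of allowed source roles, or "ANY"."""
    root = ET.fromstring(csdef_xml)
    roles = root.findall("sd:WebRole", NS) + root.findall("sd:WorkerRole", NS)
    endpoints = {(r.get("name"), e.get("name")) for r in roles
                 for e in r.findall("sd:Endpoints/sd:InternalEndpoint", NS)}
    restricted, opened = {}, set()
    for rule in root.findall("sd:NetworkTrafficRules/sd:OnlyAllowTrafficTo", NS):
        sources = {f.get("roleName") for f in rule.findall("sd:WhenSource/sd:FromRole", NS)}
        for dest in rule.findall("sd:Destinations/sd:RoleEndpoint", NS):
            key = (dest.get("roleName"), dest.get("endpointName"))
            if rule.find("sd:AllowAllTraffic", NS) is not None:
                opened.add(key)  # rule exists but does not narrow the sources
            else:
                restricted.setdefault(key, set()).update(sources)
    # Assumption: no rule, or an AllowAllTraffic rule, means any role can connect.
    return {k: "ANY" if k in opened or k not in restricted else sorted(restricted[k])
            for k in endpoints}
```

Endpoints reported as "ANY" are the ones to review: they either have no rule at all or sit under AllowAllTraffic.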