You can associate or dissociate a network security group from a network interface or subnet.
The NSG has the appropriate rule to block users from accessing the Internet. We just need to associate it with Subnet1.
Reference:
https://docs.microsoft.com/en-us/azure/virtual-network/manage-network-security-group