brute force – Hacking attemps from unkown source

These requests are coming from your private network, not from the public internet.

172.20.76.173 is part of the 172.16.0.0/12 subnet, which is dedicated for private networks. See https://en.wikipedia.org/wiki/Private_network for more info.

Is it possible that the security policy that you created is only applied to the public interface, and not the private interface?