...
Many networked Azure services provide access control through a resource firewall. When we turn on the resource firewall on the services, it will generate a default deny rule.
Or, we can allow access from public IP addresses : for example, an IP address from on-premises infra (1.2.3.4).
...
How to manage access for VNet :
...
Example of design:
...