aks-zero-trust-infrastructure-inheritance

Status: OUT

AKS deployed in a custom VNet inherits the full Azure zero-trust infrastructure stack. The control plane NSG rules (TCP 443, 4443, 9988) operate within a dual-layer filtering model: the foundational infrastructure IP 168.63.129.16, which serves both DNS resolution and health probes, must be preserved while all other traffic defaults to deny. The result is a four-layer dependency chain from infrastructure IP through network filtering to control plane access.
