azure-default-deny-spans-governance-and-network

Status: IN

Azure default-deny enforcement spans both the governance and network layers through independent mechanisms. The network layer closes traffic by default (Standard LB inbound + storage firewall), while governance uses Policy's explicit-deny system with cumulative most-restrictive evaluation. Both cascade through separate hierarchies (subnet/NSG vs management group tree) and must be independently opened.
