azure-network-isolation-infrastructure-to-paas

Status: OUT

Azure provides end-to-end network isolation from infrastructure to individual PaaS instances: the zero-trust infrastructure stack (default-deny LB + NSG dual filtering + infrastructure IP preservation) secures the VNet perimeter, while Private Link (backbone routing + per-resource mapping + private DNS) extends isolation to individual service instances with no public internet traversal.
