Status: OUT
Azure networking enforces zero trust at two orthogonal layers. The first is a foundational infrastructure IP (168.63.129.16) that must be preserved for DNS and health probes. The second is a dual-layer filtering model (load balancer default-deny plus NSG statefulness) that blocks all other traffic by default. The result is a posture in which infrastructure services are implicitly trusted, while application traffic requires explicit allowlisting at both layers.
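The following is an added example, not code from the original page or from Azure: a simplified inbound NSG evaluator that checks whether a custom rule set still lets 168.63.129.16 reach a health-probe port and flags allow-all rules. It assumes first-match-by-priority evaluation, models only source and destination port, and uses hypothetical rule names and constructed rule sets.

```python
import ipaddress

PLATFORM_IP = "168.63.129.16"  # Azure infrastructure IP named in the text
# Source tags this simplified model understands (assumption: only these two).
TAGS = {"AzureLoadBalancer": [PLATFORM_IP + "/32"], "*": ["0.0.0.0/0"]}

# Azure's default inbound rules; the VirtualNetwork default allow is not modelled.
DEFAULT_INBOUND = [
    {"name": "AllowAzureLoadBalancerInBound", "priority": 65001,
     "source": "AzureLoadBalancer", "port": "*", "access": "Allow"},
    {"name": "DenyAllInBound", "priority": 65500,
     "source": "*", "port": "*", "access": "Deny"},
]

def matches(rule, src_ip, port):
    """True if the rule's source prefix contains src_ip and its port covers port."""
    prefixes = TAGS.get(rule["source"], [rule["source"]])
    addr = ipaddress.ip_address(src_ip)
    in_src = any(addr in ipaddress.ip_network(p) for p in prefixes)
    return in_src and rule["port"] in ("*", port)

def evaluate(custom_rules, src_ip, port):
    """Return (access, rule_name) of the first match, lowest priority number first."""
    for rule in sorted(custom_rules + DEFAULT_INBOUND, key=lambda r: r["priority"]):
        if matches(rule, src_ip, port):
            return rule["access"], rule["name"]
    return "Deny", None  # not reached: DenyAllInBound matches everything

def audit(custom_rules, probe_port):
    """Flag rules that cut off the platform IP or bypass explicit allowlisting."""
    findings = []
    access, name = evaluate(custom_rules, PLATFORM_IP, probe_port)
    if access == "Deny":
        findings.append(f"{name} blocks {PLATFORM_IP} on port {probe_port}")
    for r in custom_rules:
        if r["access"] == "Allow" and r["source"] == "*" and r["port"] == "*":
            findings.append(f"{r['name']} allows any source on any port")
    return findings

# Constructed sample rule sets (hypothetical names and priorities).
GOOD = [{"name": "AllowHttps", "priority": 100, "source": "*", "port": 443, "access": "Allow"}]
BAD = [{"name": "DenyEverything", "priority": 200, "source": "*", "port": "*", "access": "Deny"},
       {"name": "AllowAll", "priority": 300, "source": "*", "port": "*", "access": "Allow"}]

if __name__ == "__main__":
    for label, rules in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, audit(rules, probe_port=80))
```

In the `BAD` set the broad deny at priority 200 is evaluated before the default load balancer allow at 65001, so health probes from 168.63.129.16 are dropped even though the default rule is still present.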