Status: OUT
End-to-end workload isolation from infrastructure network layer through secrets delivery is achievable independently of compute substrate: the zero-trust infrastructure stack (default-deny LB + NSG filtering) extends via Private Link to PaaS boundaries, and both AKS and App Service inject secrets through the same Key Vault + managed identity stack operating within that isolation boundary — creating a continuous isolation chain from network edge to application runtime.