Status: IN
VNet service endpoints are triple-constrained: ARM-only (no classic deployments), subnet-scoped (each subnet independently enabled), and inaccessible from on-premises — requiring IP-based whitelisting for any hybrid connectivity to service-endpoint-secured resources.