It can be confusing to work out which route traffic takes to reach PaaS resources.

Without a Private Link or Service Endpoint, traffic goes straight out to the Internet and on to the PaaS service. Public access must be allowed in the PaaS service firewall.

If you turn on a Service Endpoint, traffic now routes from your network to the PaaS resource with an IP from your VNet. You need to allow the VNet access to your resource, which is more secure.

If you add custom DNS and set up a private link, traffic still won't use it while the Service Endpoint is enabled. You need to remove the Service Endpoint to force the traffic onto the custom DNS / private link route, after which you can remove the VNet from the firewall. Traffic then routes through the approved private link directly, with no firewall filtering needed.

This got confusing: someone turned on a service endpoint and it broke the firewalls, even though the private endpoints were still in place.
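One way to catch the situation described above before it breaks anything is to look for subnets that have a Service Endpoint enabled for a service that the same VNet also reaches through a private endpoint. This is an added example, not code from the original page; it assumes the field names found in the JSON output of `az network vnet subnet list` and `az network private-endpoint list`, and every resource name and ID in the sample data is constructed.

```python
# Private endpoint target provider -> matching Service Endpoint name.
PROVIDER_TO_SERVICE = {
    "microsoft.storage": "Microsoft.Storage",
    "microsoft.sql": "Microsoft.Sql",
    "microsoft.keyvault": "Microsoft.KeyVault",
}

# Constructed sample data (hypothetical names), trimmed to the fields used.
RG = "/subscriptions/0000/resourceGroups/rg-app/providers"
VNET = RG + "/Microsoft.Network/virtualNetworks/vnet-app"
SUBNETS = [
    {"name": "snet-web", "id": VNET + "/subnets/snet-web",
     "serviceEndpoints": [{"service": "Microsoft.Storage"}]},
    {"name": "snet-db", "id": VNET + "/subnets/snet-db",
     "serviceEndpoints": [{"service": "Microsoft.Sql"}]},
    {"name": "snet-pe", "id": VNET + "/subnets/snet-pe", "serviceEndpoints": None},
]
PRIVATE_ENDPOINTS = [
    {"name": "pe-blob", "subnet": {"id": VNET + "/subnets/snet-pe"},
     "privateLinkServiceConnections": [
         {"privateLinkServiceId": RG + "/Microsoft.Storage/storageAccounts/stappdata"}]},
]

def vnet_of(subnet_id):
    """VNet resource ID (lower-cased) that a subnet ID belongs to."""
    return subnet_id.lower().split("/subnets/")[0]

def service_of(target_id):
    """Service Endpoint name for a private link target, or None if unmapped."""
    provider = target_id.lower().split("/providers/")[-1].split("/")[0]
    return PROVIDER_TO_SERVICE.get(provider)

def find_conflicts(subnets, private_endpoints):
    """Return (subnet, service, [private endpoints]) where both paths exist."""
    by_vnet = {}
    for pe in private_endpoints:
        conns = (pe.get("privateLinkServiceConnections") or []) + \
                (pe.get("manualPrivateLinkServiceConnections") or [])
        for conn in conns:
            svc = service_of(conn["privateLinkServiceId"])
            if svc:
                key = (vnet_of(pe["subnet"]["id"]), svc)
                by_vnet.setdefault(key, []).append(pe["name"])
    findings = []
    for sn in subnets:
        for se in sn.get("serviceEndpoints") or []:
            names = by_vnet.get((vnet_of(sn["id"]), se["service"]))
            if names:
                findings.append((sn["name"], se["service"], sorted(names)))
    return findings
```

Each finding is a subnet to review: either remove its Service Endpoint so traffic takes the private link route, or keep the VNet rule in the PaaS firewall.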