Forum Discussion
What would be the expected behavior for an NSP?
I'm using a network security perimeter in Azure.
In the perimeter there are two resources assigned: a Storage Account and an Azure SQL Database.
I'm using BULK INSERT dbo.YourTable FROM 'sample_data.csv' to get data from the storage account.
The NSP is enforced for both resources, so public connectivity is denied for resources outside the perimeter.
I have experienced this behavior: the Azure SQL CANNOT access the storage account when I run the command. I resolved it using:
1. I need to add an outbound rule in the NSP to reach the storage FQDN
2. I need to add an inbound rule in the NSP to allow the public IP of the Azure SQL
When I do 1 and 2, Azure SQL is able to pump data from the storage.
IMHO this is not the expected behavior for two resources in the NSP. I expect that, as they are in the same NSP, they can communicate with each other.
I have experienced a different behavior when using Key Vault in the same NSP. I'm using the Key Vault to get the keys for encryption for the same storage. For the Key Vault, I didn't have to create any rule to make it able to communicate with the storage, as they are in the same NSP.
I know Azure SQL is in preview for NSP and Key Vault is GA, but I want to ask whether the experienced behavior (the SQL CANNOT connect to the storage even if in the same NSP) is due to an unstable or unimplemented feature, or whether I'm missing something. What is the expected behavior?
Thank you community!!
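An added example, not code from the original post: the full form of the BULK INSERT the question refers to, with the storage account addressed through an external data source so that the storage FQDN the outbound NSP rule has to allow is visible in the SQL itself. It assumes a managed-identity credential (the post does not say how SQL authenticates to storage) and uses placeholder names for the storage account, container, credential, data source and table. The perimeter rules the post describes live on the NSP, not in the database; this script does not create them.

```sql
-- Added example (not from the original post). Names are placeholders.

-- 1. Credential: the SQL server's managed identity (assumed; the post does not
--    say which credential it uses). That identity needs read access to the
--    blobs, e.g. the Storage Blob Data Reader role on the account.
CREATE DATABASE SCOPED CREDENTIAL nsp_storage_msi
WITH IDENTITY = 'Managed Identity';
GO

-- 2. External data source pointing at the storage account's blob FQDN.
--    This FQDN is the one the outbound NSP rule in the post has to allow.
CREATE EXTERNAL DATA SOURCE nsp_storage
WITH (
    TYPE       = BLOB_STORAGE,
    LOCATION   = 'https://examplestorageacct.blob.core.windows.net/imports',
    CREDENTIAL = nsp_storage_msi
);
GO

-- 3. Target table (constructed sample schema; the CSV has id,name columns
--    with a header row).
CREATE TABLE dbo.YourTable (
    id   INT           NOT NULL,
    name NVARCHAR(100) NOT NULL
);
GO

-- 4. The load. Without DATA_SOURCE the FROM path would be resolved on the
--    SQL host, not in the storage account.
BULK INSERT dbo.YourTable
FROM 'sample_data.csv'
WITH (
    DATA_SOURCE     = 'nsp_storage',
    FORMAT          = 'CSV',
    FIRSTROW        = 2,        -- skip the header row
    FIELDTERMINATOR = ',',
    ROWTERMINATOR   = '0x0a'
);
GO

-- 5. Checks: confirm which FQDN the data source resolves to (compare it with
--    the outbound NSP rule) and that rows actually arrived. If the load fails
--    because the file cannot be opened, the network path (the NSP rules the
--    post describes) is the first thing to inspect, not the SQL.
SELECT name, location
FROM sys.external_data_sources
WHERE name = 'nsp_storage';

SELECT COUNT(*) AS rows_loaded
FROM dbo.YourTable;
```

The LOCATION in step 2 is exactly the FQDN the post's outbound rule has to cover, which is a convenient way to check that the rule and the data source agree before testing the load.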
1 Reply
The expected behavior of a Network Security Perimeter (NSP) is that resources inside the same perimeter should be able to communicate with each other without additional public inbound/outbound rules. However, because Azure SQL Database support for NSP is still in preview, the seamless communication you observed with Key Vault (GA) is not yet fully implemented for SQL. What you are seeing, having to add explicit rules for SQL to reach Storage, is a limitation of the preview state, not the final intended design.
Network Security Perimeter for Azure Storage | Microsoft Learn
Network Security Perimeter - Azure SQL Database | Microsoft Learn