PaaS Resources Should All Have Private IP Option
One of the biggest concerns for companies is moving data to publicly accessible resources. Most companies are going to be hybrid cloud for a while as well. They also have sites that access sensitive data.
The game changer for Azure is to allow all storage (data lake store, storage accts, etc.) and app services (besides paying for an ASE) to be private IP with VNET integration...
All of the AWS breaches are from people exposing storage publicly. This same concern lies within Azure blob storage as well. Even worse, Azure blob storage doesn't have the same firewall settings as Data Lake Store, and the blob containers don't have ARM REST API properties to create Azure policies to prevent this from happening.
The ultimate solution is to just allow all of these to have private IPs with custom host names so that they don't even have a public endpoint.
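As an added illustration of the preventive control the post above is asking for (not part of the original post, and relying on storage-account-level policy aliases that Azure has since exposed; their availability is assumed here, the post says they were missing at the time), this custom Azure Policy definition denies creating or updating a storage account unless anonymous blob access is off, the network firewall defaults to Deny, and public network access is disabled, which is what forces traffic through private endpoints:

```json
{
  "properties": {
    "displayName": "Deny storage accounts reachable from the public internet",
    "policyType": "Custom",
    "mode": "Indexed",
    "description": "Blocks storage accounts that allow anonymous blob access, default-allow network ACLs, or public network access.",
    "parameters": {},
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Storage/storageAccounts"
          },
          {
            "anyOf": [
              {
                "field": "Microsoft.Storage/storageAccounts/allowBlobPublicAccess",
                "notEquals": false
              },
              {
                "field": "Microsoft.Storage/storageAccounts/networkAcls.defaultAction",
                "notEquals": "Deny"
              },
              {
                "field": "Microsoft.Storage/storageAccounts/publicNetworkAccess",
                "notEquals": "Disabled"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }
  }
}
```

The `notEquals` comparisons deliberately match a missing property as well as an explicit permissive value, so an ARM template that omits the setting is denied rather than silently inheriting the public default; assign the definition with the `audit` effect first to enumerate existing non-compliant accounts before switching to `deny`.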
Tyler Hoyt commented
I agree that this is a critical requirement. We were happy to see that the Azure-hosted Postgres component was available now, and included many of the features needed for security compliance. However, we can't use it because it must be hosted on the public internet.
The firewall feature is an inadequate substitute for a service to be hosted in a private subnet, but we couldn't even use it because we don't have control over the public IPs that Azure NATs assign to outgoing internet traffic from inside our Azure cloud.