Allow VM Extension to talk directly to vault without internet access
Many customers do not want to grant their IaaS VMs direct access to the internet. Forced tunneling prevents the Azure Backup Service from protecting Azure IaaS VMs. If the Azure Backup VM Extension were allowed to talk directly to the Recovery Service Vault through internal traffic in the datacenter, VMs would not need Internet access for backups to complete successfully.
Andrew Herbert commented
Totally agree - whilst it's getting 'easier' to make functionality such as this work using Firewall appliances, it's less than ideal, and sadly isn't limited to Azure Backup - we have the same problem with Key Vault (used to encrypt the VMs and as an EKM for SQL TDE) and even basic VM Extension installation, which needs to pull the installation files from storage via the internet.