I would like to be able to create a policy and apply it to subscription(s), that would block any created resource from being able to be reached from the public internet. I want my developers to be able to experiment and try out different resources, but I don't want to put my network at risk while they experiment.
Right now I have to play wack-a-mole and identify all the different resources that could get a public IP and create policy around that resource.
I believe it would be in Microsoft's best interest to create a policy that one could apply to a subscription to block all public access as a measure of putting security first and not leaving the potential for public exposure of its customers.