@Ayan Mullick, on enabling Service Endpoints, the traffic remains in the Microsoft backbone network, allowing access to PaaS resources only from its own VNet, but the PaaS endpoint is still accessed via the public IP of the service. So, when you select Allow for a particular VNet in the "access restriction" policy, your app will be accessed only by resources that are deployed in that particular VNet. Consequently, the operating principle of the VNet Service Endpoints does not extend to the on-premises world, even in the presence of connectivity with Azure (VPN or ExpressRoute).
But by deploying Azure Private Link you can instead access the PaaS resources via a private IP address of your VNet, which is potentially also accessible from:
- On-premises systems via Azure ExpressRoute private peering or Azure VPN gateways.
- Systems on a VNet in peering.