@Mike-E-angelo here are the answers:
For now, in AKV you have 2 ways of controlling network access:
Option #1:
KV Firewall --> If enabled (Selected networks), it's basically a Deny All except for what is whitelisted. You may only whitelist Azure Virtual Networks and/or Public IPs, since Private IPs are not supported at this time.
We conclude that:
If Firewall is enabled, only whitelisted VNets + whitelisted Public IPs + Private Endpoint (PE) will access your AKV.
If Firewall's disabled, everything will access your AKV, basically an Allow All.
Option #2:
PublicNetworkAccess (PNA) property --> This feature allows you, by simply enabling/disabling it, to decide whether you want to restrict public traffic at all or not. Basically, the same as you see on Storage.
PNA precedes the Firewall, so if set to 'Disabled', it will make the Service ignore any Firewall rule you may have to whitelist Public IPs.
With PNA set to enabled, you ensure that only incoming private traffic will be allowed, for instance PE.
PNA was fairly recently added to our Service; for that reason, we don't yet support the portal option. However, this will soon be added to the GUI and deployment interfaces. Changes are meant to be pushed during August.
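
The precedence described in the reply above (PNA 'Disabled' overrides the firewall, and the firewall is deny-all-except-allowlist) can be checked against an exported vault configuration. The following is an added example, not part of the original reply or Microsoft's code. The function name `evaluate` is hypothetical, the field names follow the ARM `Microsoft.KeyVault/vaults` properties schema, and it assumes PNA 'Disabled' overrides VNet rules as well as public IP rules.

```python
import ipaddress

def evaluate(props, *, source_ip=None, subnet_id=None, private_endpoint=False):
    """Return (allowed, reason) for one request against a vault 'properties' dict."""
    # Private Endpoint traffic is allowed in every mode.
    if private_endpoint:
        return True, "private endpoint"
    # PNA precedes the firewall: 'Disabled' means allowlist rules are ignored.
    # Assumption: VNet rules are ignored here as well as public IP rules.
    if props.get("publicNetworkAccess", "Enabled").lower() == "disabled":
        return False, "publicNetworkAccess=Disabled"
    acls = props.get("networkAcls") or {}
    # Firewall disabled (defaultAction Allow) is an allow-all.
    if acls.get("defaultAction", "Allow").lower() == "allow":
        return True, "firewall disabled (allow all)"
    # Firewall enabled: deny all except allowlisted VNet subnets and public IPs.
    vnet_ids = {r["id"].lower() for r in acls.get("virtualNetworkRules", [])}
    if subnet_id and subnet_id.lower() in vnet_ids:
        return True, "allowlisted vnet subnet"
    if source_ip:
        addr = ipaddress.ip_address(source_ip)
        for rule in acls.get("ipRules", []):
            if addr in ipaddress.ip_network(rule["value"], strict=False):
                return True, "allowlisted public ip"
    return False, "firewall default deny"

# Constructed sample configurations (not taken from any real vault).
SUBNET = "/subscriptions/<sub-id>/resourceGroups/rg/providers/Microsoft.Network/virtualNetworks/vnet1/subnets/app"
FIREWALLED = {
    "publicNetworkAccess": "Enabled",
    "networkAcls": {
        "defaultAction": "Deny",
        "ipRules": [{"value": "203.0.113.0/24"}],
        "virtualNetworkRules": [{"id": SUBNET}],
    },
}
OPEN = {"publicNetworkAccess": "Enabled", "networkAcls": {"defaultAction": "Allow"}}
PNA_OFF = {**FIREWALLED, "publicNetworkAccess": "Disabled"}

if __name__ == "__main__":
    for name, vault in [("OPEN", OPEN), ("FIREWALLED", FIREWALLED), ("PNA_OFF", PNA_OFF)]:
        for req in ({"source_ip": "203.0.113.10"}, {"source_ip": "198.51.100.7"},
                    {"subnet_id": SUBNET}, {"private_endpoint": True}):
            print(name, req, evaluate(vault, **req))
```

Feeding it the `properties` object from each vault in a subscription gives a quick list of vaults that are still allow-all or that rely on IP rules which PNA would override.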