for PaaS services you need to distinguish between traffic from the network to the PaaS service (inbound for the PaaS service) and traffic from the PaaS service to the network (outbound for the PaaS service).
For inbound traffic, the PaaS service needs a private endpoint, which takes up 1 IP Address in the subnet
For outbound traffic, the PaaS service needs a complete subnet which it can use to talk to the rest of the network. Sizing of this subnet is usually not documented. I have never run into issues with a /24 subnet, but that might be a huge overkill. Please keep in mind that not all PaaS services allow outbound traffic to the network though. Fortunately, functions and logic apps (running on app service plans) can use this functionality, if you are not using the free version: https://azure.microsoft.com/en-us/pricing/details/app-service/linux/