Apologies if my answer was not clear. To summarize my answer, there is only one option currently available, and that is the first option.
1 - implement an App Service Environment (which incurs additional charges)
- The single-tenant App Service Environment (ASE) hosts Isolated SKU App Service plans directly in your Azure Virtual Network (VNet), as given in the document.
If you use the single-tenant ASE, your App Service sits in a virtual network, which can then be connected to other VNets and on-premises (using a hub-and-spoke setup if needed) and also be used to generate flow logs from its NSG.
Regarding flow logs, the NSGs would provide you with flow logs for any traffic leaving/entering the ASE VNet to any other VNet or private resource. The link that you shared is a restriction only when using Azure Private Endpoint. Please refer to this document for ASE, which has more details regarding the network setup for the same.
I hope this helps. Please let me know if you have further questions. Thank you!