We have a self-hosted agent within a DevOps VM Scale Set ("VMSS") hosted in Azure. This VMSS is tied to a VNet (VNET1), and we have separate web apps, SQL, etc. connected via VNET2.

In the middle of these there is a Key Vault with firewall/network policies allowing access from VNET1 and VNET2. However, when we try to read/write (via terraform plan) to Key Vault from the VMSS (VNET1), we are shown ForbiddenByFirewall with an external-facing IP address.

Are we missing something? Should it have an external IP? We've also tried Private Endpoints to no avail (but these also won't work for us as we have VNets bound to ServerFarms).
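An added example (not from the poster) that models the Key Vault firewall decision for a request coming from a subnet: a virtualNetworkRules entry can only match when that subnet has the Microsoft.KeyVault service endpoint enabled, otherwise the request leaves through the VM's outbound public IP and only ipRules can admit it, which is what a ForbiddenByFirewall error showing an external IP indicates. The resource IDs, addresses and subnet properties below are constructed placeholders.

```python
import ipaddress

# Constructed sample resource IDs (placeholders, not real subscriptions)
AGENT_SUBNET = "/subscriptions/SUB/resourceGroups/rg/providers/Microsoft.Network/virtualNetworks/VNET1/subnets/agents"
APP_SUBNET = "/subscriptions/SUB/resourceGroups/rg/providers/Microsoft.Network/virtualNetworks/VNET2/subnets/apps"

# Constructed Key Vault networkAcls, using the ARM property names
VAULT_NETWORK_ACLS = {
    "defaultAction": "Deny",
    "ipRules": [{"value": "203.0.113.0/24"}],
    "virtualNetworkRules": [{"id": AGENT_SUBNET}, {"id": APP_SUBNET}],
}

# Constructed subnet properties: VNET1's subnet lacks the Microsoft.KeyVault endpoint
SUBNETS = {
    AGENT_SUBNET: {"serviceEndpoints": []},
    APP_SUBNET: {"serviceEndpoints": ["Microsoft.KeyVault"]},
}


def evaluate_access(acls, subnet_id, subnet, source_public_ip):
    """Return (allowed, reason) for a request from subnet_id.

    A virtualNetworkRule only matches when the subnet has the Microsoft.KeyVault
    service endpoint; otherwise the request arrives from the VM's outbound public
    IP and only ipRules can admit it.
    """
    vnet_rule_ids = {r["id"].lower() for r in acls.get("virtualNetworkRules", [])}
    if "Microsoft.KeyVault" in subnet.get("serviceEndpoints", []):
        if subnet_id.lower() in vnet_rule_ids:
            return True, "allowed: virtualNetworkRule matched via service endpoint"
        return False, "ForbiddenByFirewall: subnet has endpoint but no vault rule"
    ip = ipaddress.ip_address(source_public_ip)
    for rule in acls.get("ipRules", []):
        if ip in ipaddress.ip_network(rule["value"], strict=False):
            return True, f"allowed: ipRule {rule['value']} matched public IP"
    if acls.get("defaultAction", "Allow") == "Allow":
        return True, "allowed: defaultAction is Allow"
    return False, (f"ForbiddenByFirewall: request came from public IP "
                   f"{source_public_ip}; service endpoint missing on subnet")


def subnets_missing_endpoint(acls, subnets):
    """List vault virtualNetworkRules whose subnet lacks the service endpoint."""
    return [r["id"] for r in acls.get("virtualNetworkRules", [])
            if "Microsoft.KeyVault" not in subnets.get(r["id"], {}).get("serviceEndpoints", [])]


if __name__ == "__main__":
    print(evaluate_access(VAULT_NETWORK_ACLS, AGENT_SUBNET, SUBNETS[AGENT_SUBNET], "198.51.100.7"))
```

Running it reports the VNET1 agent subnet as the rule whose service endpoint is missing, which is the first thing to check (alongside whether the VMSS subnet itself is the one listed in the vault rule) before concluding the error is a Key Vault bug.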