Private access without a public endpoint
You can connect privately via VPN or ExpressRoute without exposing a public IP. Virtual Private Network (VPN): private tunnel to Azure. Azure ExpressRoute: private connectivity via a dedicated connection. VM can stay private (no public endpoint). Private connectivity still uses VNet/subnet/NIC.