尝试通过 Biceps 部署 Azure Keyvault - 需要 Azure 服务绕过防火墙？

我正在使用以下二头肌模板来部署密钥保管库。关于网络配置，我希望防火墙允许来自特定 IP 范围的子网的连接。

resource kv 'Microsoft.KeyVault/vaults@2023-07-01' = {
  name: vaultName
  location: location
  properties: {
    tenantId: subscription().tenantId
    enableRbacAuthorization: true
    publicNetworkAccess: null
    enabledForDeployment: false
    enabledForDiskEncryption: false
    enabledForTemplateDeployment: false
    enableSoftDelete: true
    softDeleteRetentionInDays: 30
    sku: {
      name: 'standard'
      family: 'A'
    }
    networkAcls: {
      defaultAction: 'Deny'
      bypass: 'None'
      ipRules: [for ip in allowIps: { value:ip }]
      virtualNetworkRules: [
        {
          id: allowSubnet
        }
      ]
    }
  }
}

resource key 'Microsoft.KeyVault/vaults/keys@2023-07-01' = {
  parent: kv
  name: guid(vaultName, 'ssh-key')
  properties: {
    keySize: 4096
    keyOps: [
      'encrypt'
      'decrypt'
    ]
    kty: 'RSA'
    rotationPolicy: {
      lifetimeActions: [
        {
          trigger: {
            timeBeforeExpiry: 'P30D'
          }
          action: {
            type: 'notify'
          }
        }
        {
          trigger: {
            timeBeforeExpiry: 'P7D'
          }
          action: {
            type: 'rotate'
          }
        }
      ]
      attributes: {
        expiryTime: 'P1Y10D'
      }
    }
  }
}

当我部署这个时，我收到一条错误消息。我已编辑了保管库名称和我的用户主体 ID。剩余的应用程序 ID 是我用于部署的Azure Powershell Module。 IP 地址

20.61.103.227

属于我们的基础设施所在的 NL（西欧地区）的 Azure 数据中心。

The deployment 'main' failed with error(s). Showing 2 out of 2 error(s). Status Message: [ForbiddenByFirewall (Forbidden)] Request was not allowed by
     | NSP rules and the client address is not authorized and caller was ignored because bypass is set to None Client address: 20.61.103.227 Caller:
     | name=KeyVault/ManagementPlane;appid=1950a258-227b-4e31-a9cf-717495945fc2;oid=<MY_USER_PRINCIPAL_ID> Vault:
     | <MY_KEY_VAULT_NAME>;location=westeurope (Code:ForbiddenByFirewall)  Status Message: At least one resource deployment operation failed. Please list
     | deployment operations for details. Please see https://aka.ms/arm-deployment-operations for usage details. (Code: DeploymentFailed)  - [ForbiddenByFirewall
     | (Forbidden)] Request was not allowed by NSP rules and the client address is not authorized and caller was ignored because bypass is set to None Client address:
     | 20.61.103.227 Caller: name=KeyVault/ManagementPlane;appid=1950a258-227b-4e31-a9cf-717495945fc2;oid=<MY_USER_PRINCIPAL_ID> Vault:
     | <MY_KEY_VAULT_NAME>;location=westeurope (Code:ForbiddenByFirewall)   CorrelationId: 9e157b78-937a-4fd3-861c-3617c62efcc7

如果在库模板中我设置了

bypass: 'AzureServices'

，它就可以工作。不过，这实际上意味着，如果我想要无错误的部署，让受信任的 Azure 服务绕过保管库防火墙不再是可选的。您对此有何看法？您觉得这样可以接受吗？

此外，我是连接到白名单 IP 范围的 VPN。我不知道为什么这还不够。

任何对此的想法将不胜感激，谢谢！