Use Azure NSG and Azure Service Tags to block internet access and allow access to the Azure Portal
My client has a requirement to block internet access inside a subnet/VNet using only an NSG, and to allow connections only to the Azure Portal.
The client is using Azure Private Endpoints to enable private access to Azure Storage, Databricks and other services, hence access to other resources from within the VMs inside the VNet is working as expected.
The requirement from the security team is to lock the Azure VNet and subnet off from the internet and enable only direct Portal access.