Need an alternative approach to make the private AML Compute instance work with the terminals

Hi
We have hosted the resources in our Azure Landing Zone subscription, where public network access is disabled at the Management Group policy level, hosted with the virtual networks - private endpoints.
Our company has strictly restricted every functionality with the Azure Firewall, so we have whitelisted the required FQDNs/hosts related to AML Compute functionality mentioned in this Microsoft document:
If we allow the Service Tag in Azure Firewall, the AML Compute instance works only with the office network.
If we allow a bunch of public IPs given in this MS link, the AML Compute instance - terminals work from both the office and public network (integrated with Zscaler VPN).
My problems are:
- As mentioned in the document, the public IPs may change weekly. How do we get notifications, and isn't it hectic to update the firewall on a weekly basis, because a few companies like us have a process of raising a request to the network team to allow these Microsoft Azure public IPs in the firewall to make the virtual-network-hosted AML compute instance work?
- If Service Tags are allowed, we are unable to access the AML compute terminals over the public internet routed through the company's Zscaler VPN.