The public and private plane network
connectivity are complementary to each other: on the public plane, access is
mostly granted by public IP address assignment and IP access restriction rules,
while the private plane consolidates traffic and becomes the default path. By
placing resources in a virtual network, with a subnet for each address range,
inbound and outbound access to those resources is controlled. As resources are
assigned to subnets, their traffic can be kept within the virtual network. By
allowing inbound and outbound access only from the virtual network, resources
are no longer reachable from the internet. This improves their security, but
some resources still need public IP connectivity between them. One way to
provide internet access is a NAT gateway, which consolidates outbound traffic
behind a known public IP address or IP CIDR prefix, something that works well
with IP ACLs on the receiving side. This is the private-plane equivalent of
VNet integration on the public plane. For example, a Layer-7 resource such as
Azure Application Gateway could send traffic from its frontend to its backend
through a NAT gateway, so that access remains internal to the resource.
Azure Network Address Translation (NAT) Gateway is a fully managed and highly
resilient NAT service that provides outbound connectivity to the internet
through the deployment of a NAT gateway resource. With a NAT gateway, instances
in a private subnet can connect to services outside the virtual network, but
external services cannot initiate a connection to those instances. A NAT
gateway can be attached to multiple subnets within a virtual network to provide
outbound connectivity to the internet. Some benefits of NAT include the reuse
of private IP addresses, keeping internal addressing hidden from the external
network (address hiding, which complements rather than replaces NSG rules), and
connecting many hosts to the global Internet using a smaller number of public
(external) IP addresses, thereby conserving IP address space.
If the
virtual network address space has multiple address ranges defined, Azure
creates an individual route for each address range. Azure automatically routes
traffic between subnets using the routes created for each address range;
gateways don't need to be defined for Azure to route traffic between subnets.
The system default route specifies the 0.0.0.0/0 address prefix. If Azure's
default routes are not overridden, Azure routes traffic for any address not
covered by an address range within the virtual network to the Internet. There's
one exception to this routing: if the destination address belongs to one of
Azure's services, Azure routes the traffic directly to the service over Azure's
backbone network rather than to the Internet. Traffic between Azure services
doesn't traverse the Internet, regardless of which Azure region the virtual
network exists in or which Azure region an instance of the Azure service is
deployed in. Azure's default system route for the 0.0.0.0/0 address prefix can
be overridden with a custom route, and a custom route for 0.0.0.0/0 is matched
before the system route of the same prefix length.
An Azure NAT Gateway attached to
a subnet provides outbound connectivity for all private resources in that
subnet, and for resources in other subnets of the same virtual network as long
as those subnets are also attached to it. It can be assigned up to 16 public IP
addresses or a public IP prefix of size /28 (16 addresses). Because any of
those addresses may be used for a given flow, a remote IP ACL must allow the
whole set or prefix, not a single address. The NAT gateway takes precedence
over a load balancer with or without outbound rules and becomes the next hop
for all internet-destined traffic from the attached subnets. A NAT gateway
can't span beyond a single virtual network. It provides source network address
translation (SNAT) for private instances within subnets of an Azure virtual
network.
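To make the routing rules in the two paragraphs above concrete (longest-prefix match over system and custom routes, the 0.0.0.0/0 Internet route and its override, Azure-service traffic staying on the backbone, and a NAT gateway SNATing everything Internet-bound to one of at most 16 public IPs or a /28 prefix), here is an added Python simulation. It is not code from the original post or from Azure; the address ranges (10.0.0.0/16, 10.1.0.0/16), the stand-in "Azure service" prefix 198.51.100.0/24, the NAT gateway prefix 203.0.113.0/28 and the hash-based IP selection are all constructed assumptions for the example.

```python
"""Added example: simulate next-hop selection and NAT gateway SNAT for a subnet.
Not Azure's code; prefixes and the hash-based IP choice are constructed for the demo."""
import ipaddress
from dataclasses import dataclass, field
from hashlib import sha256
from typing import List, Optional

MAX_NAT_GATEWAY_IPS = 16  # limit stated in the text: up to 16 public IPs or a /28 prefix

# Tie-break for equal prefix lengths: a user (custom) route beats a system route.
SOURCE_RANK = {"User": 0, "System": 1}


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str   # "VirtualNetwork", "AzureBackbone", "Internet", "VirtualAppliance", ...
    source: str     # "System" or "User"


@dataclass
class NatGateway:
    name: str
    public_ips: List[ipaddress.IPv4Address]

    def __post_init__(self):
        if len(self.public_ips) > MAX_NAT_GATEWAY_IPS:
            raise ValueError(f"{self.name}: at most {MAX_NAT_GATEWAY_IPS} public IPs")

    @classmethod
    def from_prefix(cls, name: str, prefix: str) -> "NatGateway":
        net = ipaddress.ip_network(prefix)
        if net.num_addresses > MAX_NAT_GATEWAY_IPS:  # larger than /28
            raise ValueError(f"{prefix}: NAT gateway prefixes are /28 or smaller")
        return cls(name, list(net))  # every address of a public IP prefix is usable

    def snat(self, src: str, dst: str, dport: int) -> ipaddress.IPv4Address:
        # A hash of the flow keeps the demo deterministic (assumption). The real
        # service does not promise which of its IPs a flow gets, which is why a
        # remote ACL must allow the whole prefix rather than one address.
        h = sha256(f"{src}|{dst}|{dport}".encode()).digest()
        return self.public_ips[int.from_bytes(h[:4], "big") % len(self.public_ips)]


@dataclass
class Subnet:
    vnet_ranges: List[str]                         # address ranges of the virtual network
    service_prefixes: List[str] = field(default_factory=list)  # stand-in for Azure service addresses
    user_routes: List[Route] = field(default_factory=list)
    nat_gateway: Optional[NatGateway] = None

    def add_user_route(self, prefix: str, next_hop: str) -> None:
        self.user_routes.append(Route(ipaddress.ip_network(prefix), next_hop, "User"))

    def effective_routes(self) -> List[Route]:
        routes = [Route(ipaddress.ip_network(r), "VirtualNetwork", "System") for r in self.vnet_ranges]
        routes += [Route(ipaddress.ip_network(p), "AzureBackbone", "System") for p in self.service_prefixes]
        routes.append(Route(ipaddress.ip_network("0.0.0.0/0"), "Internet", "System"))  # system default
        return routes + self.user_routes

    def lookup(self, dst: str) -> Route:
        ip = ipaddress.ip_address(dst)
        candidates = [r for r in self.effective_routes() if ip in r.prefix]
        # Longest prefix wins; on equal length the user route outranks the system route.
        return max(candidates, key=lambda r: (r.prefix.prefixlen, -SOURCE_RANK[r.source]))

    def egress(self, src: str, dst: str, dport: int = 443):
        """Return (next hop, source address seen by the destination)."""
        route = self.lookup(dst)
        if route.next_hop == "Internet" and self.nat_gateway is not None:
            # NAT gateway takes over all Internet-bound traffic and SNATs it.
            return "NatGateway", str(self.nat_gateway.snat(src, dst, dport))
        return route.next_hop, src  # no translation: the private address is kept


if __name__ == "__main__":
    natgw = NatGateway.from_prefix("natgw-egress", "203.0.113.0/28")
    subnet = Subnet(vnet_ranges=["10.0.0.0/16", "10.1.0.0/16"],
                    service_prefixes=["198.51.100.0/24"], nat_gateway=natgw)
    for dst in ["10.1.4.7", "198.51.100.10", "192.0.2.10"]:
        print(dst, "->", subnet.egress("10.0.1.4", dst))
    subnet.add_user_route("0.0.0.0/0", "VirtualAppliance")  # custom default route
    print("192.0.2.10 with UDR ->", subnet.egress("10.0.1.4", "192.0.2.10"))
```

Running it shows in-VNet and service-bound traffic leaving with the private source address and no NAT, Internet-bound traffic leaving through the NAT gateway with a 203.0.113.0/28 address, and the custom 0.0.0.0/0 route diverting Internet-bound traffic to the appliance so the NAT gateway is no longer in the path.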
Coding exercise:
https://1drv.ms/w/s!Ashlm-Nw-wnWhNQR3xNXIC3CG665Tg?e=jVlorS