Its not very clear fromt he documentation that adding an ACL also affects internal virtual network communications as well as external endpoint access on the port defined.
If you have two machines in different services connected via the same virtual network and are using the internal subnet IP for communication, the ACL will be applied to the traffic on the internal IP aswell as the external IP/Endpoint you apply it to, even if your not accessing the port via the external IP/endpoint.
Therefore, ensure you allow access for your virtual network subnets if you do plan to allow communication internally as this has caught me out on two occasions now.
I’m sure there’s a good reason as to why the ACL is applied to internal traffic too, but given you don’t need an endpoint defined for internal communication and the ACL is applied to the endpoint it is a little confusing.
Note: This also applies to Site-to-Site links (And assume Point-to-Site, although have not tested)