Outbound Internet filtering in Transit VNet architecture


I’m concerned about designing a solution for outbound Internet traffic in an Azure environment (same case for AWS too). Instead of using firewalling solutions for this purpose, I’d like to use ZWS and Cloud Connectors.

For cost reasons I’ve decided to use the ‘Transit VNet’ model with a LB in front of the connectors.

I’m wondering if I can have the granularity on the security policies we want to create for the workloads:
→ Is it possible in this case to create rules workload by workload (for each VM, for example)?
→ Or should we have rules by VNet/Subnet?
→ Do we have visibility into the network information in our environment (VNet, Subnet, …) when setting the rules?
→ What about the security for PaaS services? Is there a possibility to create rules based on the Azure services instead of using network information?

Kind regards