I was able to run an experiment by allowing mcr.microsoft.com. We wants to use the curated environment AS-IS, no custom packages will be installed.
For the security reason I don't want to whitelist the application firewall rules:
Latest versions of training curated environments referencing the images from MCR. Only AzureFrontDoor service tag is required for those.