Hello @Thijs van Haren,
Yes, it is required to have public network access to link Dataverse to Azure Synapse. Also, the storage account must have Hierarchical namespace enabled. The Synapse workspace must be in the same region as your Azure Data Lake Storage Gen2 account with public network access enabled.
Once you link Dataverse to Synapse, the data is available in Synapse via the new lake database.
This data can be queried via Synapse SQL or Synapse Spark. This data can be directly accessed from the lake (no data is kept in Synapse).
When you mention "how to access the storage account when enabling public network access to the workspace", are you talking about a data lake account in general? If yes, apart from AAD, you can use Azure Private Link or VNet endpoints to access the data lake account.
Regarding your security concerns:
Currently, you can't provide public IPs for the Azure Synapse Link for Dataverse service that can be used in Azure Data Lake firewall settings. Public IP network rules have no effect on requests originating from the same Azure region as the storage account. Services deployed in the same region as the storage account use private Azure IP addresses for communication. Thus, you can't restrict access to specific Azure services based on their public outbound IP address range.
I hope this helps. Please let me know if you have any further questions.
Reference document: https://video2.skills-academy.com/en-us/power-apps/maker/data-platform/azure-synapse-link-synapse
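
The requirements listed in the answer above can be checked before attempting the link. The following is an added example, not part of the original answer or of Microsoft's tooling. It assumes the inputs are JSON shaped like the output of `az storage account show` and `az synapse workspace show`, and that the public network access requirement applies to both resources; the sample data and the function name `check_link_prereqs` are constructed for illustration.

```python
import json

# Constructed sample data shaped like the JSON printed by `az storage account show`
# and `az synapse workspace show`; names and values are made up for illustration.
STORAGE = json.loads("""{
  "name": "examplelake", "location": "westeurope", "isHnsEnabled": true,
  "publicNetworkAccess": "Enabled",
  "networkRuleSet": {"defaultAction": "Deny",
                     "ipRules": [{"ipAddressOrRange": "203.0.113.10", "action": "Allow"}]}
}""")
WORKSPACE = json.loads("""{
  "name": "example-synapse", "location": "West Europe", "publicNetworkAccess": "Enabled"
}""")

def _region(resource):
    # "West Europe" and "westeurope" name the same region.
    return (resource.get("location") or "").replace(" ", "").lower()

def _public_enabled(resource):
    # Assumption: a missing or null publicNetworkAccess means the default (enabled).
    return (resource.get("publicNetworkAccess") or "Enabled") == "Enabled"

def check_link_prereqs(storage, workspace):
    """Return (code, message) findings for the requirements listed in the answer."""
    findings = []
    same_region = _region(storage) == _region(workspace)
    if storage.get("isHnsEnabled") is not True:
        findings.append(("HNS_DISABLED", "storage account lacks hierarchical namespace"))
    if not same_region:
        findings.append(("REGION_MISMATCH", "workspace and storage account regions differ"))
    if not _public_enabled(storage):
        findings.append(("STORAGE_PUBLIC_ACCESS_DISABLED", "storage public network access is off"))
    if not _public_enabled(workspace):
        findings.append(("WORKSPACE_PUBLIC_ACCESS_DISABLED", "workspace public network access is off"))
    # Per the answer: public IP rules have no effect on same-region requests,
    # so they cannot be relied on to restrict the Synapse Link service.
    ip_rules = (storage.get("networkRuleSet") or {}).get("ipRules") or []
    if ip_rules and same_region:
        findings.append(("IP_RULES_NO_EFFECT_SAME_REGION",
                         f"{len(ip_rules)} public IP rule(s) do not filter same-region traffic"))
    return findings

if __name__ == "__main__":
    for code, message in check_link_prereqs(STORAGE, WORKSPACE):
        print(f"{code}: {message}")
```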