
[ARG Improvement] Update Publicly Accessible Redis Caches #164

@Elgin-Lee

When an Azure Cache for Redis instance is configured with a virtual network, it isn't publicly addressable.

This needs to be added to the ARG logic.

https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/cache-how-to-premium-vnet

Candidate ARG query:

  resources
  | where type =~ 'Microsoft.Cache/Redis'
  | extend publicNetworkAccess = tolower(properties.publicNetworkAccess)
  | extend sku = properties.sku.name
  | extend enableNonSslPort = properties.enableNonSslPort
  | extend minimumTlsVersion = properties.minimumTlsVersion
  | extend hostname = properties.hostName
  | extend subnetId = properties.subnetId
  | where isempty(subnetId)  // Only caches WITHOUT VNet integration
  | where publicNetworkAccess != 'disabled'  // Only caches with public access enabled
  | project
      id,
      name,
      type,
      location,
      resourceGroup,
      publicNetworkAccess,
      sku,
      enableNonSslPort,
      minimumTlsVersion,
      hostname,
      subnetId,
      subscriptionId
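To check the candidate query's two filters offline before changing the scan template, here is an added example (not code from this issue or the project) that applies the same logic to records shaped like `az graph query` output, including the case where `publicNetworkAccess` is absent from `properties` (KQL's `tolower(tostring(null))` is `""`, which passes the `!= 'disabled'` filter). The sample records and the subnet ID are constructed.

```python
from typing import Any

# Example added here, not code from the issue or the project. Record shape mimics
# `az graph query` output; sample values below are constructed, not real resources.

def is_publicly_reachable(resource: dict[str, Any]) -> bool:
    """Same two filters as the KQL: no VNet subnet and public access not disabled."""
    props = resource.get("properties") or {}
    subnet_id = str(props.get("subnetId") or "")  # null/absent -> not VNet-injected
    # In KQL, tolower(tostring(null)) is "", which != 'disabled'; the service
    # default is Enabled, so a cache lacking the property still counts as public.
    pna = str(props.get("publicNetworkAccess") or "").lower()
    return subnet_id.strip() == "" and pna != "disabled"

def transport_flags(resource: dict[str, Any]) -> list[str]:
    """Triage context the query projects: non-SSL port and minimum TLS version."""
    props = resource.get("properties") or {}
    flags = []
    if props.get("enableNonSslPort") is True:
        flags.append("non-ssl-port-enabled")
    tls = str(props.get("minimumTlsVersion") or "")
    if tls and tuple(int(p) for p in tls.split(".")) < (1, 2):
        flags.append(f"min-tls-{tls}")
    return flags

def triage(resources: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Return a finding for each cache the ARG query would surface."""
    findings = []
    for r in resources:
        if is_publicly_reachable(r):
            props = r.get("properties") or {}
            findings.append({"name": r.get("name"), "hostname": props.get("hostName"),
                             "flags": transport_flags(r)})
    return findings

# Constructed sample records; the subnet ID is a placeholder, not a real resource.
SUBNET = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg"
          "/providers/Microsoft.Network/virtualNetworks/vnet/subnets/redis")
SAMPLE = [
    {"name": "cache-public", "properties": {"hostName": "cache-public.redis.cache.windows.net",
     "publicNetworkAccess": "Enabled", "enableNonSslPort": True, "minimumTlsVersion": "1.0", "subnetId": None}},
    {"name": "cache-vnet", "properties": {"hostName": "cache-vnet.redis.cache.windows.net",
     "publicNetworkAccess": "Enabled", "enableNonSslPort": False, "subnetId": SUBNET}},
    {"name": "cache-legacy", "properties": {"hostName": "cache-legacy.redis.cache.windows.net",
     "enableNonSslPort": False, "minimumTlsVersion": "1.2"}},  # publicNetworkAccess absent
    {"name": "cache-disabled", "properties": {"hostName": "cache-disabled.redis.cache.windows.net",
     "publicNetworkAccess": "Disabled", "enableNonSslPort": False}},
]
```

Running `triage(SAMPLE)` surfaces `cache-public` (with both transport flags) and `cache-legacy`, and drops the VNet-injected and disabled caches, matching what the KQL filters would return.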

We should also update the description, triage guidance, and severity of the ARG scan YAML template.

Azure Cache for Redis does not support truly anonymous or unauthenticated access. Authentication is always required to connect and use the cache, either by:

  • Using Access Keys (shared secret keys), or
  • Using Microsoft Entra (Azure AD) Authentication, which offers password-free, token-based authentication integrated with Azure AD and supports role-based access control (RBAC) via Redis Access Control Lists (ACLs).

Key Points on Access Control for Azure Redis Cache:

  • Redis ACLs allow fine-grained control over which users or applications can execute which commands and access which keys.
  • Azure Cache for Redis supports built-in access policies (Data Owner, Data Contributor, Data Reader) that are assigned via Azure RBAC using Microsoft Entra identities.
  • You cannot disable authentication entirely to allow anonymous or unauthenticated access.
  • Public network access (internet exposure) controls connectivity at the network level but does not bypass any authentication requirements. Even if public network access is enabled, clients must authenticate with either access keys or Microsoft Entra credentials before accessing the cache.
