hspinto Great post, and the ARG queries are super helpful — thank you for sharing this! I had one question/suggestion though:
In environments using Azure Virtual WAN or traditional hub-and-spoke topologies, we often push a 0.0.0.0/0 UDR to all spoke VNets to route internet-bound traffic through a centralized NVA or Azure Firewall in the hub. These routes appear in the effective routes of each VM’s NIC, so the traffic is explicitly routed — even though there may be no NAT Gateway, public IP, or outbound rules on the subnet.
Just for clarity purposes, do you think it might be worth adding a small note or disclaimer that these queries may not fully apply in VWAN or hub-and-spoke setups where 0.0.0.0/0 routing is centrally managed and propagated — or even that this retirement scenario might not directly apply to such architectures, depending on how outbound traffic is controlled?