Microsofthspinto Great post, and the ARG queries are super helpful — thank you for sharing this! I had one question/suggestion though:
In environments using Azure Virtual WAN or traditional hub-and-spoke topologies, we often push a 0.0.0.0/0 UDR to all spoke VNets to route internet-bound traffic through a centralized NVA or Azure Firewall in the hub. These routes appear in the effective routes of each VM’s NIC, so the traffic is explicitly routed — even though there may be no NAT Gateway, public IP, or outbound rules on the subnet.
Just for clarity purpose, do you think it might be worth adding a small note or disclaimer that these queries may not fully apply in VWAN or hub-and-spoke setups where 0.0.0.0/0 routing is centrally managed and propagated — or even that this retirement scenario might not directly apply to such architectures, depending on how outbound traffic is controlled?
MicrosoftThank you for the feedback, VikasRay27. You are correct in which regards Azure Virtual WAN - this scenario was not included as it is not fully supported by Azure Resource Graph yet. I will add a note to make it clear.
Regarding traditional hub & spoke approaches, the queries above support this scenario - you just have to replace the "<firewall private IP>" placeholder with the NVA's private IP address.
