
Azure Route Server and NVA: Enforcing VNet Traffic - plus Terraform Code
I recently discovered some knowledge gaps regarding Azure Route Server (ARS) during a discussion with a cloud architect, so I decided to explore it in depth using my personal lab environment.

Lab Topology

The test environment includes:
- Hub Virtual Network containing both an NVA (Network Virtual Appliance) and Azure Route Server
- Two Spoke VNets, each peered only with the hub
- BGP enabled between the NVA and Azure Route Server
- Spoke-to-spoke traffic routed through the NVA

The goal: understand how Azure Route Server can dynamically manage routing and what it offers over static user-defined routes (UDRs).

Why Use Azure Route Server?

Limitations of Standard VNet Peering

Default VNet peering provides full connectivity but no point at which traffic can be inspected: peering itself cannot filter, and NSGs only give L3/L4 rules. Enterprises often require inspection or filtering of inter-VNet traffic.

Traditional Solutions

Traffic can be redirected through:
- Azure Firewall (Microsoft's native solution)
- Third-party NVAs: Cisco ASR/ASA, Palo Alto NGFW, FortiGate NGFW, F5 Load Balan
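The lab topology above, expressed as Terraform. This is an added example written for this page, not the author's own Terraform (the excerpt does not include it). The resource group name, region, address ranges, the NVA's inside IP 10.0.1.4 and its ASN 65001 are assumptions; it targets the azurerm 3.x provider (which still uses enable_ip_forwarding). The NVA VM and its BGP daemon are vendor-specific and are not modelled; only the NIC it would use is declared so that the BGP peering has an address to point at.

```terraform
provider "azurerm" { features {} }

locals {
  rg       = "rg-ars-lab"  # assumption
  location = "westeurope"  # assumption
  nva_asn  = 65001         # assumption: private ASN; must differ from 65515, which Route Server itself uses
  nva_ip   = "10.0.1.4"    # assumption: static IP of the NVA's inside NIC
}

# Hub: hosts both the NVA and Azure Route Server
resource "azurerm_virtual_network" "hub" {
  name                = "vnet-hub"
  resource_group_name = local.rg
  location            = local.location
  address_space       = ["10.0.0.0/16"]
}

# Route Server must live in a subnet named exactly RouteServerSubnet (at least a /27)
resource "azurerm_subnet" "rs" {
  name                 = "RouteServerSubnet"
  resource_group_name  = local.rg
  virtual_network_name = azurerm_virtual_network.hub.name
  address_prefixes     = ["10.0.0.0/27"]
}

resource "azurerm_subnet" "nva" {
  name                 = "snet-nva"
  resource_group_name  = local.rg
  virtual_network_name = azurerm_virtual_network.hub.name
  address_prefixes     = ["10.0.1.0/24"]
}

# NVA NIC: IP forwarding must be on, otherwise Azure drops transit packets not addressed to the NIC
resource "azurerm_network_interface" "nva" {
  name                 = "nic-nva"
  resource_group_name  = local.rg
  location             = local.location
  enable_ip_forwarding = true
  ip_configuration {
    name                          = "inside"
    subnet_id                     = azurerm_subnet.nva.id
    private_ip_address_allocation = "Static"
    private_ip_address            = local.nva_ip
  }
}

# Route Server requires a Standard-SKU static public IP
resource "azurerm_public_ip" "rs" {
  name                = "pip-ars"
  resource_group_name = local.rg
  location            = local.location
  allocation_method   = "Static"
  sku                 = "Standard"
}

resource "azurerm_route_server" "hub" {
  name                 = "ars-hub"
  resource_group_name  = local.rg
  location             = local.location
  sku                  = "Standard"
  public_ip_address_id = azurerm_public_ip.rs.id
  subnet_id            = azurerm_subnet.rs.id
}

# BGP peering from Route Server to the NVA. The NVA side of the session is vendor-specific and not shown.
resource "azurerm_route_server_bgp_connection" "nva" {
  name            = "bgp-nva"
  route_server_id = azurerm_route_server.hub.id
  peer_asn        = local.nva_asn
  peer_ip         = local.nva_ip
}

# Spokes: peered only with the hub, never with each other
resource "azurerm_virtual_network" "spoke" {
  for_each            = { spoke1 = "10.1.0.0/16", spoke2 = "10.2.0.0/16" }
  name                = "vnet-${each.key}"
  resource_group_name = local.rg
  location            = local.location
  address_space       = [each.value]
}

resource "azurerm_virtual_network_peering" "hub_to_spoke" {
  for_each                  = azurerm_virtual_network.spoke
  name                      = "hub-to-${each.key}"
  resource_group_name       = local.rg
  virtual_network_name      = azurerm_virtual_network.hub.name
  remote_virtual_network_id = each.value.id
  allow_forwarded_traffic   = true # the NVA forwards packets whose source IP is another spoke, not the hub
  allow_gateway_transit     = true # lets spokes consume the routes Route Server learns from the NVA
}

resource "azurerm_virtual_network_peering" "spoke_to_hub" {
  for_each                  = azurerm_virtual_network.spoke
  name                      = "${each.key}-to-hub"
  resource_group_name       = local.rg
  virtual_network_name      = each.value.name
  remote_virtual_network_id = azurerm_virtual_network.hub.id
  allow_forwarded_traffic   = true
  use_remote_gateways       = true # without this, BGP-learned routes are never programmed into spoke NICs
  depends_on                = [azurerm_route_server.hub] # Azure rejects use_remote_gateways until the hub has a Route Server
}

output "route_server_peer_ips" {
  value = azurerm_route_server.hub.virtual_router_ips # the two instance IPs the NVA must peer with, ASN 65515
}
```

The two peering flags are the part people miss: Route Server counts as the hub's gateway for peering purposes, so a spoke only receives the NVA's advertised prefixes when its peering has use_remote_gateways set and the hub side has allow_gateway_transit set, and Azure refuses that spoke peering while no Route Server exists (hence the explicit depends_on). Once the NVA has established sessions to both instance IPs, `az network routeserver peering list-learned-routes` and `list-advertised-routes` show what Route Server is accepting from the NVA and pushing to it, which is the quickest way to confirm the spoke-to-spoke path really goes through the appliance.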
