You are designing a hub-spoke network topology in Azure. You need to ensure that all traffic between spokes is inspected by a network virtual appliance (NVA) deployed in the hub. What should you configure?
UDRs force traffic to the NVA for inspection.
Why this answer
Option D is correct because the NVA in the hub can be used as a next hop for inter-spoke traffic via user-defined routes. Option A is wrong because VNet peering does not inspect traffic. Option B is wrong because Azure Firewall is a managed service, not an NVA (though it could inspect, the question specifically says NVA).
Option C is wrong because VPN gateway does not inspect traffic.