Commit f910209

adstuartvhorne
andauthored
Update articles/firewall/forced-tunneling.md
yes the important point is to capture that you do not have the choice to deploy or not deploy in forced tunnel mode, when putting azfw in vwan

Co-authored-by: Vic <[email protected]>
1 parent aebc7ab commit f910209

1 file changed

+1
-1
lines changed

articles/firewall/forced-tunneling.md

Lines changed: 1 addition & 1 deletion
@@ -16,7 +16,7 @@ When you configure a new Azure Firewall, you can route all Internet-bound traffi
1616
Azure Firewall provides automatic SNAT for all outbound traffic to public IP addresses. Azure Firewall doesn’t SNAT when the destination IP address is a private IP address range per IANA RFC 1918. This logic works perfectly when you egress directly to the Internet. However, with forced tunneling enabled, Internet-bound traffic is SNATed to one of the firewall private IP addresses in the AzureFirewallSubnet. This hides the source address from your on-premises firewall. You can configure Azure Firewall to not SNAT regardless of the destination IP address by adding *0.0.0.0/0* as your private IP address range. With this configuration, Azure Firewall can never egress directly to the Internet. For more information, see [Azure Firewall SNAT private IP address ranges](snat-private-range.md).
1717

1818
> [!IMPORTANT]
19-
> If you deploy Azure Firewall inside of a Virtual WAN Hub (Secured Virtual Hub), please note that advertising the default route over Express Route or VPN Gateway is not currently supported. A fix is being investigated.
19+
> If you deploy Azure Firewall inside of a Virtual WAN Hub (Secured Virtual Hub), advertising the default route over Express Route or VPN Gateway is not currently supported. A fix is being investigated.
2020
2121
## Forced tunneling configuration
2222
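Review bot: The reworded IMPORTANT note on the + line still leaves the reader to infer what the limitation means for forced tunneling, which the commit message names as the point to capture. A reader who relies on forced tunneling to send Internet-bound traffic through an on-premises firewall needs that consequence stated, so add a sentence saying what the unsupported default-route advertisement implies for a firewall in a Secured Virtual Hub. Two smaller points on the same line: the product name is written "ExpressRoute" (one word), and "A fix is being investigated" carries no date or tracking link, so it will go stale without anyone noticing; consider linking the tracking item or dropping the sentence.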
