azsdk/azsdk-docs

[Question] 02 Secure Development: Express Route coverage and reference architectures


Could you elaborate on certain items in the secure development Express Route documentation?
Items include:

  • no multiple NICs on ER-connected VMs
  • EnableIPForwarding flag not set to true
  • Only resources of type Microsoft.Network/* must be added to the ER network
  • no virtual network peerings on an ER-connected vnet
  • no other gateway type present

How do you position these recommendations (with High and Medium severity) against the existing reference architectures?
Examples:

Thanks for the clarification.
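
The five items listed in the question, expressed as checks over a resource inventory. This is an added example, not code from the issue or from the project's own controls. The inventory layout, the `er-network-rg` resource group, the resource names and the finding labels are constructed, every VM and NIC in the inventory is assumed to sit on the ER-connected vnet, and the "Microsoft.Network/* only" item is read as applying to the resource group that holds that vnet.

```python
# Added example: constructed inventory, loosely modelled on ARM resource JSON.
ER_RG = "er-network-rg"  # hypothetical resource group holding the ER-connected vnet

def audit_er_network(resources, er_rg=ER_RG):
    """Return sorted (check, resource name) findings for the five listed items."""
    findings = []
    for r in resources:
        rtype, props = r["type"], r.get("properties", {})
        if rtype == "Microsoft.Compute/virtualMachines":
            nics = props.get("networkProfile", {}).get("networkInterfaces", [])
            if len(nics) > 1:
                findings.append(("multiple-nics", r["name"]))
        elif rtype == "Microsoft.Network/networkInterfaces":
            if props.get("enableIPForwarding") is True:
                findings.append(("ip-forwarding", r["name"]))
        elif rtype == "Microsoft.Network/virtualNetworks":
            if props.get("virtualNetworkPeerings"):
                findings.append(("vnet-peering", r["name"]))
        elif rtype == "Microsoft.Network/virtualNetworkGateways":
            if props.get("gatewayType") != "ExpressRoute":
                findings.append(("other-gateway", r["name"]))
        # Anything in the ER resource group that is not Microsoft.Network/*
        if (r["resourceGroup"].lower() == er_rg.lower()
                and not rtype.lower().startswith("microsoft.network/")):
            findings.append(("non-network-resource", r["name"]))
    return sorted(findings)

def res(name, rtype, rg, **props):
    """Build one constructed inventory entry."""
    return {"name": name, "type": rtype, "resourceGroup": rg, "properties": props}

NET = "Microsoft.Network/"
SAMPLE = [  # constructed sample data, not taken from a real subscription
    res("er-vnet", NET + "virtualNetworks", ER_RG,
        virtualNetworkPeerings=[{"name": "to-hub"}]),
    res("er-gw", NET + "virtualNetworkGateways", ER_RG, gatewayType="ExpressRoute"),
    res("vpn-gw", NET + "virtualNetworkGateways", ER_RG, gatewayType="Vpn"),
    res("erlogs", "Microsoft.Storage/storageAccounts", ER_RG),
    res("nic-a", NET + "networkInterfaces", "app-rg", enableIPForwarding=True),
    res("nic-b", NET + "networkInterfaces", "app-rg", enableIPForwarding=False),
    res("vm-1", "Microsoft.Compute/virtualMachines", "app-rg",
        networkProfile={"networkInterfaces": [{"id": "nic-a"}, {"id": "nic-b"}]}),
]

if __name__ == "__main__":
    for check, name in audit_er_network(SAMPLE):
        print(f"{check:22} {name}")
```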