* Force tunnel to NVA You can specify a 0.0.0.0/0 route in the defaultRouteTable with next hop Virtual Network Connection. Then specify the specific IP of the NVA. This will force all internet-bound traffic to be sent to a Network Virtual Appliance deployed in a spoke Virtual Network. For more detailed instructions, please consider the alternate workflow described here: Route traffic through NVAs by using custom settings – Azure Virtual WAN | Microsoft Docs.
* Force tunnel to Azure Firewall in the Hub You can use Firewall Manager to configure Virtual WAN to send all internet-bound traffic via Azure Firewall deployed in the Virtual WAN hub. For configuration steps and a tutorial, please reference following documents (Install Azure Firewall in a Virtual WAN hub – Azure Virtual WAN | Microsoft Docs and to configure routing Tutorial: Secure your virtual hub using Azure Firewall Manager | Microsoft Docs) Alternatively, this can also be configured via Routing Policies and Routing Intent. For more information on Routing policies please read the following document How to configure Virtual WAN Hub routing policies – Azure Virtual WAN | Microsoft Docs.
* Force tunnel to Third party provider: You can use Firewall Manager to send internet traffic via a third-party security provider. For more information on this capability, please read the following: Deploy an Azure Firewall Manager security partner provider | Microsoft Docs.
* Force tunnel to a branch You can configure one of your branches (Site-to-site VPN, ExpressRoute Circuit or Network Virtual Appliance in the Virtual WAN Hub) to advertise the 0.0.0.0/0 route to Virtual WAN. Your on-premises device will have to be configured to do that.
The info is form Microsoft and can be very helpful.