@Donald-Muncy , I hope all is well. Let's take your questions in order...
Setting up a lab environment and a budget - You can certainly do so if you would like, and there are several options available to you.. Take a look at this article to see how a budget can be setup and used to control spending:
A word of caution however, penetration testing is a very elastic term, and can be interpreted and implemented in a variety of ways... Microsoft has language in their terms of service that specifically prohibits certain activities on their platforms... you just need to make sure that you understand what you are doing & how you are doing it...
Azure Forced tunneling IS NOT covered in the AZ-500 course, as it is not part of the outline.
It is covered in the AZ-700 course however, which is where it makes more sense to address it.
Link to the outline is below:
The section you want is the following:
Design and implement routing (25–30%)
Design, implement, and manage VNet routing
• Design and implement user-defined routes (UDRs)
• Associate a route table with a subnet
• Configure forced tunneling
• Diagnose and resolve routing issues
• Design and implement Azure Route Server
We currently DO NOT have a course for the AZ-700 exam...