
AZ-700: Azure Network Engineer Associate Practice Exam

Validates expertise in designing, implementing, and managing Azure networking solutions including hybrid networking, routing, and private access.

Practice 637 exam-style AZ-700 questions with full answer explanations, then take timed mock exams that score like the real thing.

• Practice questions: 637
• Questions on the real exam: 50
• Passing score: 700
• Exam length: 120 min

Free AZ-700 sample questions

A sample of 10 questions with answers and explanations. Sign up free to practice all 637.

  1. Question 1: Design, Implement, and Manage Hybrid Networking

    Your organization requires a site-to-site VPN connection between your on-premises datacenter and Azure. The connection must support a throughput of 1.25 Gbps. Which VPN Gateway SKU is the minimum that meets this requirement?

    • A. VpnGw1
    • B. VpnGw2 (Correct)
    • C. Basic
    • D. VpnGw3
    ✓ Correct answer: B

    VpnGw2 SKU supports a maximum aggregate throughput of 1.35 Gbps, which exceeds the requirement of 1.25 Gbps. Azure VPN Gateway SKUs are tiered by throughput capacity: VpnGw1 supports up to 650 Mbps, VpnGw2 supports up to 1.35 Gbps, and VpnGw3 supports up to 2.5 Gbps. Choosing the minimum SKU that meets requirements is a cost optimization best practice.

    Why the other options are wrong
    • A. VpnGw1 is incorrect because it has a maximum throughput of 650 Mbps, which falls short of the 1.25 Gbps requirement.
    • C. Basic is incorrect because the Basic SKU is deprecated and only supports legacy configurations with very limited throughput (less than 100 Mbps).
    • D. VpnGw3 is incorrect because while it would meet the requirement, it provides 2.5 Gbps throughput and is more expensive than necessary when VpnGw2 already satisfies the 1.25 Gbps requirement.
  2. Question 2: Design, Implement, and Manage Hybrid Networking

    You need to configure an Azure VPN Gateway to support both point-to-site and site-to-site connections simultaneously. Which SKU is the minimum required?

    • A. VpnGw3
    • B. VpnGw1 (Correct)
    • C. Basic
    • D. VpnGw2
    ✓ Correct answer: B

    VpnGw1 is the minimum SKU required to support both point-to-site and site-to-site VPN connections simultaneously on the same gateway. Azure VPN Gateway architecture allows multiple connection types on a single gateway starting with VpnGw1, enabling organizations to support both remote user access (point-to-site) and branch office connections (site-to-site) without deploying separate gateways. This consolidation reduces infrastructure complexity and management overhead.

    Why the other options are wrong
    • A. VpnGw3 is incorrect because while it supports both connection types, it is a higher SKU than necessary; VpnGw1 already provides the capability to host both simultaneously.
    • C. Basic is incorrect because the Basic SKU does not support simultaneous point-to-site and site-to-site connections; it can only run one connection type at a time.
    • D. VpnGw2 is incorrect because while it supports both connection types, VpnGw1 is the minimum required; upgrading to VpnGw2 would provide unnecessary additional capacity and cost.
  3. Question 3: Design and Implement Core Networking Infrastructure (Select all that apply)

    Fabrikam Inc needs to configure an Azure public IP address. Which TWO statements are true about Standard SKU public IP addresses?

    • A. Standard SKU public IPs are open to inbound traffic by default
    • B. Standard SKU public IPs support availability zone configurations (Correct)
    • C. Standard SKU public IPs are static by default (Correct)
    • D. Standard SKU public IPs can only be associated with Basic Load Balancers
    ✓ Correct answer: B, C

    Standard SKU public IPs are allocated with static assignment by default, ensuring the IP address remains constant throughout the resource's lifecycle. Additionally, Standard SKU public IPs support availability zone configurations, allowing you to specify zone-redundant, zone-specific, or no-zone deployments. These features make Standard SKU public IPs suitable for production workloads requiring predictable IP assignments and high availability across zones.

    Why the other options are wrong
    • A. "Standard SKU public IPs are open to inbound traffic by default" is incorrect because Standard SKU public IPs are not inherently open; they require associated Network Security Groups or firewall rules to permit inbound traffic.
    • D. "Standard SKU public IPs can only be associated with Basic Load Balancers" is incorrect because this statement is inverted; Standard SKU public IPs are associated with Standard SKU load balancers, not Basic load balancers.
  4. Question 4: Design and Implement Core Networking Infrastructure

    A network engineer needs to configure Azure DNS private zones for name resolution within a virtual network. Virtual machines in the VNet should be able to register their DNS records automatically and resolve names of other VMs in the same VNet. How should the engineer link the private DNS zone to the virtual network?

    • A. Create a DNS forwarding ruleset in a DNS Private Resolver
    • B. Create a virtual network link with auto-registration disabled
    • C. Create a virtual network link with auto-registration enabled (Correct)
    • D. Configure a custom DNS server on the virtual network
    ✓ Correct answer: C

    To enable automatic DNS record registration for VMs in a Virtual Network linked to an Azure DNS private zone, you must create a virtual network link with auto-registration enabled. When auto-registration is enabled, VMs deployed in the linked VNet automatically register their DNS records (A records with hostname and private IP) in the private DNS zone. This eliminates the need for manual DNS record creation for each VM and ensures that VMs can resolve each other by hostname. The virtual network link establishes the relationship between the private DNS zone and the VNet, and the auto-registration setting controls whether the zone automatically manages VM DNS records.

    Why the other options are wrong
    • A. "Create a DNS forwarding ruleset in a DNS Private Resolver" is incorrect because DNS forwarders are used for conditional DNS forwarding, not for automatic VM record registration within a private zone.
    • B. "Create a virtual network link with auto-registration disabled" is incorrect because disabling auto-registration means VMs will not automatically register their DNS records, requiring manual record management.
    • D. "Configure a custom DNS server on the virtual network" is incorrect because while custom DNS servers can be configured for name resolution, this does not provide the automatic registration capability that a private zone link with auto-registration enabled provides.
  5. Question 5: Design and Implement Routing

    You need to configure BGP on an Azure VPN Gateway. What is the default ASN used by Azure VPN Gateways?

    • A. 64512
    • B. 65515 (Correct)
    • C. 12076
    • D. 65001
    ✓ Correct answer: B

    Azure VPN Gateways are pre-configured with a default Autonomous System Number (ASN) of 65515 for BGP operations. This is a reserved private ASN in the range 64512-65534 that allows Azure gateways to participate in BGP peering with on-premises networks and other Azure components without conflicting with public internet ASNs.

    Why the other options are wrong
    • A. 64512 is incorrect because this is the beginning of the private ASN range but not Azure's default selection.
    • C. 12076 is incorrect because this is Microsoft's public ASN used for Azure ExpressRoute peering with service providers, not the default for VPN Gateway BGP.
    • D. 65001 is incorrect because this is not used as Azure's default VPN Gateway ASN.
  6. Question 6: Secure and Monitor Networks

    You have an NSG with the following inbound rules: Rule 100 Allow TCP 80 from Any, Rule 200 Deny TCP 80 from 10.0.0.0/8, and the default DenyAllInbound rule. A request arrives on port 80 from IP 10.0.1.5. What happens?

    • A. The traffic is denied by DenyAllInbound
    • B. The traffic is load balanced between Rule 100 and Rule 200
    • C. The traffic is allowed by Rule 100 (Correct)
    • D. The traffic is denied by Rule 200
    ✓ Correct answer: C

    NSG rules are processed in priority order, from the lowest priority number to the highest. Rule 100 has a lower number (and therefore a higher priority) than Rule 200, so it is evaluated first. Rule 100 allows TCP traffic on port 80 from any source, so the incoming traffic on port 80 from IP 10.0.1.5 matches this rule and is allowed. Rule 200 is never evaluated because the traffic has already matched Rule 100 and an allow decision has been made. The DenyAllInbound default rule only applies if no explicit rules allow the traffic.

    Why the other options are wrong
    • A. "The traffic is denied by DenyAllInbound" is incorrect because the DenyAllInbound default rule only applies when no explicit allow rules match; Rule 100 explicitly allows the traffic before DenyAllInbound is evaluated.
    • B. "The traffic is load balanced between Rule 100 and Rule 200" is incorrect because NSG rules are not load balanced; each packet is evaluated against rules in priority order and the first matching rule determines the outcome.
    • D. "The traffic is denied by Rule 200" is incorrect because Rule 200 is never evaluated since Rule 100 (which has higher priority) matches first and explicitly allows the traffic; Rule 200 would only be evaluated if Rule 100 did not match.
  7. Question 7: Secure and Monitor Networks

    Which feature logs all traffic through an NSG for analysis?

    • A. NSG flow logs (Correct)
    • B. Activity log
    • C. Diagnostic logs
    • D. Azure Advisor
    ✓ Correct answer: A

    NSG flow logs are specifically designed to capture and log all traffic flowing through a Network Security Group. These logs record detailed information about each flow (source IP, destination IP, source port, destination port, protocol, bytes, packets, and whether the flow was allowed or denied). The logs are stored in Azure Storage and can be analyzed for security forensics, compliance reporting, and traffic pattern understanding.

    Why the other options are wrong
    • B. Activity log is incorrect because the Activity Log tracks resource management operations (creation, updates, deletions), not traffic flowing through network resources.
    • C. Diagnostic logs is incorrect because diagnostic logs are a broader category for various Azure services; they don't specifically capture NSG traffic.
    • D. Azure Advisor is incorrect because Advisor provides recommendations for optimizing Azure resources, not traffic logging.
  8. Question 8: Design and Implement Private Access to Azure Services (Select all that apply)

    Fabrikam Financial Services is deploying Azure Private Link for their Azure Storage account. Which two statements about Private Endpoints are correct? (Choose two.)

    • A. Private endpoints can only be created in the same region as the Azure Storage account
    • B. After creating a private endpoint, the storage account's public endpoint is automatically disabled
    • C. DNS configuration must be updated to resolve the storage account's FQDN to the private endpoint's private IP address (Correct)
    • D. A private endpoint assigns a private IP address from the VNet subnet to the Azure Storage account (Correct)
    ✓ Correct answer: C, D

    These two statements correctly describe how Private Endpoints function. When a private endpoint is created, it receives a private IP address from the target subnet, and this IP must be registered in DNS so that clients resolve the storage account's FQDN to this private IP. Proper DNS configuration is essential for private endpoint functionality.

    Why the other options are wrong
    • A. "Private endpoints can only be created in the same region as the Azure Storage account" is incorrect because private endpoints can be created in different regions than the Azure service through cross-region private endpoints, allowing flexible architectural designs.
    • B. "After creating a private endpoint, the storage account's public endpoint is automatically disabled" is incorrect because creating a private endpoint does not automatically disable the public endpoint; public access remains enabled by default until you explicitly disable it on the storage account firewall.
  9. Question 9: Design, Implement, and Manage Hybrid Networking (Select all that apply)

    Tailspin Toys is configuring a Point-to-Site (P2S) VPN using Azure AD authentication. Which two requirements must be met? (Choose two.)

    • A. The Azure VPN Enterprise Application must be authorized in the Azure AD tenant (Correct)
    • B. The tunnel type must be set to OpenVPN (Correct)
    • C. The VPN gateway must use the Basic SKU
    • D. SSTP tunnel type must be selected for Azure AD integration
    ✓ Correct answer: A, B

    Azure AD authentication requires both the Azure VPN Enterprise Application to be granted consent in the tenant (enabling the authentication provider) and OpenVPN tunnel type to be configured (the only tunnel type that supports Azure AD authentication in P2S VPN).

    Why the other options are wrong
    • C. "The VPN gateway must use the Basic SKU" is incorrect because Basic SKU does not support P2S VPN at all; the minimum SKU is Standard or higher.
    • D. "SSTP tunnel type must be selected for Azure AD integration" is incorrect because SSTP does not support Azure AD authentication; OpenVPN is the required tunnel type.
  10. Question 10: Design, Implement, and Manage Hybrid Networking (Select all that apply)

    Margie's Travel needs to implement a solution that involves a specific service and a particular feature. Which two components should the administrator configure? (Choose two.)

    • A. network virtual appliance
    • B. on-premises DNS forwarding
    • C. VPN over ExpressRoute (Correct)
    • D. active-active VPN (Correct)
    • E. forced tunneling
    ✓ Correct answer: C, D

    VPN over ExpressRoute allows an IPsec VPN connection to run on top of an ExpressRoute private peering connection, providing an additional layer of encryption and redundancy. This protects data in transit over the dedicated link and creates resilience if the primary connection fails. Active-active VPN configuration ensures that both VPN gateways forward traffic simultaneously, providing redundancy and higher throughput than active-passive setups. In combination with VPN over ExpressRoute, this creates a robust, encrypted hybrid connectivity solution with no single points of failure.

    Why the other options are wrong
    • A. Network virtual appliance is incorrect because while NVAs provide security services, they do not address the specific need for VPN encryption over ExpressRoute.
    • B. On-premises DNS forwarding is incorrect because DNS configuration is orthogonal to VPN-over-ExpressRoute implementation.
    • E. Forced tunneling is incorrect because it controls routing policy but is not a core component of VPN over ExpressRoute.

AZ-700 practice exam FAQ

How many questions are in the AZ-700 practice exam on CertGrid?

CertGrid has 637 practice questions for AZ-700: Azure Network Engineer Associate, covering 5 exam domains. The real AZ-700 exam has about 50 questions.

What is the passing score for AZ-700?

The AZ-700 exam passing score is 700, and you have about 120 minutes to complete it. CertGrid scores your practice attempts the same way so you know when you are ready.

Are these official AZ-700 exam questions?

No. CertGrid is an independent practice platform. Questions are written to mirror the style and concepts of AZ-700: Azure Network Engineer Associate, with full explanations, but they are not official or copied vendor exam items. They are original practice questions designed to help you genuinely learn the material.

Can I practice AZ-700 for free?

Yes. You can start practicing AZ-700: Azure Network Engineer Associate for free with daily practice and sample questions. Paid plans unlock full timed exams, complete explanations, and domain analytics.