AZ-700: Azure Network Engineer Associate Study Guide
The AZ-700 Azure Network Engineer Associate exam validates your ability to design, implement, and manage Azure networking solutions, spanning hybrid connectivity, core VNet infrastructure, routing, network security, and private access to PaaS services. It is aimed at network engineers who plan and operate Azure networks and work alongside architects, security pros, and cloud admins. Expect scenario-based questions on VPN/ExpressRoute, VNet design, UDRs and BGP, NSGs and Azure Firewall, and Private Link/private endpoints.
Domain 1: Design, Implement, and Manage Hybrid Networking
- Azure VPN Gateway SKUs scale by aggregate throughput: VpnGw1 up to 650 Mbps, VpnGw2 up to 1 Gbps, VpnGw3 up to 1.25 Gbps (Generation 1); choose the smallest SKU that meets the requirement.
- A VPN Gateway requires a dedicated subnet named exactly GatewaySubnet (recommended /27 or larger) plus a public IP address.
- Active-active VPN Gateway provisions two gateway instances, each with its own public IP and IPsec tunnel, giving redundancy and higher aggregate throughput with no failover delay; this requires two public IP addresses.
- ExpressRoute provides a dedicated private connection that bypasses the public internet, offering consistent latency and bandwidth; peering (private and Microsoft) is established at the provider edge.
- ExpressRoute FastPath bypasses the ExpressRoute gateway in the data path, reducing latency and improving performance for traffic to VMs in the VNet.
- ExpressRoute Global Reach connects two on-premises sites to each other through the Microsoft backbone (site-to-site via ExpressRoute circuits).
- Route filters on Microsoft peering select, by BGP community value, which Azure PaaS service prefixes (per service and region) are advertised to the ExpressRoute circuit, so you consume only the prefixes you need.
- ExpressRoute gateway SKUs scale capacity: UltraPerformance is the highest-throughput SKU, appropriate when FastPath or maximum bandwidth is needed.
- For ExpressRoute resiliency, deploy two circuits in different peering locations and connect each to the ExpressRoute gateway in the target VNet.
- ExpressRoute with a VPN Gateway configured as a failover path is the recommended pattern for backup connectivity if the circuit goes down.
- Azure Virtual WAN Standard SKU hubs support User VPN (P2S), Site-to-site VPN, and ExpressRoute; the Basic SKU only supports Site-to-site VPN.
- Point-to-Site VPN supports RADIUS server authentication, Microsoft Entra ID authentication, and Azure-issued certificate authentication.
- OpenVPN (TLS over port 443) is the P2S tunnel type that works across Windows, macOS, Linux, iOS, and Android, making it the cross-platform choice with certificate auth.
- Customer or provider edge routers must establish BGP sessions with Microsoft over ExpressRoute; monitor ExpressRoute BGP availability to confirm session health.
Domain 2: Design and Implement Core Networking Infrastructure
- Azure reserves 5 addresses in every subnet (network address, default gateway, two for Azure DNS mapping, broadcast), so a /24 yields 251 usable and a /23 yields 507 usable addresses.
- A /21 CIDR provides 2,048 total addresses (2,043 usable after Azure reserves 5), the smallest block that meets a 2,000-host requirement.
- VNet peering automatically updates route tables in both VNets for layer-3 connectivity; no additional routing configuration is needed, but NSGs still apply.
- VNet peering is non-transitive: VNet-A peered to B and B peered to C does not allow A-to-C; you need a direct peering or a transit gateway/NVA (hub-and-spoke).
- Global VNet peering connects VNets across Azure regions with private-IP, full-bandwidth connectivity over the Microsoft backbone.
- For spoke VMs to reach on-premises via the hub gateway, enable 'Allow gateway transit' on the hub-side peering and 'Use remote gateways' on the spoke-side peering.
- Azure Private DNS zones require a virtual network link to each VNet that needs to resolve records in the zone; without the link, resolution fails.
- With auto-registration enabled on a Private DNS zone link, an A record (and PTR) is created automatically for each VM in the linked VNet.
- Azure DNS Private Resolver uses an inbound endpoint (in a delegated subnet) to receive queries from on-premises, paired with a conditional forwarder on the on-premises DNS server pointing to that inbound endpoint IP.
- Alias record sets let you point an apex/zone domain (contoso.com) directly at Azure resources like Front Door, Traffic Manager, or a public IP; A records map names to IPv4 addresses.
- NS records delegate a DNS zone to authoritative name servers; they are required when delegating a subdomain or the zone itself.
- Standard SKU public IPs are static by default, support availability zones, and are the SKU required for zone-redundant and Standard Load Balancer scenarios.
- Subnet delegation hands a subnet over to a specific Azure service (such as App Service VNet integration or SQL Managed Instance) so the service can inject its resources.
- Azure Application Gateway WAF_v2 tier adds Web Application Firewall protection plus autoscaling; Azure Front Door provides global HTTP/HTTPS load balancing with WAF and instant failover, while Traffic Manager does DNS-based global routing.
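The subnet math above, worked as an added Python example (not part of this guide or of any Microsoft tooling): it computes usable hosts with Azure's 5 reserved addresses, picks the smallest prefix for a host count, and carves a VNet address space into dedicated subnets at their minimum sizes plus one subnet per workload. The address space, workload sizes and subnet names in the sample are constructed.

```python
import ipaddress

# Azure reserves 5 addresses per subnet: network address, default gateway,
# two for Azure DNS, and broadcast.
AZURE_RESERVED = 5

# Dedicated subnets with the minimum or recommended prefix lengths from the guide.
DEDICATED_SUBNETS = {
    "GatewaySubnet": 27,
    "RouteServerSubnet": 27,
    "AzureFirewallSubnet": 26,
    "AzureBastionSubnet": 26,
}


def usable_hosts(prefix_len):
    """Usable addresses in an Azure subnet of the given prefix length."""
    return 2 ** (32 - prefix_len) - AZURE_RESERVED


def smallest_prefix_for(hosts):
    """Longest prefix (smallest block) whose usable count still covers `hosts`.
    Azure's smallest allowed subnet is /29."""
    for prefix_len in range(29, 7, -1):
        if usable_hosts(prefix_len) >= hosts:
            return prefix_len
    raise ValueError(f"{hosts} hosts do not fit in one subnet")


def plan_vnet(address_space, workloads, dedicated=()):
    """Carve `address_space` into subnets: dedicated subnets at their minimum
    size and one subnet per workload sized from its host count. Largest blocks
    are allocated first so the remaining space does not fragment."""
    pool = [ipaddress.ip_network(address_space)]
    wanted = [(name, DEDICATED_SUBNETS[name]) for name in dedicated]
    wanted += [(name, smallest_prefix_for(n)) for name, n in workloads.items()]
    plan = {}
    for name, prefix_len in sorted(wanted, key=lambda w: w[1]):
        pool.sort()  # lowest free block first keeps the layout contiguous
        block = next((b for b in pool if b.prefixlen <= prefix_len), None)
        if block is None:
            raise ValueError(f"no room left for {name} (/{prefix_len})")
        pool.remove(block)
        chosen = next(block.subnets(new_prefix=prefix_len))
        pool.extend(block.address_exclude(chosen))  # hand back the leftovers
        plan[name] = str(chosen)
    return plan


if __name__ == "__main__":
    # Constructed sample: a /16 VNet hosting web, app and data tiers plus three dedicated subnets.
    layout = plan_vnet("10.1.0.0/16", {"web": 50, "app": 200, "data": 2000},
                       dedicated=("GatewaySubnet", "AzureFirewallSubnet", "AzureBastionSubnet"))
    for name, cidr in layout.items():
        print(f"{name:20} {cidr:18} usable={usable_hosts(int(cidr.split('/')[1]))}")
```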
Domain 3: Design and Implement Routing
- A user-defined route (UDR) with next hop set to an NVA's private IP forces subnet traffic through the appliance; UDRs are the primary mechanism to steer traffic.
- An NVA must have IP forwarding enabled on its Azure NIC to forward (route) packets between subnets or networks.
- Azure route selection is longest-prefix-match first; when prefix lengths tie, priority is UDR > BGP > system routes.
- A 0.0.0.0/0 UDR pointing to an NVA sends all traffic leaving the subnet (including internet-bound) to the NVA unless a more specific route exists.
- If a UDR next hop points to a virtual appliance that is unavailable or to a target that cannot deliver, the traffic is dropped silently.
- To force internet egress through Azure Firewall, associate a route table with a 0.0.0.0/0 route whose next hop is the firewall's private IP.
- Azure Route Server must be deployed in a dedicated subnet named exactly RouteServerSubnet sized /27 or larger, and it uses a fixed ASN of 65515.
- Route Server enables dynamic route exchange between NVAs and the VNet/gateway via BGP, programming NVA-learned routes into the VNet system routes and reducing the need for static UDRs.
- BGP peering requires the peer BGP IP address and the BGP ASN to be configured consistently on both ends of the connection.
- For spoke-to-spoke traffic through a hub firewall with Route Server, the NVA must advertise the spoke prefixes back to the Route Server via BGP, and branch-to-branch must be enabled for branch transit.
- Disabling BGP route propagation on a subnet route table prevents gateway-learned on-premises routes from being added, commonly used together with a 0.0.0.0/0 UDR to force traffic through an NVA.
- Valid next-hop types for a UDR include Virtual network gateway, Virtual appliance, Virtual network, Internet, and None (None drops the traffic).
- To force gateway/on-premises traffic through an NVA, associate a route table with the GatewaySubnet containing a UDR for the on-premises prefixes pointing to the NVA.
- Route Server with branch-to-branch lets it exchange routes between an NVA and the VPN Gateway, enabling transit between branches and the NVA-connected networks.
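The route selection rules above, modelled as an added Python example (not from this guide or from Azure's own implementation): longest prefix match first, then UDR > BGP > system, with a None next hop dropping traffic and disabled BGP propagation removing gateway-learned routes. The spoke route table, the NVA address 10.0.1.4 and the prefixes are constructed sample values.

```python
import ipaddress

# Tie-break order when prefix lengths are equal: UDR beats BGP beats system routes.
SOURCE_PRIORITY = {"UDR": 0, "BGP": 1, "System": 2}


def effective_routes(routes, bgp_propagation=True):
    """Routes the subnet actually sees: disabling BGP route propagation on the
    route table removes every gateway-learned (BGP) route."""
    return [r for r in routes if bgp_propagation or r["source"] != "BGP"]


def select_route(destination, routes, bgp_propagation=True):
    """Pick the route Azure uses for `destination`: longest prefix match first,
    then source priority. Returns None when nothing matches."""
    dest = ipaddress.ip_address(destination)
    matches = [r for r in effective_routes(routes, bgp_propagation)
               if dest in ipaddress.ip_network(r["prefix"])]
    if not matches:
        return None
    return min(matches, key=lambda r: (-ipaddress.ip_network(r["prefix"]).prefixlen,
                                       SOURCE_PRIORITY[r["source"]]))


def next_hop_for(destination, routes, bgp_propagation=True):
    """Resolve the winning route to its next hop; a next hop of None (or no
    matching route at all) means the packet is silently dropped."""
    route = select_route(destination, routes, bgp_propagation)
    if route is None or route["next_hop"] == "None":
        return "dropped"
    return route["next_hop"]


# Constructed effective routes for a spoke subnet behind a hub NVA at 10.0.1.4.
SPOKE_ROUTES = [
    {"prefix": "10.0.0.0/16", "source": "System", "next_hop": "VirtualNetwork"},
    {"prefix": "0.0.0.0/0", "source": "System", "next_hop": "Internet"},
    {"prefix": "192.168.0.0/16", "source": "BGP", "next_hop": "VirtualNetworkGateway"},
    {"prefix": "0.0.0.0/0", "source": "UDR", "next_hop": "VirtualAppliance 10.0.1.4"},
    {"prefix": "192.168.0.0/16", "source": "UDR", "next_hop": "VirtualAppliance 10.0.1.4"},
    {"prefix": "10.0.99.0/24", "source": "UDR", "next_hop": "None"},  # deliberate black hole
]

if __name__ == "__main__":
    for dst in ("10.0.2.7", "8.8.8.8", "192.168.5.1", "10.0.99.9"):
        print(f"{dst:14} -> {next_hop_for(dst, SPOKE_ROUTES)}")
```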
Domain 4: Secure and Monitor Networks
- NSGs are applied at the subnet or NIC level; to allow inbound HTTP, create an allow rule for TCP port 80 with source set to the Internet service tag.
- Azure Firewall must be deployed in a dedicated subnet named exactly AzureFirewallSubnet, with a recommended minimum size of /26 to allow autoscale.
- Azure Firewall rule processing order is DNAT rules first, then network rules, then application rules.
- Azure Firewall application rules filter outbound traffic by target FQDN; network rules handle layer-4 IP/port; NAT rules provide inbound DNAT.
- Azure Firewall Premium supports TLS inspection for outbound traffic, allowing the firewall to decrypt and inspect HTTPS payloads.
- Azure Web Application Firewall (WAF) operates at layer 7 to protect web apps from OWASP Top 10 threats like SQL injection and XSS, integrated with Application Gateway or Front Door.
- DDoS Network Protection adds adaptive tuning, attack analytics, per-resource metrics, alerting, and cost protection with a financial SLA on top of the always-on platform protection.
- Azure Firewall Manager centrally manages firewall policies and security across multiple firewalls, hubs, and Virtual WAN deployments.
- Network Watcher Connection troubleshoot tests one-time reachability between a source and destination IP/port; Connection monitor provides continuous, ongoing connectivity monitoring with metrics and alerts.
- IP flow verify checks whether a packet is allowed or denied to/from a VM and names the NSG rule responsible; NSG diagnostics help analyze effective rules.
- Packet capture in Network Watcher records traffic on a VM for deep inspection, storing captures in a storage account or local file.
- NSG flow logs require a configured storage account, and traffic analytics additionally requires a Log Analytics workspace to visualize and analyze the logs.
- When evaluating overlapping NSG rules, rules are processed by priority (lowest number first), and the first matching rule wins, so a lower-numbered allow rule (e.g., Rule 100) takes precedence.
- Service tags (such as Internet, AzureLoadBalancer, VirtualNetwork) represent groups of IP prefixes and simplify NSG and firewall rule creation by removing the need to maintain explicit IP ranges.
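NSG evaluation as an added Python model (not this guide's or Network Watcher's code): rules are walked by ascending priority including Azure's default inbound rules, the first match wins, and the function reports the responsible rule the way IP flow verify does. The service-tag prefixes are constructed samples, not Azure's published ranges, and Internet is simplified to "any address not in another tag".

```python
import ipaddress

# Constructed service-tag prefixes (Azure's real tags are published ranges).
SERVICE_TAGS = {
    "VirtualNetwork": ["10.0.0.0/16", "192.168.0.0/16"],
    "AzureLoadBalancer": ["168.63.129.16/32"],
}

# Azure's default inbound rules, always present at priorities 65000-65500.
DEFAULT_INBOUND = [
    {"name": "AllowVnetInBound", "priority": 65000, "source": "VirtualNetwork", "port": "*", "access": "Allow"},
    {"name": "AllowAzureLoadBalancerInBound", "priority": 65001, "source": "AzureLoadBalancer", "port": "*", "access": "Allow"},
    {"name": "DenyAllInBound", "priority": 65500, "source": "*", "port": "*", "access": "Deny"},
]


def source_matches(rule_source, src_ip):
    """Match a rule source (tag, CIDR or '*') against a source address."""
    ip = ipaddress.ip_address(src_ip)
    if rule_source == "*":
        return True
    if rule_source == "Internet":  # simplification: anything outside the other tags
        return not any(source_matches(tag, src_ip) for tag in SERVICE_TAGS)
    prefixes = SERVICE_TAGS.get(rule_source, [rule_source])
    return any(ip in ipaddress.ip_network(p) for p in prefixes)


def port_matches(rule_port, port):
    """Match '*', a single port or an 'lo-hi' range."""
    if rule_port == "*":
        return True
    if "-" in rule_port:
        lo, hi = (int(x) for x in rule_port.split("-"))
        return lo <= port <= hi
    return int(rule_port) == port


def ip_flow_verify(custom_rules, src_ip, dst_port):
    """Inbound TCP decision: lowest priority number first, first match wins.
    Returns (access, rule name); DenyAllInBound guarantees a match."""
    for rule in sorted(custom_rules + DEFAULT_INBOUND, key=lambda r: r["priority"]):
        if source_matches(rule["source"], src_ip) and port_matches(rule["port"], dst_port):
            return rule["access"], rule["name"]
    return "Deny", "<no matching rule>"


# Constructed rules for a web subnet: HTTP from the Internet, RDP only from a jump host.
WEB_NSG = [
    {"name": "Allow-HTTP-Internet", "priority": 100, "source": "Internet", "port": "80", "access": "Allow"},
    {"name": "Deny-RDP-Internet", "priority": 200, "source": "Internet", "port": "3389", "access": "Deny"},
    {"name": "Allow-RDP-JumpHost", "priority": 300, "source": "10.0.5.4/32", "port": "3389", "access": "Allow"},
]
```

Note that a VNet-internal source on port 3389 that matches none of the custom rules is still allowed by the default AllowVnetInBound rule; an explicit deny is needed to close that.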
Domain 5: Design and Implement Private Access to Azure Services
- A private endpoint projects a PaaS service into your VNet as a NIC with a private IP, so traffic to services like Azure SQL or storage stays off the public internet.
- Service endpoints keep traffic on the Azure backbone and present the subnet/VNet identity to the service's firewall, but the service is still reached over its public endpoint, unlike private endpoints which assign a private IP.
- Creating a private endpoint does not automatically disable the service's public endpoint; you must explicitly disable public network access (e.g., on the storage account) to block public access.
- For a service's public FQDN to resolve to the private endpoint IP, create the corresponding privatelink Private DNS zone (e.g., privatelink.database.windows.net or privatelink.blob.core.windows.net), link it to the VNet, and integrate the private endpoint with it.
- Private endpoints are reachable from peered VNets, globally peered VNets, and on-premises networks connected via VPN or ExpressRoute.
- Azure Private Link service lets you publish your own service privately: place VMs behind a Standard Load Balancer, then create a Private Link service linked to that load balancer's frontend.
- Private endpoint network policies (network security group/route table support on the private endpoint subnet) must be enabled to apply NSGs or UDRs to private endpoint traffic.
- App Service VNet integration gives the app a NIC in a delegated subnet for outbound access to VNet resources; to route all outbound traffic through the VNet, enable the VNET_ROUTE_ALL (Route All) setting.
- To restrict a storage account to a subnet, configure a Microsoft.Storage service endpoint on the subnet and add a matching VNet rule in the storage account firewall.
- Azure Bastion requires a dedicated subnet named exactly AzureBastionSubnet with a /26 minimum prefix; all Bastion SKUs let you connect to VMs using only their private IP.
- Bastion Standard SKU adds features beyond Basic such as host scaling, native client support, IP-based connections, and shareable links.
- A service endpoint adds an optimized route in the subnet route table that sends traffic directly to the PaaS service over the Azure backbone.
- DNS Private Resolver bidirectional resolution uses an inbound endpoint to receive on-premises queries and an outbound endpoint with forwarding rules to forward queries to on-premises DNS servers.
- Subnet service-endpoint policies control which specific service resources (for example, particular storage accounts) can be reached from the subnet over service endpoints, preventing data exfiltration to rogue accounts.
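The private endpoint DNS behaviour above (privatelink zone, VNet link, CNAME from the public FQDN) as an added Python model; this is not the guide's or Azure's code, and the storage account name, VNet names and IP addresses are constructed. It also shows the gotcha that a linked private zone is authoritative for its namespace, so a resource without a record in it returns NXDOMAIN instead of falling back to public DNS.

```python
# Public DNS as Azure publishes it once a private endpoint exists: the service
# FQDN is a CNAME to the privatelink name, which publicly still has a public IP.
PUBLIC_DNS = {
    "mystorage.blob.core.windows.net": ("CNAME", "mystorage.privatelink.blob.core.windows.net"),
    "mystorage.privatelink.blob.core.windows.net": ("A", "20.60.1.1"),
}

# Private DNS zones, their records and the VNets they are linked to (constructed).
PRIVATE_ZONES = {
    "privatelink.blob.core.windows.net": {
        "records": {"mystorage": ("A", "10.0.2.5")},  # private endpoint NIC IP
        "links": {"vnet-hub", "vnet-spoke1"},
    },
}


def privatelink_zone_for(fqdn):
    """Zone name for the two services named in the guide (blob storage and
    Azure SQL): drop the resource label and prepend 'privatelink.'.
    Other services use different zone names; this is a simplification."""
    _, _, suffix = fqdn.partition(".")
    return "privatelink." + suffix


def resolve(fqdn, vnet=None, max_hops=8):
    """Resolve like Azure-provided DNS from inside `vnet` (None = outside Azure):
    names under a private zone linked to the VNet are answered only from that zone,
    everything else from public DNS; CNAME chains are followed."""
    for _ in range(max_hops):
        zone = next((z for z in PRIVATE_ZONES if fqdn.endswith("." + z)), None)
        if zone and vnet in PRIVATE_ZONES[zone]["links"]:
            label = fqdn[: -len(zone) - 1]
            record = PRIVATE_ZONES[zone]["records"].get(label)
            if record is None:
                return None  # NXDOMAIN: the linked zone is authoritative, no public fallback
        else:
            record = PUBLIC_DNS.get(fqdn)
            if record is None:
                return None
        rtype, value = record
        if rtype == "A":
            return value
        fqdn = value  # CNAME: keep chasing
    return None


if __name__ == "__main__":
    for vnet in ("vnet-hub", "vnet-spoke2", None):
        print(f"{str(vnet):12} -> {resolve('mystorage.blob.core.windows.net', vnet)}")
```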
AZ-700 exam tips
- Memorize the dedicated subnet names and minimum sizes that the exam loves to test: GatewaySubnet, RouteServerSubnet (/27, ASN 65515), AzureFirewallSubnet (/26), and AzureBastionSubnet (/26).
- For routing questions, apply the rule order every time: longest prefix match first, then source priority UDR > BGP > system route; many questions hinge on this tie-breaker.
- Practice subnet math knowing Azure reserves 5 IPs per subnet (so /24 = 251 usable, /23 = 507 usable); the exam often asks for the smallest CIDR meeting a host count.
- Clearly distinguish service endpoints (subnet identity, public endpoint, backbone route) from private endpoints (private IP NIC, private DNS zone needed) - the difference drives many Private Link answers.
- Match the diagnostic tool to the symptom: IP flow verify for NSG allow/deny, Connection troubleshoot for one-time reachability, Connection monitor for continuous monitoring, and Packet capture for deep traffic analysis.
Study guide FAQ
How many questions are on the AZ-700 and what score do I need to pass?
The exam typically presents 40-60 questions and you must score 700 out of 1000 to pass. You have 120 minutes, which includes time for case studies and multi-part scenario items.
What is the difference between a service endpoint and a private endpoint?
A service endpoint keeps traffic on the Azure backbone and presents your subnet's identity to the PaaS service firewall, but you still reach the service via its public endpoint. A private endpoint projects the service into your VNet as a NIC with a private IP, requiring a privatelink Private DNS zone, and lets you fully disable public access.
When should I choose ExpressRoute over a VPN Gateway?
Choose ExpressRoute when you need a dedicated, private connection that bypasses the public internet with consistent latency and bandwidth (and SLA-backed). Use a site-to-site VPN Gateway for lower-cost, internet-based connectivity, or as a failover path behind ExpressRoute. Global Reach links on-premises sites to each other through the Microsoft backbone.
How does Azure decide which route wins when multiple routes match?
Azure first selects the route with the longest prefix match (most specific). If prefix lengths are equal, it falls back to source priority: user-defined routes beat BGP-learned routes, which beat default system routes. A UDR next hop of None, or pointing to an unavailable appliance, causes traffic to be dropped silently.