🚀 Launch Special: $29/mo for life --d --h --m --s Claim Your Price →
AZ-700
AZ-700 Microsoft Azure

Network Engineer

The Azure Network Engineer Associate (AZ-700) course teaches candidates how to design, implement, and manage hybrid and core Azure networking, covering routing, security, and private access to services.

120
Minutes
50
Questions
700/1000
Passing Score
$165
Exam Cost
7
Languages

Who Should Take This

It is intended for IT professionals such as network engineers, system administrators, or solutions architects who have hands‑on experience with Azure infrastructure and seek to validate their expertise at the associate level. Learners aim to master hybrid connectivity, routing, security, and private service access to advance their careers and support enterprise cloud deployments.

What's Covered

1 Implementing VPN Gateway, ExpressRoute, Virtual WAN, and hybrid DNS solutions for connecting on-premises networks to Azure.
2 Designing virtual networks, subnets, IP addressing, Azure DNS, and network peering across subscriptions and regions.
3 Configuring user-defined routes, Azure Route Server, BGP, and traffic routing with Azure Load Balancer, Application Gateway, and Azure Front Door.
4 Implementing NSGs, Azure Firewall, Azure DDoS Protection, Network Watcher, and monitoring network performance and connectivity.
5 Configuring private endpoints, Private Link services, service endpoints, and App Service VNet integration for secure private connectivity.

Exam Structure

Question Types

  • Multiple Choice
  • Multiple Response
  • Case Studies
  • Labs

Scoring Method

Scaled score 100-1000, passing score 700

Delivery Method

Proctored exam, 40-60 questions, 100 minutes

Prerequisites

None required. AZ-104 recommended.

Recertification

Renew annually via free Microsoft Learn renewal assessment

What's Included in AccelaStudy® AI

Adaptive Knowledge Graph
Practice Questions
Lesson Modules
Console Simulator Labs
Exam Tips & Strategy
20 Activity Formats

Course Outline

74 learning goals
1 Domain 1: Design, Implement, and Manage Hybrid Networking
2 topics

Design, implement, and manage VPN connectivity

  • Identify Azure VPN Gateway SKUs, generations, and their throughput, tunnel, and connection limits and describe when to select each SKU for site-to-site and point-to-site VPN scenarios.
  • Describe the components of a site-to-site VPN connection including local network gateways, connection objects, shared keys, and IPsec/IKE policy parameters and identify point-to-site VPN authentication methods including certificate-based, Entra ID, and RADIUS authentication.
  • Configure a site-to-site VPN connection by creating a VPN Gateway, defining local network gateway address spaces, establishing the connection object, and verifying tunnel establishment and data flow.
  • Configure a point-to-site VPN connection by selecting the authentication method, configuring the address pool, generating and distributing client certificates, and validating remote client connectivity.
  • Implement an active-active VPN Gateway deployment by provisioning two public IP addresses, configuring BGP peering with on-premises devices, and verifying failover behavior for high-availability scenarios.
  • Analyze VPN connectivity scenarios and evaluate the tradeoffs among VPN Gateway SKUs, active-active versus active-passive configurations, and policy-based versus route-based gateways to recommend the optimal VPN design for given availability and throughput requirements.

Design, implement, and manage Azure ExpressRoute

  • Identify ExpressRoute connectivity models including CloudExchange co-location, point-to-point Ethernet, any-to-any IPVPN, and ExpressRoute Direct and describe their bandwidth tiers and redundancy characteristics.
  • Describe ExpressRoute peering types including Azure private peering and Microsoft peering, their routing domain scopes, and the role of route filters in controlling advertised prefixes.
  • Identify ExpressRoute Global Reach, FastPath, and encryption capabilities and describe how each feature extends or enhances standard ExpressRoute circuit functionality.
  • Provision an ExpressRoute circuit by selecting a connectivity provider, configuring the circuit SKU and bandwidth, establishing private peering, and linking the circuit to a virtual network gateway.
  • Configure ExpressRoute Global Reach to enable direct connectivity between on-premises sites through ExpressRoute circuits and verify cross-site traffic flow without traversing the public internet.
  • Configure ExpressRoute FastPath to bypass the virtual network gateway for improved data-path performance and enable MACsec encryption on ExpressRoute Direct ports for link-layer security.
  • Evaluate ExpressRoute design decisions by comparing connectivity models, analyzing bandwidth and redundancy requirements, and recommending circuit configurations including Global Reach and FastPath for multi-site enterprise hybrid architectures.
2 Domain 2: Design and Implement Core Networking Infrastructure
4 topics

Design and implement private IP addressing

  • Identify Azure Virtual Network address space concepts including CIDR notation, subnet delegation, reserved addresses per subnet, and the constraints of overlapping address spaces across peered networks.
  • Design an IP addressing plan for a multi-VNet environment by allocating non-overlapping CIDR blocks, sizing subnets for workload requirements, and reserving address space for future growth and gateway subnets.
  • Configure delegated subnets for Azure services including Azure SQL Managed Instance, Azure App Service, and Azure Container Instances and manage subnet service associations and network intent policies.
  • Evaluate IP addressing designs by analyzing address space utilization, identifying potential conflicts in hub-spoke or mesh topologies, and recommending CIDR allocation strategies that balance efficiency with future scalability.

Design and implement name resolution

  • Identify Azure DNS zone types including public and private DNS zones, describe DNS record types, TTL settings, and alias record sets, and explain DNS forwarding and conditional forwarder configurations for hybrid name resolution scenarios.
  • Configure Azure Private DNS zones by creating zones, linking them to virtual networks with auto-registration, and managing DNS records for internal service discovery across peered VNets.
  • Implement DNS forwarding using Azure DNS Private Resolver by configuring inbound and outbound endpoints, creating forwarding rulesets, and establishing conditional forwarding rules for hybrid DNS resolution.
  • Analyze hybrid DNS resolution scenarios and evaluate the tradeoffs among Azure-provided DNS, custom DNS servers, Azure DNS Private Resolver, and conditional forwarding to recommend a name resolution architecture for multi-site hybrid environments.

Design and implement cross-VNet connectivity

  • Identify VNet peering types including regional and global peering, describe peering properties such as traffic forwarding, gateway transit, and non-transitivity, and explain hub-spoke topology components including the role of NVAs or Azure Firewall for inter-spoke traffic routing.
  • Configure VNet peering between virtual networks by establishing bidirectional peering links, enabling gateway transit on the hub, and configuring remote gateway usage on spoke networks for hybrid connectivity.
  • Implement a hub-spoke topology by deploying the hub VNet with a VPN or ExpressRoute gateway, peering spoke VNets with gateway transit, and configuring user-defined routes for spoke-to-spoke communication through the hub.
  • Evaluate cross-VNet connectivity designs by comparing VNet peering, hub-spoke topologies, and Azure Virtual WAN architectures and recommending the optimal approach based on scale, transit routing requirements, and operational complexity.

Design and implement an Azure Virtual Network Gateway

  • Identify Virtual Network Gateway types including VPN Gateway and ExpressRoute Gateway and describe gateway subnet requirements, SKU capabilities, and zone-redundant deployment options.
  • Deploy a VPN Gateway by creating a gateway subnet, provisioning the gateway with the appropriate SKU, assigning public IP addresses, and configuring forced tunneling for internet-bound traffic redirection to on-premises.
  • Deploy an ExpressRoute Gateway by creating a gateway subnet, provisioning the gateway, and linking it to an ExpressRoute circuit for private connectivity to on-premises networks.
  • Assess Virtual Network Gateway deployment scenarios and determine the appropriate gateway type, SKU, and redundancy configuration based on connectivity requirements, bandwidth needs, and service-level objectives.
3 Domain 3: Design and Implement Routing
4 topics

Design and implement Azure Route Server

  • Identify Azure Route Server capabilities including dynamic route injection, BGP peering with network virtual appliances, and the role of Route Server in simplifying NVA integration with Azure routing.
  • Deploy Azure Route Server by provisioning it in a dedicated subnet, establishing BGP peering sessions with NVAs, and enabling branch-to-branch routing for transit scenarios.
  • Configure BGP peering between Azure Route Server and third-party NVAs by specifying ASN values, peer IP addresses, and verifying learned and advertised routes for dynamic route propagation.
  • Evaluate Azure Route Server deployment scenarios and determine when Route Server simplifies NVA routing compared to static UDR management, considering BGP convergence behavior and multi-NVA failover patterns.

Design and implement user-defined routes

  • Identify Azure routing concepts including system routes, default routes, user-defined routes, BGP route propagation, and the route selection priority order that determines next-hop behavior for subnet traffic.
  • Create and associate route tables with subnets, define user-defined routes with next-hop types including virtual appliance, virtual network gateway, and internet, and configure BGP route propagation settings.
  • Implement NVA routing by configuring UDRs to direct traffic through a network virtual appliance, enabling IP forwarding on the NVA NIC, and validating end-to-end traffic flow through the NVA.
  • Troubleshoot routing issues by analyzing effective routes on a NIC, identifying route conflicts between system routes and UDRs, and determining the impact of BGP route propagation on subnet traffic paths.

Design and implement Azure ExpressRoute routing

  • Describe ExpressRoute routing requirements including BGP community tags, route advertisement behavior for private and Microsoft peering, and the impact of AS path prepending on route preference.
  • Configure ExpressRoute route filters to control which Microsoft 365 and Azure PaaS service prefixes are advertised over Microsoft peering and validate the filtered route table.
  • Implement ExpressRoute circuit peering configurations for both private and Microsoft peering by defining primary and secondary subnets, VLAN IDs, and peer ASN values.
  • Analyze ExpressRoute routing scenarios and evaluate route preference manipulation using BGP attributes, local preference, and AS path prepending to optimize traffic flow across multiple ExpressRoute circuits and peering locations.

Design and implement Azure Virtual WAN

  • Identify Azure Virtual WAN components including virtual WAN resource, virtual hubs, hub connections, VPN sites, and ExpressRoute circuits, describe the differences between Basic and Standard tiers, and explain hub route tables, route associations, and route propagation concepts.
  • Deploy an Azure Virtual WAN with a virtual hub by connecting VNet connections, configuring VPN site connections, and establishing ExpressRoute circuit associations for a unified hybrid network.
  • Configure Virtual WAN custom routing by creating custom route tables, defining route associations and propagations, and implementing routing intent policies to control traffic flow between branches, VNets, and the internet.
  • Implement a secured virtual hub by integrating Azure Firewall or a supported third-party security provider within the Virtual WAN hub and configuring routing intent for internet and private traffic inspection.
  • Evaluate Virtual WAN architectures by comparing hub-spoke with VNet peering against Virtual WAN topologies, analyzing routing complexity, transit scenarios, and operational overhead to recommend the optimal approach for large-scale multi-region hybrid networks.
4 Domain 4: Secure and Monitor Networks
4 topics

Design, implement, and manage Azure Firewall

  • Identify Azure Firewall SKUs including Standard and Premium, describe their features such as application rules, network rules, DNAT rules, threat intelligence, TLS inspection, and IDPS, and explain Azure Firewall Manager capabilities for centralized policy management and hierarchical policy inheritance.
  • Deploy Azure Firewall in a hub VNet by creating the firewall subnet, provisioning the firewall instance, configuring DNAT rules for inbound access, network rules for east-west filtering, and application rules for outbound FQDN-based control.
  • Configure Azure Firewall policies using Firewall Manager by creating policy hierarchies, defining rule collection groups with priority ordering, and associating policies with firewall instances across hub VNets and secured virtual hubs.
  • Implement Azure Firewall SNAT and DNAT configurations by defining destination NAT rules for publishing internal services, configuring source NAT behavior for outbound traffic, and managing public IP address assignments.
  • Analyze Azure Firewall deployment scenarios and evaluate the tradeoffs among Azure Firewall Standard, Premium, and third-party NVAs considering TLS inspection, IDPS, cost, throughput, and centralized policy management requirements.

Implement network security groups and application security groups

  • Identify NSG rule components including priority, source, destination, protocol, port ranges, direction, and action, describe how default rules, augmented rules, and service tags control traffic, and explain how application security groups enable role-based NIC grouping for simplified rule definitions.
  • Configure NSG rules by creating inbound and outbound security rules using service tags, ASG references, and IP address ranges and associate NSGs with subnets and NICs for layered traffic filtering.
  • Configure NSG flow logs by enabling flow logging on NSGs, directing logs to a storage account, and using Traffic Analytics to visualize and analyze network traffic patterns and security events.
  • Troubleshoot NSG-related connectivity issues by analyzing effective security rules, correlating flow log data with denied traffic, and determining the correct rule priority and scope adjustments to resolve blocking conditions.

Design and implement Azure DDoS Protection

  • Identify Azure DDoS Protection tiers including DDoS Network Protection and DDoS IP Protection and describe the mitigation capabilities, cost model, and reporting features of each tier.
  • Configure Azure DDoS Protection by enabling a DDoS protection plan on virtual networks, associating public IP resources, and setting up diagnostic logging and alert notifications for attack detection.
  • Evaluate DDoS protection strategies by comparing DDoS Network Protection and DDoS IP Protection tiers and recommending the appropriate tier based on the number of protected resources, cost constraints, and required mitigation reporting.

Monitor networks using Azure Network Watcher and Azure Monitor

  • Identify Azure Network Watcher tools including IP flow verify, next hop, connection troubleshoot, packet capture, connection monitor, and topology and describe how each tool diagnoses specific network issues.
  • Use Network Watcher diagnostic tools to verify IP flow rules, trace next-hop routing decisions, capture packets for analysis, and monitor connection reachability for troubleshooting network connectivity problems.
  • Configure Azure Monitor for network insights by creating metric alerts for VPN Gateway, ExpressRoute, and Azure Firewall, setting up diagnostic settings, and building network monitoring dashboards.
  • Analyze network monitoring data to diagnose performance degradation, identify routing anomalies, and correlate Network Watcher diagnostics with Azure Monitor metrics to determine root causes of hybrid connectivity issues.
5 Domain 5: Design and Implement Private Access to Azure Services
3 topics

Design and implement Azure Private Link and private endpoints

  • Identify Azure Private Link and private endpoint concepts including the Private Link service, private endpoint NIC, private IP assignment, and the DNS resolution requirements for redirecting traffic from public to private endpoints.
  • Describe private endpoint approval workflows including auto-approval and manual approval modes and explain how Private Link service providers control consumer access to their services.
  • Create private endpoints for Azure PaaS services by selecting the target resource, configuring the private endpoint in a VNet subnet, and integrating with Azure Private DNS zones for automatic DNS record registration.
  • Configure Private Link service to expose a custom service behind Azure Standard Load Balancer by creating the Private Link service resource, configuring NAT IP settings, and managing consumer connection approvals.
  • Implement private endpoint DNS integration for hybrid environments by configuring DNS forwarding from on-premises DNS servers to Azure Private DNS zones through a DNS forwarder or Azure DNS Private Resolver.
  • Evaluate private endpoint architectures by analyzing DNS resolution flows, assessing the impact of disabling public access on PaaS services, and recommending Private Link configurations that balance security isolation with operational accessibility for hybrid workloads.

Design and implement service endpoints

  • Identify VNet service endpoint concepts including how service endpoints optimize routing to Azure PaaS services, the supported services, and the differences between service endpoints and private endpoints.
  • Configure VNet service endpoints on subnets and create service endpoint policies to restrict data exfiltration by limiting PaaS resource access to specific Azure Storage accounts or service instances.
  • Compare service endpoints and private endpoints by analyzing their network path behavior, DNS resolution, cross-region support, cost implications, and security posture to recommend the appropriate approach for securing access to Azure PaaS services.

Design and implement Azure App Service and compute VNet integration

  • Identify Azure App Service VNet integration options including regional VNet integration and gateway-required VNet integration and describe how each option enables outbound connectivity from App Service to VNet resources.
  • Configure regional VNet integration for an App Service by selecting a delegated subnet, enabling route-all traffic, and verifying that the App Service can reach private resources including databases and storage accounts within the VNet.
  • Evaluate App Service VNet integration designs by comparing regional integration and gateway-required integration options and analyzing their implications for subnet sizing, routing behavior, and connectivity to on-premises resources through VPN or ExpressRoute gateways.

Hands-On Labs

20 labs ~379 min total Console Simulator

Practice in a simulated cloud console or Python code sandbox — no account needed. Each lab runs entirely in your browser.

Certification Benefits

Salary Impact

$135,000
Average Salary

Related Job Roles

Network Engineer Cloud Network Architect Azure Network Administrator Infrastructure Engineer

Industry Recognition

Microsoft Azure certifications are among the most valued in enterprise IT, with Microsoft holding the second-largest cloud market share globally and serving as the dominant platform in enterprise and hybrid cloud environments.

Scope

Included Topics

  • All domains and task statements in the Microsoft Azure Network Engineer Associate (AZ-700) certification exam guide: Domain 1 Design, Implement, and Manage Hybrid Networking (20-25%), Domain 2 Design and Implement Core Networking Infrastructure (20-25%), Domain 3 Design and Implement Routing (25-30%), Domain 4 Secure and Monitor Networks (15-20%), and Domain 5 Design and Implement Private Access to Azure Services (10-15%).
  • Associate-level networking design, implementation, and management skills for Azure hybrid and cloud-native network architectures including VPN Gateway, ExpressRoute, Virtual Networks, peering, Azure Virtual WAN, route tables, Azure Firewall, NSGs, DDoS Protection, Private Link, and service endpoints.
  • Service-selection and configuration reasoning for common network engineering scenarios requiring hands-on provisioning, deployment, management, and troubleshooting of Azure networking resources.
  • Key Azure networking services: Virtual Network, VPN Gateway, ExpressRoute, Azure Virtual WAN, Azure Firewall, Azure Firewall Manager, Network Security Groups, Application Security Groups, Azure DDoS Protection, Azure Private Link, Azure Private DNS, Azure DNS, Azure Route Server, Azure Load Balancer, Azure Application Gateway, Azure Front Door, Azure Traffic Manager, Network Watcher, Azure Monitor for Networks.

Not Covered

  • Implementation detail depth expected only for Microsoft Azure expert-level certifications such as Azure Solutions Architect Expert (AZ-305) or Azure Cybersecurity Architect Expert (SC-100).
  • Low-level scripting and automation with ARM templates, Bicep, Terraform, or Azure PowerShell beyond basic networking provisioning operations.
  • Current pricing, promotional discounts, and region-specific cost values that change frequently over time.
  • Azure services and features not emphasized by the AZ-700 exam guide, including advanced application delivery controllers, third-party NVA vendor-specific configurations, and detailed BGP route optimization beyond exam scope.
  • Azure AD (Entra ID) identity management, Conditional Access policies, and governance topics covered by identity-focused certifications (SC-300, AZ-104 identity sections).

Official Exam Page

Learn more at Microsoft Azure

Visit

Ready to master AZ-700?

Adaptive learning that maps your knowledge and closes your gaps.

Subscribe to Access

Trademark Notice

Microsoft and Azure are registered trademarks of Microsoft Corporation. Microsoft does not endorse this product.

AccelaStudy® and Renkara® are registered trademarks of Renkara Media Group, Inc. All third-party marks are the property of their respective owners and are used for nominative identification only.