AZ-700 Study Guide 2026: Complete Azure Network Engineer Exam Prep
Everything you need to pass the AZ-700 Azure Network Engineer Associate exam — all domains, a study plan, hands-on lab strategy, and what shows up on test day.
Quick Summary
- • AZ-700 is an Associate-level exam with 40–60 questions, 120 minutes, 700/1000 passing score
- • Covers 6 domains spanning core networking, hybrid connectivity, load balancing, security, monitoring, and private access
- • Highly practical exam requiring significant hands-on Azure networking experience
- • Exam cost: $165 USD
What is the AZ-700 Exam?
AZ-700 is the Microsoft Azure Network Engineer Associate certification. It validates that you can plan, implement, and manage Azure networking solutions including hybrid network connectivity, load balancing, network security, private access, and network monitoring.
Passing AZ-700 earns the Microsoft Certified: Azure Network Engineer Associate credential. It is the specialist networking certification in the Azure certification path, sitting naturally above AZ-104 for those who want deep networking expertise in Azure environments.
AZ-700 is a highly technical exam. It expects deep understanding of IP addressing, routing, BGP, ExpressRoute, Virtual WAN, and Azure networking service interactions. Candidates with traditional networking backgrounds (CCNA, CompTIA Network+) find the networking concepts familiar, but Azure-specific implementations require dedicated study time.
| Detail | Information |
|---|---|
| Exam Code | AZ-700 |
| Credential Earned | Azure Network Engineer Associate |
| Number of Questions | 40–60 questions |
| Time Limit | 120 minutes |
| Passing Score | 700 out of 1000 |
| Exam Price | $165 USD |
| Exam Level | Associate |
| Prerequisites | None (AZ-104 experience strongly recommended) |
AZ-700 Exam Domains & Weightings
AZ-700 spans six technical domains. Core networking infrastructure and private access are the two largest areas.
Domain 1: Design and Implement Core Networking Infrastructure
20–25%- • Virtual Networks (VNets) — address space planning, subnets, custom DNS, service endpoints
- • VNet Peering — local and global peering, hub-and-spoke topology, transit routing
- • Public IP addresses — SKUs (Basic/Standard), allocation methods, IP prefixes
- • Azure DNS — public zones, private zones, conditional forwarders, split-brain DNS
- • Azure Virtual Network Manager — network groups, configuration deployments at scale
- • Cross-subscription and cross-tenant VNet peering scenarios
Domain 2: Design and Implement Hybrid Networking
10–15%- • VPN Gateway — SKUs, site-to-site VPN, point-to-site VPN, VNet-to-VNet
- • VPN tunnel types — IKEv2, OpenVPN, SSTP for P2S connections
- • BGP with VPN Gateway — AS numbers, BGP peering, route advertisement
- • Azure Virtual WAN — standard vs. basic, hubs, branch connectivity
- • High availability for VPN — active-active gateways, zone-redundant gateways
Domain 3: Design and Implement Azure ExpressRoute
10–15%- • ExpressRoute circuits — SKUs, peering types (private, Microsoft), circuit redundancy
- • ExpressRoute connectivity models — CloudExchange colocation, point-to-point Ethernet, any-to-any (IPVPN)
- • ExpressRoute Global Reach — connecting on-premises sites via ExpressRoute
- • ExpressRoute FastPath — bypass gateway for high-bandwidth scenarios
- • ExpressRoute Direct — dedicated 10Gbps/100Gbps ports, Macsec encryption
- • Route filters for Microsoft peering — controlling BGP route advertisements
Study tip: Know the difference between private peering (Azure resources) and Microsoft peering (Microsoft 365/Azure PaaS public endpoints) — this is a frequent exam topic.
Domain 4: Load Balancing and Network Security
20–25%- • Azure Load Balancer — Standard vs. Basic SKU, frontend IP, backend pools, health probes, load balancing rules
- • Application Gateway — WAF, URL routing, SSL termination, autoscaling, zones
- • Azure Front Door — global load balancing, CDN, WAF, caching, private link origins
- • Azure Traffic Manager — DNS-based routing, routing methods (performance, priority, weighted, geographic)
- • Network Security Groups — inbound/outbound rules, ASGs, service tags, augmented security rules
- • Azure Firewall — DNAT, SNAT, network rules, application rules, policy hierarchy, Premium (IDPS, TLS)
- • Azure Web Application Firewall (WAF) — managed rule sets, custom rules, exclusions
- • DDoS Protection — DDoS Network Protection vs. IP Protection, mitigation policies
Study tip: Master the load balancer selection decision tree: regional vs. global, L4 vs. L7, HTTP(S) vs. any protocol. This appears in scenario questions constantly.
Domain 5: Monitor and Troubleshoot Network Resources
10–15%- • Azure Network Watcher — Connection Monitor, packet capture, IP flow verify, NSG flow logs
- • Network Performance Monitor (replaced by Connection Monitor)
- • VPN Gateway diagnostics — troubleshooting S2S and P2S connection failures
- • Azure Monitor for networking — metrics, alerts, diagnostic settings for network resources
- • Traffic Analytics — analyzing NSG flow logs, identifying patterns
Domain 6: Design and Implement Private Access to Azure Services
15–20%- • Azure Private Endpoint — private IP access to PaaS services, DNS integration
- • Azure Private Link Service — expose your own service via Private Link
- • Service Endpoints — VNet routing to Azure PaaS (vs. Private Endpoint comparison)
- • Private DNS zones for Private Endpoints — auto-registration, DNS resolver integration
- • Azure DNS Private Resolver — inbound/outbound endpoints, forwarding rulesets
- • Virtual Network Service Endpoint policies
Study tip: Private Endpoint vs. Service Endpoint questions are common. Private Endpoint uses a private IP inside your VNet; Service Endpoint extends VNet identity to the service without a private IP.
Ready to test yourself?
Try 40 Free AZ-700 Practice Questions
Scenario-based questions with detailed explanations. No credit card required.
Start Free Practice →How Hard is AZ-700?
AZ-700 is widely considered one of the most technically demanding Associate-level Azure exams. The depth of networking knowledge required — including BGP routing, ExpressRoute circuit types, and complex DNS scenarios — goes well beyond what AZ-104 covers. Candidates with a strong traditional networking background (CCNA level or above) combined with Azure hands-on experience perform best.
Why candidates fail AZ-700
- • Weak on ExpressRoute: Many candidates skip ExpressRoute in study because it seems niche — it's 10–15% of the exam
- • Load balancer selection errors: Confusing which load balancer to use in scenarios (L4 vs. L7, global vs. regional) is the most common source of lost marks
- • Private Endpoint vs. Service Endpoint confusion: These have subtle but critical differences that are heavily tested
- • DNS complexity: Azure DNS, private DNS zones, and DNS Private Resolver interactions are more complex than most candidates expect
6-Week AZ-700 Study Plan
This plan assumes 1.5–2 hours per day with hands-on lab time. A paid Azure subscription is needed for some advanced networking labs (VPN Gateway, ExpressRoute circuits).
Week 1: Core Networking Infrastructure
- Days 1–2: VNet design — address space planning, subnets, peering, hub-and-spoke topology
- Days 3–4: Azure DNS — public zones, private zones, split-brain DNS, conditional forwarders
- Days 5–6: Azure DNS Private Resolver — inbound/outbound endpoints, forwarding rulesets
- Day 7: Lab — create hub-and-spoke VNet topology with global peering and private DNS
Week 2: Hybrid Networking & ExpressRoute
- Days 1–2: VPN Gateway — SKUs, S2S VPN, P2S VPN (IKEv2/OpenVPN/SSTP), active-active
- Days 3–4: Azure Virtual WAN — hub types, branch connections, routing intents
- Days 5–6: ExpressRoute — circuit SKUs, private vs. Microsoft peering, Global Reach, FastPath, Direct
- Day 7: ExpressRoute practice questions — routing scenarios, peering type selection
Week 3: Load Balancing
- Days 1–2: Azure Load Balancer Standard — frontend IPs, backend pools, rules, health probes, outbound rules
- Days 3–4: Application Gateway — WAF, URL routing, SSL termination, autoscaling, zones
- Days 5–6: Azure Front Door and Traffic Manager — routing methods, global load balancing scenarios
- Day 7: Load balancer selection drill — practice choosing the right load balancer for 20 scenarios
Week 4: Network Security
- Days 1–2: NSGs — rule evaluation, service tags, ASGs, flow logs
- Days 3–4: Azure Firewall — DNAT/SNAT/network/application rules, Firewall Policy, Premium IDPS
- Days 5–6: DDoS Protection — protection tiers, mitigation flow, metrics and alerts
- Day 7: Lab — configure Azure Firewall with Firewall Policy and test traffic flow
Week 5: Private Access & Monitoring
- Days 1–2: Private Endpoint — create for storage/SQL/KeyVault, configure private DNS zone integration
- Days 3–4: Private Link Service — expose custom service, service consumer/provider model
- Days 5–6: Network Watcher — Connection Monitor, IP flow verify, packet capture, NSG flow logs, Traffic Analytics
- Day 7: Private Endpoint vs. Service Endpoint drill + monitoring practice questions
Week 6: Mock Exams & Review
- Days 1–2: Review load balancing and ExpressRoute — highest-impact weak areas for most candidates
- Day 3: Full 120-minute timed mock exam
- Days 4–5: Targeted review of any domain below 70%
- Day 6: Second full mock exam — aim for 80%+
- Day 7: Light review only. Book exam if consistently 80%+.
Best AZ-700 Study Resources
1. Microsoft Learn AZ-700 Learning Path (Free)
The official learning path is comprehensive and includes hands-on sandbox labs for VNet peering, DNS configuration, Load Balancer, and Application Gateway. Complete every exercise — the labs build the mental models you need for scenario-based exam questions.
2. John Savill's AZ-700 Study Cram (YouTube)
Savill's networking content is exceptionally deep — especially his coverage of ExpressRoute peering types, VPN Gateway BGP configuration, and Virtual WAN routing. His whiteboard-style explanations of routing scenarios are invaluable for the exam's more complex topology questions.
3. MSCertQuiz Practice Tests
500 AZ-700 practice questions covering all six domains with detailed explanations. Particularly strong on load balancer selection scenarios, Private Endpoint vs. Service Endpoint, and ExpressRoute peering configurations — the areas where most candidates lose the most marks.
Start free AZ-700 practice →4. Azure Networking Documentation
For deep-dive topics like ExpressRoute circuit configuration, VPN Gateway BGP, and DNS Private Resolver, the official Azure documentation is the authoritative source. The architecture diagrams in each service's overview article are particularly useful for exam preparation.
AZ-700 Exam Day Tips
Do
- • For load balancer questions: identify scope (global/regional) first, then protocol (HTTP/any), then choose the right service
- • For ExpressRoute questions: identify peering type (private = VNet resources, Microsoft = M365/PaaS public endpoints)
- • For Private Access questions: Private Endpoint = private IP in VNet; Service Endpoint = VNet routing without private IP
- • Draw topology mentally before answering complex routing scenarios
Don't
- • Don't confuse Azure Firewall (stateful, centralized) with NSGs (stateless-evaluated, per-subnet/NIC)
- • Don't forget that Basic Load Balancer is being retired — always prefer Standard in new deployments
- • Don't ignore Virtual WAN — it appears more frequently in recent exam versions
- • Don't rush routing scenario questions — these require careful reading of the entire topology described
Ready to Practice AZ-700?
500 scenario-based questions across all 6 domains. Practice mode with explanations + timed exam simulation.
Start Free Practice →Related Resources
AZ-104 Study Guide 2026
AZ-104 covers Azure networking fundamentals — a strong foundation before AZ-700.
AZ-900 vs AZ-104: Certification Path
Understand the Azure certification path — AZ-700 fits after AZ-104 for networking specialists.
Top Microsoft Certifications 2026
See where AZ-700 ranks among the most in-demand Microsoft certifications this year.
Is AZ-104 Worth It in 2026?
Career impact analysis for the Azure Administrator cert — the most common AZ-700 prerequisite.
Frequently Asked Questions
Do I need AZ-104 before AZ-700?
AZ-104 is not a prerequisite, but the networking content in AZ-104 (Domain 4) covers many foundational concepts needed for AZ-700. If you have completed AZ-104 or have equivalent Azure networking experience, you have the right foundation. Candidates without any Azure networking background should consider completing AZ-104 first.
Is AZ-700 harder than AZ-104?
For networking specialists, AZ-700 is more focused but just as technically deep. For general cloud administrators, AZ-700 is harder because networking depth exceeds what most admins deal with day-to-day. If you enjoy networking and have traditional network engineering experience, you may find AZ-700 more approachable than AZ-104.
Do I need a real Azure subscription for AZ-700 labs?
Some labs require a paid subscription — particularly VPN Gateway (billed per hour), ExpressRoute (which requires a circuit, though you can study concepts without one), and Azure Firewall. Most VNet, DNS, and NSG labs work on a free account with $200 credit. Budget approximately $30–50 for gateway-related labs if needed.
What comes after AZ-700?
AZ-700 is a strong complement to AZ-104 and sets you up for expert-level certifications like AZ-305 (Azure Solutions Architect Expert). For security depth, AZ-500 (Azure Security Engineer) builds on the networking security concepts in AZ-700. Together, AZ-104 + AZ-700 + AZ-305 is a common pathway to Azure Solutions Architect Expert.