Free AZ-700 Practice Questions with Detailed Explanations

Test your Azure network engineering readiness with 25 free practice questions covering VNets, hybrid connectivity, routing, and network security.

20 min read
Updated April 2026
AZ-700 Associate

The AZ-700 (Designing and Implementing Microsoft Azure Networking Solutions) exam targets network engineers who design, implement, and maintain Azure networking infrastructure. Expect scenario-heavy questions requiring you to choose the right networking service, troubleshoot connectivity, and design secure, scalable network architectures.

These 25 questions cover the toughest areas — VNet peering, ExpressRoute vs VPN decisions, Azure Firewall vs NSGs, Private Endpoints vs Service Endpoints, and routing troubleshooting. Check out our AZ-700 study guide for the full exam breakdown.

What You'll Get:

  • 25 scenario-based questions across all AZ-700 domains
  • Architecture decision questions — exactly like the real exam
  • Detailed explanations for every answer option
  • Scoring guide to assess your readiness

What These Questions Cover

  • Core Networking (8 questions): VNets, subnets, peering, DNS, load balancing
  • Hybrid & Routing (9 questions): VPN Gateway, ExpressRoute, UDR, BGP
  • Security & Private Access (8 questions): Azure Firewall, NSG, Private Endpoint, WAF

📝 Practice Test Instructions

  • Each question has ONE correct answer
  • Many questions involve service selection; know the key differentiators
  • Note your answers before scrolling to the answer key
  • Aim to complete all 25 questions in 25 minutes
🌐 Core Azure Networking

Questions 1–8

Question 1: VNet Peering vs VPN Gateway

You have two VNets in the same Azure region: VNet-A (10.0.0.0/16) and VNet-B (10.1.0.0/16). VMs in each VNet need to communicate privately with low latency and high bandwidth. Both VNets belong to the same subscription.

What is the BEST solution for inter-VNet connectivity?

A) VNet peering
B) VPN Gateway with VNet-to-VNet connection
C) Azure ExpressRoute
D) Azure Virtual WAN
Question 2: VNet Address Space

You are designing a VNet for a new workload in Azure East US. The on-premises network uses the 10.0.0.0/8 address space. You need the Azure VNet to avoid overlap and support up to 500 VMs.

Which address space should you assign to the Azure VNet?

A) 10.5.0.0/16
B) 172.16.0.0/16
C) 192.168.1.0/24
D) 10.0.0.0/16
Question 3: Azure DNS

Your VMs in Azure need to resolve each other by hostname (e.g., vm1.contoso.internal). You also want VMs to automatically register their DNS records when they are created, without deploying DNS servers.

Which Azure service should you use?

A) Azure DNS public zones
B) Deploy a Windows Server DNS on a VM
C) Azure Private DNS zones linked to the VNet with auto-registration
D) Azure DNS Private Resolver
Question 4: Azure Load Balancer vs Application Gateway

Your web application runs on 5 Azure VMs behind a load balancer. You need to distribute HTTPS traffic based on URL path (/api/* goes to one backend pool, /images/* to another). You also need SSL termination.

Which service should you use?

A) Azure Load Balancer Standard
B) Azure Front Door
C) Azure Traffic Manager
D) Azure Application Gateway with path-based routing
Question 5: Azure Bastion

Your security policy prohibits exposing RDP (3389) and SSH (22) ports on any Azure VM to the internet via public IPs. Administrators must still be able to remotely manage VMs securely via a browser.

Which Azure service meets this requirement?

A) Azure Bastion
B) Azure VPN Gateway with point-to-site VPN
C) Just-in-time VM access via Defender for Cloud
D) Azure Virtual Desktop
Question 6: Network Security Groups

You have a subnet with 10 VMs hosting a web application. You need to allow inbound HTTPS (443) from the internet but block all other inbound traffic. Outbound traffic should be unrestricted.

What is the MINIMUM configuration to achieve this with an NSG?

A) Create an inbound allow rule for port 443 (priority 100) and an inbound deny rule for all other traffic (priority 4096)
B) Create an inbound allow rule for port 443 only — the default deny rule blocks everything else
C) Create an inbound allow rule for port 443 and explicitly allow ports 80 and 8080 as well
D) Create an NSG on each VM NIC and on the subnet
Question 7: Service Endpoints vs Private Endpoints

VMs in your Azure VNet need to access Azure Storage without traffic traversing the internet. You need the storage account to ONLY be accessible from your specific VNet and NOT from other Azure VNets or the internet.

Which approach provides the most restrictive access control?

A) Azure Service Endpoint on the subnet
B) Storage account firewall with a VNet rule
C) Azure Private Endpoint for the storage account
D) Service Endpoint with a storage account network rule
Question 8: Azure Front Door

Your global web application is deployed in Azure East US and West Europe. You need to route users to the closest healthy region, perform SSL offload, and apply WAF policies to protect against OWASP threats.

Which Azure service provides all of these capabilities?

A) Azure Traffic Manager + Azure Application Gateway
B) Azure Virtual WAN with routing intent
C) Azure Load Balancer + Azure CDN
D) Azure Front Door Standard/Premium
🔗 Hybrid Connectivity & Routing

Questions 9–17

Question 9: VPN Gateway vs ExpressRoute

Your organization is connecting an on-premises datacenter to Azure. The requirements are: 10 Gbps dedicated bandwidth, sub-10ms latency, traffic must not traverse the public internet, and a guaranteed SLA of 99.95%.

Which connectivity option meets ALL requirements?

A) Azure ExpressRoute with a dedicated circuit
B) Azure VPN Gateway with VpnGw5 SKU
C) Azure Virtual WAN with SD-WAN integration
D) Site-to-site VPN over the internet with IPsec
Question 10: ExpressRoute Redundancy

You have an ExpressRoute circuit connecting your on-premises network to Azure. Your SLA requires no single point of failure for this connectivity. You want the HIGHEST availability design.

What is the recommended redundancy configuration?

A) A single ExpressRoute circuit, relying on its built-in primary and secondary connections to two Microsoft edge routers in one peering location
B) Two ExpressRoute circuits to two different peering locations with two edge routers on-premises
C) One ExpressRoute circuit plus a site-to-site VPN as backup
D) Two ExpressRoute circuits to the same peering location
Question 11: VPN Gateway SKU

You need to establish a site-to-site VPN between Azure and an on-premises location. The required throughput is up to 500 Mbps. You also need to support BGP for dynamic routing.

Which VPN Gateway SKU meets the minimum requirements?

A) Basic
B) VpnGw3
C) VpnGw1
D) VpnGw5AZ
Question 12: User-Defined Routes

Your VNet has a subnet with VMs and a hub-spoke topology. All traffic from the spoke VMs destined for the internet must be routed through an Azure Firewall in the hub VNet (10.0.0.0/16, firewall at 10.0.1.4). By default, spoke VMs use the system route to the internet directly.

What do you need to configure to force internet traffic through the Azure Firewall?

A) A BGP route advertisement from the firewall
B) Configure Azure Virtual WAN routing policies
C) An NSG outbound deny rule for internet traffic
D) A User-Defined Route (UDR) table with a 0.0.0.0/0 route pointing to the firewall's private IP, associated with the spoke subnet
Question 13: BGP with VPN Gateway

Your organization has multiple branch offices that all need VPN connections to Azure. You want Azure to dynamically learn routes from each branch and automatically propagate changes without manual route updates when new subnets are added to branches.

What must you enable on the Azure VPN Gateway?

A) BGP on the VPN Gateway and on each on-premises VPN device
B) Static routing on each VPN connection
C) ExpressRoute route filter policies
D) Azure Virtual WAN dynamic routing
Question 14: Hub-Spoke Topology

You are designing a hub-spoke network. Spoke VNets need to communicate with each other through the hub VNet where a firewall resides. By default, spoke VNets peered to the hub cannot route traffic to each other.

What must you configure to enable spoke-to-spoke communication through the hub firewall?

A) Peer all spoke VNets directly with each other
B) Enable "Allow forwarded traffic" on the hub-spoke peerings, then add UDRs in each spoke for the other spokes' address spaces pointing to the hub firewall
C) Enable VNet peering between all spoke pairs
D) Deploy Azure Virtual WAN instead of a manual hub-spoke
Question 15: Azure Virtual WAN

Your organization has 30 branch offices, 5 Azure regions, and needs to provide optimized routing between all sites. Managing individual VPN connections and route tables is becoming too complex. You want a Microsoft-managed solution that simplifies this at scale.

Which Azure service is purpose-built for this use case?

A) Multiple hub VNets with VPN Gateways
B) Azure ExpressRoute Global Reach
C) Azure Virtual WAN
D) Azure Traffic Manager
Question 16: Point-to-Site VPN

Remote employees need secure access to Azure VNet resources without connecting to a site-to-site VPN. Each user authenticates with their Microsoft Entra ID credentials and the connection is established from their laptop.

Which VPN Gateway configuration supports this?

A) Site-to-site IKEv2 VPN
B) Azure Bastion with native client
C) ExpressRoute with private peering
D) Point-to-site VPN with Microsoft Entra ID authentication
Question 17: Route Troubleshooting

A VM in Azure cannot reach a specific on-premises subnet (192.168.50.0/24) over an existing VPN connection. Other on-premises subnets are reachable. The VPN connection shows as Connected.

What is the FIRST tool you should use to troubleshoot why the specific subnet is unreachable?

A) Use Network Watcher — Next hop to check the effective routes for the VM's NIC
B) Check the NSG flow logs for the VM's subnet
C) Review the VPN Gateway BGP route table
D) Run a packet capture on the VPN Gateway
🔒 Network Security & Private Access

Questions 18–25

Question 18: Azure Firewall vs NSG

You need to control outbound internet traffic from Azure VMs with FQDN-based rules (e.g., allow *.microsoft.com but deny all other internet destinations). NSG rules only support IP addresses, not FQDNs.

Which Azure service supports FQDN-based outbound filtering?

A) Network Security Group with service tags
B) Azure Firewall with application rules
C) Azure Application Gateway with WAF
D) Web Application Firewall policy on a Load Balancer
Question 19: Azure Firewall Premium

Your security team requires TLS inspection of encrypted HTTPS traffic passing through the Azure Firewall to detect malware and data exfiltration in encrypted streams. Standard Azure Firewall cannot inspect TLS payloads.

Which Azure Firewall tier supports TLS inspection?

A) Azure Firewall Standard
B) Azure Application Gateway WAF_v2
C) Azure Firewall Premium
D) Azure DDoS Protection Standard
Question 20: Private Endpoint

You have an Azure SQL Database that must be accessible only from VMs in your VNet. No traffic should leave your VNet boundary. The SQL database should get a private IP address within your VNet's address space.

What should you configure?

A) Azure SQL firewall rule allowing the VNet subnet
B) VNet integration for the Azure SQL Database
C) Service Endpoint for Azure SQL on the subnet
D) Private Endpoint for the Azure SQL Database
Question 21: DDoS Protection

Your company hosts a public-facing web application in Azure with a public IP address. You need protection against volumetric DDoS attacks (layer 3/4) with adaptive tuning specific to your application's traffic patterns, plus access to DDoS rapid response experts during an attack.

Which DDoS protection plan provides these capabilities?

A) Azure DDoS Network Protection (formerly Standard) with DDoS Rapid Response
B) Azure DDoS infrastructure protection (formerly Basic), included free with Azure
C) Azure Application Gateway WAF for DDoS
D) Azure Front Door with WAF policy
Question 22: Network Watcher

You suspect traffic between two VMs is being blocked by an NSG rule, but you have multiple NSGs applied at both the subnet and NIC levels. You need to quickly identify which specific NSG rule is blocking the traffic without reading every rule manually.

Which Network Watcher feature should you use?

A) Network Watcher — Packet capture
B) Network Watcher — IP flow verify
C) Network Watcher — NSG flow logs
D) Network Watcher — Connection troubleshoot
Question 23: Azure DNS Private Resolver

Your organization has an on-premises DNS server that must resolve Azure private DNS zone names (e.g., privatelink.database.windows.net) for on-premises clients. On-premises clients must be able to resolve these names without deploying any VMs in Azure.

Which solution enables on-premises DNS resolution of Azure private zones without VMs?

A) Azure Private DNS zone with auto-registration
B) Deploy a DNS forwarder VM in the Azure VNet
C) Azure DNS Private Resolver with an inbound endpoint
D) Use Azure Firewall DNS proxy
Question 24: ExpressRoute Monitoring

You need to continuously monitor the performance (latency, packet loss) of your ExpressRoute circuit from on-premises to Azure. You also want alerts when performance degrades below your SLA thresholds.

Which Azure service provides ExpressRoute performance monitoring?

A) Azure Monitor metrics for the ExpressRoute circuit
B) Network Performance Monitor ExpressRoute Monitor (retired Log Analytics solution)
C) Azure Traffic Analytics
D) Azure Network Watcher Connection Monitor
Question 25: WAF Policy

Your e-commerce application behind Azure Application Gateway is experiencing SQL injection and cross-site scripting attacks. You want to block these attacks using OWASP ruleset version 3.2 without writing custom rules.

What should you configure?

A) A WAF policy in Prevention mode with OWASP Core Rule Set 3.2 associated with the Application Gateway
B) An NSG rule blocking suspicious IP addresses
C) Azure Firewall Premium with TLS inspection
D) Azure DDoS Network Protection

✋ Stop Here Before Scrolling!

Have you answered all 25 questions? Complete the test before checking the answers below.

Pro tip: Draw network diagrams while answering architecture questions — it helps on the real exam too

📝 Answer Key with Detailed Explanations

Review each explanation carefully, even for questions you answered correctly

Quick Answer Reference

Q1 A | Q2 B | Q3 C | Q4 D | Q5 A
Q6 B | Q7 C | Q8 D | Q9 A | Q10 B
Q11 C | Q12 D | Q13 A | Q14 B | Q15 C
Q16 D | Q17 A | Q18 B | Q19 C | Q20 D
Q21 A | Q22 B | Q23 C | Q24 D | Q25 A
Question 1: VNet Peering vs VPN Gateway

✓ Correct Answer: A) VNet peering

Why this is correct:

VNet peering is the best option for same-region, same-subscription VNet connectivity. It uses the Azure backbone network (no public internet), provides the lowest latency (sub-millisecond), highest bandwidth, and is the simplest to configure. There is no throughput limitation beyond the VM NIC limits.

Why other answers are incorrect:

B: VNet-to-VNet VPN goes through a VPN Gateway, which adds latency and throughput limits (max 10 Gbps for highest SKU) — worse than peering for same-region connectivity.
C: ExpressRoute is for on-premises to Azure connectivity — not between Azure VNets.
D: Virtual WAN is for large-scale branch and multi-region scenarios — overkill for two VNets in the same region.

💡 Key Concept:

VNet Peering: same or different regions, same or different subscriptions, same or different tenants (cross-tenant peering requires explicit configuration). Traffic stays on Azure backbone — never traverses internet.

Question 2: VNet Address Space

✓ Correct Answer: B) 172.16.0.0/16

Why this is correct:

/16 provides 65,536 addresses — more than enough for 500 VMs with room for subnets, gateway subnets, and Azure-reserved IPs. 172.16.0.0/16 does not overlap with the on-premises 10.0.0.0/8 space, avoiding routing conflicts.

Why other answers are incorrect:

A: 10.5.0.0/16 is within the 10.0.0.0/8 range used on-premises — it would cause routing conflicts.
C: A /24 has 256 addresses, and after Azure's 5 reserved addresses only 251 are usable; that is insufficient for 500 VMs, let alone additional subnets.
D: 10.0.0.0/16 directly overlaps with on-premises 10.x.x.x addresses.

💡 Key Concept:

Private address ranges (RFC 1918): 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16. Azure reserves 5 IPs in every subnet: the first address (network), the second (default gateway), the third and fourth (Azure DNS), and the last address of the subnet (broadcast). A /24 subnet therefore has 251 usable addresses, and a single subnet for 500 VMs needs at least a /23.
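Added example (not part of the original page): a short Python script that applies the two checks this question hinges on, overlap with the on-premises range and room for the VMs once Azure's reserved addresses are subtracted. The ranges are the ones from the question; the function names are this example's own.

```python
# Added example (not from the page): check candidate VNet ranges against the
# on-premises address space and size subnets with Azure's five reserved IPs.
# All ranges below are constructed for illustration.
import ipaddress
import math

AZURE_RESERVED_PER_SUBNET = 5   # network, default gateway, two Azure DNS, broadcast


def overlaps(candidate, existing):
    """True if `candidate` overlaps any range already in use (on-prem or other VNets)."""
    cand = ipaddress.ip_network(candidate)
    return any(cand.overlaps(ipaddress.ip_network(used)) for used in existing)


def usable_hosts(subnet):
    """Addresses a VM can actually take in an Azure subnet of this size."""
    net = ipaddress.ip_network(subnet)
    return max(net.num_addresses - AZURE_RESERVED_PER_SUBNET, 0)


def min_prefix_for_hosts(hosts):
    """Longest prefix (smallest subnet) whose usable count still covers `hosts`."""
    needed = hosts + AZURE_RESERVED_PER_SUBNET
    return 32 - math.ceil(math.log2(needed))


def choose_vnet_space(candidates, existing, hosts):
    """First candidate that avoids overlap and has room for `hosts` VMs plus reserved IPs."""
    for cand in candidates:
        if overlaps(cand, existing):
            continue
        if usable_hosts(cand) < hosts:
            continue
        return cand
    return None


if __name__ == "__main__":
    onprem = ["10.0.0.0/8"]   # constructed on-premises space from the question
    options = ["10.5.0.0/16", "172.16.0.0/16", "192.168.1.0/24", "10.0.0.0/16"]
    print(choose_vnet_space(options, onprem, 500))   # 172.16.0.0/16
    print(min_prefix_for_hosts(500))                  # 23 (a /23 gives 507 usable addresses)
```

Run it with the list of ranges you already use (on-premises, other VNets, partner networks) as `existing`; overlap is the error that is hardest to fix after the fact, because you cannot change a VNet's address space while it is peered.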

Question 3: Azure DNS

✓ Correct Answer: C) Azure Private DNS zones linked to the VNet with auto-registration

Why this is correct:

Azure Private DNS zones provide internal hostname resolution for resources in your VNet. When linked to a VNet with auto-registration enabled, VMs automatically register their names and IPs when created. No DNS server VMs are needed — fully managed by Azure.

Why other answers are incorrect:

A: Public DNS zones are for internet-resolvable hostnames — not private internal names.
B: DNS VMs work but add management overhead, cost, and availability requirements — private DNS zones are the cloud-native solution.
D: Azure DNS Private Resolver is for resolving Azure private zones from on-premises or forwarding queries between VNets — not the primary registration service.

💡 Key Concept:

Private DNS zone link settings: a registration-enabled link makes VMs in that VNet auto-register their hostname and IP in the zone; a resolution-only link lets the VNet query the zone without registering. A VNet can have a registration-enabled link to only one private zone, while a zone can accept registration links from many VNets.

Question 4: Application Gateway

✓ Correct Answer: D) Azure Application Gateway with path-based routing

Why this is correct:

Application Gateway is a layer 7 load balancer that supports URL path-based routing, SSL/TLS termination, cookie-based session affinity, and WebSocket support. Path-based routing allows different backend pools for different URL paths (/api/* → pool1, /images/* → pool2).

Why other answers are incorrect:

A: Azure Load Balancer is layer 4 — it distributes based on IP/port, not URL paths. No SSL termination.
B: Front Door does support path-based routing but is designed for global multi-region apps — for a single-region app with path routing, Application Gateway is the right choice.
C: Traffic Manager is DNS-based load balancing across regions — not for path-based routing within a region.

💡 Key Concept:

Load balancing decision: Layer 4 regional = Azure Load Balancer. Layer 7 regional = Application Gateway. Global DNS = Traffic Manager. Global layer 7 with CDN = Azure Front Door.

Question 5: Azure Bastion

✓ Correct Answer: A) Azure Bastion

Why this is correct:

Azure Bastion provides browser-based RDP and SSH to VMs via TLS 443, completely eliminating the need to expose port 3389 or 22 on VMs. It's deployed in a dedicated subnet (AzureBastionSubnet) and provides a secure management gateway.

Why other answers are incorrect:

B: Point-to-site VPN puts the administrator on the VNet and does avoid public RDP/SSH exposure, but it needs a VPN client on every admin machine and offers no browser-based session; the scenario asks for management via a browser.
C: JIT access dynamically opens ports only for authorized IPs — but the question requires no port exposure at all.
D: Azure Virtual Desktop provides a full desktop experience in a browser — not just remote management access to VMs.

💡 Key Concept:

Azure Bastion SKUs: Basic (browser-based RDP/SSH), Standard (adds native client support, IP-based connections, shareable links and manual scaling), Premium (adds session recording and private-only deployment); a free Developer SKU exists for dev/test. Deployed in a dedicated AzureBastionSubnet of /26 or larger.

Question 6: NSG Rules

✓ Correct Answer: B) Create an inbound allow rule for port 443 only — the default deny rule blocks everything else

Why this is correct:

NSGs have a default inbound rule "DenyAllInbound" with priority 65500. This default rule blocks all inbound traffic not explicitly allowed. You only need to create the allow rule for port 443 — the default deny handles everything else.

Why other answers are incorrect:

A: Creating an explicit deny rule (priority 4096) is unnecessary because the default DenyAllInbound rule (priority 65500) already does this. Priority 4096 would still work but is redundant.
C: Ports 80 and 8080 are not required in the scenario — don't add unnecessary allow rules.
D: While you CAN have NSGs on both subnet and NIC, the minimum configuration is one NSG on the subnet.

💡 Key Concept:

NSG default rules (cannot be deleted): AllowVNetInBound (65000), AllowAzureLoadBalancerInBound (65001), DenyAllInbound (65500), AllowVNetOutBound (65000), AllowInternetOutBound (65001), DenyAllOutBound (65500).
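Added example (not part of the original page): a Python model of how Azure evaluates an NSG, which is also what Network Watcher IP flow verify (Question 22) reports. Rules are sorted by priority, the first match wins, and the six default rules are always appended; inbound traffic must pass the subnet NSG and then the NIC NSG. The VNet range, rule names and flows are constructed; the service-tag handling is a simplification (VirtualNetwork is treated as this VNet only, Internet as everything outside it).

```python
# Added example (not from the page): an NSG evaluator that applies rules the way
# Azure does, lowest priority number first, first match wins, with the six
# default rules always present. The VNet range and flows are constructed.
import ipaddress
from dataclasses import dataclass

VNET_SPACE = ipaddress.ip_network("10.0.0.0/16")          # constructed VNet address space
AZURE_LB_PROBE_IP = ipaddress.ip_address("168.63.129.16")  # source behind the AzureLoadBalancer tag


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int
    direction: str    # "Inbound" or "Outbound"
    access: str       # "Allow" or "Deny"
    protocol: str     # "Tcp", "Udp", "Icmp" or "*"
    source: str       # CIDR, "*" or a service tag
    destination: str  # CIDR, "*" or a service tag
    dest_port: str    # "443", "1000-2000" or "*"


# Azure's built-in rules: they sit at priority 65000+ and cannot be deleted.
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "*", "Internet", "*"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*", "*"),
]


def _addr_match(spec, ip):
    ip = ipaddress.ip_address(ip)
    if spec == "*":
        return True
    if spec == "VirtualNetwork":            # simplification: this VNet only, no peers or on-prem
        return ip in VNET_SPACE
    if spec == "Internet":                  # simplification: anything outside the VNet
        return ip not in VNET_SPACE
    if spec == "AzureLoadBalancer":
        return ip == AZURE_LB_PROBE_IP
    return ip in ipaddress.ip_network(spec)


def _port_match(spec, port):
    if spec == "*":
        return True
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)


def evaluate(nsg_rules, direction, protocol, src, dst, dst_port):
    """Return the first matching rule in priority order for one NSG."""
    candidates = [r for r in list(nsg_rules) + DEFAULT_RULES if r.direction == direction]
    for rule in sorted(candidates, key=lambda r: r.priority):
        if rule.protocol not in ("*", protocol):
            continue
        if (_addr_match(rule.source, src) and _addr_match(rule.destination, dst)
                and _port_match(rule.dest_port, dst_port)):
            return rule
    raise RuntimeError("unreachable: the DenyAll default rule matches everything")


def ip_flow_verify(subnet_nsg, nic_nsg, direction, protocol, src, dst, dst_port):
    """Mimic Network Watcher IP flow verify across both NSG layers.

    Inbound traffic is checked by the subnet NSG first, then the NIC NSG;
    outbound is the reverse. Both layers must allow. Returns
    (access, rule name, layer) for the decisive rule.
    """
    layers = [("subnet", subnet_nsg), ("nic", nic_nsg)]
    if direction == "Outbound":
        layers.reverse()
    verdict = ("Allow", "NoNsgAttached", "none")   # no NSG at all means everything passes
    for layer, rules in layers:
        if rules is None:
            continue
        rule = evaluate(rules, direction, protocol, src, dst, dst_port)
        verdict = (rule.access, rule.name, layer)
        if rule.access == "Deny":
            return verdict
    return verdict


# Constructed scenario from the question: one subnet NSG that only opens 443.
WEB_SUBNET_NSG = [Rule("Allow-HTTPS-In", 100, "Inbound", "Allow", "Tcp", "*", "*", "443")]

if __name__ == "__main__":
    for src, port in [("203.0.113.10", 443), ("203.0.113.10", 22), ("10.0.2.5", 22)]:
        print(src, port, ip_flow_verify(WEB_SUBNET_NSG, None, "Inbound", "Tcp", src, "10.0.1.4", port))
```

The third flow is the one worth noticing: with only the 443 rule, SSH from another VM in the same VNet is still allowed by AllowVnetInBound (priority 65000), so "block all other inbound traffic" holds for the internet but not for lateral movement inside the VNet. Add an explicit deny with a priority below 65000 if that matters to you.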

Question 7: Service vs Private Endpoints

✓ Correct Answer: C) Azure Private Endpoint for the storage account

Why this is correct:

Private Endpoint creates a private network interface in your VNet with a private IP from your subnet. The storage account gets a private IP in your VNet. You can then disable all public access and restrict the storage account network firewall to deny all — making it accessible ONLY via the private endpoint in your specific VNet.

Why other answers are incorrect:

A: Service Endpoints extend the VNet identity to the service but the storage account still has a public endpoint — it's optimized routing, not true private access.
B: Storage account firewall with VNet rule uses Service Endpoints behind the scenes — the storage account still has a public endpoint.
D: Same as B — service endpoint integration still uses public endpoints optimized for the VNet.

💡 Key Concept:

Private Endpoint = private IP in your VNet, public endpoint can be disabled, DNS resolution returns private IP. Service Endpoint = traffic optimized to Azure backbone, no private IP, public endpoint remains. Private Endpoint is more secure.

Question 8: Azure Front Door

✓ Correct Answer: D) Azure Front Door Standard/Premium

Why this is correct:

Azure Front Door is a global layer 7 CDN and load balancer that provides: anycast-based routing to the closest healthy origin (region), SSL/TLS offload at the edge, built-in WAF policy support, CDN caching, and health probe-based failover between origins. It handles all four requirements in one service.

Why other answers are incorrect:

A: Traffic Manager + Application Gateway works but is two services. Traffic Manager is DNS-based (not anycast), and Application Gateway WAF is regional — not global edge WAF.
B: Virtual WAN with routing intent is for network connectivity, not application delivery.
C: Load Balancer is layer 4 regional; CDN adds caching but not intelligent routing or WAF at the edge.

💡 Key Concept:

Front Door vs Traffic Manager: Front Door = layer 7 at Microsoft's edge (anycast), edge WAF, TLS offload, caching. Traffic Manager = DNS-based routing only; it answers the client's DNS query with an endpoint and never sees the traffic, so it cannot terminate TLS or apply a WAF. Use Front Door for HTTP(S) apps, Traffic Manager for non-HTTP global routing.

Question 9: VPN Gateway vs ExpressRoute

✓ Correct Answer: A) Azure ExpressRoute with a dedicated circuit

Why this is correct:

Only ExpressRoute meets all four requirements: 10 Gbps dedicated bandwidth (through a 10 Gbps provider circuit or ExpressRoute Direct), predictable sub-10ms latency on a private path, no public internet traversal (traffic flows over the connectivity provider and the Microsoft backbone via private peering), and a 99.95% availability SLA for the circuit.

Why other answers are incorrect:

B: VpnGw5 supports up to 10 Gbps aggregate but traverses the internet over IPsec — it can't guarantee sub-10ms latency or avoid the public internet.
C: Virtual WAN can use ExpressRoute circuits but the underlying connectivity still needs ExpressRoute — Virtual WAN is the topology, not the connectivity type.
D: Site-to-site VPN explicitly traverses the public internet — fails the "no internet" requirement.

💡 Key Concept:

ExpressRoute vs VPN decision criteria: High bandwidth (>1 Gbps) → ExpressRoute. No internet requirement → ExpressRoute. Predictable latency → ExpressRoute. Lower cost, internet OK → VPN Gateway.

Question 10: ExpressRoute Redundancy

✓ Correct Answer: B) Two ExpressRoute circuits to two different peering locations with two edge routers on-premises

Why this is correct:

Maximum availability requires eliminating every single point of failure: two separate ExpressRoute circuits (provider edge redundancy), connecting to two different peering locations (location redundancy, survives a facility outage), and two on-premises edge routers (customer edge redundancy). This is the Microsoft-recommended high availability design.

Why other answers are incorrect:

A: An ExpressRoute circuit always comes with a primary and a secondary connection to two Microsoft edge routers in the same peering location. That protects against a single router failure, but the circuit, its provider and the peering location remain single points of failure.
C: ExpressRoute + VPN backup is good (and many organizations use this) but not the HIGHEST availability design — VPN introduces internet dependency and lower SLA.
D: Two circuits at the same peering location doesn't protect against that location going down.

💡 Key Concept:

ExpressRoute availability zones: Zone-redundant ExpressRoute Gateways (ErGw1AZ, ErGw2AZ, ErGw3AZ) ensure the Azure gateway survives an AZ failure. Combine with dual circuits at different peering locations for end-to-end HA.

Question 11: VPN Gateway SKU

✓ Correct Answer: C) VpnGw1

Why this is correct:

VpnGw1 supports BGP and 650 Mbps of aggregate throughput, enough for the scenario's requirement. Basic is cheaper but has no BGP support, so VpnGw1 is the smallest SKU that satisfies both requirements.

Why other answers are incorrect:

A: The Basic SKU does not support BGP — it fails the BGP requirement regardless of throughput.
B: VpnGw3 supports up to 1.25 Gbps but is more expensive than needed for the stated requirements.
D: VpnGw5AZ is vastly more capable and expensive than needed — overkill for this requirement.

💡 Key Concept:

VPN Gateway SKU comparison (Generation 1): Basic = 100 Mbps, no BGP, no active-active. VpnGw1 = 650 Mbps, BGP, active-active. VpnGw2 = 1 Gbps. VpnGw3 = 1.25 Gbps. Generation 2 raises VpnGw2 to 1.25 Gbps and VpnGw3 to 2.5 Gbps, and adds VpnGw4 (5 Gbps) and VpnGw5 (10 Gbps). AZ variants add zone redundancy.

Question 12: User-Defined Routes

✓ Correct Answer: D) A User-Defined Route (UDR) table with a 0.0.0.0/0 route pointing to the firewall's private IP, associated with the spoke subnet

Why this is correct:

By default, Azure routes all traffic via system routes (0.0.0.0/0 → internet). To override this and force internet traffic through the Azure Firewall, you create a route table (UDR) with a 0.0.0.0/0 route pointing to the firewall's private IP as the next hop, then associate this route table with the spoke subnets.

Why other answers are incorrect:

A: BGP route advertisement is for dynamic routing protocols in VPN/ExpressRoute scenarios — it doesn't override system routes in peered VNets without additional configuration.
B: Virtual WAN routing policies manage routing within Virtual WAN hubs — not applicable to standard VNet peering topologies.
C: NSG deny rules block traffic but don't redirect it — the traffic would just be dropped, not sent through the firewall.

💡 Key Concept:

UDR 0.0.0.0/0 → Azure Firewall: overrides the system Internet route because, for the same prefix, user-defined routes take precedence over BGP-learned and system routes. Next hop type must be "Virtual Appliance" with the firewall's private IP. Set "Propagate gateway routes" to No on the spoke route table if on-premises-bound traffic should also pass through the firewall instead of going straight to the VPN/ExpressRoute gateway.

Question 13: BGP

✓ Correct Answer: A) BGP on the VPN Gateway and on each on-premises VPN device

Why this is correct:

BGP (Border Gateway Protocol) enables dynamic route exchange between Azure VPN Gateway and on-premises VPN devices. When new subnets are added on-premises, they're automatically advertised via BGP without manual route updates. Both sides (Azure gateway and on-premises devices) must support and be configured for BGP.

Why other answers are incorrect:

B: Static routing requires manual updates every time routes change — doesn't meet the "dynamic" requirement.
C: ExpressRoute route filters are for filtering BGP communities on ExpressRoute circuits — not applicable to VPN connections.
D: Virtual WAN has its own routing model but the question is about standard VPN Gateway, not Virtual WAN.

💡 Key Concept:

VPN Gateway BGP: Azure's default ASN is 65515; you can set another private or public ASN except those Azure reserves (65515, 65517, 65518, 65519, 65520, 8074, 8075, 12076) and the IANA-reserved values. The on-premises device must use a different ASN from the gateway. The Azure BGP peer IP is the gateway's BGP address (from GatewaySubnet or an APIPA range), which is separate from the gateway's public IP.

Question 14: Hub-Spoke Routing

✓ Correct Answer: B) Enable "Allow forwarded traffic" on the hub-spoke peerings, then add UDRs in each spoke for the other spokes' address spaces pointing to the hub firewall

Why this is correct:

VNet peering is non-transitive: a spoke learns no route to another spoke through the hub. Sending spoke-to-spoke traffic through the hub firewall needs two things. (1) A route: each spoke subnet gets a UDR for the other spoke's address space with next hop type Virtual Appliance and the firewall's private IP. (2) The peering must accept that traffic: "Allow forwarded traffic" has to be enabled on the spoke side of each hub-spoke peering, otherwise packets forwarded by the firewall (whose source address is the other spoke, not the hub) are dropped. "Allow gateway transit" and "Use remote gateways" only matter if the spokes also need to reach on-premises through a VPN or ExpressRoute gateway in the hub.

Why other answers are incorrect:

A: Direct spoke-to-spoke peering bypasses the hub firewall entirely — undermines the security model.
C: VNet peering between all spoke pairs is a full mesh that bypasses the hub.
D: Virtual WAN is a valid alternative but converting an existing hub-spoke to Virtual WAN is a major redesign — the question asks how to make the current design work.

💡 Key Concept:

Hub-spoke spoke-to-spoke checklist: ✓ Hub-spoke peering: Allow forwarded traffic (spoke side); Allow gateway transit (hub) and Use remote gateways (spoke) only if spokes must use the hub's VPN/ExpressRoute gateway. ✓ UDRs in each spoke: other-spoke-range → hub firewall private IP. ✓ Firewall network rules: allow spoke1 → spoke2 traffic, since the firewall denies by default.

Question 15: Azure Virtual WAN

✓ Correct Answer: C) Azure Virtual WAN

Why this is correct:

Azure Virtual WAN is Microsoft's managed network-as-a-service for large-scale connectivity. It automates VPN/ExpressRoute configurations, provides optimal routing through the Microsoft backbone, supports branch-to-branch, branch-to-Azure, and Azure-to-Azure routing — all centrally managed without individual route table management.

Why other answers are incorrect:

A: Multiple hub VNets with VPN Gateways work but require significant manual management for 30+ branches and 5 regions — exactly what the question wants to avoid.
B: ExpressRoute Global Reach enables on-premises to on-premises connectivity via Microsoft backbone but doesn't manage the full branch connectivity topology.
D: Traffic Manager handles DNS-based global load balancing — not branch/VNet connectivity.

💡 Key Concept:

Virtual WAN SKUs: Basic (S2S VPN only), Standard (S2S VPN, ExpressRoute, P2S VPN, VNet connections, routing). Virtual WAN hubs can have multiple gateways and routing policies for secure hub scenarios.

Question 16: Point-to-Site VPN

✓ Correct Answer: D) Point-to-site VPN with Microsoft Entra ID authentication

Why this is correct:

Point-to-site (P2S) VPN lets individual clients connect to the Azure VNet. With Microsoft Entra ID authentication (OpenVPN protocol, Azure VPN Client), users sign in with their Entra ID credentials and Conditional Access can be applied; there is no client certificate to issue or revoke. Each user gets a private tunnel to the VNet.

Why other answers are incorrect:

A: Site-to-site VPN is for connecting entire networks (e.g., branch office to Azure) — not for individual user clients.
B: Azure Bastion provides browser-based access to specific VMs — not a VPN that gives network-level access to all VNet resources.
C: ExpressRoute requires dedicated circuits and is for datacenter-level connectivity — not individual user remote access.

💡 Key Concept:

P2S VPN authentication options: Azure Certificate (self-signed or CA), RADIUS (on-premises NPS), Microsoft Entra ID (Entra ID accounts, no certificates). Entra ID authentication only works with OpenVPN protocol.

Question 17: Route Troubleshooting

✓ Correct Answer: A) Use Network Watcher — Next hop to check the effective routes for the VM's NIC

Why this is correct:

"Next hop" in Network Watcher shows the effective route for a specific destination IP from a specific VM NIC — it shows exactly which route is being used and what the next hop is. This immediately reveals if a missing or incorrect route is causing the connectivity issue.

Why other answers are incorrect:

B: NSG flow logs show allowed/denied traffic but don't diagnose routing issues — if the VPN connection is up, the issue may be a missing route, not an NSG block.
C: Reviewing the BGP table on the VPN Gateway would be the second step after confirming the route issue — Next hop gives you the immediate answer.
D: Packet capture is for deep packet inspection — too complex as a first diagnostic step for a routing issue.

💡 Key Concept:

Network Watcher troubleshooting tools: Next hop (routing), IP flow verify (NSG allow/deny), Connection troubleshoot (end-to-end path), Packet capture (deep inspection), NSG flow logs (traffic logging), Traffic analytics (flow log visualization).
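To make the Next hop logic concrete, here is an added example (not part of this practice test or of Network Watcher itself) that models how Azure picks an effective route for a NIC: longest prefix match first, and at equal prefix length a user-defined route beats a BGP-learned route, which beats a system default route. The route table, the VM, and the NVA address 10.0.1.4 are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Route sources as Azure labels them in "effective routes". The rank only
# matters as a tie-breaker between routes whose prefixes are equally specific.
SOURCE_RANK = {"User": 3, "VirtualNetworkGateway": 2, "Default": 1}

@dataclass(frozen=True)
class Route:
    prefix: str             # CIDR, e.g. "10.0.0.0/16"
    next_hop_type: str      # VirtualNetwork, Internet, VirtualAppliance, VirtualNetworkGateway, None
    source: str             # "Default" (system), "User" (UDR), "VirtualNetworkGateway" (BGP)
    next_hop_ip: Optional[str] = None  # only set for VirtualAppliance routes

def next_hop(effective_routes: list[Route], destination: str) -> Optional[Route]:
    """Return the route Azure would use for `destination`, as Next hop reports it."""
    dest = ipaddress.ip_address(destination)
    best: Optional[tuple[tuple[int, int], Route]] = None
    for route in effective_routes:
        net = ipaddress.ip_network(route.prefix, strict=False)
        if dest not in net:
            continue
        key = (net.prefixlen, SOURCE_RANK[route.source])  # longest prefix, then source
        if best is None or key > best[0]:
            best = (key, route)
    return best[1] if best else None

# Constructed effective-route table for a spoke VM NIC (not from any real tenant).
ROUTES = [
    Route("10.0.0.0/16", "VirtualNetwork", "Default"),
    Route("0.0.0.0/0", "Internet", "Default"),
    Route("192.168.0.0/16", "VirtualNetworkGateway", "VirtualNetworkGateway"),  # learned via BGP
    Route("0.0.0.0/0", "VirtualAppliance", "User", next_hop_ip="10.0.1.4"),    # UDR to an NVA
]

def diagnose(destination: str) -> str:
    """One-line verdict to compare against the path you expected the packet to take."""
    r = next_hop(ROUTES, destination)
    if r is None or r.next_hop_type == "None":
        return f"{destination}: dropped (no route / blackhole)"
    hop = r.next_hop_type + (f" {r.next_hop_ip}" if r.next_hop_ip else "")
    return f"{destination}: {r.prefix} via {hop} [{r.source}]"

if __name__ == "__main__":
    # 172.16.1.1 is an on-premises host whose prefix was never advertised over
    # BGP, so it falls through to the UDR and is sent to the NVA, not the VPN.
    for ip in ("192.168.5.10", "172.16.1.1", "10.0.2.5", "8.8.8.8"):
        print(diagnose(ip))
```

The 172.16.1.1 case is the "missing route" situation from this question: the tunnel is up, but the destination matches only the default route, so the traffic never reaches the gateway.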

Question 18: Azure Firewall vs NSG

✓ Correct Answer: B) Azure Firewall with application rules

Why this is correct:

Azure Firewall application rules support FQDN filtering — you can create rules like "allow *.microsoft.com:443" or "deny *:80". NSGs work only at the IP address and port level (layer 4) and cannot resolve FQDNs. Azure Firewall uses DNS to resolve FQDNs and applies rules dynamically as IPs change.

Why other answers are incorrect:

A: NSG service tags (like AzureCloud, Internet) are IP range-based — they don't support custom FQDN filtering.
C: Application Gateway WAF inspects inbound traffic to protected web applications — it doesn't control outbound traffic from VMs.
D: WAF on Load Balancer doesn't exist — WAF is for Application Gateway or Front Door.

💡 Key Concept:

Azure Firewall rule types: Network rules (L3/L4, IP+port based), Application rules (L7, FQDN-based, outbound HTTP/S and other protocols), DNAT rules (inbound port forwarding). NSGs = Network rules only.

Question 19: Azure Firewall Premium

✓ Correct Answer: C) Azure Firewall Premium

Why this is correct:

Azure Firewall Premium includes TLS inspection (decrypts, inspects, and re-encrypts HTTPS traffic), IDPS (Intrusion Detection and Prevention System), URL filtering (beyond just FQDN), and web category filtering. Standard Firewall only sees the SNI header for HTTPS — it can't inspect the encrypted payload.

Why other answers are incorrect:

A: Azure Firewall Standard supports FQDN filtering via SNI but cannot inspect encrypted TLS payload — it sees the hostname but not the content.
B: Application Gateway WAF inspects inbound HTTPS traffic from internet to your apps — not outbound traffic from VMs.
D: Azure DDoS Protection defends against volumetric attacks — it doesn't inspect application-layer encrypted traffic.

💡 Key Concept:

Firewall Premium features (beyond Standard): TLS inspection (requires CA certificate in Key Vault), IDPS (signature-based threat detection), URL filtering (beyond FQDN — filter specific URL paths), Web categories.

Question 20: Private Endpoint

✓ Correct Answer: D) Private Endpoint for the Azure SQL Database

Why this is correct:

Private Endpoint creates a private NIC in your VNet with a private IP address mapped to the Azure SQL Database. After creating the private endpoint, you configure the Azure SQL Database to deny public access — making it completely inaccessible from the internet and accessible only via the private IP in your VNet.

Why other answers are incorrect:

A: SQL firewall rule at the VNet level uses Service Endpoints — the database still has a public endpoint.
B: VNet integration is for Azure App Service to connect TO databases — not for the database itself to get a private IP.
C: Service Endpoint provides optimized routing but the SQL database retains its public endpoint.

💡 Key Concept:

After creating a Private Endpoint: update DNS to resolve the SQL FQDN to the private IP (use Private DNS zone privatelink.database.windows.net), then set the SQL firewall to "Deny public network access = Yes."

Question 21: DDoS Protection

✓ Correct Answer: A) Azure DDoS Network Protection (Standard) with DDoS Rapid Response

Why this is correct:

Azure DDoS Network Protection (Standard/Premium) provides adaptive tuning that learns your application's normal traffic patterns and creates custom mitigation profiles. It includes the DDoS Rapid Response (DRR) team — Microsoft experts who assist during active attacks. The free basic protection is platform-wide but offers no adaptive tuning.

Why other answers are incorrect:

B: Basic DDoS protection (now called Infrastructure Protection) is included free but provides only platform-level generic mitigation — no adaptive tuning for your specific app and no DRR access.
C: Application Gateway WAF protects against application-layer (L7) attacks — not volumetric L3/L4 DDoS attacks.
D: Front Door WAF is application-layer protection — not volumetric DDoS mitigation.

💡 Key Concept:

DDoS protection: Infrastructure Protection (free, basic) → everyone. DDoS Network Protection (Standard, paid per VNet) → adaptive tuning, DRR, cost protection, attack analytics. Cover all public IPs in a subscription with one DDoS plan.

Question 22: Network Watcher

✓ Correct Answer: B) Network Watcher — IP flow verify

Why this is correct:

IP flow verify asks: "Would traffic from [source IP:port] to [destination IP:port] be allowed or denied by the NSGs effective on this VM?" It evaluates all NSGs (subnet and NIC level) and tells you exactly which NSG rule is allowing or blocking the specified traffic flow.

Why other answers are incorrect:

A: Packet capture captures raw network traffic — useful for deep analysis but not for quickly identifying which NSG rule is blocking specific traffic.
C: NSG flow logs log actual traffic (allowed/denied) over time — requires querying logs after the fact, not real-time rule evaluation.
D: Connection troubleshoot tests end-to-end connectivity between two endpoints and shows latency/packet loss — it goes further than just NSG evaluation.

💡 Key Concept:

IP flow verify = "would this packet be blocked?" (test before or after issue). NSG flow logs = "what traffic was actually allowed/denied?" (historical). Use IP flow verify for diagnosis, NSG flow logs for forensics.
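The following added example (not part of this practice test or of Network Watcher) models what IP flow verify does for an inbound flow: each NSG is evaluated on its own, lowest priority number first, the first matching rule decides, and the subnet NSG is consulted before the NIC NSG so that a Deny at either level blocks the flow. The two NSGs, the VM address 10.0.1.4 and the rule names are constructed; only the DenyAllInBound default rule is modelled, the other default rules (such as AllowVnetInBound) and service tags are omitted for brevity.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # custom rules use 100-4096; lower number is evaluated first
    access: str        # "Allow" or "Deny"
    protocol: str      # "Tcp", "Udp" or "*"
    src: str           # CIDR or "*"
    src_port: str      # "*", "22" or "1024-65535"
    dst: str
    dst_port: str

# Azure's default DenyAllInBound rule: the catch-all that ends inbound evaluation.
DENY_ALL_IN = Rule("DenyAllInBound", 65500, "Deny", "*", "*", "*", "*", "*")

def _prefix_match(spec: str, ip: str) -> bool:
    return spec == "*" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def _port_match(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def evaluate_nsg(nsg_name, rules, proto, src_ip, src_port, dst_ip, dst_port):
    """First matching rule by priority decides, which is how a single NSG is evaluated."""
    for r in sorted(rules + [DENY_ALL_IN], key=lambda r: r.priority):
        if (r.protocol in ("*", proto) and _prefix_match(r.src, src_ip)
                and _port_match(r.src_port, src_port) and _prefix_match(r.dst, dst_ip)
                and _port_match(r.dst_port, dst_port)):
            return r.access, f"{nsg_name}/{r.name}"
    raise AssertionError("unreachable: DenyAllInBound matches every flow")

def ip_flow_verify(subnet_nsg, nic_nsg, proto, src_ip, src_port, dst_ip, dst_port):
    """Inbound: subnet NSG first, then NIC NSG; both must allow, the first Deny wins."""
    verdict = None
    for nsg_name, rules in (subnet_nsg, nic_nsg):
        verdict = evaluate_nsg(nsg_name, rules, proto, src_ip, src_port, dst_ip, dst_port)
        if verdict[0] == "Deny":
            return verdict
    return verdict  # ("Allow", rule that allowed it at the NIC level)

# Constructed NSGs for a web VM at 10.0.1.4 (not taken from any real environment).
SUBNET_NSG = ("web-subnet-nsg", [
    Rule("AllowHttpsFromAny", 100, "Allow", "Tcp", "*", "*", "*", "443"),
    Rule("AllowSshFromVnet", 110, "Allow", "Tcp", "10.0.0.0/8", "*", "*", "22"),
])
NIC_NSG = ("web-vm-nic-nsg", [
    Rule("DenySshAll", 100, "Deny", "Tcp", "*", "*", "*", "22"),   # blocks SSH the subnet allowed
    Rule("AllowHttps", 200, "Allow", "Tcp", "*", "*", "*", "443"),
])
```

Running `ip_flow_verify(SUBNET_NSG, NIC_NSG, "Tcp", "10.0.0.5", 51000, "10.0.1.4", 22)` returns the NIC-level DenySshAll rule, which is the kind of answer that tells you which NSG to fix instead of guessing.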

Question 23: Azure DNS Private Resolver

✓ Correct Answer: C) Azure DNS Private Resolver with an inbound endpoint

Why this is correct:

Azure DNS Private Resolver provides an inbound endpoint — a private IP in your VNet that on-premises DNS servers can forward Azure private zone queries to. It resolves Azure private DNS zones without any VM-based DNS forwarders, fully managed by Microsoft.

Why other answers are incorrect:

A: Private DNS zone auto-registration is for Azure VM registration within the zone — it doesn't help on-premises clients resolve the zone.
B: DNS forwarder VMs work but require you to manage the VM (patching, HA, scaling) — Private Resolver is the modern serverless alternative.
D: Azure Firewall DNS proxy forwards DNS queries to Azure DNS — but it doesn't provide an endpoint for on-premises to query.

💡 Key Concept:

DNS Private Resolver: Inbound endpoint = on-premises queries forwarded to this IP (resolves Azure private zones). Outbound endpoint + forwarding ruleset = forward DNS queries to on-premises DNS for private domain resolution from Azure.

Question 24: ExpressRoute Monitoring

✓ Correct Answer: D) Network Watcher — Connection Monitor

Why this is correct:

Azure Monitor Network Insights (and Connection Monitor) provides continuous monitoring of ExpressRoute circuit health including latency, packet loss, and availability between specific endpoints. It replaced the legacy Network Performance Monitor and provides alerts when performance degrades.

Why other answers are incorrect:

A: Azure Monitor metrics for ExpressRoute circuit (BitsInPerSecond, BitsOutPerSecond) show bandwidth utilization — not end-to-end latency and packet loss between specific endpoints.
B: Network Performance Monitor is the legacy tool — it has been replaced by Azure Monitor Network Insights and Connection Monitor.
C: Traffic Analytics processes NSG flow logs to visualize traffic patterns — not specifically for ExpressRoute performance.

💡 Key Concept:

Connection Monitor replaces Network Performance Monitor. It can monitor: VNet → VNet, on-premises → Azure (via VPN/ExpressRoute), Azure → internet, multi-hop paths. Alerts based on latency thresholds and packet loss.

Question 25: WAF Policy

✓ Correct Answer: A) A WAF policy in Prevention mode with OWASP Core Rule Set 3.2 associated with the Application Gateway

Why this is correct:

Web Application Firewall (WAF) on Application Gateway includes the OWASP Core Rule Set (CRS) which contains rules for SQL injection, XSS, and other OWASP Top 10 attacks. Prevention mode actively blocks matching requests (vs Detection mode which only logs). CRS 3.2 includes updated rules with fewer false positives.

Why other answers are incorrect:

B: NSG rules are IP/port based — they can't inspect HTTP payloads for injection attacks.
C: Azure Firewall Premium with TLS inspection can detect some threats via IDPS signatures, but WAF with OWASP CRS is specifically designed for web application attack protection.
D: DDoS protection handles volumetric attacks — not application-layer SQL injection or XSS.

💡 Key Concept:

WAF policy modes: Detection = log violations, don't block. Prevention = actively block malicious requests. Always start in Detection mode, tune to eliminate false positives, then switch to Prevention. CRS 3.2 > CRS 3.1 > 3.0 — use latest.

📊 How Did You Score?

  • 23–25: Exam Ready. Excellent! Schedule your exam.
  • 19–22: Almost There. Review routing and hybrid connectivity.
  • 14–18: Keep Studying. Focus on ExpressRoute, Private Endpoints, and UDRs.
  • 0–13: More Study Needed. Work through the AZ-700 study guide.

Ready for More AZ-700 Practice?

These 25 questions are just a sample. The actual AZ-700 exam has 40–60 questions.

MSCertQuiz AZ-700 includes 500 questions covering:

  • ✓ VNet design, subnetting, and peering scenarios in depth
  • ✓ ExpressRoute circuit types, SKUs, and redundancy patterns
  • ✓ Azure Firewall, WAF, DDoS, and NSG combinations
  • ✓ Private DNS, Private Endpoints, and Service Endpoints
  • ✓ Network Watcher troubleshooting scenarios

$14.99 One-Time Payment

Lifetime access • No subscription • 500 questions