Microsoft Azure Network Engineer Associate
225 practice questions
Last reviewed: April 2026
AZ-700 validates the day-to-day skills of an Azure network engineer: designing and implementing core networking, routing, secure and monitored networks, hybrid connectivity, and private access to Azure services. The audience is working network engineers extending traditional networking expertise (BGP, VPN, MPLS) onto Azure, and Azure administrators specializing in networking. The exam is implementation-focused (closer to AZ-500 in style than to architecture exams), with 40–60 questions in 120 minutes including drag-and-drop, hot-area, multiple-response, and at least one case study with scenario-driven items rewarding hands-on networking experience.
About 22%. VNets, subnets, IP addressing, peering (regional and global), VNet-to-VNet connectivity, custom DNS, Azure DNS Private Resolver, and core IP planning for hub-spoke topologies.
Largest domain at 28%. UDRs and BGP, Azure Load Balancer (internal and external), Application Gateway with WAF, Azure Front Door, Traffic Manager, and route-server / NVA scenarios. Heavy on traffic-flow questions.
About 18%. Azure Firewall (and Firewall Manager), DDoS Protection, NSGs vs. ASGs, Network Watcher, Connection Monitor, NSG flow logs, and traffic analytics.
About 16%. Site-to-site and point-to-site VPN gateways, ExpressRoute (circuits, peerings, Global Reach, FastPath), Virtual WAN, and SD-WAN integration patterns.
About 16%. Service Endpoints, Private Endpoints / Private Link, Private DNS Zones, custom DNS resolution for private endpoints, and platform-as-a-service network integration.
Services you'll encounter on the exam and why each one matters.
Software-defined network with subnets, address-space planning, global VNet peering, service endpoints, NSGs, and UDRs as the foundational building blocks.
Why it's on the exam: Domain 1 (Design and Implement Core Networking Infrastructure) starts every scenario with VNet topology: CIDR sizing, hub-spoke vs mesh peering, and subnet delegation choices.
Managed global WAN that unifies VNet, VPN, ExpressRoute, and SD-WAN branch attachments under a single Virtual Hub with built-in routing intent and any-to-any connectivity.
Why it's on the exam: Domain 4 (Hybrid Networking) cites Virtual WAN as the canonical answer for multi-region hub-spoke replacing manually-stitched hubs at scale.
Managed site-to-site and point-to-site IPsec VPN termination with BGP, active-active redundancy, route-based and policy-based tunnels, and SKU-tiered throughput.
Why it's on the exam: Domain 4 tests choosing VPN Gateway vs ExpressRoute by bandwidth/SLA, configuring BGP ASNs, and active-active failover patterns for hybrid backbones.
Dedicated private circuits to Azure with private and Microsoft peering, BGP, ExpressRoute Global Reach for site-to-site routing through Microsoft backbone, and FastPath for sub-10ms latency.
Why it's on the exam: Domain 4 hybrid-design questions hinge on ExpressRoute peering types, circuit SKUs (Local/Standard/Premium), Global Reach, and BGP path manipulation.
Managed BGP route reflector that exchanges routes between Azure VNets and NVAs (Network Virtual Appliances) over BGP, eliminating manual UDR maintenance.
Why it's on the exam: Domain 2 (Design and Implement Routing) names Route Server as the answer when SDWAN appliances or NVAs need to inject BGP routes into the Azure routing fabric.
Network diagnostic toolset: Connection Monitor, IP Flow Verify, NSG Diagnostics, Packet Capture, VNet Flow Logs, and effective-route / effective-security-rule introspection.
Why it's on the exam: Domain 3 (Secure and Monitor Networks) anchors on Network Watcher: Connection Monitor for path testing, Flow Logs for traffic visibility, and NSG diagnostics for rule debugging.
Authoritative public DNS hosting plus Private DNS Zones with VNet links, auto-registration, and DNS Private Resolver for inbound/outbound hybrid name resolution.
Why it's on the exam: Domain 4 + Domain 5 test hybrid-DNS patterns: conditional forwarders, Private Resolver endpoints, and Private DNS auto-registration across hub-spoke.
Three load-balancing tiers: Standard Load Balancer (L4, regional), Application Gateway (L7 with WAF, regional), and Front Door (L7 with WAF, global anycast edge).
Why it's on the exam: Domain 1 distinguishes regional L4 (Load Balancer) vs regional L7 (Application Gateway) vs global L7 (Front Door) as a recurring distractor pattern across exam scenarios.
Managed stateful firewall-as-a-service with FQDN filtering, TLS inspection (Premium), IDPS, and Firewall Manager for centralized policy hierarchy across hubs and VNets.
Why it's on the exam: Domain 3 east-west and egress-inspection scenarios cite Azure Firewall as the managed alternative to self-hosted NVAs, with Firewall Manager for multi-hub policy.
Always-on Network-tier and IP-tier DDoS mitigation with traffic profiling, attack analytics, rapid-response engagement, and cost-protection for autoscaled targets.
Why it's on the exam: Domain 3 questions on volumetric and protocol-attack mitigation for internet-facing endpoints name DDoS Protection Network/IP SKU as the answer.
L7 WAF deployed on Application Gateway, Front Door, or Azure CDN with managed rule sets (OWASP CRS, Microsoft bot manager), custom rules, and rate limiting.
Why it's on the exam: Domain 3 application-layer protection scenarios test WAF placement choice, Front Door (global edge) vs App Gateway (regional), and managed-rule tuning.
Managed outbound-only SNAT service with up to 16 public IPs, 64k SNAT ports per IP, and per-subnet attachment; replaces unpredictable default outbound or LB-based SNAT.
Why it's on the exam: Domain 2 routing questions on deterministic outbound connectivity, SNAT-port exhaustion fixes, and zone-redundant egress design name NAT Gateway as the answer.
Private connectivity to PaaS services and customer-owned services via Private Endpoints (NICs in the consumer VNet) with traffic on the Microsoft backbone, never traversing the internet.
Why it's on the exam: Domain 5 (Design and Implement Private Access to Azure Services) is anchored on Private Link / Private Endpoint as the canonical PaaS-without-public-IP pattern.
10 Gbps or 100 Gbps port pairs giving customers direct connection into the Microsoft backbone, with the ability to carve out multiple circuits and MACsec encryption.
Why it's on the exam: Domain 4 hybrid-design scenarios requiring >10 Gbps aggregate bandwidth, MACsec, or physical-port isolation cite ExpressRoute Direct over standard ExpressRoute.
Continuous reachability and latency testing across Azure VMs, on-prem agents, and Azure endpoints with topology view, packet-loss tracking, and Log Analytics integration.
Why it's on the exam: Domain 3 monitoring scenarios on hybrid-path latency, ExpressRoute path testing, and pre-vs-post-failover validation name Connection Monitor as the operational tool.
Central management plane for VNet groups, connectivity configurations (hub-spoke, mesh), and security admin rules that override NSGs across multi-subscription scope.
Why it's on the exam: Domain 1 + Domain 3 design questions on scaling hub-spoke beyond manual peering and enforcing security baselines via admin rules cite Virtual Network Manager.
Stateful L3/L4 filtering at subnet and NIC scope via NSGs, plus ASGs that let rules reference workload groups (e.g. "WebTier", "DBTier") instead of static IP ranges.
Why it's on the exam: Domain 3 security questions on default-deny posture, rule priority/precedence, and replacing IP-tuple rules with ASG-based rules are a recurring exam staple.
Identity directory with Conditional Access policies that gate Bastion, P2S VPN, and management-plane access by user, device, location, and risk signals.
Why it's on the exam: Domain 3 + Domain 5 secure-access scenarios (Entra-authenticated P2S VPN, Bastion with MFA, and admin-plane Conditional Access) anchor to Entra + Conditional Access.
Unified telemetry sink for VNet Flow Logs, NSG diagnostics, ExpressRoute / VPN Gateway metrics, and Connection Monitor results, queryable via KQL workbooks.
Why it's on the exam: Domain 3 monitoring patterns require Azure Monitor + Log Analytics to centralize flow logs, alert on threshold breaches, and produce traffic-analytics workbooks.
CSPM + workload protection surfacing network-misconfiguration recommendations (open ports, unrestricted NSG rules), adaptive network hardening, and just-in-time VM access.
Why it's on the exam: Domain 3 governance questions on continuous posture management, JIT VM access, and adaptive-hardening recommendations cite Defender for Cloud as the answer.
$110k–$150k–$200k USD annual
Range covers US-based mid-to-senior cloud network engineers; senior network architects at large enterprises and Microsoft-partner consultancies often clear $220k TC. Traditional on-premises network engineers transitioning to cloud trend toward the lower end until they accumulate Azure-specific experience.
Source: levels.fyi 2025 network / cloud network engineer roles, U.S. BLS OEWS May 2024 (15-1241 computer network architects, 15-1244 network and computer systems administrators), Glassdoor 2025. Figures are approximate; actual compensation depends on role, region, and experience.
AZ-700 demand is steady, driven by ongoing enterprise cloud-migration programs that require ExpressRoute, hub-spoke, Virtual WAN, and Private Endpoint expertise. Recruiters at financial services, healthcare, government contractors, and Microsoft-partner consultancies use it as the canonical proof of Azure networking competence. It pairs naturally with AZ-104 for cloud-admin-leaning network engineers, with AZ-305 for network-leaning architects, and with AZ-500 for engineers who span network and security roles. Demand is especially strong in regulated industries with significant hybrid-connectivity requirements.
There are no formal prerequisites. Microsoft recommends practitioner-level networking knowledge (TCP/IP, DNS, routing, BGP, IPsec) plus prior Azure exposure equivalent to AZ-104. Candidates without traditional networking depth typically struggle on routing and ExpressRoute scenarios. AZ-900 is a useful conceptual on-ramp for candidates new to Azure but not required.
The official Microsoft Learn path covers all five domains in roughly 30–40 hours. Hands-on lab time is essentially required: a personal Azure subscription with hub-spoke VNets, a VPN gateway, and a small set of private endpoints lets candidates practice the routing and DNS scenarios that dominate the exam. ExpressRoute is harder to practice hands-on without enterprise access; candidates typically rely on Microsoft Learn modules and architecture-center articles for that area.
AZ-700 sits in the Associate tier and is generally considered moderately challenging, comparable to AZ-500 in difficulty, harder than AZ-104 in networking depth but narrower in scope overall. Plan on 70–110 hours of study over 7–10 weeks with prior networking and Azure-admin experience; substantially longer for candidates new to either area. The exam runs about 120 minutes with 40–60 questions in multiple-choice, multiple-response, drag-and-drop, hot-area, and case-study formats. Case studies are timed separately and cannot be revisited.
The most common stumbling block is the routing domain: UDRs interacting with BGP-learned routes from VPN / ExpressRoute, route propagation behavior, and forced-tunneling scenarios are dense and frequently tested. Private DNS resolution for private endpoints (custom DNS forwarders, conditional forwarders, Private DNS Zone group integration) is another consistent trap area.
Most recent skills-measured update. Expanded Azure DNS Private Resolver coverage, modernized Virtual WAN content, refreshed Azure Front Door SKU positioning. Microsoft refreshes AZ-700 approximately every 12–18 months without changing the exam code.
Rebalanced weights toward routing and private-access domains, added Azure Route Server and ExpressRoute FastPath coverage, and integrated Virtual WAN deeper.
Initial GA. Original outline focused on hub-spoke topologies, VPN / ExpressRoute, NSGs, and PaaS network integration.
AZ-700 (Microsoft Azure Network Engineer Associate) is a moderately difficult Associate-level exam that expects practical hands-on experience plus a solid understanding of best practices. Most candidates need 80–150 hours of study spread over 6–12 weeks for associate-level exams. Most candidates who score consistently above the passing threshold on practice exams pass on their first attempt.
Most candidates need 80–150 hours of study spread over 6–12 weeks for associate-level exams. Time-to-pass varies widely by prior experience. Engineers with hands-on production experience in the underlying technology typically need less; candidates new to the platform should plan toward the upper end of that range.
AZ-700 is a recognized credential in the Azure ecosystem and signals validated knowledge to employers, recruiters, and clients. Whether it is worth the time and fee for you depends on your role and goals; it tends to pay off most for cloud engineers, architects, and consultants who work with Azure day-to-day or want to move into roles that do.
The passing score for AZ-700 is 700 / 1000. The exam contains 50 questions and lasts 2 hr.
The AZ-700 exam fee is $165 USD. Fees are set by Azure and may vary by region; always confirm the current price on the official Azure certification page before booking.
Microsoft role-based certifications expire after 1 year but can be renewed for free via an unproctored online assessment on Microsoft Learn, starting 6 months before expiration.
Yes. You can take the exam online (proctored via the provider's secure browser, available 24/7 in most regions) or at an in-person Pearson VUE test center during business hours. Both formats use the same questions, time limit, and passing score.
CertLabPro provides 15 study modes across the practice question bank for AZ-700. The exam-simulation mode mirrors the real exam: 50 questions in 2 hr, with the same passing threshold of 700 / 1000. Browse mode lets you read every Q&A statically.