How to Pass Microsoft Azure Networking Solutions (AZ-700) in 2026: Complete Study Guide

# How to Pass Microsoft Azure Networking Solutions (AZ-700) in 2026: Complete Study Guide The AZ-700 exam certifies your ability to design, implement, and maintain Azure networking solutions. It targets network engineers who work daily with VNets, VPN gateways, ExpressRoute circuits, firewalls, and load balancers. This guide gives you everything you need to pass in 2026. ## Exam Format at a Glance | Detail | Value | |--------|-------| | Exam code | AZ-700 | | Full name | Designing and Implementing Microsoft Azure Networking Solutions | | Cost | $165 USD | | Number of questions | 40–60 | | Time allowed | 120 minutes | | Passing score | 700 / 1000 | | Prerequisite | None (but experience with Azure networking strongly recommended) | | Renewal | Every year via free online assessment | The exam uses a mix of case studies, multiple-choice, drag-and-drop, and hot-area questions. Case studies are the most time-consuming — read the scenario carefully before answering. ## Domain Breakdown | Domain | Weight | |--------|--------| | Design, implement, and manage core networking infrastructure | 20–25% | | Design, implement, and manage connectivity services | 25–30% | | Design, implement, and manage application delivery services | 25–30% | | Design, implement, and manage private access to Azure services | 10–15% | | Secure and monitor networks | 10–15% | Despite the similar weights on some domains, application delivery and connectivity services together account for half the exam. Prioritize them. ## Domain 1: Core Networking Infrastructure (20–25%) ### Virtual Networks and Subnets A Virtual Network (VNet) is the fundamental building block. Key points: - Address space uses CIDR notation. Azure reserves 5 IPs per subnet (first 4 + last). - Subnets within a VNet can communicate by default (no NSG needed within the same VNet unless you add one). - Each VNet lives in one region. For multi-region connectivity, use VNet peering or Virtual WAN. ### VNet Peering VNet peering connects two VNets. Know the following differences: | Type | Scope | Latency | |------|-------|---------| | Regional peering | Same region | Low | | Global peering | Cross-region | Slightly higher | Critical behavior: VNet peering is **non-transitive**. If VNet A peers with VNet B, and VNet B peers with VNet C, traffic from A cannot reach C without an additional peering or a hub appliance. ### Azure DNS Azure provides a public DNS service and private DNS zones. **Private DNS zones** must be linked to a VNet for name resolution to work. A single private zone can be linked to multiple VNets, which is essential for hub-and-spoke scenarios. 💡 **Exam Tip:** "Private DNS zone linked to VNet" — without the VNet link, VMs cannot resolve names in the private zone. Linking is a separate step from creating the zone. ## Domain 2: Connectivity Services (25–30%) ### VPN Gateway Azure VPN Gateway supports two connection types: | Type | Use case | IKE version | |------|----------|-------------| | Policy-based | Legacy on-premises devices | IKEv1 only | | Route-based | Modern devices, P2S, multi-site | IKEv1 and IKEv2 | Route-based gateways are almost always the right choice for new deployments. They support Point-to-Site (P2S) connections and active-active configurations for high availability. ### ExpressRoute ExpressRoute provides private connectivity from on-premises to Azure via a connectivity provider. Three circuit SKUs: | SKU | Egress billing | Route advertisement | |-----|---------------|---------------------| | Local | Free (same metro only) | Local region only | | Standard | Metered or unlimited | Domestic regions | | Premium | Metered or unlimited | Global (all regions + Office 365) | 💡 **Exam Tip:** Local SKU = free egress but only peers with gateways in the same metro. If you need cross-region or global routing, you need Standard or Premium. ### Network Watcher Network Watcher is a regional service for diagnosing and monitoring network connections. Key tools: IP flow verify, next hop, connection troubleshoot, packet capture, NSG flow logs, and Traffic Analytics. ## Domain 3: Application Delivery Services (25–30%) ### Azure Load Balancer A Layer 4 (TCP/UDP) load balancer. Two SKUs: - **Basic**: Free, no SLA for multi-instance, no availability zones. - **Standard**: SLA, zone-redundant, supports outbound rules, cross-zone load balancing. Always use Standard in production. Basic is being retired. ### Application Gateway v2 Application Gateway is a Layer 7 load balancer with URL-based routing, cookie-based session affinity, SSL termination, and Web Application Firewall (WAF). The v2 SKU adds autoscaling (0–125 instances) and zone redundancy. ### Azure Front Door Azure Front Door is a global HTTP/HTTPS load balancer and CDN. It uses Anycast and Microsoft's global network to route traffic to the closest healthy backend. Front Door Standard/Premium adds WAF policy integration and Private Link origin connectivity (Premium only). ### Traffic Manager Traffic Manager is a DNS-based global traffic routing service. It does not proxy traffic — it redirects DNS queries. Routing methods include performance, weighted, priority, geographic, multivalue, and subnet. ## Domain 4: Private Access to Azure Services (10–15%) ### Service Endpoints vs Private Endpoints | Feature | Service Endpoint | Private Endpoint | |---------|-----------------|-----------------| | How it works | Extends VNet identity to service over public backbone | Private IP in your VNet via NIC | | Public IP used? | Yes (traffic stays on Microsoft backbone) | No (fully private) | | Cost | Free | Per hour + data | | DNS needed? | No | Yes (private DNS zone) | Private Endpoint is the recommended approach for most new architectures. Service Endpoints are simpler but don't eliminate the public endpoint. ## Domain 5: Secure and Monitor Networks (10–15%) ### Azure Firewall Three tiers: | Tier | Features | |------|----------| | Basic | DNAT, network rules, app rules (limited). Not recommended for enterprise. | | Standard | Full DNAT, network, and application rules. Threat intelligence. | | Premium | TLS inspection, IDPS, URL categories, web categories. | ### NSGs and ASGs Network Security Groups (NSGs) filter traffic at the subnet or NIC level. Rules use priority numbers — **lower number = higher priority** (100 beats 200). Application Security Groups (ASGs) group VMs logically so you can write NSG rules against the group instead of individual IPs. ### DDoS Protection | Plan | Scope | Cost | |------|-------|------| | Network | Per public IP | Lower cost | | Standard | Per VNet | ~$2,944/month, includes cost protection | 💡 **Exam Tip:** DDoS Standard is per VNet and provides adaptive tuning and attack analytics. DDoS Network protection is per public IP and is cheaper for small deployments. ## 6-Week Study Plan | Week | Focus | |------|-------| | 1 | Core networking: VNets, subnets, VNet peering, Azure DNS private zones | | 2 | Connectivity: VPN Gateway (policy vs route-based), ExpressRoute SKUs | | 3 | Application delivery: Load Balancer, Application Gateway v2, WAF | | 4 | Application delivery + Global: Front Door, Traffic Manager routing methods | | 5 | Private access: Private Endpoints, Service Endpoints, Private Link | | 6 | Security + review: Azure Firewall, NSGs, DDoS, Network Watcher, practice exams | ## Recommended Resources - Microsoft Learn AZ-700 learning path (free) - Microsoft documentation on Virtual WAN, ExpressRoute, and Azure Firewall - Hands-on labs in your own Azure subscription (free tier covers most networking resources) - Practice questions on CertLand ## Final Tips AZ-700 rewards hands-on experience. If you have not deployed an ExpressRoute circuit or Application Gateway in a lab, do it — the exam scenario questions become much easier when you have seen the workflows. Pay particular attention to DNS resolution for Private Endpoints, routing behavior in hub-and-spoke topologies, and the differences between service tiers (SKUs) across every service. --- Ready to test your knowledge? [Try our AZ-700 practice exam with 340 questions on CertLand](/exams/designing-and-implementing-microsoft-azure-networking-soluti-340-questions) and simulate the real exam experience before exam day.