Microsoft · AZ-700
Validates expertise in designing, implementing, and maintaining Azure networking solutions including hybrid connectivity, application delivery services, private access to Azure services, and network security.
Questions
554
Duration
120 minutes
Passing Score
700/1000
Difficulty
AssociateLast Updated
Jan 2026
Use this AZ-700 practice exam to prepare for Microsoft Certified: Azure Network Engineer Associate (AZ-700) with realistic questions, detailed explanations, and focused study modes. The practice bank includes 554 questions for Microsoft AZ-700, so you can review the exam steadily instead of relying on one long cram session.
As you practice, pay extra attention to recurring topics such as Core Networking Infrastructure, Routing, Azure ExpressRoute, Network Security, and Private Access to Azure Services. Start with short sessions to identify weak areas, then move into timed quizzes once your accuracy is consistent.
The explanations are especially useful when you want to connect exam wording to the responsibilities and scenarios described in the official certification guidance. Use the free preview first, then unlock the full question bank when you are ready to build a complete study routine.
The Microsoft Certified: Azure Network Engineer Associate (AZ-700) validates subject matter expertise in designing, implementing, and managing Azure networking solutions. The certification covers five core domains: core network infrastructure (virtual networks, IP addressing, DNS, routing, and NAT), hybrid connectivity (site-to-site VPN, point-to-site VPN, Azure ExpressRoute, and Azure Virtual WAN), application delivery services (Azure Load Balancer, Traffic Manager, Application Gateway, and Azure Front Door), private access to Azure services (Private Link, private endpoints, and service endpoints), and network security (NSGs, Azure Firewall, Firewall Manager, and Web Application Firewall). The exam was last updated on January 21, 2026, reflecting the latest Azure networking capabilities.
Earning this certification demonstrates that a professional can optimize performance, resiliency, scale, and security across Azure networking environments, proactively monitor network health, diagnose routing and connectivity issues, and collaborate effectively with solution architects, cloud administrators, security engineers, and application developers. It is recognized across the industry as a benchmark for Azure network engineering proficiency at the associate level.
This certification targets network engineers and cloud infrastructure professionals who plan, implement, and manage Azure networking solutions as part of their day-to-day responsibilities. Ideal candidates typically hold roles such as Azure Network Engineer, Cloud Network Architect, Infrastructure Engineer, or Network Administrator working in organizations that operate workloads in Azure or are migrating from on-premises environments.
Candidates should have hands-on experience creating and managing compute, storage, and networking resources in Azure, along with a solid understanding of networking fundamentals including name resolution, network protocols (TCP/IP, BGP, IPsec/IKE), and network address management (CIDR, subnetting). Those who regularly work with Azure VNets, ExpressRoute circuits, Application Gateway, Azure Firewall, or hybrid connectivity scenarios will find the exam content closely aligned with their practical experience.
There are no formal prerequisite certifications required to sit for the AZ-700 exam. However, Microsoft recommends that candidates possess practical experience creating and managing compute, storage, and networking resources in Azure before attempting the exam. A working knowledge of Azure fundamentals—such as the concepts covered in the AZ-900 (Azure Fundamentals) certification—provides a useful foundation, though it is not mandatory.
Candidates should be proficient in core networking concepts including IP addressing and subnetting, DNS, routing protocols (including BGP for ExpressRoute scenarios), VPN technologies (IPsec/IKE, SSL/TLS), and network security principles. Familiarity with Azure-specific services such as Virtual Networks, Azure Portal, Azure CLI, and Azure PowerShell is strongly recommended. Prior experience with on-premises networking technologies and hybrid connectivity scenarios involving site-to-site VPNs or MPLS/ExpressRoute circuits will be advantageous.
Exam AZ-700 is a proctored assessment delivered through Pearson VUE, available in both online proctored and in-person test center formats. Candidates are given 100 minutes to complete the exam. The exam may include interactive components such as labs or case studies in addition to standard question types like multiple choice, multiple select, drag-and-drop, and scenario-based questions.
The passing score is 700 out of 1000 on Microsoft's scaled scoring system, which uses a compensatory model—meaning candidates do not need to achieve a minimum score in each individual domain, only an overall scaled score of 700 or above. The exam is available in English, German, Spanish, French, Italian, Japanese, Korean, Portuguese (Brazil), Chinese (Simplified), and Chinese (Traditional). The exam fee is $165 USD (pricing varies by country/region). Certification earned is valid for 12 months and can be renewed at no cost by passing an online renewal assessment on Microsoft Learn.
The Azure Network Engineer Associate certification opens doors to roles such as Azure Network Engineer, Cloud Infrastructure Engineer, Network Architect, and Cloud Solutions Architect at organizations across virtually every industry undertaking Azure adoption or hybrid cloud migrations. As of early 2026, Azure Network Engineers in the United States earn average annual salaries of approximately $109,000–$145,000, with top earners in high-cost markets such as California, Massachusetts, and Washington D.C. commanding $155,000–$165,000 or more depending on experience and seniority.
Demand for certified Azure networking professionals continues to grow as enterprises expand hybrid connectivity using ExpressRoute and Virtual WAN, adopt Zero Trust network security models, and migrate application delivery infrastructure to Azure-native services like Front Door and Application Gateway. Compared to general cloud associate certifications, the AZ-700's specialization in networking positions holders for higher-compensation, more technically complex roles. The certification also serves as a natural stepping stone toward expert-level credentials such as the Azure Solutions Architect Expert (AZ-305) or specialized security certifications, making it a strategically valuable milestone in a cloud networking career path.
5 sample questions with answers and explanations. Start a practice session to test yourself across all 554 questions.
Preview — answers shown1. An administrator is creating an NSG rule to allow SSH traffic from their corporate office to a set of bastion host VMs. The corporate office has a dynamic public IP address. To avoid constantly updating the NSG rule, what is the best practice for defining the source in the rule?
Explanation
While you cannot create a custom service tag yourself, this question highlights a common challenge. The intended answer in a real-world scenario would often involve a more advanced setup like using a DDNS name with an Azure Firewall rule. However, within the strict confines of NSG capabilities, none of the options are perfect. The least incorrect approach, conceptually, would be to wish for a service tag, as this represents a managed group of IPs. The most practical (but not listed) answer is to script updates or use a firewall. Given the options, service tags represent the type of solution needed (a managed, named group of IPs) even if custom ones aren't available for this scenario, making it the most plausible distracter or intended answer pointing towards managed entities.
2. A network switch at a local library receives a frame of data. To decide which port to send the frame out on, the switch examines a specific address contained within the frame's header. This address uniquely identifies the network card of the destination computer on the local network. What layer of the OSI model and what type of address is the switch using to make this forwarding decision?
Explanation
Switches operate at Layer 2, the Data Link Layer, of the OSI model. [3, 15, 24] They make forwarding decisions based on the destination MAC (Media Access Control) address contained within the header of each data frame. [48, 50] Routers use IP addresses at Layer 3, and firewalls or applications use port numbers at Layer 4. Layer 1 deals with the physical transmission of bits.
3. Northwind Traders has Azure subscription with virtual network TradeVNet containing Azure Firewall TradeFirewall in AzureFirewallSubnet. The company needs to enable high availability for the firewall deployment to survive Azure datacenter outages. The solution must maintain the same public IP addresses for existing NAT rules. What should you configure?
Explanation
To achieve datacenter-level high availability while maintaining the same public IP addresses, you should deploy Azure Firewall across availability zones using zone-redundant public IP addresses. This configuration distributes firewall instances across multiple datacenters within the region while preserving the same public IPs for existing DNAT rules. Multiple firewall instances would require different IPs, and Virtual WAN would change the architectural approach.
4. Adventure Works needs to automate packet capture on their critical virtual machines to troubleshoot intermittent application performance issues. They want to trigger packet capture automatically when CPU usage exceeds 80% or when specific error rates are detected in their application logs. The captured data should be stored securely and analyzed automatically. Which Network Watcher configuration provides this automated troubleshooting capability?
Explanation
Azure Automation runbooks can be triggered by Azure Monitor alerts based on metrics (CPU usage) or log analytics queries (application error rates). The runbooks can then start Network Watcher packet capture on specific VMs, configure capture filters, set storage locations, and even trigger additional analysis workflows. This provides the most flexible automated troubleshooting capability, allowing complex conditions and automated responses to network performance issues.
5. A financial services company is using Azure Monitor Network Insights to get a comprehensive view of their network health. An administrator is trying to troubleshoot a connectivity issue between two virtual machines but is not seeing any data in the 'Topology' view. Which Azure service must be deployed and configured for Network Insights to collect the necessary data and generate the topology map?
Explanation
Azure Monitor Network Insights relies on the capabilities of Azure Network Watcher to function. Network Watcher is the underlying service that provides the core monitoring and diagnostic tools, including packet capture, NSG flow logs, and the topology view. Network Insights acts as a visualization and analysis layer on top of the data collected by Network Watcher. Therefore, Network Watcher must be enabled and properly configured in the subscription and region for Network Insights to display meaningful data.
Microsoft Dynamics 365 Supply Chain Management Functional Consultant Expert (MB-335)
MB-335 · 2039 questions
Microsoft Dynamics 365 Business Central Functional Consultant (MB-800)
MB-800 · 1899 questions
Microsoft Certified: Azure AI Engineer Associate (AI-102)
AI-102 · 1392 questions
Microsoft Certified: Windows Server Hybrid Administrator Associate (AZ-801)
AZ-801 · 1376 questions
Microsoft Dynamics 365 Finance Functional Consultant (MB-310)
MB-310 · 1299 questions
Microsoft 365 Certified: Fundamentals (MS-900)
MS-900 · 1201 questions
$17.99
One-time access to this exam