Microsoft · AZ-700
Validates expertise in designing, implementing, and maintaining Azure networking solutions including hybrid connectivity, application delivery services, private access to Azure services, and network security.
Questions
554
Duration
120 minutes
Passing Score
700/1000
Difficulty
AssociateLast Updated
Jan 2026
Use this AZ-700 practice exam to prepare for Microsoft Certified: Azure Network Engineer Associate (AZ-700) with realistic questions, detailed explanations, and focused study modes. The practice bank includes 554 questions for Microsoft AZ-700, so you can review the exam steadily instead of relying on one long cram session.
As you practice, pay extra attention to recurring topics such as Core Networking Infrastructure, Routing, Azure ExpressRoute, Network Security, and Private Access to Azure Services. Start with short sessions to identify weak areas, then move into timed quizzes once your accuracy is consistent.
The explanations are especially useful when you want to connect exam wording to the responsibilities and scenarios described in the official certification guidance. Use the free preview first, then unlock the full question bank when you are ready to build a complete study routine.
The Microsoft Certified: Azure Network Engineer Associate (AZ-700) validates subject matter expertise in designing, implementing, and managing Azure networking solutions. The certification covers five core domains: core network infrastructure (virtual networks, IP addressing, DNS, routing, and NAT), hybrid connectivity (site-to-site VPN, point-to-site VPN, Azure ExpressRoute, and Azure Virtual WAN), application delivery services (Azure Load Balancer, Traffic Manager, Application Gateway, and Azure Front Door), private access to Azure services (Private Link, private endpoints, and service endpoints), and network security (NSGs, Azure Firewall, Firewall Manager, and Web Application Firewall). The exam was last updated on January 21, 2026, reflecting the latest Azure networking capabilities.
Earning this certification demonstrates that a professional can optimize performance, resiliency, scale, and security across Azure networking environments, proactively monitor network health, diagnose routing and connectivity issues, and collaborate effectively with solution architects, cloud administrators, security engineers, and application developers. It is recognized across the industry as a benchmark for Azure network engineering proficiency at the associate level.
This certification targets network engineers and cloud infrastructure professionals who plan, implement, and manage Azure networking solutions as part of their day-to-day responsibilities. Ideal candidates typically hold roles such as Azure Network Engineer, Cloud Network Architect, Infrastructure Engineer, or Network Administrator working in organizations that operate workloads in Azure or are migrating from on-premises environments.
Candidates should have hands-on experience creating and managing compute, storage, and networking resources in Azure, along with a solid understanding of networking fundamentals including name resolution, network protocols (TCP/IP, BGP, IPsec/IKE), and network address management (CIDR, subnetting). Those who regularly work with Azure VNets, ExpressRoute circuits, Application Gateway, Azure Firewall, or hybrid connectivity scenarios will find the exam content closely aligned with their practical experience.
There are no formal prerequisite certifications required to sit for the AZ-700 exam. However, Microsoft recommends that candidates possess practical experience creating and managing compute, storage, and networking resources in Azure before attempting the exam. A working knowledge of Azure fundamentals—such as the concepts covered in the AZ-900 (Azure Fundamentals) certification—provides a useful foundation, though it is not mandatory.
Candidates should be proficient in core networking concepts including IP addressing and subnetting, DNS, routing protocols (including BGP for ExpressRoute scenarios), VPN technologies (IPsec/IKE, SSL/TLS), and network security principles. Familiarity with Azure-specific services such as Virtual Networks, Azure Portal, Azure CLI, and Azure PowerShell is strongly recommended. Prior experience with on-premises networking technologies and hybrid connectivity scenarios involving site-to-site VPNs or MPLS/ExpressRoute circuits will be advantageous.
Exam AZ-700 is a proctored assessment delivered through Pearson VUE, available in both online proctored and in-person test center formats. Candidates are given 100 minutes to complete the exam. The exam may include interactive components such as labs or case studies in addition to standard question types like multiple choice, multiple select, drag-and-drop, and scenario-based questions.
The passing score is 700 out of 1000 on Microsoft's scaled scoring system, which uses a compensatory model—meaning candidates do not need to achieve a minimum score in each individual domain, only an overall scaled score of 700 or above. The exam is available in English, German, Spanish, French, Italian, Japanese, Korean, Portuguese (Brazil), Chinese (Simplified), and Chinese (Traditional). The exam fee is $165 USD (pricing varies by country/region). Certification earned is valid for 12 months and can be renewed at no cost by passing an online renewal assessment on Microsoft Learn.
The Azure Network Engineer Associate certification opens doors to roles such as Azure Network Engineer, Cloud Infrastructure Engineer, Network Architect, and Cloud Solutions Architect at organizations across virtually every industry undertaking Azure adoption or hybrid cloud migrations. As of early 2026, Azure Network Engineers in the United States earn average annual salaries of approximately $109,000–$145,000, with top earners in high-cost markets such as California, Massachusetts, and Washington D.C. commanding $155,000–$165,000 or more depending on experience and seniority.
Demand for certified Azure networking professionals continues to grow as enterprises expand hybrid connectivity using ExpressRoute and Virtual WAN, adopt Zero Trust network security models, and migrate application delivery infrastructure to Azure-native services like Front Door and Application Gateway. Compared to general cloud associate certifications, the AZ-700's specialization in networking positions holders for higher-compensation, more technically complex roles. The certification also serves as a natural stepping stone toward expert-level credentials such as the Azure Solutions Architect Expert (AZ-305) or specialized security certifications, making it a strategically valuable milestone in a cloud networking career path.
5 sample questions with answers and explanations. Start a practice session to test yourself across all 554 questions.
Preview — answers shown1. A company is designing a globally distributed web application. The solution requires a load balancing architecture that can provide both SSL offloading at the edge and content caching to improve performance for users across different continents. Which two Azure services should be combined to meet these requirements?
Multiple correct answersExplanation
The ideal solution is to combine Azure Front Door and Azure Application Gateway v2. Azure Front Door is a global load balancer that operates at Layer 7 and provides CDN-like capabilities, including SSL offloading and dynamic content caching at its globally distributed edge locations. This handles the global traffic routing and performance acceleration. Azure Application Gateway v2 is a regional load balancer that can be placed in each Azure region as the origin for Front Door. It provides further capabilities like Web Application Firewall (WAF) and advanced routing within the virtual network, and it can also perform SSL offloading if needed. Azure Load Balancer works at Layer 4 and does not support SSL offload or caching. Traffic Manager is a DNS-based load balancer and also lacks these features.
2. A company has a legacy application on an Azure VM that can only be accessed over HTTP. They want to use an Azure Application Gateway to provide a secure external endpoint for users. Users must connect to the gateway using HTTPS, but the gateway should then communicate with the backend VM over unencrypted HTTP. What configuration enables this?
Explanation
This configuration is known as SSL/TLS termination. You would configure an HTTPS listener on the Application Gateway, which requires a TLS certificate. This listener accepts the encrypted HTTPS traffic from the end-user. Then, in the 'HTTP settings' that are linked to the routing rule, you would set the backend protocol to 'HTTP' and the port to 80. This tells the gateway to decrypt the user's traffic and forward it as unencrypted HTTP to the backend VM, which meets the legacy application's requirement.
3. Woodgrove Bank operates seven branch offices and has an Azure subscription with virtual network BankVNet. They plan to configure a virtual network gateway for BankVNet meeting these requirements: use IKEv2 protocol, support maximum 10 Site-to-Site VPN connections. Which VPN gateway type should you configure?
Explanation
The Basic route-based VPN gateway meets all requirements: it supports IKEv2 protocol, allows up to 10 Site-to-Site VPN connections, and minimizes costs. Policy-based gateways only support one tunnel per gateway, making them unsuitable for multiple site connections. Higher SKUs like VpnGw1 support 30 connections and VpnGw5AZ supports 100 connections, exceeding requirements and increasing costs unnecessarily.
4. Tailspin Toys has Azure Virtual WAN with Standard SKU and hub in Central US. They connect 10 branch offices via Site-to-Site VPN and headquarters via ExpressRoute. The company needs to enable branch-to-branch connectivity through the Virtual WAN hub while maintaining traffic inspection through Azure Firewall. What should you configure?
Explanation
To enable branch-to-branch connectivity with traffic inspection in Virtual WAN, you need to convert the hub to a Secured hub by deploying Azure Firewall. This automatically configures routing to inspect inter-branch traffic through the firewall while maintaining the Virtual WAN's automatic routing capabilities. Custom route tables are managed automatically when using Secured hub configuration.
5. An administrator is setting up a new virtual machine in Azure. To simplify management and security, they want to group this VM with several other VMs that share the same security requirements, so a single NSG rule can be applied to all of them at once. For example, a rule to allow port 443 from a specific source to all VMs in the 'WebServers' group. What Azure networking object should be created and associated with the network interfaces of these VMs?
Explanation
An Application Security Group (ASG) is the correct object for this purpose. ASGs are used to group virtual machines with similar functions, such as web servers or database servers. You can then use the ASG as the source or destination in an NSG rule. This simplifies rule management significantly because you no longer need to manage a list of explicit IP addresses. When you add or remove a VM's NIC from the ASG, its access is automatically updated without any changes needed to the NSG rule itself.
Microsoft Dynamics 365 Supply Chain Management Functional Consultant Expert (MB-335)
MB-335 · 2039 questions
Microsoft Dynamics 365 Business Central Functional Consultant (MB-800)
MB-800 · 1899 questions
Microsoft Certified: Azure AI Engineer Associate (AI-102)
AI-102 · 1392 questions
Microsoft Certified: Windows Server Hybrid Administrator Associate (AZ-801)
AZ-801 · 1376 questions
Microsoft Dynamics 365 Finance Functional Consultant (MB-310)
MB-310 · 1299 questions
Microsoft 365 Certified: Fundamentals (MS-900)
MS-900 · 1201 questions
$17.99
One-time access to this exam