AZ-700 Exam 2026: Your Complete Azure Network Engineer Guide
The Microsoft AZ-700: Designing and Implementing Microsoft Azure Networking Solutions exam is the single requirement to earn the Azure Network Engineer Associate badge. It validates that you can plan, deploy, secure, monitor, and troubleshoot Azure networks across virtual networks, hybrid connectivity (S2S, P2S, ExpressRoute, Virtual WAN), application delivery (Load Balancer, Application Gateway, Front Door), private access (Private Link, Private Endpoint, Service Endpoints), and network security (NSG, ASG, Azure Firewall, WAF).
The February 22, 2026 skills outline still keeps the same five domains, but every functional group received "minor" updates that rolled in Azure Virtual Network Manager as the recommended way to manage VNet topology and security at scale, Microsoft Defender for Cloud Security Explorer as a network monitoring tool, and Azure Front Door tier selection (Standard, Premium, Classic) as an explicit objective.
Where most competitor blogs fall short: they list services without telling you when to choose each. This guide leads with the decision matrices that the AZ-700 case study tests — hub-spoke vs Virtual WAN, Private Link vs Service Endpoint, ExpressRoute SKU and tier, BGP vs UDR, NVA vs Azure Firewall — and adds a 6-week FREE study plan tuned to the 2026 outline.
AZ-700 Exam Format at a Glance
| Spec | Detail |
|---|---|
| Exam code | AZ-700 |
| Title | Designing and Implementing Microsoft Azure Networking Solutions |
| Certification earned | Azure Network Engineer Associate |
| Questions | 40–60 (typically ~50) |
| Time | 100 minutes (core); ~120 min seat time |
| Passing score | 700 of 1000 (scaled — not 70%) |
| Question types | Multiple choice, multiple answer, drag-drop, build-list, hot area, case study |
| Fee (US) | $165 USD |
| Languages | English, Japanese, Chinese (Simplified), Korean, German, French, Spanish, Portuguese (Brazil) |
| Validity | 1 year — renewed FREE on Microsoft Learn |
| Skills outline date | February 22, 2026 (Microsoft Learn) |
| Delivery | Pearson VUE test center or online proctored |
| Prerequisites | None — but AZ-104 strongly recommended; the exam assumes Azure fundamentals |
Important: The 700 pass mark is scaled, not a raw 70%. Microsoft uses item-response weighting, so harder questions count more.
The 5 AZ-700 Domains (February 2026 Skills Outline)
| Domain | Weight | Focus |
|---|---|---|
| 1. Design and implement core networking infrastructure | 25–30% | VNets, IP addressing, DNS, peering, UDRs, NAT Gateway, Network Watcher |
| 2. Design, implement, and manage connectivity services | 20–25% | S2S/P2S VPN, ExpressRoute, Virtual WAN |
| 3. Design and implement application delivery services | 15–20% | Load Balancer, Traffic Manager, Application Gateway, Front Door |
| 4. Design and implement private access to Azure services | 10–15% | Private Link, Private Endpoint, Service Endpoints |
| 5. Design and implement Azure network security services | 15–20% | NSG, ASG, Azure Firewall, WAF |
Domain 1 is the largest single domain. Master VNet peering, UDRs, and DNS first — they recur as building blocks inside every other domain.
AZ-700 vs AZ-104 vs AZ-305: Which Azure Cert in 2026?
The Azure role-based ladder is wider than most candidates realize. Here is the 2026 placement:
| Cert | Code | Role | Best for | Where AZ-700 fits |
|---|---|---|---|---|
| Azure Administrator Associate | AZ-104 | Admin generalist | Anyone touching Azure daily | Take this first |
| Azure Network Engineer Associate | AZ-700 | Network specialist | DevOps, network engineers, security engineers | The networking deep-dive |
| Azure Solutions Architect Expert | AZ-305 | Architect | Solution design across compute, storage, networking | After AZ-104 + 1 more associate |
| Azure Security Engineer Associate | AZ-500 | Security specialist | Defender, NSG, WAF, identity | Sibling to AZ-700 |
Recommended order: AZ-104 → AZ-700 → AZ-500 (or AZ-305 if you want architect track). AZ-700 alone, without AZ-104, is doable but you will be force-learning Azure fundamentals (resource groups, RBAC, ARM) at the same time as VNet peering — slower path.
Hub-Spoke vs Virtual WAN: The Decision That Drives 5+ Exam Questions
This is the single most-tested architectural decision on AZ-700. Memorize this table:
| Factor | Hub-Spoke (DIY) | Azure Virtual WAN |
|---|---|---|
| Topology | Manual hub VNet + spoke VNets via peering | Microsoft-managed virtual hub(s) per region |
| Routing | UDRs and Route Server you maintain | Hub-managed automatic routing |
| Scale | Limited by VNet peering quota (~500 spokes per hub) | Scales to thousands of branches and VNets |
| Branch connectivity | Each branch needs separate VPN gateway and config | Built-in S2S, P2S, ExpressRoute terminate at hub |
| SD-WAN | Manual NVA integration | Native partners (Cisco Meraki, Citrix, Versa, Aruba, etc.) |
| Pricing | Lower at small scale | Hub units billed hourly + scale unit per gateway |
| Best for | < 50 spokes, mostly Azure-to-Azure | Multi-region, multi-branch, SD-WAN integration, global mesh |
| Routing intent | DIY firewall steering with UDRs | Routing Intent / Routing Policies for automatic branch-to-branch and inbound-to-internet steering |
Rule of thumb: Pick hub-spoke if you are 100% Azure with a small number of regions and want maximum control over UDRs and NVAs. Pick Virtual WAN if you have 5+ branch offices, multi-region SD-WAN, or expect rapid scale.
Virtual WAN SKUs:
- Basic — only S2S VPN, no transit between hubs (legacy, not recommended for new deployments)
- Standard — full feature set: S2S, P2S, ExpressRoute, hub-to-hub transit, secure hub with Azure Firewall, Routing Intent
Private Link vs Private Endpoint vs Service Endpoint
The second most-tested decision. Confusing because Microsoft uses overlapping terminology.
| Feature | Private Endpoint | Private Link Service | Service Endpoint |
|---|---|---|---|
| What it does | Gives a PaaS service a private IP in your VNet | Lets you publish your own service for private consumption by other tenants | Extends VNet identity to the public PaaS endpoint |
| Traffic stays on Azure backbone? | Yes, with private IP | Yes | Yes, but service still has public endpoint |
| Public endpoint of PaaS service | Can be disabled (recommended) | N/A — your own service | Remains accessible publicly |
| Cross-tenant / cross-region | Yes | Yes (key value-prop) | No, same region only |
| Granularity | Per-resource (one endpoint per storage account) | Per Standard Load Balancer front-end | Per VNet-subnet → service combination |
| Cost | $0.01/hour per endpoint + data | $0.01/hour per service + data | Free |
| Best for | Production zero-trust isolation | SaaS/multi-tenant publishers | Quick wins, cost-conscious dev/test |
Rule of thumb: Default to Private Endpoint for production. Use Service Endpoint only when cost matters more than isolation. Use Private Link Service only when you are the SaaS provider exposing your own service.
ExpressRoute SKUs and Tiers (Memorize)
ExpressRoute pricing has two orthogonal axes — port speed and tier — that AZ-700 case studies test repeatedly.
Connectivity model
| Model | What | When |
|---|---|---|
| CSP (cloud exchange co-location) | Cross-connect in a peering facility | You have your own gear in a colo |
| Point-to-point Ethernet | Carrier-managed Ethernet circuit | Single site, dedicated bandwidth |
| Any-to-any (IPVPN) | MPLS-style mesh | Multi-site enterprise |
| ExpressRoute Direct | Direct 10/100 Gbps port pair to MS | Hyperscalers, very high throughput |
Bandwidth tier
Port speeds: 50 Mbps, 100 Mbps, 200 Mbps, 500 Mbps, 1 Gbps, 2 Gbps, 5 Gbps, 10 Gbps. ExpressRoute Direct adds 10 Gbps and 100 Gbps ports.
Pricing tier
| Tier | What's included | When |
|---|---|---|
| Local | Connect to Microsoft services in the same metro for no egress charge (within tier) | Region-local (Office 365 in same metro) |
| Standard | Connect to any Microsoft region within the same geopolitical region | Default for most enterprises |
| Premium | Adds: cross-geopolitical connectivity, increased route limits (up to 10,000 routes), Microsoft 365 routing | Multi-continent enterprises |
Add-ons
- Global Reach — connect on-prem sites through Microsoft's backbone using two ExpressRoute circuits
- FastPath — bypass the gateway for higher throughput; supports unlimited connections per circuit
- ExpressRoute Direct — physical 10/100 Gbps port pair you own end-to-end; required for FastPath at very large scale and for MACsec encryption at layer 2
Azure Subnet Math: The 5-IP Reservation Trap
Azure reserves 5 IP addresses in every subnet you create — a fact that sinks candidates from a Cisco / on-prem background who expect AWS-style 4-IP reservations. The reserved IPs in a subnet 10.0.0.0/24 (256 total addresses) are:
| Address | Reserved for |
|---|---|
| 10.0.0.0 | Network address |
| 10.0.0.1 | Default gateway (Azure-provided) |
| 10.0.0.2 | Azure DNS mapping |
| 10.0.0.3 | Reserved for future Azure use |
| 10.0.0.255 | Network broadcast |
A /29 (8 addresses) leaves you only 3 usable IPs, not 6. A /28 (16) gives 11 usable. Plan accordingly when sizing GatewaySubnet, AzureFirewallSubnet, AzureBastionSubnet:
| Special-purpose subnet | Minimum size | Recommended |
|---|---|---|
| GatewaySubnet | /29 | /27 or larger for ExpressRoute coexistence and zone redundancy |
| AzureFirewallSubnet | /26 | /26 (fixed name, must be exactly this) |
| AzureFirewallManagementSubnet | /26 | /26 (only required for forced-tunnel Firewalls) |
| AzureBastionSubnet | /26 | /26 (fixed name, supports 2 to 50 concurrent sessions) |
| RouteServerSubnet | /27 | /27 (fixed name) |
| VNet integration for App Service | /28 | /27 |
The AZ-700 case study always includes a subnet sizing question. If the scenario says "customer needs Azure Bastion + Firewall + VPN gateway in the same hub," you need at least three /26+ subnets plus your workload subnets — which fails to fit in a /24. Recognize this and recommend a /22 or /23 hub VNet.
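The sizing check above, worked as an added Python example (not code from Microsoft or from this guide's source): it applies the 5-address reservation and carves the hub's special-purpose subnets out of a candidate hub VNet. The 10.0.0.0 address space, the /26 chosen for GatewaySubnet, and the /25 workload subnet are assumptions made for illustration.

```python
import ipaddress

AZURE_RESERVED = 5  # per-subnet reservation listed in the table above


def usable_ips(prefix_len):
    """Usable addresses in an Azure subnet of the given prefix length."""
    return max(2 ** (32 - prefix_len) - AZURE_RESERVED, 0)


def plan_hub(hub_cidr, required):
    """Carve the required subnets (name -> prefix length) out of hub_cidr.

    Largest subnets are placed first so each one lands on its natural
    boundary. Returns (allocations, unplaced).
    """
    hub = ipaddress.IPv4Network(hub_cidr)
    cursor = int(hub.network_address)
    end = int(hub.broadcast_address) + 1
    allocations, unplaced = {}, []
    for name, plen in sorted(required.items(), key=lambda kv: kv[1]):
        size = 2 ** (32 - plen)
        if plen < hub.prefixlen or cursor + size > end:
            unplaced.append(name)  # does not fit in what is left of the hub
            continue
        allocations[name] = ipaddress.IPv4Network((cursor, plen))
        cursor += size
    return allocations, unplaced


# Constructed requirement set: the three hub services from the scenario
# above plus one assumed /25 workload subnet.
HUB_REQUIREMENTS = {
    "GatewaySubnet": 26,
    "AzureFirewallSubnet": 26,
    "AzureBastionSubnet": 26,
    "workload": 25,
}

if __name__ == "__main__":
    for cidr in ("10.0.0.0/24", "10.0.0.0/23"):
        placed, missing = plan_hub(cidr, HUB_REQUIREMENTS)
        print(cidr, "unplaced:", missing or "none")
        for name, net in placed.items():
            print(f"  {name:22} {net}  usable={usable_ips(net.prefixlen)}")
```

With these inputs the /24 hub runs out of space before AzureBastionSubnet is placed, while the /23 hub holds all four subnets with room to spare.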
BGP vs UDR (User-Defined Routes)
Azure routing is layered:
- System routes — Azure-injected defaults (VNet, peering, default 0.0.0.0/0 to internet)
- BGP-learned routes — propagated from on-prem via VPN gateway or ExpressRoute
- UDRs (user-defined routes) — your custom routes attached via a route table
Tie-break order in Azure:
- Longest prefix match wins
- If prefix is equal, UDR > BGP > system route
- Within UDRs, the next-hop type with highest priority wins (none > VirtualNetworkGateway > VirtualAppliance > VnetLocal)
Key gotchas the exam tests:
- A UDR with 0.0.0.0/0 → VirtualAppliance (NVA IP) enables forced tunneling for internet-bound traffic through your firewall
- BGP route propagation can be disabled on a route table — useful when you want UDRs to fully override on-prem routes for a specific subnet
- Azure Route Server lets BGP-speaking NVAs (e.g., Cisco CSR, Palo Alto VM-Series) exchange routes with the Azure SDN — eliminates static UDR maintenance
- VNet peering does not propagate BGP routes by default; enable "Use remote gateway" + "Allow gateway transit" to share a hub gateway
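The tie-break order and the forced-tunneling gotcha above, modeled as an added Python example (not Azure's implementation and not part of the original guide). The route table, the NVA address 10.0.1.4, and the helper names are constructed; the model covers only longest-prefix match and the UDR > BGP > system precedence.

```python
import ipaddress

# Tie-break between route sources when prefix lengths are equal (lower wins).
SOURCE_RANK = {"UDR": 0, "BGP": 1, "System": 2}


def effective_route(routes, dest_ip, bgp_propagation=True):
    """Return the (prefix, source, next_hop) that wins for dest_ip, or None.

    bgp_propagation=False models a route table with BGP route
    propagation disabled: BGP-learned routes never reach the subnet.
    """
    dest = ipaddress.ip_address(dest_ip)
    matches = [
        r for r in routes
        if (bgp_propagation or r[1] != "BGP")
        and dest in ipaddress.ip_network(r[0])
    ]
    if not matches:
        return None
    # Longest prefix first, then UDR > BGP > System.
    return min(
        matches,
        key=lambda r: (-ipaddress.ip_network(r[0]).prefixlen, SOURCE_RANK[r[1]]),
    )


def bypasses_nva(routes, dest_ips, bgp_propagation=True):
    """Destinations whose winning next hop is not the firewall/NVA."""
    out = []
    for ip in dest_ips:
        route = effective_route(routes, ip, bgp_propagation)
        if route is None or not route[2].startswith("VirtualAppliance"):
            out.append(ip)
    return out


# Constructed effective-route table for one spoke subnet.
ROUTES = [
    ("10.1.0.0/16", "System", "VnetLocal"),
    ("0.0.0.0/0", "System", "Internet"),
    ("0.0.0.0/0", "UDR", "VirtualAppliance 10.0.1.4"),
    ("0.0.0.0/0", "BGP", "VirtualNetworkGateway"),
    ("10.50.0.0/16", "BGP", "VirtualNetworkGateway"),
    ("203.0.113.0/24", "BGP", "VirtualNetworkGateway"),
]

if __name__ == "__main__":
    for ip in ("198.51.100.7", "203.0.113.10", "10.50.1.1", "10.1.2.3"):
        print(ip, "->", effective_route(ROUTES, ip))
    print("bypass NVA:", bypasses_nva(ROUTES, ["198.51.100.7", "203.0.113.10"]))
```

The 0.0.0.0/0 UDR beats the equal-length BGP and system defaults, but the more specific BGP-learned 203.0.113.0/24 still wins on prefix length and skips the NVA until BGP propagation is disabled on the route table.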
Domain 5 Deep-Dive: Network Security (15–20%)
NSG vs ASG vs Azure Firewall vs WAF
| Tool | Layer | Stateful? | Granularity | When |
|---|---|---|---|---|
| NSG (Network Security Group) | L3/L4 | Yes | Per subnet or NIC | Allowlist/denylist by 5-tuple |
| ASG (Application Security Group) | L3/L4 | Yes | Logical group of VMs | Replace IP-list maintenance with role-based grouping |
| Azure Firewall | L3/L4/L7 | Yes | Hub-deployed managed service | Centralized policy, FQDN filtering, threat intel |
| Web Application Firewall (WAF) | L7 | Yes | App Gateway or Front Door | OWASP rule sets, bot protection |
Azure Firewall SKUs:
- Basic — small/medium businesses, throughput up to 250 Mbps, no IDPS
- Standard — full L3-L7 with FQDN tags and threat intelligence
- Premium — adds TLS inspection, IDPS, URL filtering, web categories
WAF placement
- WAF on Application Gateway — regional, supports OWASP CRS 3.2 and bot protection
- WAF on Azure Front Door — global, scales worldwide, supports Microsoft-managed rule sets and custom rules
- WAF policy is a separate resource you associate with one or more App Gateways or Front Doors — same policy can be reused
Application Delivery: Load Balancer vs Application Gateway vs Front Door vs Traffic Manager
| Service | Layer | Scope | Key features | When |
|---|---|---|---|---|
| Azure Load Balancer | L4 (TCP/UDP) | Regional or cross-region (Standard) | Public/internal, SNAT, HA Ports | Internal traffic, non-HTTP workloads |
| Application Gateway | L7 (HTTP/S) | Regional | URL routing, SSL termination, WAF, autoscaling | Regional web apps with WAF |
| Azure Front Door | L7 (HTTP/S) | Global | Anycast edge, caching, WAF, Private Link to origin | Global web apps, multi-region active-active |
| Traffic Manager | DNS-based | Global | Priority/weighted/performance/geographic routing | DNS-level failover, no proxy needed |
Mnemonic: "L4 → LB. L7 regional → AppGW. L7 global → Front Door. DNS-only → TM."
AZ-700 Salary in 2026
| Role | US Median | Range |
|---|---|---|
| Junior Cloud Network Engineer | $95,000 | $80k–$112k |
| Azure Network Engineer (AZ-700 holder) | $140,000 | $118k–$170k |
| Senior Cloud Network Engineer | $170,000 | $148k–$200k |
| Cloud Network Architect | $190,000 | $165k–$230k |
Source: Glassdoor, Payscale, Levels.fyi 2026. AZ-700 holders earn roughly 18% more than non-certified peers in equivalent roles, per Microsoft's 2025 IT certification value report. Specialty network certs combined with security (AZ-700 + AZ-500) cluster at the top of the cloud-engineer salary band.
Your 6-Week FREE AZ-700 Study Plan
| Week | Focus | Hours | Tasks |
|---|---|---|---|
| 1 | Domain 1: Core networking | 10–12 | Microsoft Learn "Configure VNets, subnets, peering, UDRs." Hands-on: build hub-spoke with two spokes, gateway transit. |
| 2 | Domain 2: Connectivity | 10–12 | Configure S2S VPN to a second VNet (acting as on-prem). Configure P2S with Microsoft Entra auth. Compare ExpressRoute SKUs on paper. |
| 3 | Virtual WAN deep-dive | 6–8 | Deploy a Virtual WAN Standard hub. Configure Routing Intent. Connect a second hub for hub-to-hub transit. |
| 4 | Domains 3 + 4: App delivery + private access | 10–12 | Stand up Application Gateway with WAF. Stand up Front Door Premium with Private Link to origin. Compare Service Endpoint vs Private Endpoint on a Storage account. |
| 5 | Domain 5: Security | 8–10 | Deploy Azure Firewall Premium. Configure DNAT. Use Microsoft Defender for Cloud Network Insights and Security Explorer. |
| 6 | Mocks + weak-spot review | 10–12 | Microsoft free Practice Assessment 3+ runs. Two third-party full-length mocks. Re-read the change-log items for the Feb 2026 outline. |
Total prep: 55–70 hours over 6 weeks for someone with AZ-104 already done. Without AZ-104, expect 90–110 hours.
Free Resources From Microsoft
- AZ-700 Study Guide (February 2026 outline) — the only authoritative source
- Microsoft Learn AZ-700 collection — 80+ free modules
- Free Practice Assessment for AZ-700 — 50 questions, free, retakeable
- Azure Virtual WAN documentation
- Azure Route Server documentation
- Azure Front Door documentation
- Free $200 Azure credit (new account) — enough to spin up VNets, gateways, and Azure Firewall Standard for hands-on labs
AZ-700 Retake Policy and Cost-Saving Tips
Microsoft's official rules for AZ-700 retakes (Microsoft Learn retake policy):
| Attempt | Wait time | Cost |
|---|---|---|
| 1st retake (after fail) | 24 hours | $165 USD (full price) |
| 2nd–5th retake | 14 days between attempts | $165 USD each |
| Maximum attempts in 12 months | 5 | — |
| If you fail 5 times | Wait 12 months from your first attempt | — |
Key rules:
- You cannot retake an exam you have passed unless your certification has expired
- The 14-day waiting period can only be waived for documented internet/equipment failure during the exam — you must have a Pearson VUE case number
- Each retake costs the full $165 unless you bought an Exam Replay voucher upfront (~$33 add-on at purchase)
- Verified-student 50% discount is available with a .edu email — drops AZ-700 to ~$82.50
- Free renewal forever — the 1-year renewal assessment is unproctored and free, so the $165 is genuinely a one-time cost if you renew on time
Hands-On Labs Checklist (Cannot Skip)
AZ-700 case studies test whether you have built networks, not whether you have memorized topology diagrams. Complete these labs end-to-end in a free-tier Azure subscription before sitting:
| # | Lab | Domain | Time |
|---|---|---|---|
| 1 | Build a hub-spoke topology with 2 spokes; configure VNet peering with gateway transit and use remote gateway | 1 | 1.5h |
| 2 | Configure Azure DNS Private Resolver with inbound + outbound endpoints; resolve names across hybrid | 1 | 1.5h |
| 3 | Deploy a UDR forcing internet traffic through an NVA; verify with IP Flow Verify in Network Watcher | 1 | 1h |
| 4 | Configure Azure Virtual Network Manager with a hub-spoke connectivity configuration and Security Admin Rules | 1 | 1.5h |
| 5 | Build a S2S VPN between two VNets simulating on-prem; configure active-active gateway and BGP | 2 | 2h |
| 6 | Deploy Virtual WAN Standard hub; configure Routing Intent to send all branch traffic through Azure Firewall | 2 | 2h |
| 7 | Configure ExpressRoute peering simulation in a test environment; verify with Get-AzExpressRouteCircuitRouteTable | 2 | 1h |
| 8 | Deploy Application Gateway v2 with WAF v2 (OWASP CRS 3.2) and end-to-end TLS | 3 | 1.5h |
| 9 | Deploy Azure Front Door Premium with Private Link to an internal storage origin | 3 | 1.5h |
| 10 | Configure Private Endpoint on Azure Storage with private DNS zone integration; disable public access | 4 | 1h |
| 11 | Compare Service Endpoint vs Private Endpoint on the same storage account; observe traffic in flow logs | 4 | 1h |
| 12 | Deploy Azure Firewall Premium with TLS inspection and IDPS; create DNAT rules for inbound traffic | 5 | 2h |
Total: ~17.5 hands-on hours. The Private Endpoint + private DNS integration lab (#10) is where most candidates discover that misconfigured DNS silently routes "private" traffic over the public internet — exactly the trap AZ-700 case studies test.
Common AZ-700 Mistakes (And How to Avoid Them)
Mistake 1: Confusing VNet peering and VPN
VNet peering is layer-3 transparent within Azure — no encapsulation, no encryption, just SDN routing. A VPN tunnel (S2S or VNet-to-VNet over Gateway) is encrypted and encapsulated with IKE/IPsec. Peering is faster and cheaper but does not encrypt; if you need encryption between two VNets, use VNet-to-VNet VPN or a third-party NVA.
Mistake 2: Forgetting BGP route limits
The default ExpressRoute Standard tier supports 4,000 routes per peering session; Premium raises that to 10,000. Teams with massive on-prem route tables hit this and wonder why some prefixes silently disappear.
Mistake 3: NSG rule precedence
NSG rules are evaluated by priority (lowest number wins), not by order in the portal. Default rules at priority 65000+ allow VNet-internal and Azure Load Balancer traffic. Always verify with IP Flow Verify in Network Watcher before declaring a rule "broken."
Mistake 4: Forgetting AllowAzureLoadBalancer in NSG
If you add a deny-all inbound rule to a subnet hosting a backend pool, you can break health probes. The default NSG rule AllowAzureLoadBalancer at priority 65001 must remain reachable.
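Mistakes 3 and 4 in one added Python model (not Azure's evaluation engine and not part of the original guide): rules are evaluated by priority, and a custom deny-all placed ahead of the defaults catches health probes. The custom rule names and priorities are constructed, the default rule AllowAzureLoadBalancer is written with its full portal name, and traffic sources are simplified to a single service tag.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int
    source: str  # "*" or a service tag such as "AzureLoadBalancer"
    port: str    # "*" or a single destination port
    action: str  # "Allow" or "Deny"


# Default inbound rules present in every NSG.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "VirtualNetwork", "*", "Allow"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "AzureLoadBalancer", "*", "Allow"),
    Rule("DenyAllInBound", 65500, "*", "*", "Deny"),
]


def evaluate(custom_rules, source_tag, port):
    """Return the first matching rule in priority order (lowest number first)."""
    ordered = sorted(list(custom_rules) + DEFAULT_INBOUND, key=lambda r: r.priority)
    for rule in ordered:
        if rule.source in ("*", source_tag) and rule.port in ("*", str(port)):
            return rule
    raise AssertionError("unreachable: DenyAllInBound matches everything")


def probe_allowed(custom_rules, port):
    """True if a load balancer health probe to this port is admitted."""
    return evaluate(custom_rules, "AzureLoadBalancer", port).action == "Allow"


# Constructed rule sets. BROKEN has a deny-all ahead of the defaults;
# FIXED adds an explicit probe allowance. It is listed last but is
# evaluated before the deny because its priority number is lower.
BROKEN = [
    Rule("AllowHttps", 100, "Internet", "443", "Allow"),
    Rule("DenyAllCustom", 4096, "*", "*", "Deny"),
]
FIXED = BROKEN + [Rule("AllowLbProbes", 4000, "AzureLoadBalancer", "*", "Allow")]

if __name__ == "__main__":
    for label, rules in (("broken", BROKEN), ("fixed", FIXED)):
        hit = evaluate(rules, "AzureLoadBalancer", 443)
        print(f"{label}: probe matched {hit.name} ({hit.priority}) -> {hit.action}")
```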
Mistake 5: Using Service Endpoint when Private Endpoint is required
If the question says "the database must not be reachable from the internet," Service Endpoint is wrong — the public endpoint stays open. Only Private Endpoint combined with disabling the public endpoint achieves true isolation.
Test-Day Strategy: How to Pass AZ-700 First Try
Before You Sit
- Score 820+ on Microsoft's free Practice Assessment three runs in a row
- Re-read the February 2026 skills outline change log the morning of the exam
- Hand-draw the hub-spoke vs Virtual WAN decision tree from memory; if you cannot, study one more day
During the 100 Minutes
- Case study first if it appears at the start (some forms put it last). Budget 25–30 minutes
- For routing/UDR questions, draw the topology on the digital whiteboard before clicking — getting the order of LPM → UDR → BGP → system right matters
- Mark and skip anything > 90 seconds; come back
- Last 10 minutes: review every flagged question; only change an answer if you can cite a Microsoft Learn doc in your head
After You Finish
You see your scaled score immediately. Pass and your Credly badge arrives within 24 hours, plus a one-year-out renewal reminder. Fail and you see your performance by domain.
Renewing AZ-700: Free, Forever
Like all Microsoft role-based certifications, AZ-700 is renewed FREE within a 12-month window starting 6 months before expiration. The renewal assessment is online, unproctored, and takes most candidates 30–45 minutes. Skip it and you must retake the full $165 exam.
Official Resources
- AZ-700 Study Guide on Microsoft Learn (February 2026 outline)
- Azure Network Engineer Associate certification page
- Microsoft AZ-700 free Practice Assessment
- Microsoft Certification Renewal program
- Azure Virtual WAN documentation
- Azure ExpressRoute introduction
- Azure Private Link overview
- Azure Firewall documentation