200+ Free Azure AZ-700 Practice Questions

Pass your Azure Network Engineer Associate (AZ-700) exam on the first try — instant access, no signup required.

✓ No registration✓ No credit card✓ No hidden fees✓ Start practicing immediately

~65% Pass Rate

200+ Questions

100% Free

1 / 200

Question 1

Score: 0/0

You create an Azure subnet with the address range 10.10.20.0/24. How many IP addresses are available for Azure resources in that subnet?

251

252

254

256

to track

2026 Statistics

Key Facts: Azure AZ-700 Exam

700/1000

Passing Score

Microsoft

40-60 Q

Exam Questions

Microsoft (varies)

70-110 hrs

Study Time

Recommended

$165

Exam Fee

Microsoft

5 domains

Exam Domains

Microsoft AZ-700 outline

100 min

Exam Duration

Microsoft

AZ-700 is Microsoft's associate-level Azure networking exam. It uses a 700 out of 1000 passing score and typically delivers 40-60 questions in 100 minutes. The current blueprint emphasizes core networking infrastructure (25-30%), connectivity services (20-25%), application delivery (15-20%), private access to Azure services (10-15%), and Azure network security services (15-20%). Microsoft refreshed the study guide on January 21, 2026, and Azure candidates should also understand the March 31, 2026 default outbound access change for new virtual networks and subnets.

Sample Azure AZ-700 Practice Questions

Try these sample questions to test your Azure AZ-700 exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 200+ question experience with AI tutoring.

1You create an Azure subnet with the address range 10.10.20.0/24. How many IP addresses are available for Azure resources in that subnet?

A.251

B.252

C.254

D.256

Explanation: Azure reserves the first four IP addresses and the last IP address in every subnet. A /24 has 256 total addresses, so 251 remain usable for resources.

2You are designing multiple Azure VNets that will later be peered to each other and connected to on-premises networks. Which address planning approach should you use?

A.Reuse the same 10.0.0.0/16 range in every VNet to simplify templates

B.Assign nonoverlapping private ranges to every VNet and on-premises network

C.Use public IP ranges inside VNets to avoid translation

D.Place all workloads into one flat /8 subnet

Explanation: Azure VNet peering and hybrid connectivity require nonoverlapping address spaces to route traffic correctly. Reusing the same prefixes across networks creates conflicts that block peering and VPN or ExpressRoute designs.

3Your security team wants a reserved block of contiguous public IP addresses so that external partners can allowlist a predictable range before you deploy Azure Firewall instances. Which Azure resource should you create?

A.Application security group

B.Public IP Prefix

C.Private endpoint

D.Service endpoint

Explanation: A Public IP Prefix reserves a contiguous block of public IP addresses for your subscription. You can then create individual public IP resources from that reserved range as needed.

4You change a virtual network to use custom DNS servers, but existing VMs continue using the old DNS settings. What should you do next?

A.Delete and recreate the NICs

B.Restart the VMs or renew their DHCP lease

C.Enable accelerated networking

D.Move the VMs to a different subnet

Explanation: Azure VMs obtain DNS settings through DHCP from the virtual network configuration. Restarting the VM or renewing the DHCP lease makes the guest pick up the updated DNS server list.

5You want VM records in a VNet to be created and removed automatically in an Azure Private DNS zone. Which type of link should you configure?

A.A resolution virtual network link

B.A registration virtual network link

C.A conditional forwarder that targets 168.63.129.16

D.A wildcard CNAME record set

Explanation: A registration virtual network link enables Azure to automatically manage DNS records for VMs in that linked VNet. A resolution link allows queries but does not auto-register VM host records.

6On-premises DNS servers must resolve records from Azure Private DNS zones without deploying DNS forwarder VMs in Azure. Which Azure DNS Private Resolver component should receive those forwarded queries?

A.Outbound endpoint

B.Inbound endpoint

C.DNS forwarding ruleset link

D.Network Security Group

Explanation: The inbound endpoint provides a private IP address in Azure that external networks can send DNS queries to. Azure DNS Private Resolver then resolves those queries by using Azure DNS and linked private zones.

7SpokeA is peered with a hub VNet, and SpokeB is also peered with the same hub. What is true about connectivity between SpokeA and SpokeB if no other configuration is added?

A.They can communicate automatically because peering is transitive through the hub

B.They can communicate only if both spokes are in the same region

C.They cannot communicate because VNet peering is nontransitive

D.They cannot communicate unless both spokes use Basic Load Balancer

Explanation: Azure VNet peering is not transitive, so a hub does not automatically relay connectivity between two spokes. To enable spoke-to-spoke communication, you need direct peering, routing through an NVA, or a managed connectivity design such as Virtual Network Manager.

8You need low-latency connectivity between two Azure VNets in different regions without deploying VPN gateways. Which option should you choose?

A.Site-to-site VPN between the VNets

B.ExpressRoute Global Reach

C.Global virtual network peering

D.NAT Gateway in both VNets

Explanation: Global virtual network peering connects VNets across Azure regions over the Microsoft backbone. It avoids the extra cost and complexity of deploying VPN gateways just to connect Azure-to-Azure networks.

9You must force all internet-bound traffic from a subnet through an NVA that has the IP address 10.0.0.4. Which user-defined route should you create?

A.10.0.0.0/8 with next hop Virtual network

B.0.0.0.0/0 with next hop Virtual appliance 10.0.0.4

C.0.0.0.0/0 with next hop Internet

D.::/0 with next hop Virtual appliance 10.0.0.4

Explanation: A default route matches any IPv4 destination that is not covered by a more specific prefix. Pointing that route to a virtual appliance sends outbound traffic to the NVA for inspection or forwarding.

10A subnet has the default system route 0.0.0.0/0 to Internet and a user-defined route 10.20.0.0/16 to a virtual appliance. Where will traffic to 10.20.5.8 be sent?

A.To the Internet because the system route always wins

B.To the virtual appliance because the more specific prefix wins

C.It will be dropped because the routes conflict

D.To Azure DNS because it is platform traffic

Explanation: Azure routing follows longest prefix match before considering route source. Because the user-defined route is more specific than the default route, traffic to that destination uses the virtual appliance.

About the Azure AZ-700 Exam

The Azure Network Engineer Associate (AZ-700) exam validates the ability to design, implement, and maintain Azure networking solutions for hybrid and cloud-native environments. Candidates are expected to understand virtual networks, DNS, private access patterns, VPN and ExpressRoute connectivity, application delivery, and layered Azure network security controls.

Questions

60 scored questions

Time Limit

100 minutes

Passing Score

700/1000

Exam Fee

$165 (Microsoft / Pearson VUE)

Azure AZ-700 Exam Content Outline

25-30%

Design and implement core networking infrastructure

Plan Azure virtual networks, subnets, IP addressing, public IP resources, DNS architecture, NAT, routing building blocks, monitoring visibility, and resilient core network design.

20-25%

Design, implement, and manage connectivity services

Configure site-to-site and point-to-site VPN, Virtual WAN, ExpressRoute, gateway transit, hybrid routing, and connectivity resiliency between Azure and on-premises environments.

15-20%

Design and implement application delivery services

Choose and configure Azure Load Balancer, Application Gateway, Front Door, Traffic Manager, health probes, routing methods, and web application firewall patterns for application traffic.

10-15%

Design and implement private access to Azure services

Use Private Endpoints, Private Link Service, private DNS integration, service endpoints, and service endpoint policies to keep Azure service access off the public internet.

15-20%

Design and implement Azure network security services

Apply NSGs, ASGs, Azure Firewall, Firewall Manager, Bastion, traffic inspection, effective rule analysis, and network monitoring controls to secure Azure networks.

How to Pass the Azure AZ-700 Exam

What You Need to Know

Passing score: 700/1000
Exam length: 60 questions
Time limit: 100 minutes
Exam fee: $165

Keys to Passing

Complete 500+ practice questions
Score 80%+ consistently before scheduling
Focus on highest-weighted sections
Use our AI tutor for tough concepts

Azure AZ-700 Study Tips from Top Performers

1Know route precedence cold: user-defined routes override BGP, and BGP overrides system routes in Azure.

2Practice the service-selection matrix for Azure Load Balancer, Application Gateway, Front Door, and Traffic Manager because AZ-700 repeatedly tests when to choose each.

3Spend extra time on private endpoint DNS resolution, including private DNS zones, split-brain DNS, and hybrid name-resolution patterns.

4Lab both VPN Gateway and ExpressRoute scenarios so you can compare transit, redundancy, BGP behavior, and cost/performance tradeoffs.

5Study Azure Firewall policy hierarchy, rule processing, forced tunneling, and how Firewall Manager coordinates policy at scale.

6Understand the March 31, 2026 default outbound access change for new VNets and how NAT Gateway becomes the explicit outbound design pattern.

Frequently Asked Questions

What is the AZ-700 passing score?

AZ-700 uses Microsoft's scaled scoring model and requires a passing score of 700 out of 1000. The exam typically contains around 40-60 questions and is completed in 100 minutes.

Are there prerequisites for AZ-700?

There is no formal prerequisite certification for AZ-700. Microsoft recommends hands-on experience with Azure administration plus subject matter expertise in hybrid networking, connectivity methods, routing, security controls, and network monitoring.

How hard is the AZ-700 exam?

AZ-700 is a moderately challenging associate-level exam because it tests both service knowledge and design judgment. Candidates need to know not just what Azure networking services do, but when to choose VPN Gateway versus ExpressRoute, Front Door versus Application Gateway, or Private Endpoint versus service endpoint.

How long should I study for AZ-700?

Most candidates need about 6-10 weeks and roughly 70-110 study hours, depending on prior Azure networking exposure. Strong preparation usually includes hands-on labs for Virtual WAN, private DNS, Azure Firewall, Application Gateway, and hybrid connectivity troubleshooting.

What changed for AZ-700 in 2026?

Microsoft updated the AZ-700 study guide on January 21, 2026. A separate Azure networking platform change also matters for exam prep: starting March 31, 2026, new virtual networks use private subnets by default without default outbound internet access, which increases the importance of NAT Gateway and explicit outbound design choices.

What roles does AZ-700 support?

AZ-700 is well aligned to Azure network engineer, cloud network engineer, infrastructure engineer, and platform engineering roles that own hybrid connectivity, DNS, private access, load balancing, and network security architecture in Azure.