100+ Free Azure AZ-720 Practice Questions

Pass your Troubleshooting Microsoft Azure Connectivity (AZ-720) exam on the first try — instant access, no signup required.

✓ No registration✓ No credit card✓ No hidden fees✓ Start practicing immediately

Not publicly published Pass Rate

100+ Questions

100% Free

1 / 100

Question 1

Score: 0/0

You need to verify whether traffic from a specific source IP can reach a destination IP and port on an Azure VM through all configured NSGs and route tables. Which Network Watcher tool should you use?

Connection Monitor

IP Flow Verify

Effective security rules

Packet capture

to track

2026 Statistics

Key Facts: Azure AZ-720 Exam

700/1000

Passing Score

Microsoft

100 min

Exam Duration

Microsoft

$165

Exam Fee (US)

Microsoft

6 domains

Skill Areas

Microsoft AZ-720 outline

25-30%

Largest Domain

Troubleshoot networks

Jul 31, 2023

Retirement Date

Microsoft Learn

AZ-720 is Microsoft's specialty exam for Azure connectivity troubleshooting. It uses a 700/1000 passing score, runs about 100 minutes, costs US$165 in the United States, and is delivered by Pearson VUE. Microsoft retired the exam on July 31, 2023, but its objectives remain a strong reference for Azure support engineers. The official skills outline weights Troubleshoot networks at 25-30%, Hybrid and cloud connectivity at 20-25%, Authentication and access control at 15-20%, with Business continuity, PaaS, and VM connectivity each at 5-10%.

Sample Azure AZ-720 Practice Questions

Try these sample questions to test your Azure AZ-720 exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1You need to verify whether traffic from a specific source IP can reach a destination IP and port on an Azure VM through all configured NSGs and route tables. Which Network Watcher tool should you use?

A.Connection Monitor

B.IP Flow Verify

C.Effective security rules

D.Packet capture

Explanation: IP Flow Verify checks whether a packet is allowed or denied to or from a virtual machine based on 5-tuple input (direction, protocol, local IP, remote IP, local port, remote port) and returns the matching NSG rule that allowed or denied it. Connection Monitor measures connectivity over time. Effective security rules show aggregated rules but do not test a specific 5-tuple. Packet capture records actual traffic, not a what-if test.

2A user reports that an Azure VM cannot reach a public web service. After running IP Flow Verify the result shows that traffic is denied by a rule named DefaultOutboundDenyAll. Where should you look to fix this?

A.The route table attached to the subnet

B.The NSG that contains the deny rule, either on the NIC or the subnet

C.Azure Firewall application rules

D.The VM's local Windows Firewall

Explanation: IP Flow Verify returns the exact NSG and rule name that denied the traffic. You need to inspect the NSG attached to the NIC or subnet, find the rule, and adjust priority or scope so the legitimate traffic is allowed. UDRs influence next-hop selection, not allow/deny. Azure Firewall and host-based firewalls are separate enforcement points and would not show up as the denying NSG rule.

3You need to view the actual NSG rules applied to a network interface, including merged rules from both subnet-level and NIC-level NSGs. Which feature provides this view?

A.NSG flow logs

B.Effective security rules

C.Connection troubleshoot

D.BGP route table

Explanation: Effective security rules in Network Watcher (or on the NIC) show the combined, evaluated NSG rule set that is actually applied to a NIC, merging subnet and NIC NSGs and including default rules. NSG flow logs record traffic events. Connection troubleshoot tests path reachability. BGP route table shows routing, not security rules.

4NSG flow logs version 2 are being ingested into a Log Analytics workspace. Which Azure feature processes the raw flow logs into traffic insights and visualizations?

A.Azure Monitor metrics

B.Traffic Analytics

C.Defender for Cloud

D.Azure Sentinel hunting

Explanation: Traffic Analytics consumes NSG flow logs (v2) stored in a storage account and uses a Log Analytics workspace to produce dashboards on top talkers, malicious traffic, traffic distribution, and geo flows. Metrics, Defender for Cloud, and Sentinel hunting do not process NSG flow logs into the Traffic Analytics dashboard.

5You need to determine the next hop that Azure will use for a packet leaving an Azure VM destined for an on-premises subnet. Which Network Watcher tool gives this answer?

A.Next Hop

B.Topology

C.Connection Monitor

D.NSG diagnostic

Explanation: The Next Hop diagnostic tool returns the next-hop type (e.g., VirtualNetworkGateway, VirtualAppliance, Internet, None, VnetLocal) and the next-hop IP for a destination, evaluating system, BGP, and user-defined routes together. Topology draws a graph but does not evaluate routes. Connection Monitor tests reachability. NSG diagnostic does not exist as such.

6Which statement about Azure route precedence is correct?

A.System routes always win over UDRs

B.User-defined routes override BGP routes, which override system routes

C.BGP routes always override UDRs

D.NSG rules influence route selection

Explanation: Azure route precedence is: User-defined routes (longest prefix match wins among UDRs), then BGP routes from ExpressRoute or VPN, then system routes. UDRs are how administrators force traffic through firewalls or NVAs. NSG rules do not influence routing; they only allow or deny.

7You configure an NSG rule with priority 200 to deny all inbound traffic on port 3389 and another rule with priority 100 to allow 3389 from a management subnet. What happens?

A.Both rules apply equally; traffic is denied

B.The deny rule wins because deny is implicit

C.The allow rule from the management subnet is evaluated first because lower priority is higher precedence

D.Azure rejects the configuration

Explanation: NSG rules are evaluated in priority order from lowest number to highest. Priority 100 is evaluated before priority 200, so management traffic is allowed first and the higher-numbered deny only applies to other sources. Lower priority numbers always win.

8You need to allow outbound HTTPS from app subnet VMs to Azure Storage in the same region without exposing the traffic to the public internet. Which simplest NSG construct identifies the destination?

A.A list of CIDR ranges for storage

B.A user-defined route

C.The Storage service tag

D.An application security group

Explanation: Service tags such as Storage, AzureCloud, or Storage.<region> represent groups of Microsoft-managed IP addresses for that service. Using a service tag in an NSG keeps the destination definition automatically updated. Manually maintained CIDR lists are brittle. UDRs route traffic, they do not match it. ASGs apply to virtual machines, not to Azure services.

9You want to write NSG rules using groups of VM NICs (not IP ranges) so that rules survive IP changes. Which feature supports this?

A.Service tags

B.Application security groups (ASGs)

C.Route tables

D.Private DNS zones

Explanation: Application security groups (ASGs) let you group VM NICs by role (such as web, app, db) and reference those groups in NSG rules. NICs can move between subnets while rules continue to apply by ASG membership. Service tags group Azure services. Route tables and private DNS are unrelated.

10A site-to-site VPN tunnel between an on-premises VPN device and an Azure VPN Gateway is not establishing. Both sides report negotiation failures during phase 1. What should you check first?

A.BGP AS numbers and ASN

B.Local network gateway address spaces

C.IKE version, encryption, and pre-shared key match

D.Azure NAT Gateway settings

Explanation: Phase 1 (IKE) failures are typically caused by mismatched IKE version (IKEv1 vs IKEv2), mismatched encryption or integrity algorithm, or mismatched pre-shared key. AS numbers matter for BGP but not phase 1. Address spaces affect phase 2 traffic selectors. NAT Gateway is unrelated to VPN Gateway tunnels.

About the Azure AZ-720 Exam

Exam AZ-720 validates the ability to troubleshoot Azure networking and connectivity issues end to end. Candidates are expected to diagnose problems with Azure virtual networks, NSGs, routing, VPN and ExpressRoute, DNS, Azure Firewall, Application Gateway, Front Door, Load Balancer, private endpoints, and VM connectivity, using Network Watcher, Log Analytics, and the Azure portal as primary tools. The exam was retired by Microsoft on July 31, 2023; the content remains widely used as a benchmark for Azure connectivity engineering skills.

Assessment

Typically 40-60 multiple-choice and scenario items focused on Azure connectivity troubleshooting

Time Limit

100 minutes

Passing Score

700/1000

Exam Fee

$165 (Microsoft / Pearson VUE)

Azure AZ-720 Exam Content Outline

5-10%

Troubleshoot business continuity issues

Diagnose and resolve issues with backup, recovery services, replication, and DR connectivity that affect Azure workload availability.

20-25%

Troubleshoot hybrid and cloud connectivity issues

Resolve VPN, ExpressRoute, BGP, route filter, gateway transit, point-to-site, and Virtual WAN problems between Azure and on-premises networks.

5-10%

Troubleshoot Platform as a Service (PaaS) issues

Diagnose connectivity to App Service, Storage, SQL, Key Vault, private endpoints, service endpoints, and private DNS resolution chains.

15-20%

Troubleshoot authentication and access control issues

Resolve identity-related connectivity failures including RBAC, managed identity, certificate auth on P2S, Azure AD blocked sign-ins, and resource access policies.

25-30%

Troubleshoot networks

Triage NSG rules, effective security rules, route tables, BGP routes, NSG flow logs, IP Flow Verify, Connection Monitor, Network Watcher, Azure Firewall, Application Gateway, Front Door, and Load Balancer behaviors.

5-10%

Troubleshoot VM connectivity issues

Resolve VM-side networking problems including SNAT exhaustion, default outbound, host firewalls, IMDS reachability, packet capture, and Bastion access.

How to Pass the Azure AZ-720 Exam

What You Need to Know

Passing score: 700/1000
Assessment: Typically 40-60 multiple-choice and scenario items focused on Azure connectivity troubleshooting
Time limit: 100 minutes
Exam fee: $165

Keys to Passing

Complete 500+ practice questions
Score 80%+ consistently before scheduling
Focus on highest-weighted sections
Use our AI tutor for tough concepts

Azure AZ-720 Study Tips from Top Performers

1Memorize the route precedence rule cold: longest prefix match wins, then UDR > BGP > System routes.

2Practice IP Flow Verify and Effective security rules in your own subscription so you can quickly identify which NSG rule denies traffic.

3Drill VPN troubleshooting separately for phase 1 (IKE/PSK) versus phase 2 (IPsec transforms and traffic selectors), because the symptoms and fixes are different.

4Lab private endpoint plus private DNS zone end to end so you understand how zone link, A records, and on-premises DNS forwarders fit together.

5Know Azure Firewall rule order: NAT first, then Network rules, then Application rules, with first match winning per category.

6Use Log Analytics with KQL against AzureDiagnostics to surface Azure Firewall denies, NSG flow logs, and VPN IKE diagnostics.

Frequently Asked Questions

Is AZ-720 still active?

Microsoft retired AZ-720 on July 31, 2023. The exam content remains a useful benchmark for Azure support engineers focused on connectivity troubleshooting, and many learners continue to study the objectives to validate real-world skills.

What is the AZ-720 passing score?

AZ-720 used Microsoft's standard scaled scoring with a passing score of 700 out of 1000. The exam typically delivered around 40-60 questions in 100 minutes, including scenario-style items.

How much did AZ-720 cost?

The standard United States exam fee for AZ-720 was US$165, charged through Pearson VUE. Pricing varied by country and region. Discounts could apply for students, MCT instructors, and partner programs.

What domains does AZ-720 cover?

AZ-720 measured six skill areas: Troubleshoot business continuity (5-10%), Troubleshoot hybrid and cloud connectivity (20-25%), Troubleshoot PaaS (5-10%), Troubleshoot authentication and access control (15-20%), Troubleshoot networks (25-30%), and Troubleshoot VM connectivity (5-10%).

What tools should I master for AZ-720?

Network Watcher (IP Flow Verify, Connection Monitor, Connection Troubleshoot, Effective security rules, Packet capture, Topology, Next Hop), Azure Monitor / Log Analytics (NSG flow logs v2, Traffic Analytics, AzureDiagnostics queries), Azure Firewall logs, Application Gateway backend health, and VPN/ExpressRoute diagnostic logs.

Are there prerequisites for AZ-720?

Microsoft did not require formal prerequisites, but recommended significant Azure networking experience. Candidates were expected to know routing, NSG behavior, hybrid connectivity, DNS, identity-related access controls, and the relevant Azure CLI/PowerShell commands for diagnostics.