The Microsoft Certified: Azure Network Engineer Associate certification is Microsoft's role-based networking exam for engineers who design, implement, and operate Azure network infrastructure. AZ-700 goes well beyond basic virtual network concepts. It focuses on building resilient, scalable, secure connectivity across Azure environments, hybrid links, private service access, and application delivery layers.
This is not a general networking theory exam. Microsoft is testing whether you can apply Azure networking services correctly in production architectures. That means your preparation should focus on service fit, routing and connectivity design, operational security, hybrid patterns, application traffic delivery, and private access models rather than just memorizing product names.
As of May 28, 2026, Microsoft positions AZ-700 for network engineers who already understand name resolution, network protocols, and network address management, and who have experience creating and managing compute, storage, and networking resources in Azure.
Exam At a Glance
| Attribute | Value |
|---|---|
| Certification | Microsoft Certified: Azure Network Engineer Associate |
| Exam code | AZ-700 |
| Level | Intermediate / Associate |
| Duration | 100 minutes |
| Cost | $165 USD |
| Renewal | Every 12 months |
| Prerequisites | No formal prerequisite, but Microsoft expects experience with Azure resources plus solid networking fundamentals like name resolution, protocols, and address management |
| Target candidate | Azure network engineers designing and managing Azure connectivity, traffic delivery, and network security |
| Primary focus | Core networking, connectivity services, application delivery, private access, and secure network connectivity |
- Official certification page: Microsoft Certified: Azure Network Engineer Associate
- Official exam page: Exam AZ-700: Designing and Implementing Microsoft Azure Networking Solutions
- Official study guide: AZ-700 study guide
- Official course: Design and Implement Microsoft Azure Network Solutions
- Official learning path: AZ-700 Design and Implement Microsoft Azure Network Solutions
Official Assessed Areas
- Design and implement core networking infrastructure
- Design, implement, and manage connectivity services
- Design and implement application delivery services
- Design and implement private access to Azure services
- Secure network connectivity to Azure resources
Microsoft's public exam page lists the current AZ-700 domains without inline percentage weighting. Treat all five areas as active. Networking questions in AZ-700 often combine more than one domain, especially when security or hybrid connectivity is involved.
1. Design and Implement Core Networking Infrastructure
This domain covers the foundations of Azure networking: virtual networks, address planning, routing, DNS, and the baseline structure every other service depends on.
- Virtual networks, subnets, and IP addressing - Study how Azure network segmentation works and how address planning affects future connectivity and scale. Official resources: AZ-700 networking path, Azure virtual network overview.
- Routing and name resolution - Microsoft expects you to understand how traffic finds its destination and how DNS and routing choices shape architecture. Official resources: User-defined routes overview, Azure DNS overview.
- Core networking choices affect every later domain - Many AZ-700 mistakes come from weak fundamentals in addressing, subnetting, and route design. Official resource: AZ-700 course.
Exam tip: If the scenario is ambiguous, start with the core network layout first: address space, subnet boundaries, route path, and DNS behavior.
2. Design, Implement, and Manage Connectivity Services
This domain focuses on how Azure connects to other networks and how hybrid or cross-network traffic is carried reliably.
- Hybrid connectivity with VPN Gateway and ExpressRoute - Be ready to distinguish internet-based connectivity from private dedicated connectivity and understand where each belongs. Official resources: VPN Gateway overview, ExpressRoute overview.
- VNet peering and inter-network design - Study how Azure networks are connected and how connectivity choices affect scale, segmentation, and operations. Official resources: Virtual network peering overview, AZ-700 path.
- Connectivity questions are about path design - Microsoft usually wants the most appropriate way to move traffic between locations, networks, or environments under specific constraints. Official resource: AZ-700 course.
Exam tip: If the question involves between-network traffic, classify it first as site-to-site, network-to-network, hybrid private connectivity, or Azure-internal peering.
3. Design and Implement Application Delivery Services
This domain tests whether you can deliver application traffic correctly through the right Azure service layer.
- Load balancing across service layers - Know when Azure Load Balancer, Application Gateway, and Front Door are the correct fit based on traffic type and application scope. Official resources: Azure Load Balancer overview, Application Gateway overview, Azure Front Door overview.
- Traffic management and application availability - Expect questions about distributing traffic, protecting latency-sensitive paths, and keeping services available. Official resources: Traffic Manager overview, AZ-700 path.
- Application delivery is about choosing the right control plane - The exam rewards accurate service selection based on L4 vs L7 behavior, regional vs global scope, and application-aware routing. Official resource: AZ-700 course.
Exam tip: Ask whether the scenario needs packet distribution, HTTP-aware routing, or global edge acceleration before picking the Azure service.
4. Design and Implement Private Access to Azure Services
This domain covers how Azure services are consumed privately without exposing them unnecessarily to the public internet.
- Private Link and service endpoint patterns - You need to understand how Azure makes platform services privately reachable and what security and routing implications come with each option. Official resources: Azure Private Link overview, Virtual network service endpoints overview.
- Private access is about reducing exposure - Microsoft often frames this domain as a design decision between convenience and a tighter network boundary. Official resources: AZ-700 path, AZ-700 course.
- Private service access overlaps with DNS and routing - Questions here frequently connect private endpoints to resolution and connectivity behavior. Official resource: Azure Private Endpoint DNS configuration.
Exam tip: If the goal is to keep Azure PaaS access off the public internet, think private endpoint and DNS behavior together, not as separate topics.
5. Secure Network Connectivity to Azure Resources
This final domain is where Azure networking and security controls meet directly.
- Network security controls and inspection - Study NSGs, Azure Firewall, WAF, and related traffic-control mechanisms as operational security tools. Official resources: Network security groups overview, Azure Firewall overview, Azure Web Application Firewall overview.
- Secure connectivity is about policy plus path - AZ-700 asks you to think about both where traffic goes and what is allowed to happen along that path. Official resources: AZ-700 path, AZ-700 course.
- Security questions still depend on network architecture basics - Many wrong answers fail because they choose a security control that does not fit the actual topology. Official resource: Azure Firewall overview.
Exam tip: When the prompt mentions securing network traffic, separate the problem into segmentation, filtering, inspection, or application-layer protection before choosing the control.
Recommended 5-Week Study Plan
| Week | Focus | Primary resources |
|---|---|---|
| 1 | Virtual networks, subnets, address planning, routing, DNS | AZ-700 learning path, VNet overview, UDR overview, Azure DNS overview |
| 2 | Peering, VPN Gateway, ExpressRoute, hybrid connectivity design | AZ-700 path, VNet peering, VPN Gateway, ExpressRoute docs |
| 3 | Load balancing, Front Door, Application Gateway, Traffic Manager | AZ-700 path, Load Balancer, Application Gateway, Front Door, Traffic Manager docs |
| 4 | Private Link, service endpoints, private DNS integration | AZ-700 path, Private Link docs, service endpoints docs, private endpoint DNS docs |
| 5 | Network security, NSGs, Azure Firewall, WAF, practice assessment, mixed review | AZ-700 path, NSG docs, Firewall docs, WAF docs, Microsoft practice assessment |
Last-Mile Exam Strategy
- Study AZ-700 as a design-and-operations exam for Azure networking, not as a generic memorization test.
- Keep the service boundaries very clear: VNet and routing foundation, connectivity services, application delivery, private access, and network security each solve different problems.
- Use Microsoft's learning path as the core sequence, then reinforce with product overview docs so the design tradeoffs stay concrete.
- Do not isolate security from connectivity. AZ-700 questions often blend topology and protection in the same scenario.
- Read the scenario for the main network objective: connect, route, distribute, privatize, or secure. That objective usually points to the correct service faster than feature memorization.
After the official docs, Microsoft's own AZ-700 practice assessment is the best exam-readiness checkpoint. If you want foundational Azure networking context from this repo first, the closest adjacent content is our broader Azure Administrator Associate study guide, especially for core VNet and hybrid concepts.
The fastest way to pass AZ-700 is to think like an Azure network engineer making architecture decisions under operational constraints: design the core network correctly, choose the right connectivity model, deliver traffic through the right service layer, keep Azure services private when needed, and secure the whole path deliberately. Stay close to Microsoft's current path and make the topology logic explicit in your head as you study.