Browse Certification Practice Tests by Exam Family

Microsoft AZ-700 Cheat Sheet: Azure Networking

May 1, 2026

Review the Microsoft Azure Network Engineer (AZ-700) scope, virtual networks, routing, DNS, hybrid connectivity, private access, load balancing, security, and troubleshooting traps before practicing.

On this page

AZ-700 is an Azure networking exam. Use this cheat sheet to keep network design decisions tied to address space, routing, name resolution, connectivity, load balancing, private access, and security.

Use this with practice. Review the Azure networking checkpoints, then return to the AZ-700 exam page for sample questions and update tracking.

Open AZ-700 practice page Compare Azure routes

Exam snapshot

FieldDetail
IssuerMicrosoft
Certification laneAzure Network Engineer Associate
Exam codeAZ-700
Main scopeAzure virtual networking, hybrid connectivity, application delivery, private access, security, and troubleshooting
IT Mastery statusSample questions available

Networking map

AreaWhat to knowCommon trap
Virtual networksAddress spaces, subnets, peering, NSGs, route tables, and segmentationDesigning one flat subnet for unlike tiers
Routing and DNSUDRs, system routes, name resolution, private DNS, and path selectionFixing routing when DNS is the real failure
Hybrid connectivityVPN, ExpressRoute, redundancy, BGP, gateways, and failoverIgnoring route propagation and asymmetric paths
Application deliveryLoad balancer, Application Gateway, Front Door, Traffic Manager, and routing choiceChoosing a regional tool for a global-routing problem
Private accessPrivate endpoints, service endpoints, private DNS, and PaaS accessCreating a private endpoint without DNS planning
Network securityAzure Firewall, NSGs, WAF, DDoS, monitoring, and flow logsTreating NSGs as a complete firewall strategy

Must-know distinctions

DistinctionHow to decide
NSG vs Azure FirewallNSGs filter at subnet or NIC; Azure Firewall provides centralized, stateful network security.
Private endpoint vs service endpointPrivate endpoint gives a private IP for PaaS access; service endpoint extends VNet identity to a service.
Application Gateway vs Front DoorApplication Gateway is regional layer 7 load balancing; Front Door provides global edge routing.
VPN vs ExpressRouteVPN uses encrypted internet tunnels; ExpressRoute provides private connectivity through a provider.
Peering vs gateway transitPeering connects VNets; gateway transit shares gateway connectivity when designed correctly.

High-yield checklist

  • Start with the traffic path: source, destination, protocol, route, DNS, and security control.
  • Check address overlap before designing hybrid or peered networks.
  • Use segmentation when tiers have different trust or inspection needs.
  • Use private DNS with private endpoints.
  • Use regional or global load balancing based on user location and application pattern.
  • Use logs and effective routes to troubleshoot connectivity.
  • Include redundancy for gateways, routes, and critical paths.
  • Separate name-resolution failures from route or firewall failures.

Common traps

  • Missing address-space overlap in hybrid scenarios.
  • Forgetting private DNS after deploying private endpoints.
  • Choosing Front Door when the scenario needs private regional load balancing.
  • Troubleshooting NSGs before checking effective routes.
  • Using peering without considering transitive routing limits.
  • Treating internet egress control as optional for regulated workloads.

Practice strategy

For AZ-700 misses, draw the traffic path in one line. Then mark where the failure or design requirement belongs: DNS, route, gateway, peering, firewall, private endpoint, load balancer, or monitoring.

Revised on Monday, May 25, 2026