What does the AZ-700 exam actually test in 2026?
AZ-700 tests design and implementation of Azure networking across five domains: design, implement, and manage hybrid networking (10-15%); design and implement core networking infrastructure (20-25%); design and implement routing (25-30%); secure and monitor networks (15-20%); and design and implement private access to Azure services (20-25%). The 2026 update increased Virtual WAN, Azure Route Server, and Private Link weight; ExpressRoute SKU details and BGP behavior remain heavily tested. Passing requires hands-on configuration plus protocol-level understanding of BGP, IPsec, and DNS resolution.
The Microsoft Azure Network Engineer Associate certification is one of the few Azure exams that is meaningfully harder than its peers. It tests protocol-level networking knowledge alongside Azure-specific service configuration. Candidates who pass AZ-104 and assume AZ-700 is similar are routinely surprised by both depth and breadth.
This guide covers domain-by-domain content, study sequence, hands-on labs, and the 2026 changes that catch returning candidates off guard.
Who AZ-700 Is For
AZ-700 is appropriate for three types of candidates.
Network engineers moving to Azure: traditional network engineers with CCNA, JNCIA, or equivalent backgrounds adapt their existing BGP, OSPF, and IPsec knowledge to Azure constructs.
Cloud engineers specializing in networking: AZ-104 holders going deeper into VNets, ExpressRoute, and security perimeters.
Solutions architects strengthening their networking story: AZ-305 holders who realize that networking is the bottleneck of most architecture decisions.
The exam is not a beginner exam. Microsoft Learn's Azure Network Engineer Associate learning path explicitly recommends AZ-104 or equivalent experience as a prerequisite, even though it is not formally required.
"AZ-700 is the exam that tells you whether you actually understand cloud networking or whether you have been clicking through the portal. The portal won't save you here." -- John Savill, Microsoft Technical Trainer
The Five Exam Domains
| Domain | Weight | Topics |
|---|---|---|
| Design, implement, and manage hybrid networking | 10-15% | VPN, ExpressRoute, Virtual WAN, BGP |
| Design and implement core networking infrastructure | 20-25% | VNets, peering, public/private IP, name resolution |
| Design and implement routing | 25-30% | UDRs, Route Server, BGP, transit |
| Secure and monitor networks | 15-20% | Azure Firewall, NSG, DDoS, Network Watcher, monitoring |
| Design and implement private access to Azure services | 20-25% | Service Endpoints, Private Endpoints, Private Link |
Routing is the largest domain and the one most candidates underestimate. Private access is the second largest -- a major shift from prior versions where it was a subset of core networking.
Domain 1: Hybrid Networking
This domain covers VPN, ExpressRoute, and Virtual WAN. The exam expects candidates to choose the right connectivity option per scenario.
VPN Gateway
Site-to-site VPN -- IPsec tunnels between an on-premises VPN device and an Azure VPN gateway. Bandwidth ranges from VpnGw1 (650 Mbps) to VpnGw5 (10 Gbps).
Point-to-site VPN -- individual user clients connecting to Azure with OpenVPN, IKEv2, or SSTP. Authentication via Entra ID, RADIUS, or certificates.
The exam tests:
- SKU selection by bandwidth and tunnel count
- Active-active versus active-standby configuration
- BGP-enabled versus policy-based VPN behavior differences
ExpressRoute
ExpressRoute circuits come in Local, Standard, and Premium SKUs. Premium adds global reach and more route prefixes; Local restricts to peering locations near the on-premises footprint.
The exam expects candidates to know that ExpressRoute does not include encryption by default -- adding IPsec over ExpressRoute is a common scenario. Global Reach allows two ExpressRoute circuits in different geographies to exchange routes, turning the Microsoft backbone into a private WAN.
Virtual WAN
Virtual WAN is Microsoft's managed SD-WAN. It provides automatic transit between connected VNets, branches, and remote users. The exam scenario for Virtual WAN typically involves an organization with many branches and many regions where managing per-region hub-spoke has become unsustainable.
The Heineken multi-country deployment, publicly described in Microsoft case studies, runs over forty branch sites on Virtual WAN with SD-WAN partner integration. AZ-700 scenarios mirror this pattern.
Domain 2: Core Networking Infrastructure
VNets, subnets, IP addressing, and DNS. Most of this content overlaps with AZ-104 but at greater depth.
The exam dedicates several questions to name resolution:
- Default Azure-provided DNS
- Custom DNS servers per VNet
- Azure Private DNS zones with VNet links
- Azure DNS Private Resolver for hybrid resolution
Private Resolver is a 2024 feature that landed heavily on the 2026 exam refresh. It provides inbound and outbound DNS endpoints, replacing older patterns that required custom DNS forwarders on VMs.
IP Address Planning
The exam tests address space planning. Candidates must know:
- Azure reserves the first four and last IP addresses in every subnet
- The smallest supported subnet is /29
- VNet address spaces cannot overlap when peered
- Private endpoints consume IPs from the subnet they are deployed in
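The four planning rules above can be checked mechanically before anything is deployed. The following is an added example, not part of the original guide; the VNet names and prefixes are constructed, and it assumes each private endpoint takes one IP address.

```python
import ipaddress

AZURE_RESERVED = 5      # first four addresses plus the last one in each subnet
MAX_PREFIXLEN = 29      # /29 is the smallest subnet the guide lists as supported


def usable_ips(subnet_cidr):
    """Addresses left for NICs and private endpoints after Azure's reservation."""
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    if net.prefixlen > MAX_PREFIXLEN:
        raise ValueError(f"{subnet_cidr} is smaller than /{MAX_PREFIXLEN}")
    return net.num_addresses - AZURE_RESERVED


def reserved_addresses(subnet_cidr):
    """The five addresses that can never be assigned in this subnet."""
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    return [str(net[i]) for i in range(4)] + [str(net[-1])]


def headroom(subnet_cidr, nics, private_endpoints):
    """Free addresses once NICs and private endpoints are placed (assumed one IP each)."""
    return usable_ips(subnet_cidr) - nics - private_endpoints


def peering_conflicts(vnets):
    """Return sorted name pairs whose address spaces overlap and cannot be peered.

    vnets maps a VNet name to its list of CIDR prefixes.
    """
    names = sorted(vnets)
    conflicts = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if any(ipaddress.ip_network(x).overlaps(ipaddress.ip_network(y))
                   for x in vnets[a] for y in vnets[b]):
                conflicts.append((a, b))
    return conflicts


# Constructed address plan (hypothetical names and prefixes).
PLAN = {
    "hub": ["10.0.0.0/16"],
    "spoke-app": ["10.1.0.0/16"],
    "spoke-data": ["10.2.0.0/16", "10.1.128.0/20"],  # second prefix collides
}

if __name__ == "__main__":
    for cidr in ("10.1.0.0/24", "10.1.1.0/27", "10.1.2.0/29"):
        print(cidr, usable_ips(cidr), reserved_addresses(cidr))
    print("conflicts:", peering_conflicts(PLAN))
```

A negative result from `headroom` means the subnet is too small for the planned workload once the reserved addresses are subtracted.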
ASOS, the UK retailer, publicly described its address allocation strategy reserving /16 per region with /24 per workload. AZ-700 scenarios borrow this pattern.
Domain 3: Routing -- The Largest Domain
Routing dominates the exam. Three subtopics drive most questions.
System routes -- Azure-provided routes for the local VNet, peerings, internet, and platform services. Always present unless overridden.
User-defined routes (UDRs) -- custom routes that override system routes. The exam tests longest-prefix match, the next hop type field (Virtual Appliance, Virtual Network Gateway, Virtual Network, Internet, None), and the requirement that UDRs apply at the subnet level.
BGP -- both ExpressRoute and BGP-enabled VPN gateways exchange routes via BGP. Azure Route Server propagates BGP routes between gateways and NVAs.
The Spoke-to-Spoke Routing Question
Every AZ-700 form contains at least one spoke-to-spoke routing question. The pattern:
- Two spokes peered to a hub
- Default peering does not allow spoke-to-spoke traffic
- The fix is UDRs on each spoke pointing at a hub firewall, NVA, or Route Server
Candidates who do not configure this hands-on lose the question. Mark Russinovich, CTO of Microsoft Azure, has written that "transit routing is the single most-asked design question I see in customer architecture reviews" -- the exam reflects this directly.
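Route selection for the spoke-to-spoke case can be modelled in a few lines. This is an added example, not part of the original guide: the topology, prefixes and firewall address are constructed, and the route table models Azure's system routes for a spoke subnet, including the default route that drops unowned 10.0.0.0/8 space. It applies longest-prefix match first, then the user-defined, BGP, system order when prefixes are equal.

```python
import ipaddress

# When several routes share the same prefix, Azure prefers
# user-defined routes, then BGP routes, then system routes.
SOURCE_PRIORITY = {"User": 0, "BGP": 1, "Default": 2}


def effective_route(routes, dest_ip):
    """Return the (source, prefix, next_hop_type, next_hop_ip) route used for dest_ip.

    Longest prefix wins; equal prefixes are settled by SOURCE_PRIORITY.
    """
    ip = ipaddress.ip_address(dest_ip)
    matches = [r for r in routes if ip in ipaddress.ip_network(r[1])]
    if not matches:
        return None
    return min(matches, key=lambda r: (-ipaddress.ip_network(r[1]).prefixlen,
                                       SOURCE_PRIORITY[r[0]]))


# Constructed topology: hub 10.0.0.0/16 (firewall at 10.0.1.4),
# spoke1 10.1.0.0/16, spoke2 10.2.0.0/16. Routes as seen by a spoke1 subnet.
SPOKE1_SYSTEM = [
    ("Default", "10.1.0.0/16", "VirtualNetwork", None),   # own VNet
    ("Default", "10.0.0.0/16", "VNetPeering", None),      # peering to hub only
    ("Default", "0.0.0.0/0", "Internet", None),
    ("Default", "10.0.0.0/8", "None", None),              # unowned private space is dropped
]
SPOKE1_UDR = [
    ("User", "10.2.0.0/16", "VirtualAppliance", "10.0.1.4"),  # spoke2 via hub firewall
    ("User", "0.0.0.0/0", "VirtualAppliance", "10.0.1.4"),    # same prefix as system default
    ("User", "10.0.0.0/8", "VirtualAppliance", "10.0.1.4"),   # broad; loses to /16 routes
]


def next_hop(routes, dest_ip):
    """Convenience wrapper: just the next hop type and IP."""
    route = effective_route(routes, dest_ip)
    return (route[2], route[3]) if route else None


if __name__ == "__main__":
    for dest in ("10.2.0.10", "10.1.0.5", "10.0.1.4", "203.0.113.10"):
        print(dest, next_hop(SPOKE1_SYSTEM, dest),
              next_hop(SPOKE1_SYSTEM + SPOKE1_UDR, dest))
```

Without the UDRs, traffic from spoke1 to spoke2 resolves to next hop None and is dropped. The broad 10.0.0.0/8 UDR does not pull local VNet or hub traffic through the firewall, because the /16 system routes are more specific.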
Domain 4: Security and Monitoring
This domain covers Azure Firewall (Standard, Premium, Basic), NSGs, ASGs, DDoS Protection, and Network Watcher.
Network Watcher tools tested by name:
- Connection Monitor -- continuous reachability and latency measurement
- NSG flow logs -- per-flow log of traffic through an NSG
- IP flow verify -- one-shot rule evaluation
- Next hop -- shows the next hop for a given source/destination pair
- Packet capture -- on-VM packet capture triggered remotely
The exam tests scenarios where each tool is the correct answer. For a scenario asking "why is this VM not reachable", the answer is IP flow verify or Next hop. For a scenario asking for ongoing health visibility, the answer is Connection Monitor.
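To make the "per-flow log" concrete, the sketch below parses NSG flow log tuples and counts denied inbound flows per source and destination port. It is an added example, not part of the original guide; it assumes the version 2 tuple layout of 13 comma-separated fields, that the tuples have already been extracted from the surrounding JSON records, and the sample lines are constructed.

```python
from collections import Counter

# Version 2 flow tuple fields, in order.
FIELDS = ("ts", "src_ip", "dst_ip", "src_port", "dst_port", "proto",
          "direction", "decision", "state",
          "pkts_src_dst", "bytes_src_dst", "pkts_dst_src", "bytes_dst_src")
COUNTERS = FIELDS[9:]


def parse_tuple(line):
    """Turn one flow tuple string into a dict with typed fields."""
    parts = line.strip().split(",")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    rec = dict(zip(FIELDS, parts))
    for key in ("ts", "src_port", "dst_port"):
        rec[key] = int(rec[key])
    for key in COUNTERS:
        # Counters are empty on flow-begin and denied entries.
        rec[key] = int(rec[key]) if rec[key] else 0
    return rec


def denied_inbound(lines):
    """Count inbound (I) flows the NSG denied (D), keyed by (src_ip, dst_port)."""
    hits = Counter()
    for line in lines:
        rec = parse_tuple(line)
        if rec["direction"] == "I" and rec["decision"] == "D":
            hits[(rec["src_ip"], rec["dst_port"])] += 1
    return hits.most_common()


# Constructed sample tuples (documentation address ranges, not real traffic).
SAMPLE = [
    "1735689600,203.0.113.7,10.1.0.4,51514,3389,T,I,D,B,,,,",
    "1735689605,203.0.113.7,10.1.0.4,51515,3389,T,I,D,B,,,,",
    "1735689610,198.51.100.9,10.1.0.4,40022,22,T,I,D,B,,,,",
    "1735689620,10.1.0.4,10.0.1.4,44931,443,T,O,A,B,,,,",
    "1735689680,10.1.0.4,10.0.1.4,44931,443,T,O,A,E,12,1840,10,5200",
]

if __name__ == "__main__":
    for (src, port), count in denied_inbound(SAMPLE):
        print(f"{src} -> port {port}: {count} denied inbound flow(s)")
```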
Domain 5: Private Access to Azure Services
This domain expanded significantly in the 2026 refresh.
Service Endpoints -- legacy mechanism that extends a VNet's private routing to specific Azure services like Storage and SQL. Traffic stays on the Microsoft backbone but uses public IP addresses.
Private Endpoints -- modern replacement that gives a private IP to the Azure service inside the VNet. Traffic is fully private; the service is unreachable from the public internet by default.
Private Link -- the umbrella service that powers Private Endpoints and that lets independent organizations expose services to each other privately.
The exam expects candidates to recognize that Private Endpoints are the modern default, that Service Endpoints remain valid for cost-sensitive scenarios, and that mixing them on the same subnet has specific behavior the exam tests.
Recommended Study Resources
| Resource | Type | Best For |
|---|---|---|
| Microsoft Learn AZ-700 path | Free | Domain coverage, sandbox labs |
| AZ-700 Exam Ref by Daniel Mauser | Book | Deep-dive reading |
| John Savill AZ-700 Cram | YouTube | Last-week review |
| MeasureUp practice exam | Paid | Question style and scoring |
| Tutorials Dojo cheat sheets | Paid | Quick-reference revision |
Pair Microsoft Learn for hands-on, the book for depth, and one practice exam to calibrate readiness.
A Realistic Eight-Week Study Plan
- Week 1: VNets, subnets, IP planning, DNS basics, name resolution
- Week 2: VPN gateway types, point-to-site, site-to-site, BGP basics
- Week 3: ExpressRoute SKUs, peerings, Global Reach, encryption options
- Week 4: Routing -- UDRs, system routes, longest-prefix match, Route Server
- Week 5: Hub-spoke topology, Virtual WAN, transit patterns
- Week 6: Azure Firewall (all SKUs), NSGs, ASGs, DDoS Protection
- Week 7: Private Endpoints, Service Endpoints, Private Link, private DNS
- Week 8: Network Watcher, monitoring, full-length practice exams, weak-area review
The Microsoft AZ-700 Exam Ref by Daniel Mauser and Anavi Nahar is the most cited written resource and aligns with this sequence.
Hands-On Labs That Map to the Exam
Each lab below is achievable on the Azure free tier in under three hours.
- Build a hub-spoke with two spokes and confirm non-transitive peering
- Deploy Azure Firewall and configure UDRs for spoke-to-spoke transit
- Configure a site-to-site VPN to a VPN device simulator (RouterOS or strongSwan in a separate region)
- Replace UDRs with Azure Route Server and observe BGP propagation
- Convert hub-spoke to Virtual WAN and observe automatic transit
- Deploy Storage with a Private Endpoint and verify resolution from a peered spoke
- Trigger NSG flow logs and inspect them in Log Analytics
The Microsoft Learn sandbox covers each topic with isolated lab environments that do not consume subscription credit.
Real-World Patterns the Exam Borrows From
Microsoft IT enterprise: Microsoft's internal Azure footprint moved from flat VNets to hub-spoke with Route Server and Azure Firewall Premium. The published architecture decisions read like an AZ-700 study guide.
Heineken multi-region: Heineken runs a regional hub per continent with global Virtual WAN, SD-WAN partner integration for branches, and ExpressRoute to a single core data center. AZ-700 scenarios mirror this pattern in multiple questions.
Day-of-Exam Strategy
The exam is two hours of forty to sixty questions. Candidates who finish early often catch errors on a second pass; candidates who run short on time typically failed to flag and revisit complex routing scenarios.
- First pass -- answer all easy questions, flag anything requiring more than ninety seconds
- Second pass -- work the flagged questions
- Third pass -- review unflagged questions, especially case studies
Case studies appear on AZ-700 forms -- a multi-screen scenario with five to ten questions sharing context. Read the entire scenario before answering question one.
Score Targets Before Booking
A candidate scoring 75% consistently on MeasureUp or Tutorials Dojo practice exams is ready. Below 65%, additional study is required. The passing score on AZ-700 is 700 out of 1000.
The Microsoft Learn knowledge checks are good for content reinforcement but do not predict exam performance -- they are easier than the real exam.
What Changed in the 2026 Refresh
Microsoft refreshes exam objectives roughly annually. The 2026 AZ-700 refresh introduced or expanded several topics that returning candidates often miss.
- Azure DNS Private Resolver moved from a fringe topic to a fully tested feature, replacing older custom-DNS-on-VM patterns
- Virtual WAN secured hub with integrated Firewall Manager became the recommended pattern for multi-region transit
- Private Link for Azure-managed services gained additional questions, especially around DNS zone configuration
- Azure Route Server received expanded coverage, particularly its interaction with NVAs in active-active configurations
- NSG flow logs version 2 replaced version 1 in most monitoring scenarios
Candidates who studied with 2023-vintage materials should specifically refresh Azure DNS Private Resolver, Virtual WAN secured hub, and the Route Server NVA scenarios. Microsoft Learn publishes change notes per learning path; these are worth scanning before every exam attempt because objectives drift gradually between major refreshes.
"Refresh notes are the most under-read resource in the Microsoft certification ecosystem. Five minutes per attempt would change pass rates noticeably." -- Yuri Diogenes, Principal PM Manager at Microsoft and Microsoft Press author
The refresh also increased the share of case-study questions over standalone questions. Case studies reward candidates who read carefully and slow down on the first scenario; they punish candidates who pattern-match the first line and skip context.
Career Outcomes for AZ-700 Holders
The Azure Network Engineer Associate sits at a strategic point in cloud careers. Job roles that reward AZ-700 include cloud network engineer, infrastructure architect, security architect with networking depth, and platform engineering lead. Salary data from Microsoft's annual technology certification compensation report shows AZ-700 holders averaging higher base compensation than AZ-104 holders alone, particularly in financial services, healthcare, and regulated industries where networking and security expertise command premiums.
Three career paths flow from AZ-700.
Network specialist: pair AZ-700 with AZ-500 to become the security-aware networking lead -- the person teams call when zero-trust networking, ExpressRoute encryption, or private DNS gets complicated.
Architect track: pair AZ-700 with AZ-305 to qualify for solutions architect roles where networking is often the decisive constraint. Candidates who hold both pass design interviews more reliably because they can defend topology choices end-to-end.
Platform engineering: pair AZ-700 with AZ-400 to lead the platform team's networking automation -- Bicep modules for hub-spoke, GitOps for firewall policy, and pipeline-driven peering changes.
The HashiCorp State of Cloud Strategy survey reports that organizations consistently rank networking expertise as the second-hardest cloud skill to hire, behind only security architecture. AZ-700 is the credential the market reads as evidence of that expertise on the Microsoft stack.
Common Career Mistakes
Two patterns recur among AZ-700 holders who do not see expected career returns.
Stopping at the credential: AZ-700 demonstrates exam readiness, not real-world delivery. Holders who do not pair it with at least one production hub-spoke build, an ExpressRoute migration, or a Private Link rollout undersell the credential at interviews.
Ignoring adjacent stacks: AZ-700 covers Azure networking. AWS, GCP, and on-premises networking still matter in most enterprises. Holders who add CCNA-level networking fundamentals or AWS Advanced Networking become disproportionately valuable to multi-cloud teams.
The CompTIA Network+ remains a strong baseline for any candidate whose protocol-level networking is weaker than their cloud configuration knowledge.
References
- Microsoft Learn. "Azure Network Engineer Associate learning path." Microsoft Corporation, 2025.
- Mauser, Daniel; Nahar, Anavi. AZ-700 Designing and Implementing Microsoft Azure Networking Solutions Exam Ref. Microsoft Press, 2024.
- Microsoft Docs. "Azure Virtual WAN documentation." Microsoft Corporation, 2025.
- Microsoft Docs. "ExpressRoute documentation." Microsoft Corporation, 2025.
- Microsoft Docs. "Azure Private Link documentation." Microsoft Corporation, 2025.
- Savill, John. "AZ-700 Study Cram v2." YouTube, John Savill's Technical Training, 2024.
- Microsoft Cloud Adoption Framework. "Network topology and connectivity decisions." Microsoft Corporation, 2025.
