Azure AZ-700 Network Engineer Exam Preparation

Passing the AZ-700 exam validates your ability to design, implement, and maintain core Azure networking infrastructure, a critical skill for cloud architects and engineers. This guide focuses on the practical knowledge and architectural decisions required to succeed, moving beyond simple service recognition to understanding how to connect, secure, and optimize hybrid networks at scale.

Foundational Design: Virtual Networks and Connectivity

Every Azure solution begins with a virtual network (VNet), an isolated networking environment in the cloud. Your primary design tasks are subnetting—logically dividing the VNet's address space—and establishing connectivity between networks. Subnets must be carefully planned to account for future growth, Azure service requirements (like subnet delegations for Azure Kubernetes Service), and security boundaries. A common starting design uses separate subnets for front-end web tiers, application logic, and data layers.

Connecting these VNets is achieved through VNet peering, which allows resources in different VNets to communicate directly via the Microsoft backbone. For the exam, you must understand two critical peering properties. First, peering is non-transitive; if VNetA is peered to VNetB, and VNetB is peered to VNetC, VNetA cannot talk to VNetC unless they are also directly peered. Second, you must master peering across subscriptions and regions. Global VNet Peering connects VNets in different Azure regions, but it introduces considerations around bandwidth, latency, and cost compared to intra-region peering.

Advanced Hybrid Connectivity: ExpressRoute, VPN, and Virtual WAN

When you need reliable, high-bandwidth private connectivity from on-premises to Azure, ExpressRoute is the solution. An ExpressRoute circuit is a logical connection between your on-premises infrastructure and Microsoft through a connectivity provider. You'll need to distinguish between ExpressRoute circuit SKUs (e.g., Standard vs. Premium, which enables global reach across geopolitical boundaries) and understand routing configurations. ExpressRoute uses Border Gateway Protocol (BGP) to exchange routes, and you should be comfortable with concepts like private peering (for connecting to your VNets) and Microsoft peering (for connecting to Microsoft SaaS services like Office 365).

For encrypted connectivity over the public internet, you configure a VPN Gateway. Be prepared to compare Site-to-Site (S2S), Point-to-Site (P2S), and VNet-to-VNet VPNs. A key exam topic is the selection of gateway SKUs (like VpnGw1 vs. VpnGw3) based on required aggregate throughput and connection count. Virtual WAN architecture simplifies large-scale hybrid connectivity by providing a unified hub-and-spoke model. The Virtual WAN hub automatically integrates with VPN, ExpressRoute, and VNet connections, and it can deploy native networking services like Azure Firewall. Your decision often hinges on complexity: for a simple single-region setup, a traditional VPN Gateway suffices; for a global enterprise with many branches, Virtual WAN offers centralized management and optimal routing.

Securing and Optimizing Application Traffic

Azure provides layered controls for managing north-south (internet-to-Azure) and east-west (between Azure services) traffic. Azure Firewall is a stateful, cloud-native firewall service. Azure Firewall Manager is a central security policy and route management tool, especially useful for governing multiple Firewall instances across Virtual WAN hubs or secured virtual hubs.

For high-availability web applications, you use global and regional load-balancing services. Azure Front Door is a global HTTP/HTTPS load balancer with built-in Web Application Firewall (WAF). It operates at the application layer (OSI Layer 7), using the Microsoft global edge network to route user requests to the closest healthy backend. It's ideal for improving performance for a globally distributed user base. Azure Application Gateway, conversely, is a regional Layer 7 load balancer. It also features a WAF and provides critical capabilities like SSL/TLS termination, cookie-based session affinity, and URL-path-based routing. The exam will test your ability to choose between them: Front Door for global scale and DDoS protection, Application Gateway for granular traffic handling within a region.

Designing Private Access and DNS Resolution

Public endpoints can expose your services to unnecessary risk. Private Link enables you to access Azure Platform-as-a-Service (PaaS) offerings (like Azure SQL or Storage Accounts) over a private endpoint, which is a network interface that gets a private IP address from your VNet. This traffic travels over the Microsoft network backbone, never touching the public internet, satisfying stringent security and compliance requirements. You must design for scenarios where multiple services or consumers need private access, understanding how Private Link integrates with DNS.

DNS is a frequently underestimated topic. Azure provides Azure DNS for hosting your domains. For hybrid resolution—where an Azure VM needs to resolve an on-premises server name, and vice-versa—you have several DNS resolution strategies. You can configure DNS forwarders on Azure VMs, use Azure DNS Private Zones (which can be linked to multiple VNets), or leverage the automatic DNS resolution provided by Azure Firewall. The correct choice depends on your network architecture, particularly your use of peered VNets and on-premises connectivity.

Common Pitfalls

1. Underestimating Subnet Size: Creating subnets with too few IP addresses (like a /29) is a common design flaw that prevents scaling. Always plan for growth and reserve address space for Azure-injected services (like default gateways and future features). Use CIDR notation correctly and leave room for expansion.
2. Assuming Transitive Routing in Peering: A major conceptual trap is forgetting that VNet peering is non-transitive by default. If you need transitive routing (e.g., for a network virtual appliance), you must explicitly configure User-Defined Routes (UDRs) to direct traffic through a central hub network.
3. Confusing WAF and DDoS Protection Scope: The WAF in Application Gateway or Front Door protects against application-layer attacks (like SQL injection). Azure DDoS Protection Standard defends against network-layer volumetric attacks. They are complementary services, not substitutes. On the exam, a question about a sudden flood of spoofed packets is pointing to DDoS, not WAF.
4. Overlooking DNS in Private Connectivity: Setting up a Private Endpoint without configuring DNS correctly is a classic implementation error. The Azure PaaS service's default public DNS name will not automatically resolve to the private IP address. You must either use Azure Private DNS Zones (recommended) or manually update your on-premises DNS servers with the appropriate A records.

Summary

• Design from the Ground Up: Master VNet and subnet planning, including CIDR calculations and the non-transitive nature of VNet peering across subscriptions and regions.
• Choose the Right Hybrid Path: Select between ExpressRoute (for private, high-throughput connectivity), VPN Gateway (for encrypted internet-based links), and Virtual WAN (for managing complex, global network topologies from a single pane).
• Layer Your Defenses: Implement Azure Firewall for network-level control and use Application Gateway or Front Door with WAF to protect your web applications from common exploits.
• Embrace Private Access: Utilize Azure Private Link and Private Endpoints to securely consume PaaS services over the Microsoft backbone, and always pair this with a solid DNS resolution strategy using Azure Private DNS Zones or forwarders.
• Think Like an Architect: The AZ-700 tests your ability to weigh trade-offs—cost vs. performance, complexity vs. manageability, public vs. private connectivity. Focus on the "why" behind each design decision, not just the "how."