MICROSOFT CERTIFICATION
AZ-700 Azure Network Engineer Associate Practice Exam
Exam Number: 3110 | Last updated 16-Apr-26 | 793+ questions across 4 vendor-aligned objectives
The AZ-700 Azure Network Engineer Associate certification validates the skills of network engineers who design, implement, and manage Azure networking solutions including hybrid connectivity. This exam measures your ability to work with Azure Virtual Network, Azure ExpressRoute, Azure VPN Gateway, Azure Firewall, Azure Load Balancer, Azure Front Door, demonstrating both conceptual understanding and practical implementation skills required in today’s enterprise environments.
The heaviest exam domains include Design and Implement Routing (25–30%), Design, Implement, and Manage Hybrid Networking (20–25%), and Design and Implement Core Networking Infrastructure (20–25%). These areas collectively represent the majority of exam content and require focused preparation across their respective subtopics.
Additional domains tested include Secure and Monitor Networks (15–20%), and Design and Implement Private Access to Azure Services (10–15%). Together, these areas round out the full exam blueprint and ensure candidates possess well-rounded expertise across the certification scope.
Every answer links to the source. Each explanation below includes a hyperlink to the exact Microsoft documentation page the question was derived from. PowerKram is the only practice platform with source-verified explanations. Learn about our methodology →
374
practice exam users
91.3%
satisfied users
90.6%
passed the exam
4.2/5
quality rating
Test your AZ-700 Azure Network Engineer Associate knowledge
10 of 793+ questions
Question #1 - Design and Implement Routing
A company has multiple Azure VNets and needs traffic from a spoke VNet to route through a central firewall appliance in the hub VNet before reaching the internet.
Which routing mechanism should be configured?
A) Default system routes
B) BGP route propagation from on-premises
C) User-Defined Routes (UDR) on spoke subnets with next hop set to the firewall NVA
D) Azure Traffic Manager DNS routing
Show solution
Correct answers: C – Explanation:
UDRs override default routing to force traffic through the firewall NVA. System routes send internet traffic directly out. BGP propagation is for on-premises routes, not intra-Azure forced tunneling. Traffic Manager is DNS-level, not network-level routing. Source: Check Source
Question #2 - Design and Implement Routing
A company has multiple VNets and needs spoke traffic to route through a central firewall NVA in the hub before reaching the internet.
Which routing mechanism should be configured?
A) Azure Traffic Manager DNS-level routing policies directing client requests by geographic region
B) BGP route advertisements propagated from the on-premises network to Azure virtual networks
C) User-Defined Routes on spoke subnets setting the next hop to the firewall NVA private IP
D) Default system routes that automatically direct internet-bound traffic to the Azure gateway
Show solution
Correct answers: C – Explanation:
UDRs override default routing to force traffic through the firewall NVA for inspection before internet egress. System routes send internet traffic directly to the Azure internet gateway, bypassing the firewall. BGP propagation handles on-premises route exchange, not intra-Azure forced tunneling through an NVA. Traffic Manager resolves DNS queries by geography but operates at the DNS layer, not the network routing layer. Source: Check Source
Question #3 - Design and Implement Routing
An enterprise uses ExpressRoute and needs Azure Route Server to exchange routes dynamically between their NVA and Azure VNets.
Which protocol does Azure Route Server use for dynamic route exchange?
A) RIP broadcasting routing table updates at periodic intervals across the network
B) BGP establishing peering sessions and exchanging network reachability information
C) Static routing requiring manual route table entry configuration on each resource
D) OSPF establishing neighbor adjacencies and exchanging link-state advertisements
Show solution
Correct answers: B – Explanation:
Azure Route Server uses BGP to dynamically exchange routes with NVAs, enabling automatic route propagation without manual static entries. OSPF is a widely used protocol but is not supported by Azure Route Server for route exchange. Static routing works but requires manual maintenance when the network topology changes. RIP is a legacy distance-vector protocol not supported by Azure Route Server. Source: Check Source
Question #4 - Design and Implement Routing
A company needs to route traffic between hub VNets in different regions with transitive routing through connected spoke VNets.
Which solution enables cross-region hub-to-hub routing?
A) Application Gateway cross-region HTTP load balancing with backend pool health monitoring
B) Azure Virtual WAN with managed hub-to-hub connectivity and automatic transitive routing
C) DNS-based routing using Azure DNS private zones linked to all participating virtual networks
D) Direct VNet peering connections established individually between every spoke VNet pair
Show solution
Correct answers: B – Explanation:
Virtual WAN provides automated hub-to-hub connectivity with transitive routing between all connected VNets and branches across regions. Direct spoke-to-spoke peering does not scale and requires N-squared connections without transitivity. DNS resolves names to IP addresses but does not create network data-plane connectivity paths. Application Gateway handles HTTP traffic load balancing, not general network-level transitive routing. Source: Check Source
Question #5 - Design, Implement, and Manage Hybrid Networking
A company needs a private dedicated connection from their datacenter to Azure with guaranteed 10 Gbps bandwidth and SLA-backed uptime.
Which connectivity option should be implemented?
A) Azure Peering Service optimizing Microsoft 365 and SaaS application routing paths
B) Point-to-site VPN connections established individually from each on-premises server
C) Azure ExpressRoute with a 10 Gbps private peering circuit through a connectivity provider
D) A site-to-site VPN tunnel routed over the public internet with IPsec encryption
Show solution
Correct answers: C – Explanation:
ExpressRoute provides dedicated private circuits with guaranteed bandwidth, latency SLAs, and no public internet exposure. Site-to-site VPN runs over the internet without bandwidth guarantees or dedicated capacity. Point-to-site VPN is designed for individual client connections, not site-level datacenter connectivity. Peering Service optimizes Microsoft 365 routing but does not provide dedicated general-purpose Azure connectivity. Source: Check Source
Question #6 - Design, Implement, and Manage Hybrid Networking
A company needs site-to-site VPN as a backup path for their primary ExpressRoute circuit.
Which VPN Gateway configuration provides this redundancy?
A) Configure Azure Front Door as a failover proxy routing traffic between connection types
B) VPN Gateway coexisting with ExpressRoute configured on the same virtual network gateway subnet
C) A Basic SKU VPN Gateway deployed independently without any ExpressRoute integration
D) Remove the ExpressRoute circuit entirely and rely on the VPN Gateway as the sole connection
Show solution
Correct answers: B – Explanation:
VPN Gateway can coexist with ExpressRoute on the same VNet, providing automatic failover if the ExpressRoute circuit goes down. Basic SKU does not support coexistence with ExpressRoute circuits. Removing ExpressRoute eliminates the primary high-bandwidth, low-latency connection. Front Door is an HTTP application delivery platform, not a network-level connectivity failover mechanism. Source: Check Source
Question #7 - Design and Implement Core Networking Infrastructure
An organization segments their VNet into public-facing, application, and database tiers with different security rules for each.
Which approach should be used?
A) Assign different resource groups per tier relying on RBAC for network-level traffic isolation
B) Deploy three separate VNets requiring peering connections and gateway transit configuration
C) Use Azure Firewall as the sole segmentation control without any subnet-level separation
D) Create subnets within a single VNet with dedicated NSGs applying tier-specific security rules
Show solution
Correct answers: D – Explanation:
Subnets within a VNet segment traffic logically, and per-subnet NSGs enforce tier-specific inbound and outbound security rules while maintaining easy intra-VNet communication. Separate VNets add peering complexity and costs for simple tier segmentation. Firewall without subnets lacks the granular micro-segmentation NSGs provide at each tier boundary. Resource groups organize management scope but have no effect on network traffic flow or isolation. Source: Check Source
Question #8 - Design and Implement Core Networking Infrastructure
A company needs DNS resolution for private endpoints so internal apps resolve service FQDNs to private IPs instead of public IPs.
Which DNS configuration should be implemented?
A) Azure Private DNS zones linked to the VNet with automatic registration of private endpoints
B) Individual hosts file entries maintained on each virtual machine mapping FQDNs to private IPs
C) Third-party public DNS servers configured with manual A-records for each private endpoint
D) Azure public DNS zones hosting records that resolve to the private endpoint IP addresses
Show solution
Correct answers: A – Explanation:
Private DNS zones linked to VNets automatically resolve private endpoint FQDNs to their private IPs through DNS integration. Public DNS zones resolve to public IPs accessible from the internet. Third-party DNS requires manual record creation and updating for every endpoint change. Individual hosts files do not scale across VMs and break when private endpoint IPs change. Source: Check Source
Question #9 - Secure and Monitor Networks
A company needs to log and analyze all traffic flowing through their Azure Firewall to detect policy violations and suspicious patterns.
Which monitoring solution should be configured?
A) Azure Firewall diagnostic logs sent to a Log Analytics workspace for KQL-based analysis
B) Azure Network Watcher IP Flow Verify testing individual connection paths between resources
C) Azure Advisor network recommendations reviewing firewall configuration best practices
D) Azure Traffic Analytics aggregating NSG flow logs from network security group evaluations
Show solution
Correct answers: A – Explanation:
Firewall diagnostic logs capture all traffic decisions (allow/deny) with full metadata, and Log Analytics enables KQL queries for pattern detection and alerting. IP Flow Verify tests whether specific traffic is allowed between two points but does not log ongoing traffic. Traffic Analytics processes NSG flow logs, not Azure Firewall logs. Advisor provides configuration recommendations but does not analyze real-time traffic patterns. Source: Check Source
Question #10 - Secure and Monitor Networks
A web application behind Azure Application Gateway needs protection against SQL injection and cross-site scripting attacks.
Which Application Gateway feature should be enabled?
A) URL path-based routing distributing requests to different backend pools by request path
B) Connection draining ensuring graceful removal of backend instances during maintenance
C) SSL/TLS offloading terminating encrypted connections at the gateway for backend servers
D) Web Application Firewall with the OWASP Core Rule Set detecting common web exploits
Show solution
Correct answers: D – Explanation:
WAF with OWASP Core Rule Set inspects HTTP requests for attack patterns including SQL injection, XSS, and other common exploits. Connection draining handles graceful backend instance removal during updates. SSL offloading manages encryption termination but does not inspect request content for attacks. Path-based routing directs traffic by URL structure, not for security filtering purposes. Source: Check Source
Get 793+ more questions with source-linked explanations
Every answer traces to the exact Microsoft documentation page — so you learn from the source, not just memorize answers.
Exam mode & learn mode · Score by objective · Updated 16-Apr-26
Learn more...
What the AZ-700 Azure Network Engineer Associate exam measures
- Design, Implement, and Manage Hybrid Networking (20–25%) — Evaluate your ability to implement and manage tasks within this domain, including real-world job skills and scenario-based problem solving.
- Design and Implement Core Networking Infrastructure (20–25%) — Evaluate your ability to implement and manage tasks within this domain, including real-world job skills and scenario-based problem solving.
- Design and Implement Routing (25–30%) — Evaluate your ability to implement and manage tasks within this domain, including real-world job skills and scenario-based problem solving.
- Secure and Monitor Networks (15–20%) — Evaluate your ability to implement and manage tasks within this domain, including real-world job skills and scenario-based problem solving.
- Design and Implement Private Access to Azure Services (10–15%) — Evaluate your ability to implement and manage tasks within this domain, including real-world job skills and scenario-based problem solving.
How to prepare for this exam
- Review the official exam guide to understand every objective and domain weight before you begin studying
- Complete the relevant Microsoft Learn learning path to build a structured foundation across all exam topics
- Get hands-on practice in an Azure free-tier sandbox or trial environment to reinforce what you have studied with real configurations
- Apply your knowledge through real-world project experience — whether at work, in volunteer roles, or contributing to open-source initiatives
- Master one objective at a time, starting with the highest-weighted domain to maximize your score potential early
- Use PowerKram learn mode to study by individual objective and review detailed explanations for every question
- Switch to PowerKram exam mode to simulate the real test experience with randomized questions and timed conditions
Career paths and salary outlook
Earning this certification can open doors to several in-demand roles:
- Azure Network Engineer: $115,000–$155,000 per year (based on Glassdoor and ZipRecruiter data)
- Cloud Network Architect: $125,000–$165,000 per year (based on Glassdoor and ZipRecruiter data)
- Network Infrastructure Specialist: $105,000–$140,000 per year (based on Glassdoor and ZipRecruiter data)
Official resources
Microsoft provides comprehensive free training to prepare for the AZ-700 Azure Network Engineer Associate exam. Start with the official Microsoft Learn learning path for structured, self-paced modules covering every exam domain. Review the exam study guide for the complete skills outline and recent updates.