High-Value Azure AZ-700 Questions To Master Azure Networking

The Microsoft Certified: Azure Network Engineer Associate (AZ-700) certification is a crucial step for networking professionals. The AZ-700 exam demands deep, practical expertise in implementing, managing, and monitoring Azure networking services, from virtual networks and routing to complex hybrid connectivity and load balancing. To achieve success on the rigorous AZ-700 exam, rigorous preparation using a validated, free Azure practice test is the most authoritative way to prepare.

Note: The full interactive practice test is available immediately at the bottom of this post.

High-Value AZ-700 Questions to Dominate Azure Networking

Why You Need This AZ-700 Practice Test (And Not Exam Dumps)

The AZ-700 exam is not about simple memorization; it tests your ability to make architectural and implementation decisions. Relying on outdated or incorrect azure az-700 exam dumps will lead to failure. Our free Microsoft Azure practice tests—specifically this set of 69 critical AZ-700 questions—are meticulously designed to cover the official skills outline, providing scenarios that reflect real-world engineering challenges.

Mastering Core VNet and Subnetting Concepts for the AZ-700

A strong foundation in Azure Virtual Networking (VNet) is the bedrock of the AZ-700 exam.

The Five Reserved IPs in Every Subnet (A Critical AZ-700 Detail)

A common trick question on the AZ-700 relates to VNet addressing. If you create a subnet, you must account for the five IP addresses that Azure automatically reserves and cannot be allocated to resources. These addresses are reserved for: the network address, the default gateway, two addresses for Azure DNS mapping, and the broadcast address.

Best Practice: RFC 1918 Address Spaces

When planning your VNet address space (e.g., 10.1.0.0/16), the AZ-700 requires you to follow best practices. It is highly recommended to use private, non-internet routable address spaces as defined in RFC 1918 (like 10.0.0.0/8) to prevent conflicts with public internet routing paths.

https://learn.microsoft.com/en-us/credentials/certifications/azure-network-engineer-associate

https://learn.microsoft.com/en-us/training/paths/design-implement-microsoft-azure-networking-solutions-az-700

Advanced Routing and Hybrid Connectivity (AZ-700 Exam Scenarios)

The AZ-700 dedicates significant focus to ensuring networks can communicate effectively, both within Azure and with on-premises resources.

Implementing Custom Routing with UDRs

If you need to force traffic destined for a specific address range through a Network Virtual Appliance (NVA) or a custom gateway, you must use User-Defined Routes (UDRs). UDRs are the primary mechanism tested on the AZ-700 for overriding Azure’s default system routes, allowing you to specify a next-hop address.

Hub-and-Spoke Gateway Transit (A Key AZ-700 Design)

In a Hub-and-Spoke VNet topology, allowing resources in the Spoke VNet to reach an on-premises network via a VPN gateway in the Hub VNet requires two peering settings: Allow Gateway Transit on the Hub’s side and Use Remote Gateways on the Spoke’s side. This is a crucial, high-yield topic for the AZ-700.

Firewall-Friendly VPN Tunnels

When configuring Point-to-Site VPNs, security-conscious customers often need a solution that can easily traverse firewalls. The AZ-700 highlights OpenVPN as the recommended tunnel type in this scenario because it operates over TCP port 443 (the same port used for HTTPS), making it inherently firewall-friendly.

https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpngateways

Securing Traffic Flow with AZ-700 Controls

A major component of the AZ-700 is applying security controls to network traffic.

Understanding the Azure Network Security Group (NSG)

Network Security Groups (NSGs) are the first line of defense for controlling traffic at the subnet or NIC level. The AZ-700 requires you to know that NSG rules are stateless and processed by priority (lower numbers first). Because they are stateless, you must explicitly create rules for both inbound and outbound traffic flows.

Differentiating Load Balancing Services

The AZ-700 demands a clear understanding of when to use Layer 4 vs. Layer 7 load balancing.

Azure Load Balancer: Operates at Layer 4 (Transport) and distributes traffic based purely on IP and port.
Azure Application Gateway: Operates at Layer 7 (Application) and is required when you need features like URL-path based routing, SSL/TLS termination, or an integrated Web Application Firewall (WAF).

https://learn.microsoft.com/en-us/azure/architecture/networking/

Conclusion: Pass the AZ-700 with Authority

The AZ-700 certification validates your expert standing as an Azure Network Engineer. To succeed, you must move beyond passive reading and actively engage with high-quality, scenario-based questions. This free Azure AZ-700 practice test provides the comprehensive coverage and authoritative explanations necessary to master every objective. Don’t risk your certification attempt on inferior azure az-700 exam dumps. Please do not forget to checkout other free Microsoft Azure Practice Tests on CertyBuddy.com: https://certybuddy.com/practice-tests/?vendor=azure

Take the professional path to certification. Master these 69 critical AZ-700 questions now!

/69

AZ-700 Practice Test

Free Azure Network Engineer Mock Exam (Updated for 2025)

Look for a platform-managed service that acts as a secure jump server.

1 / 69

1. Which service should be used to provide secure RDP and SSH connectivity to Azure VMs without exposing management ports to the public internet?

Azure VPN Gateway with a Point-to-Site connection.

Azure Bastion

Azure Firewall

Network Security Group (NSG) with a Just-in-Time (JIT) access rule.

The limit for subnets in a VNet is a large number in the thousands to accommodate complex network designs.

2 / 69

2. What is the maximum number of subnets that an Azure VNet can have?

1024

65,536

100

3,000

This routing method is useful when you want the client to receive the IP addresses of several available endpoints.

3 / 69

3. Which Azure Traffic Manager routing method is designed to send traffic to multiple endpoints, returning all healthy endpoints in the DNS response?

Priority

Weighted

MultiValue

Performance

Think about how to avoid conflicts with internet-based IP addresses when setting up internal networks.

4 / 69

4. Which of the following is the recommended best practice for IP address spaces used for VNets in Azure?

Use IP address ranges provided by Azure's dynamic allocation service only.

Use address ranges defined in RFC 1918 for private networks.

Use any publicly routable IP address range for simplicity.

Use the fc00::/7 address range for all IPv4 VNets.

Consider the operational responsibilities of managing the central hub network in both architectures.

5 / 69

5. What is a primary benefit of using Azure Virtual WAN (vWAN) over a traditional, customer-managed hub-and-spoke topology?

It provides lower latency for traffic within a single VNet.

It is the only way to connect an on-premises network to Azure.

It reduces management overhead by using a Microsoft-managed virtual hub.

It enforces encryption on all VNet peering connections by default.

Think about how to secure a PaaS service to a subnet without giving it a private IP address from that subnet’s range.

6 / 69

6. What is the function of a ‘Service Endpoint’ for an Azure PaaS service like Azure Storage?

It assigns a private IP address from your VNet to the PaaS service, making it a part of your VNet.

It allows on-premises networks to connect directly to the PaaS service without traversing the VNet.

It extends a VNet's identity to the PaaS service, allowing traffic to travel from the VNet to the service over an optimized route on the Azure backbone.

It creates an encrypted VPN tunnel from the subnet to the public endpoint of the PaaS service.

Think about how the load balancer determines if a backend virtual machine is healthy and able to receive traffic.

7 / 69

7. What is the primary function of the `AzureLoadBalancer` service tag when used in a Network Security Group (NSG) rule?

To restrict outbound traffic from backend instances to only the Azure Load Balancer's frontend IP.

To tag a VM as a member of a load balancer's backend pool.

To allow health probe traffic from the Azure Load Balancer to backend instances.

To allow traffic from any resource deployed behind an Azure Load Balancer.

Think about whether you would want your specific, custom exceptions to be evaluated before or after the general, pre-defined rules.

8 / 69

8. When configuring a WAF policy for an Application Gateway, where are custom rule sets processed in relation to managed rule sets?

After managed rule sets are processed.

The processing order is determined by the rule with the lower priority number, regardless of type.

Custom rule sets are always processed before managed rule sets.

They are processed in parallel.

Consider what kind of functionality you would get from a third-party networking vendor’s appliance.

9 / 69

9. What is the primary role of a Network Virtual Appliance (NVA) in an Azure VNet?

To provide native Azure services like load balancing and DNS resolution.

To act as a physical router connecting an on-premises network to Azure.

To provide advanced networking functions like firewalling, WAN optimization, or intrusion detection.

To automatically manage the IP address allocation for all subnets in a VNet.

This IPv6 address range is analogous to the private IPv4 ranges like 10.0.0.0/8.

10 / 69

10. In a dual-stack VNet that supports both IPv4 and IPv6, what is the IETF-defined address range for IPv6 Unique Local Addresses?

fc00::/7

fe80::/10

2001:db8::/32

ff00::/8

Consider which protocol uses the same port as secure web browsing.

11 / 69

11. Which Azure VPN Gateway tunnel type is recommended for firewall-friendliness because it operates over TCP port 443?

BGP-enabled VPN

IKEv2 VPN

Site-to-Site (IPsec)

OpenVPN (SSL-based)

Think about how network routing protocols handle multiple potential matches for a destination.

12 / 69

12. In an NSG, if two rules have the same priority, how is traffic evaluated?

The most specific rule (e.g., a single IP vs. a range) takes precedence.

The rule that was created first takes precedence.

This configuration is not allowed; all rules must have a unique priority.

The 'Allow' rule always takes precedence over the 'Deny' rule.

Consider the standard DNS record type used to store arbitrary text-based information for domain verification purposes.

13 / 69

13. To successfully validate a custom domain for Azure Front Door, what type of DNS record must be created if the domain is not managed by Azure DNS?

A CNAME record pointing to the Front Door endpoint hostname.

A TXT record with a specific value provided by Azure.

An MX record pointing to Microsoft's mail servers.

An A record pointing to the Front Door frontend IP address.

There is a known platform limitation regarding flow logging for the newer version of Application Gateway.

14 / 69

14. An NSG flow log is enabled, but an administrator notices that traffic to and from the Application Gateway v2 subnet is not being logged. What is the reason for this?

The storage account for the logs is in a different region.

The retention period for the flow logs is set to zero.

The NSG is associated at the NIC level instead of the subnet level.

NSG flow logging is not currently supported for NSGs associated with an Application Gateway v2 subnet.

Determine if the two regions are within the same geopolitical boundary as defined by Azure.

15 / 69

15. You need to connect a VNet in the ‘East US’ region to a VNet in the ‘West US’ region. Which ExpressRoute circuit SKU is the minimum requirement for this scenario?

Local SKU

Standard SKU

ExpressRoute Direct

Any SKU will work, as East US and West US are in the same geopolitical region.

Think about the specific VNet peering settings that facilitate a hub-and-spoke topology for hybrid connectivity.

16 / 69

16. A network architect has peered a Spoke VNet to a Hub VNet. The Hub VNet has a VPN gateway connection to an on-premises network. What must be configured to allow workloads in the Spoke VNet to communicate with the on-premises network?

Configure a User-Defined Route (UDR) on the Spoke VNet pointing to the Hub VNet's address space.

Direct VNet peering between the Spoke VNet and the on-premises network.

Enable 'Allow gateway transit' on the Hub VNet's peering connection and 'Use remote gateways' on the Spoke VNet's peering connection.

Deploy a separate VPN gateway in the Spoke VNet.

Consider the relationship between three VNets where A is peered to B, and B is peered to C.

17 / 69

17. What is a significant limitation of VNet peering regarding connectivity between peered networks?

It can only connect VNets within the same subscription.

It does not support high bandwidth connections.

It encrypts all traffic using IPsec by default.

It is not transitive.

Think about the part of a routing rule that specifies the settings for the ‘backend’ connection.

18 / 69

18. Which component of an Azure Application Gateway is used to define how traffic is routed between the gateway and the backend pool, including settings for protocol, port, and cookie-based affinity?

HTTP Listener

Backend Setting

Frontend IP Configuration

WAF Policy

Look for a feature that provides continuous logging specifically for NSGs.

19 / 69

19. A network administrator wants to log all IP flows moving in and out of a Network Security Group (NSG). Which Azure Network Watcher feature should be enabled?

NSG Flow Logs

Packet Capture

Topology Visualization

Connection Troubleshoot

Consider the part of the Application Gateway that ‘listens’ for client connections.

20 / 69

20. When configuring an Azure Application Gateway, what component is responsible for receiving incoming web requests on a frontend IP and port, and can perform SSL termination?

HTTP/HTTPS Listener

Backend Pool

Health Probe

Routing Rule

Look for the SKU name that often represents the entry-level or oldest tier in Azure services.

21 / 69

21. Which Azure VPN Gateway SKU is a legacy option with significant feature limitations and is not recommended for new deployments?

VpnGw1AZ

Basic

Standard

HighPerformance

Consider how stateful applications need to handle user sessions.

22 / 69

22. What is the purpose of configuring ‘Session Affinity’ in Azure Front Door?

To direct subsequent requests from the same user to the same origin that processed the initial request.

To validate the SSL/TLS certificate of the custom domain.

To ensure traffic is evenly distributed across all available origins.

To cache content at the edge location closest to the user.

Azure’s more resilient and feature-rich services are typically associated with the non-basic service tiers.

23 / 69

23. You are creating a new Azure Load Balancer. Which SKU is required to support Availability Zones?

Basic SKU

Standard SKU

Global Tier

Gateway SKU

Consider the OSI model and at which layer each service makes its routing decisions.

24 / 69

24. What is the key difference between Azure Load Balancer and Azure Application Gateway?

Azure Load Balancer requires a public IP, while Application Gateway does not.

Only Application Gateway supports health probes to monitor backend instances.

Azure Load Balancer is a global service, while Application Gateway is regional.

Azure Load Balancer operates at Layer 4 (TCP/UDP), while Application Gateway operates at Layer 7 (HTTP/HTTPS).

Consider how to ensure consistency and manageability across a large enterprise deployment.

25 / 69

25. What is the recommended approach for defining a naming convention for Azure resources?

Name all resources after the project they belong to, without any prefixes or suffixes.

Allow teams to choose their own naming conventions for flexibility.

Define a naming convention early and enforce it using tools like Azure Policy.

Use GUIDs for all resource names to ensure uniqueness.

This setting allows you to resolve a common issue where a backend server hosts multiple websites.

26 / 69

26. What is the purpose of the ‘Origin host header’ setting when configuring an origin in Azure Front Door?

It defines the IP address of the origin server for health probes.

It specifies the public DNS name of the Front Door endpoint.

It is a tag used to group multiple origins for load balancing.

It specifies the host-header value sent to the backend, which should match the domain name the backend is expecting.

Consider the level of detail the firewall inspects in an HTTPS request to determine the website’s category.

27 / 69

27. What is the key difference between the Standard and Premium tiers for Azure Firewall in terms of web categorization filtering?

Web categorization is only available on the Premium tier.

The Standard tier matches the category to the FQDN, while the Premium tier analyzes the full URL.

The Standard tier can only block categories, while the Premium tier can allow or block.

The Standard tier has fewer categories available than the Premium tier.

Think about the manual capacity planning required for the older, non-autoscaling version of the service.

28 / 69

28. You are deploying an Azure Application Gateway v1 tier. You need to plan for capacity. What configuration parameters do you need to specify?

The minimum and maximum number of autoscale instances.

The desired throughput in Mbps.

The number and size of the compute instances.

Only the SKU (Standard or WAF).

Think about the standard protocol used for exchanging routing information between different network systems.

29 / 69

29. An Azure Route Server is deployed to simplify dynamic routing between NVAs and a VNet. How does the Route Server learn routes from the NVAs?

Using a VNet service endpoint configured for the NVA's subnet.

Through a Border Gateway Protocol (BGP) peering session established between the Route Server and the NVA.

By reading the routing tables directly from the NVA's operating system.

By manually creating User-Defined Routes (UDRs) that point to the NVA.

Look for the authentication protocol designed to centralize authentication, authorization, and accounting management for users who connect and use a network service.

30 / 69

30. For a Point-to-Site (P2S) VPN, which authentication method allows for integration with an on-premises Active Directory and supports third-party MFA solutions?

RADIUS Authentication

Static Key Authentication

Azure Certificate Authentication

Azure Active Directory Authentication

Consider the security requirements that might necessitate an encrypted tunnel even for traffic between Azure VNets.

31 / 69

31. What is the primary advantage of connecting two VNets using a VPN gateway connection instead of VNet peering?

Encryption of traffic for enhanced security and compliance.

Simpler and faster deployment.

Support for transitive routing by default.

Lower latency and higher bandwidth.

Consider how the firewall can resolve a domain name to an IP address to apply a network-level rule.

32 / 69

32. An administrator needs to enable FQDN filtering for network rules in Azure Firewall. What other feature must be enabled for this to work correctly?

Threat intelligence-based filtering

TLS inspection

DNS Proxy

An Application rule with the same FQDN

Look for a security service that operates at Layer 7 and understands web application protocols.

33 / 69

33. An administrator wants to protect a web application against common exploits like SQL injection and cross-site scripting. Which Azure service or feature should be implemented?

Azure Firewall Premium with IDPS.

Web Application Firewall (WAF)

Azure DDoS Protection Standard

A Network Security Group (NSG) with inbound security rules.

Think about the risk of making a long-term commitment before your resource needs have stabilized.

34 / 69

34. When is it advisable to avoid purchasing Azure Reserved Instances (RIs) early in your cloud journey?

When using services like Azure SQL Database, as RIs only apply to VMs.

When you prefer to manually assign discounts to specific projects.

When your architecture and usage patterns are still evolving.

When you want to maximize savings from the very first invoice.

Look for a tool designed for a quick, on-demand check of security rules for a specific packet.

35 / 69

35. Which Network Watcher tool would you use to determine if a packet with a specific source IP, destination IP, port, and protocol is allowed or denied by an NSG affecting a VM?

Next Hop

IP Flow Verify

Connection Monitor

NSG Flow Logs

Microsoft reserves a small, specific range of 16-bit ASNs for its own platform services.

36 / 69

36. When configuring BGP peering between Azure Route Server and an NVA, which range of Autonomous System Numbers (ASNs) is reserved by Microsoft and cannot be used for the NVA’s ASN?

Any 32-bit ASN

64512-65534

1-1024

65515-65520

The anomaly score increases with the severity level of the matched rule.

37 / 69

37. A WAF policy associated with an Application Gateway uses anomaly scoring. If a request matches a rule with a critical severity, what anomaly score is added to the request?

Consider where the incoming traffic first hits the Front Door service before being routed to a backend.

38 / 69

38. You are deploying a Web Application Firewall (WAF) policy. At which level can this policy be associated when using Azure Front Door?

At the Origin Group level.

At the Domain level within a Front Door profile.

At the individual listener level.

At the Route Path level.

This setting is used for traffic distribution when ‘Priority’ is not sufficient to make a routing decision.

39 / 69

39. What is the primary purpose of the ‘Weight’ setting in an Azure Front Door origin group?

To set the failover order for origins in the group.

To define the maximum number of connections an origin can accept.

To distribute traffic among origins that have the same priority level.

To assign a health score to the origin based on its performance.

Think about how the global load balancer’s IP address is made available across the Azure network.

40 / 69

40. A global (cross-region) Azure Load Balancer is deployed with a home region of ‘East US’. If the ‘East US’ region experiences a complete outage, what happens to the traffic flow?

All traffic is dropped until the home region is restored.

The load balancer converts to a regional load balancer in the closest available region.

Traffic flow is not impacted as the frontend IP is advertised via Anycast from other participating regions.

Traffic automatically fails over to a pre-configured secondary home region.

Consider which service responds to DNS queries to direct clients to the appropriate endpoint.

41 / 69

41. Which Azure load balancing solution operates at the DNS level to direct traffic to service endpoints in different Azure regions based on a configured routing method?

Azure Front Door

Azure Load Balancer

Azure Traffic Manager

Azure Application Gateway

Think about whether a Web Application Firewall policy for a regional service needs to be co-located with that service.

42 / 69

42. If you deploy an Azure Application Gateway and an associated WAF policy in different regions, what is the expected outcome?

The association will fail because the WAF policy and Application Gateway must be in the same region.

This configuration is only possible with a global WAF policy.

The policy will be applied, but with higher latency.

The policy will automatically be replicated to the Application Gateway's region.

Look for a service specifically designed to manage BGP route advertisements within a VNet.

43 / 69

43. Which Azure resource provides a managed service that simplifies dynamic routing between a Network Virtual Appliance (NVA) and an Azure Virtual Network?

Azure Route Server

Azure Load Balancer

Azure Bastion

Azure Firewall

Look for a service that operates at the global level and is optimized for web application delivery.

44 / 69

44. You need to distribute web traffic to backend pools located in multiple Azure regions to provide high availability and low latency for global users. Which Azure service is designed for this purpose?

An internal Azure Load Balancer with multiple backend pools.

Azure Front Door.

Azure Traffic Manager with priority routing.

Azure Application Gateway with a WAF V2 SKU.

The size of the gateway subnet must be large enough to accommodate the IP addresses needed by the gateway instances.

45 / 69

45. What is a key consideration when choosing an IP address range for the GatewaySubnet in a VNet?

It must be named 'AzureGatewaySubnet'.

It must use a public IP address range.

It must have a minimum size of /29 for an active-passive configuration.

It should not have any Network Security Group (NSG) associated with it.

Consider which service’s primary function is to direct traffic between different geographic locations.

46 / 69

46. Which of the following Azure services is considered a ‘non-regional’ or ‘global’ service?

Azure Virtual Machine

Azure Storage Account

Azure Virtual Network (VNet)

Azure Traffic Manager

Look for a tool that performs a fast, on-demand check of security and routing rules for a specific connection path from a VM.

47 / 69

47. An administrator needs to quickly diagnose connectivity from an Azure VM to an on-premises endpoint. Which Network Watcher tool is best suited for this task?

Packet Capture

NSG Diagnostics

IP Flow Verify

VPN Troubleshoot

Consider how you would override Azure’s default traffic flow to inspect traffic.

48 / 69

48. What is the primary mechanism for implementing custom routing in an Azure VNet to direct traffic through a Network Virtual Appliance (NVA)?

Azure Private DNS zones

User-Defined Routes (UDRs)

Network Security Groups (NSGs)

VNet Peering

Think about the HTTP status code that tells search engines to update their index.

49 / 69

49. When configuring a redirection backend target in Azure Application Gateway, which redirection type sends an HTTP 301 response code, indicating a permanent move?

See other

Temporary

Permanent

Found

Configuring a service endpoint involves two steps: one on the network side and one on the resource side.

50 / 69

50. When enabling a service endpoint for `Microsoft.Storage` on a subnet, what is the second mandatory step to complete the configuration and secure the storage account?

Grant access to the subnet at the destination storage account's firewall settings.

Assign an RBAC role like 'Storage Account Contributor' to all VMs in the subnet.

Create a private endpoint for the same storage account.

Associate a route table with the subnet to direct traffic to the storage service.

Consider the default system routes that are present in every VNet subnet.

51 / 69

51. What happens by default to internet-bound traffic originating from a VM in an Azure subnet that has no UDRs or other custom routing configured?

It is routed to the VNet's default gateway and then dropped.

It is blocked by a default NSG rule.

It is routed directly to the internet via Azure's backbone network.

It must be explicitly routed through an Azure Firewall instance.

Think of the ‘hub’ in the vWAN hub-and-spoke model.

52 / 69

52. In Azure Virtual WAN (vWAN), what is the primary component that acts as a central point of connectivity for VNets, branch offices, and remote users within a region?

An ExpressRoute Circuit

A Virtual Network Gateway

A Route Table

A Virtual Hub

Consider the addresses required for the network itself, the gateway, DNS mapping, and broadcast.

53 / 69

53. An Azure VNet is being planned with the address space 10.1.0.0/16. A new subnet is created with the address range 10.1.1.0/24. How many IP addresses within this subnet are reserved by the Azure platform and cannot be allocated to resources?

Consider which firewall tier is designed for organizations with the highest security and compliance requirements.

54 / 69

54. Which Azure Firewall SKU is required for features like TLS inspection and Intrusion Detection and Prevention System (IDPS)?

Premium

Basic

Global

Standard

The next hop type must be a specific network resource or gateway that can handle routing packets.

55 / 69

55. Which of the following is NOT a valid ‘next hop type’ for a User-Defined Route (UDR) in Azure?

Internet

Virtual appliance

Availability Zone

Virtual network gateway

This refers to the physical ‘meet-me’ point where your network provider connects to Microsoft’s network.

56 / 69

56. When creating an ExpressRoute circuit, what does the ‘peering location’ specify?

The physical location where the private connection between Microsoft's network and the connectivity provider's network is established.

The remote on-premises datacenter location.

The logical location for billing and management of the circuit.

The Azure region where your VNets are located.

Consider the OSI layer at which this service operates and what type of attack targets a different layer.

57 / 69

57. Which type of DDoS attack does the Azure DDoS Protection service NOT defend against?

Application (Layer 7) attacks that target web application vulnerabilities.

Volumetric attacks that flood the network with traffic.

Protocol attacks that exploit weaknesses in Layer 3 and Layer 4 protocols.

Attacks against public IP addresses of Azure resources.

Consider how to protect an application from a failure that impacts an entire datacenter, while keeping the application within a single region.

58 / 69

58. What is the function of an Availability Zone in Azure?

To provide a direct, private connection from an on-premises network to Azure.

To replicate data between two geographically separate regions for disaster recovery.

To apply reservations across multiple subscriptions for billing purposes.

To achieve high availability for applications within the same Azure region.

Microsoft requires you to use an approved third-party service to validate your DDoS protection configuration.

59 / 69

59. You need to test your Azure DDoS Protection plan to ensure it is configured correctly. What is a prerequisite for running a simulated DDoS attack?

Ensure the target VM has a Basic SKU public IP address.

Submit a support ticket to Microsoft requesting a test window.

Temporarily disable the DDoS Protection plan during the test.

Use a testing service like BreakingPoint Cloud and authorize it for your Azure subscription.

Look for a managed service that simplifies complex, global network topologies.

60 / 69

60. An architect is designing a solution that connects two branch offices and several Azure VNets across different regions with any-to-any connectivity. Which Azure networking service is best suited for this requirement?

A full mesh of VNet peerings and site-to-site VPNs.

Azure ExpressRoute with Global Reach.

A single VNet with multiple subnets for each branch office and application.

Azure Virtual WAN (vWAN).

Think about the advantages of a private, dedicated link compared to a connection over the shared public internet.

61 / 69

61. To secure data transfer between an on-premises data center and an Azure data center, a company wants to avoid the public internet. What is the primary benefit of a direct connection service like ExpressRoute?

It eliminates the need for any on-premises hardware.

It automatically load balances traffic across multiple regions.

It is a free service included with all Azure subscriptions.

It increases security and provides consistent network performance.

Consider the direction of the network traffic flow that each feature is designed to secure.

62 / 69

62. What is a key difference between a Private Endpoint and VNet Integration for an Azure App Service?

Private Endpoint provides a private IP for inbound traffic to the app, while VNet Integration allows the app to make outbound calls to resources in a VNet.

Private Endpoint secures outbound traffic, while VNet Integration secures inbound traffic.

Both services accomplish the same goal of securing all traffic, but Private Endpoint is easier to configure.

Private Endpoint works only with Linux App Service plans, while VNet Integration works only with Windows.

Think about how Azure needs to know the configuration of the ‘local’ or on-premises side of the VPN connection.

63 / 69

63. You are creating a Site-to-Site (S2S) VPN connection. What does the ‘Local Network Gateway’ resource in Azure represent?

The physical connection provided by an ExpressRoute partner.

A subnet within your Azure VNet dedicated to on-premises traffic.

The Azure VPN gateway deployed in your VNet.

The on-premises VPN device and its public IP address.

The dedicated subnet for Azure Firewall has a specific required name and a minimum size to allow for scaling operations.

64 / 69

64. When deploying an Azure Firewall into a VNet, what is the name and minimum size of the dedicated subnet required for the firewall to scale?

FirewallSubnet, /27

AzureFirewallSubnet, /26

AzureFirewallManagementSubnet, /26

GatewaySubnet, /27

Consider the widespread adoption of this modern VPN protocol across major desktop and mobile platforms.

65 / 69

65. An administrator is setting up a Point-to-Site (P2S) VPN using IKEv2. Which client operating systems have native client support for IKEv2?

Only Windows 10 and above.

Windows, macOS, and Linux only.

Android, Linux, iOS, macOS, and Windows 10 and above.

Only through the Azure VPN Client application.

This BGP parameter is crucial for detecting link failures and initiating a failover.

66 / 69

66. In a BGP session between a customer router and Microsoft edge routers for an ExpressRoute connection, the holdtime is set to 180 seconds. What is the significance of this value?

It is the amount of time a router will wait for a keep-alive message before considering the connection down.

It is the maximum time allowed for the initial BGP session to be established.

It is the frequency at which keep-alive messages are sent between the routers.

It is the time the session will remain active before requiring re-authentication.

Consider where the IP address allocation is managed: inside the guest OS or by the cloud platform itself.

67 / 69

67. You need to assign static private IP addresses to a group of VMs within a subnet. Which of the following is the recommended method?

Create a DHCP reservation server within the VNet.

Use an Azure Policy to assign IPs based on VM tags.

Change the private IP allocation method from Dynamic to Static on the Network Interface (NIC) in the Azure platform.

Manually configure the static IP address within the operating system of each VM.

Think about the geographical scope of connectivity required for your VNets.

68 / 69

68. When is it necessary to choose the Premium SKU for an ExpressRoute circuit?

When needing global connectivity to Azure regions outside of the circuit's geopolitical region.

When the required bandwidth exceeds 1 Gbps.

When connecting to Azure Government regions from commercial regions.

When needing connectivity to Azure PaaS services like Azure Storage.

Look for the billing option that provides a fixed cost for outbound data transfer.

69 / 69

69. An organization requires a direct, private connection to Azure from their on-premises datacenter that bypasses the public internet. They transfer a large and consistent amount of data outbound from Azure. Which ExpressRoute billing model would be most cost-effective?

Metered

Premium

Standard

Unlimited

Your score is

Why You Need This AZ-700 Practice Test (And Not Exam Dumps)

Mastering Core VNet and Subnetting Concepts for the AZ-700

The Five Reserved IPs in Every Subnet (A Critical AZ-700 Detail)

Best Practice: RFC 1918 Address Spaces

Advanced Routing and Hybrid Connectivity (AZ-700 Exam Scenarios)

Implementing Custom Routing with UDRs

Hub-and-Spoke Gateway Transit (A Key AZ-700 Design)

Firewall-Friendly VPN Tunnels

Securing Traffic Flow with AZ-700 Controls

Understanding the Azure Network Security Group (NSG)

Differentiating Load Balancing Services

Conclusion: Pass the AZ-700 with Authority

Related Posts

60+ Free Azure AZ-700 Practice Test Questions to Master Azure Networking in 2025

65+ Free AZ-500 Practice Test Questions to Dominate Azure Security Exam

Free Azure AZ-104 Practice Test: 50+ Essential Questions to Pass Fast