Microsoft AZ-700 prep, adaptive plan with ARIA
The Microsoft Azure Network Engineer Associate (AZ-700) is 120 minutes, around 50 questions, 700 out of 1000 to pass, and the credential most often asked for on Azure network engineering job listings. I prep you for it with a 25-question adaptive evaluation, a personalized roadmap sized to your gaps, a daily task engine, and a pass guarantee tied to five measurable conditions. Finish the roadmap, hit the readiness conditions, sit the exam, fail, get a full refund of the Exam Ready plan. Start your free CAT evaluation at claudelab.me/onboarding/select-cert?code=AZ-700.
TL;DR
- 120 minutes, 40 to 60 questions (typically around 50), 700 out of 1000 to pass, five domains weighted 20 / 25 / 30 / 15 / 10.
- I open with a 15-to-25-question CAT eval that lands a domain-by-domain skill estimate, not a single percentage.
- Your roadmap is generated from that estimate: more milestones on weak domains, fewer on strong ones, sequenced worst-to-best.
- Every wrong answer goes into an error backlog and resurfaces at the right interval until the pattern breaks.
- Pass-guarantee eligibility is checked by a database function with five mechanical conditions, not a marketing line.
What the AZ-700 exam is
AZ-700 is the current Microsoft Azure Network Engineer Associate exam (current as of 2026). It tests your ability to design, implement, and manage Azure networking solutions: hybrid connectivity, core infrastructure, routing and load balancing, security, and private access. 120 minutes, 40 to 60 questions (the count varies per session and lands around 50 most of the time), passing score 700 on a 1000-point scaled scale (about 70 percent), $165 USD. Available in English, Japanese, Chinese (Simplified), Korean, German, French, Spanish, and Portuguese. Question formats include multiple choice, multiple response, drag-and-drop, case studies, and short answer.
The blueprint splits into five domains:
| Domain | Weight | What it covers |
|---|---|---|
| Design, Implement, and Manage Hybrid Networking | 20% | Site-to-Site VPN (IKEv2, BGP, active-active), Point-to-Site VPN (OpenVPN, IKEv2, AAD auth), ExpressRoute (circuits, peerings, FastPath, Global Reach), Virtual WAN (hubs, branches, SD-WAN partner integration). |
| Design and Implement Core Networking Infrastructure | 25% | VNets and subnets, IP addressing, name resolution (Private DNS zones, custom DNS), VNet peering, routing fundamentals, VNet integration patterns. |
| Design and Implement Routing and Load Balancing | 30% | UDRs, BGP, Azure Load Balancer (basic vs standard, SKU choice), Application Gateway (WAF, path-based routing), Front Door, Traffic Manager, NVA insertion. |
| Secure and Monitor Networks | 15% | NSGs, Application Security Groups, Azure Firewall (standard, premium, manager), DDoS Protection, Network Watcher, connection monitor, NSG flow logs. |
| Design and Implement Private Access to Azure Services | 10% | Service Endpoints, Private Endpoints, Private Link Service, integrating PaaS into VNets, name resolution for Private Link. |
The weights matter for prep allocation. Domain 3 alone is 30 percent of the exam, and most generic study guides treat it as one block. I do not.
How ARIA preps you for it
ARIA owns your AZ-700 prep end to end. Five pieces, each one running every day you are in the program.
The CAT evaluation. Your first session is a 15-to-25-question adaptive test that converges on your real skill level for each of the five AZ-700 domains. Difficulty adjusts after every answer. The test stops at 95 percent confidence or 25 questions, whichever comes first. The output is a domain-by-domain estimate that decides what your roadmap looks like. Read the full CAT explainer for the mechanics.
The personalized roadmap. The moment the eval closes, I generate three to five phases sequenced from your weakest AZ-700 domain to your strongest, each with two to four milestones. Milestone count scales with starting level: novice on Domain 1 (Hybrid) gets the most milestones; proficient on Domain 5 (Private Access) gets the fewest. Generic plans waste weeks because the five domains are not symmetrical in difficulty for any given learner. A network ops engineer who lives in NSGs every day still tends to score low on Virtual WAN. Full structure: the roadmap overview.
The daily task engine. Every time you reopen the app, I pick the next thing to work on, today. One task. Not a list. The engine weighs active milestone, error backlog, readiness decay, and schedule drift, then surfaces the single highest-value action. Roadmap tasks advance milestones; free-play tasks improve readiness but do not.
The error backlog. Every wrong answer on an AZ-700 question is tagged with the trap pattern, domain, and topic, then queued for return at increasing intervals (1 day, 3 days, 7 days, 21 days). You do not manage decks. I do. The pattern retires only after three correct answers in a row, spaced.
The readiness score. A single 0-to-100 number that estimates your probability of passing AZ-700 today. It blends coverage, accuracy, and recency, and decays roughly 3 points per day of inactivity past the grace window. At 60 it unlocks the demo test, at 80 the gauntlet. With every milestone done, two mock passes, one gauntlet pass, and live readiness at 80, the pass guarantee flips eligible.
Common pitfalls on AZ-700
These five questions quietly cost the most points on this exam. Every prep tool calls them out. Few do anything structural about them. I do.
1. ExpressRoute vs Site-to-Site VPN vs Virtual WAN
The trap: bandwidth, BGP support, redundancy, and SKU all matter. ExpressRoute gives you up to 100 Gbps with a 99.95 percent SLA but costs more and needs a connectivity provider. Site-to-Site VPN tops out at 1.25 Gbps per tunnel on the highest gateway SKU and rides the public internet. Virtual WAN is the orchestration plane on top, not a replacement protocol. The exam writes scenarios where two of the three could technically work, and the right answer is decided by cost, scale, SLA, or branch count, not by which one carries traffic.
What I do about it: every miss tags the design-driver pattern (bandwidth threshold, SLA requirement, branch count, BGP topology), and the backlog ships variants back into your queue until you stop reaching for the wrong protocol. Virtual WAN questions get their own sub-pattern because most candidates pick it whenever "global" appears in the stem.
2. Azure Firewall vs NSG vs Application Gateway WAF vs Azure Front Door WAF
The trap: placement matters more than the product name. NSG is L3 and L4, stateful, on subnet or NIC. Azure Firewall is L3 to L7, stateful, regional, with FQDN filtering and TLS inspection on Premium. Application Gateway WAF is L7, regional, terminates TLS, sits in front of regional web apps. Front Door WAF is L7, global, anycast, sits in front of multi-region or edge-cached apps. Combine the wrong two and you create asymmetric routing or duplicate inspection. The exam loves stems where a candidate stacks Front Door and App Gateway on the same path with overlapping rules.
What I do about it: I drill placement diagrams explicitly. Every miss surfaces a placement matrix on the explanation card, and the backlog brings back layered-defense scenarios until you stop double-inspecting traffic.
3. VNet Peering vs VNet-to-VNet VPN vs Private Link
The trap: peering is L3 with no transitivity, no encrypted tunnel, near-zero latency. Without gateway transit you cannot reach on-prem from a peered spoke. VNet-to-VNet VPN is encrypted, transitive in some topologies, slower, charged per gateway hour. Private Link is not a peering replacement for general VNet traffic; it exposes a specific PaaS service or your own service via a private IP and bypasses peering entirely for that flow. Cross-subscription, cross-tenant, and cross-region scenarios all change which option is right.
What I do about it: the moment you miss this trio once, the backlog injects topology variants every cycle: hub-spoke transitivity, gateway transit toggles, cross-region peering pricing, Private Endpoint DNS resolution. You do not complete the Domain 2 connectivity milestone until you split the three patterns cold.
4. Azure Front Door vs Traffic Manager vs Application Gateway
The trap: Front Door is L7, global, anycast, with caching and WAF. Traffic Manager is DNS-based, global, no traffic on the data path, no anycast, no termination. Application Gateway is L7, regional, single-region path-based routing. The exam loves stems like "global low-latency static and dynamic content with TLS termination at the edge" where Front Door is the right answer, but candidates pick Traffic Manager out of habit because they learned it first on AZ-104.
What I do about it: I tag every miss as a global-vs-regional pattern and rotate scenarios with the deciding factor swapped: cache hit ratio, TLS offload requirement, session affinity, geo-failover RTO. The retry interval gets shorter every time you miss it, not longer.
5. Hub-and-spoke vs Virtual WAN topology
The trap: classic hub-and-spoke is fine up to a point. Once you cross roughly 30 to 50 branches, or you need cross-region transit without manual peering meshes, or you want first-class SD-WAN partner integration, Virtual WAN becomes the right answer. The exam writes migration scenarios where a working hub-and-spoke is described and the candidate has to recognize the threshold that triggers the Virtual WAN move. Most candidates over-pick Virtual WAN on small deployments and under-pick it on the migration stems.
What I do about it: branch count, cross-region routing requirements, and SD-WAN vendor integration each get tagged as separate sub-patterns. The backlog rotates them so you do not memorize one threshold and miss the others. Virtual WAN questions are the most-missed items in Domain 1 historically; I do not let them pass through.
Common questions
Is AZ-700 worth it if I already have AZ-104?
Yes, if your role touches hybrid connectivity, ExpressRoute, Azure Firewall, or Virtual WAN. AZ-104 covers networking at the administrator level: VNet basics, NSGs, peering, simple routing. AZ-700 goes deep on the design and implementation side that AZ-104 only grazes. If you already do network architecture day to day, AZ-700 is the credential the exam blueprint actually maps to your job.
How much CCNA-level networking do I need before AZ-700?
You need solid fundamentals: subnetting, routing tables, BGP basics, the difference between L3 and L7. CCNA-level depth is a strong bonus, not a requirement. The exam tests Azure-specific design choices, not generic networking theory. The CAT evaluation measures what you actually retain, then the roadmap fills the gaps. If you cannot read a route table, I will catch it on question two.
How does ARIA handle AZ-700 hybrid topology design questions?
Hybrid topology is the single largest exam risk on AZ-700. Every wrong answer on ExpressRoute, Site-to-Site VPN, or Virtual WAN trade-offs gets tagged with the design-driver pattern: bandwidth, SLA, BGP, redundancy, branch count, transit. The backlog rotates dual-requirement scenarios until the trade-offs become reflexive. You do not move past Domain 1 until the chain logic is automatic.
AZ-700 vs AZ-305, which fits my career path?
AZ-700 is depth on networking. AZ-305 is breadth across architecture: identity, compute, storage, data, networking, security, all at the design level. If your role is network engineer, network architect, or cloud security with a network slant, AZ-700 maps to your work. If your role is solution architect across the full Azure stack, AZ-305. Most people on the network-specialist path do AZ-104 then AZ-700; most generalists do AZ-104 then AZ-305.
Does the pass guarantee cover AZ-700?
Yes, with five measurable conditions: every milestone completed, every phase completed, two mock exams passed at 70 percent or higher, one gauntlet passed at 80 percent or higher, and a live readiness score of 80 or above. If those are true, you sit the exam in the 60-day window, and you do not pass, you get a full refund of the Exam Ready plan. The full mechanics live on the pass guarantee page.
How long does AZ-700 prep take?
Median time-to-ready for AZ-700 sits between five and ten weeks. The exam is dense on hybrid connectivity and routing, and most candidates underestimate Domain 3 (load balancing). A novice on hybrid networking gets the longest plan; someone already running ExpressRoute circuits in production lands closer to five weeks. The roadmap is sized from your evaluation, not a marketing window.
Start your AZ-700 prep
The cheapest possible signal is the 15-minute CAT evaluation. It tells you which of the five AZ-700 domains you actually own, which one will cost you the exam if you sit it tomorrow, and where the roadmap starts. After that, you decide whether to commit.
Start your free AZ-700 evaluation at claudelab.me/onboarding/select-cert?code=AZ-700.
Background reading: the AI cert prep guide covers the four categories of AI prep tools, and readiness and decay explains the score that drives the experience.