dc dotCreds
Reference guide

AZ-700 Course Notes

Study AZ-700 section notes, then jump straight into the guided course or related practice questions without losing your place.

Continue Course Start Practice
Checking access

Checking Pro access...

Looking for your active Pro access before showing Course Notes. This usually takes just a moment.

Course Notes preview

Unlock Pro for the full per-exam reference guide.

Preview one piece from each section. Pro includes every Course Notes section, summary, key point, common mistake, exam tip, related-question review, and PDF export.

Includes full Course Mode and Course Notes.

Section 1 Networking Foundations Preview
More in this section
  • Full summary in Pro version
  • 13 more key points in Pro version
  • 3 more common mistakes in Pro version
  • 3 more exam tips in Pro version
  • 43 more related questions in Pro version

Summary

Core Azure network design starts with address space, subnet boundaries, and the traffic paths those boundaries create. Virtual network peering gives low-latency private connectivity between VNets, but it is not transitive by default. Gateway transit is the clue that a spoke should use a hub gateway instead of deploying its own, while user-defined routes and virtual appliances decide whether east-west or north-south traffic is inspected.

Key Points

  • Azure Virtual Network: Choose this when workloads need private IP address space, subnet segmentation, peering, route control, and integration with Azure network services.

Common Mistakes

  • Assuming VNet peering is transitive and that spokes can automatically route through each other without explicit hub routing.

Exam Tips

  • Use peering for private VNet connectivity, gateway transit for shared gateway access, and UDRs when the next hop must change.
Section 2 Connectivity Services Preview
More in this section
  • Full summary in Pro version
  • 12 more key points in Pro version
  • 3 more common mistakes in Pro version
  • 3 more exam tips in Pro version
  • 31 more related questions in Pro version

Summary

Hybrid connectivity decisions usually start with transport and resiliency. Site-to-site VPN is faster to deploy and encrypted over the internet, while ExpressRoute gives private, provider-backed connectivity with more predictable routing and performance. Active-active VPN gateways add tunnel resiliency and throughput, but the gateway SKU still controls limits, availability zone support, and cost.

Key Points

  • VPN Gateway: Choose this when Azure needs encrypted site-to-site, point-to-site, or VNet-to-VNet tunnels over the internet.

Common Mistakes

  • Choosing VPN Gateway for workloads that require ExpressRoute private routing, predictable performance, or provider-backed connectivity.

Exam Tips

  • Use VPN for encrypted internet tunnels and ExpressRoute for private predictable enterprise connectivity.
Section 3 Application Delivery Preview
More in this section
  • Full summary in Pro version
  • 10 more key points in Pro version
  • 3 more common mistakes in Pro version
  • 3 more exam tips in Pro version
  • 27 more related questions in Pro version

Summary

Application delivery architecture starts by choosing the layer that should make the decision. Azure Load Balancer is layer 4 and distributes TCP or UDP flows using frontend IPs, backend pools, rules, and health probes. Application Gateway is layer 7 and can route HTTP or HTTPS by host name, URL path, headers, and WAF policy. Front Door is the global edge option for internet-facing HTTP applications, while Traffic Manager is DNS-based endpoint selection and never sees the actual request payload.

Key Points

  • Azure Load Balancer: Choose this when TCP or UDP traffic needs layer 4 distribution across backend instances in a regional Azure deployment.

Common Mistakes

  • Choosing Traffic Manager when the scenario needs layer 7 routing, TLS termination, WAF, or HTTP path decisions.

Exam Tips

  • Load Balancer is layer 4, Application Gateway is regional layer 7, Front Door is global edge layer 7, and Traffic Manager is DNS steering.
Section 4 Private Access Preview
More in this section
  • Full summary in Pro version
  • 10 more key points in Pro version
  • 3 more common mistakes in Pro version
  • 3 more exam tips in Pro version
  • 17 more related questions in Pro version

Summary

Private access questions often turn on Service Endpoint versus Private Endpoint. A service endpoint keeps traffic from a subnet to a supported Azure service on the Microsoft backbone, but the service still uses its public endpoint and public IP space. A private endpoint creates a network interface with a private IP in the VNet, so clients reach the service through private addressing and DNS rather than the public endpoint.

Key Points

  • Service Endpoint: Choose this when a subnet should reach a supported Azure service over the Azure backbone while the service still uses its public endpoint.

Common Mistakes

  • Treating service endpoints and private endpoints as the same design even though private endpoints create a private IP in the VNet.

Exam Tips

  • Service endpoints keep service traffic on the Azure backbone but still target the public service endpoint.
Section 5 Network Security Preview
More in this section
  • Full summary in Pro version
  • 12 more key points in Pro version
  • 3 more common mistakes in Pro version
  • 3 more exam tips in Pro version
  • 27 more related questions in Pro version

Summary

Layered Azure network security starts by separating subnet filtering from centralized inspection. NSGs are the right control for allowing or denying traffic at subnet or NIC boundaries with priority-based rules. Azure Firewall is the right control when traffic must be inspected, logged, NATed, filtered by FQDN or application rule, or forced through a hub. A common design mistake is using NSGs as if they provide stateful centralized egress inspection.

Key Points

  • Network Security Group (NSG): Choose this when subnet or NIC traffic needs priority-based allow and deny filtering by source, destination, port, and protocol.

Common Mistakes

  • Using NSGs as if they provide centralized egress inspection, FQDN filtering, or application rules like Azure Firewall.

Exam Tips

  • NSGs filter at subnet or NIC boundaries; Azure Firewall provides centralized stateful inspection and logging.