Azure · Certifications · June 2025

AZ-700 study notes: what I've learned about Azure networking so far

Midway through my AZ-700 prep. Here's what surprised me, what I already knew coming from AZ-104, and how I'm structuring my study approach around real-world architecture scenarios.

I'm about halfway through my AZ-700 (Azure Network Engineer Associate) preparation and it's already proven to be a more interesting certification than I expected. When I started, I assumed it would be a straightforward extension of the networking concepts I'd already covered in AZ-104. I was partially right. The fundamentals transfer. But AZ-700 goes several layers deeper into territory that I've touched in production but never had to fully articulate.

What I already knew (and what needed sharpening)

Coming from AZ-104 and several years working with Azure environments in a CSP context, I had solid working knowledge of VNets, NSGs, VPN Gateway, and the general hub-and-spoke topology. What I didn't realise is how much decision-making depth AZ-700 tests at.

The exam isn't just asking "what is ExpressRoute?" It's asking when ExpressRoute is the right call over a VPN Gateway, what the failover model looks like, when you'd use a Zone-Redundant Gateway SKU versus not, and how that interacts with a specific customer's SLA requirements. That decision-layer thinking is where most of my study time has gone.

The things that surprised me

Azure Firewall Premium vs. Azure Firewall Standard

I'd used Azure Firewall in customer environments before, mostly at Standard tier. The Premium SKU's TLS inspection capability — and the architectural requirements it brings around certificate management — is something I hadn't fully understood before starting this exam prep. The way it integrates with Key Vault for certificates is elegant, but it adds real operational complexity that you need to plan for upfront.

Private DNS Zones and autoregistration

The DNS resolution chain for private endpoints is more nuanced than the portal makes it look. When you're dealing with cross-region or cross-tenant scenarios, the DNS forwarding setup (particularly with on-premises DNS resolvers) has several failure modes that are worth understanding deeply. I've hit a few of these in production and worked through them intuitively — AZ-700 is giving me the vocabulary to describe what I was actually doing.

Application Gateway WAF tuning

The WAF (Web Application Firewall) component of Application Gateway is something I'd mostly treated as a checkbox feature. Learning to think about WAF rule exclusions, custom rules, and the difference between Detection and Prevention mode in the context of specific attack vectors has been one of the more practically useful parts of this exam prep.

How I'm structuring my study

I've deliberately moved away from video-first learning for this one. My approach:

What's left

I still have ExpressRoute Global Reach, Virtual WAN, and the more advanced BGP scenarios to cover properly. Those are the areas where I feel least confident in production experience, so they'll get the most lab time.

More notes to come as I push toward the exam. If you're also studying for AZ-700 and want to compare notes, hit me up via the contact page.
