The Exact 8-Week Plan That Got Me Through AZ-700
Subnetting in your head, ExpressRoute circuits on paper, and a whole lot of VNet peering.
Forget everything Reddit told you about the AZ-700 being "just networking." This exam will humble you if you think traditional networking knowledge transfers cleanly to Azure. It doesn't. Not really.
I passed AZ-700 with a 780 after 8 weeks of focused study. I have a CCNA and 6 years of network engineering experience. And I still found this exam challenging — not because the networking concepts are hard, but because Azure networking has its own language, its own quirks, and its own way of doing things that doesn't always map to on-prem networking.

Here's the exact plan I followed, week by week. Steal it.
AZ-700 at a Glance
| Detail | Info |
|---|---|
| Full Name | Azure Network Engineer Associate |
| Exam Code | AZ-700 |
| Questions | 40-60 (multiple choice, case studies, drag-and-drop) |
| Time | 100 minutes |
| Passing Score | 700 out of 1000 |
| Cost | $165 USD |
| Prerequisites | None required (AZ-104 recommended) |
The exam covers four main areas: designing and implementing core networking infrastructure (~25-30%), routing (~25-30%), security (~25-30%), and private access to Azure services (~15-20%). But the real breakdown is messier than that — topics bleed into each other constantly.
Week 1-2: Virtual Networks — The Foundation
Everything in Azure networking starts with Virtual Networks (VNets). If you get VNets wrong, everything else falls apart. Spend two full weeks here.
What to Master
- VNet design — address spaces, subnets, delegation, service endpoints
- VNet peering — global vs. regional, transitivity (spoiler: it's not transitive by default), gateway transit
- Subnet sizing — Azure reserves 5 IPs per subnet. Yes, five. /29 gives you 3 usable IPs, not 6
- Network Security Groups (NSGs) — rules, priority, default rules, effective security rules view
- Application Security Groups (ASGs) — and when they're better than NSGs alone
The Trap Most People Fall Into
Traditional network engineers think in terms of VLANs, trunks, and Layer 2 domains. Azure doesn't have Layer 2. Everything is Layer 3. There's no broadcast domain, no ARP in the traditional sense, no spanning tree. Once you internalize this, Azure networking clicks. Until then, it feels weird.
🧠 Subnet Math Cheat Sheet
Azure reserves 5 IPs per subnet (network, gateway x3, broadcast). Quick math:
- /28 = 16 addresses - 5 = 11 usable
- /27 = 32 addresses - 5 = 27 usable
- /26 = 64 addresses - 5 = 59 usable
- /24 = 256 addresses - 5 = 251 usable
The exam will test this. Count carefully.
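The same math as an added Python example (not from the original post): it lists which addresses Azure holds back in a subnet, finds the smallest subnet that fits a host count after the 5 reserved IPs, and carves subnets out of a VNet address space. The function names, the 10.0.0.0/24 address space and the host counts are assumptions made up for illustration.

```python
import ipaddress

AZURE_RESERVED = 5  # first four addresses plus the last one in every subnet


def azure_subnet_info(cidr):
    """Usable count, reserved addresses and usable range for one Azure subnet."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.num_addresses <= AZURE_RESERVED:
        raise ValueError(f"{cidr} leaves no usable addresses in Azure")
    return {
        "usable": net.num_addresses - AZURE_RESERVED,
        "reserved": [str(net[i]) for i in (0, 1, 2, 3, -1)],
        "first_usable": str(net[4]),
        "last_usable": str(net[-2]),
    }


def smallest_prefix(hosts):
    """Longest prefix (smallest subnet) that still fits `hosts` after the 5 reserved."""
    for prefix in range(29, 0, -1):
        if 2 ** (32 - prefix) - AZURE_RESERVED >= hosts:
            return prefix
    raise ValueError("demand does not fit in IPv4")


def plan_subnets(vnet_cidr, demands):
    """Carve aligned subnets out of a VNet address space, largest demand first."""
    vnet = ipaddress.ip_network(vnet_cidr, strict=True)
    cursor, plan = int(vnet.network_address), {}
    for name, hosts in sorted(demands.items(), key=lambda kv: -kv[1]):
        prefix = smallest_prefix(hosts)
        size = 2 ** (32 - prefix)
        cursor = -(-cursor // size) * size  # round up to the subnet boundary
        subnet = ipaddress.IPv4Network((cursor, prefix))
        if not subnet.subnet_of(vnet):
            raise ValueError(f"{name}: {vnet_cidr} is too small for this plan")
        plan[name] = subnet
        cursor += size
    return plan


if __name__ == "__main__":
    # Constructed demands: 28 hosts fit an on-prem /27 (30 usable) but not an Azure /27 (27).
    for name, subnet in plan_subnets("10.0.0.0/24", {"web": 28, "db": 10, "mgmt": 3}).items():
        print(name, subnet, azure_subnet_info(str(subnet))["usable"])
```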
Week 3-4: Hybrid Connectivity — VPN & ExpressRoute
This is where the exam gets interesting (and where I spent the most study time). Hybrid connectivity is the bread and butter of enterprise Azure networking, and Microsoft tests it heavily.
VPN Gateway Deep Dive
- Site-to-Site (S2S) — IPsec/IKE tunnels between on-prem and Azure. Know the configuration parameters.
- Point-to-Site (P2S) — Individual client VPN connections. OpenVPN, IKEv2, SSTP protocols.
- VNet-to-VNet — Connecting VNets across regions via VPN gateways (vs. peering — know the tradeoffs).
- Gateway SKUs — VpnGw1 through VpnGw5, performance tiers, zone-redundant variants. The exam tests whether you know which SKU supports what throughput.
ExpressRoute — The Premium Option
ExpressRoute is private connectivity to Azure that doesn't go over the internet. It's complex, expensive, and shows up on probably 20% of exam questions. Know these cold:
- Peering types — Azure private peering, Microsoft peering (and why public peering is deprecated)
- ExpressRoute circuits vs. gateways — they're separate resources
- ExpressRoute Global Reach — connecting two on-prem sites through ExpressRoute
- ExpressRoute Direct — when you need more than 10 Gbps
- Failover scenarios — ExpressRoute + VPN as backup is a classic exam scenario
Here's the analogy I used: VPN is like sending mail through the postal service. ExpressRoute is like having a private road built directly to the post office. Both deliver mail. One is cheaper, one is faster and more reliable. The exam tests when to use which.
Week 5: Load Balancing — All Four Types
Azure has four load balancers. Four. And the exam expects you to know when to use each one. This was genuinely confusing until I built a mental decision tree.
| Service | Layer | Scope | Best For |
|---|---|---|---|
| Azure Load Balancer | Layer 4 (TCP/UDP) | Regional | Internal/external TCP/UDP traffic |
| Application Gateway | Layer 7 (HTTP/HTTPS) | Regional | Web apps needing WAF, SSL offload, path-based routing |
| Traffic Manager | DNS-based | Global | DNS-level routing across regions |
| Azure Front Door | Layer 7 (HTTP/HTTPS) | Global | Global web apps needing CDN + WAF + routing |
The Decision Tree
Is it global or regional? If global, is it HTTP or non-HTTP? If regional, is it Layer 4 or Layer 7?
- Global + HTTP → Front Door
- Global + non-HTTP → Traffic Manager
- Regional + HTTP → Application Gateway
- Regional + non-HTTP → Load Balancer
That decision tree got me through at least 5 questions on the actual exam. Memorize it.
Week 6: Network Security — Firewalls, WAF, and DDoS
Security isn't just about NSGs (though those are important). The exam goes deeper into Azure's security stack:
Azure Firewall
- Standard vs. Premium — Premium adds TLS inspection, IDPS, URL filtering based on categories
- Rule types — Network rules, application rules, NAT rules. Processing order matters!
- Azure Firewall Manager — central management across multiple firewalls
- Forced tunneling — sending all internet-bound traffic through the firewall
Web Application Firewall (WAF)
WAF can be deployed on Application Gateway or Front Door. Know the differences in capability and when you'd choose each deployment option. OWASP rule sets, custom rules, and exclusion lists all come up.
DDoS Protection
Azure DDoS Protection comes in two tiers: Network Protection (per-VNet, includes cost protection guarantee) and IP Protection (per-IP, cheaper). The exam tests when you need one vs. the other and what each tier includes.
Azure Private Link & Private Endpoints
This is increasingly important. Private Link lets you access Azure PaaS services (Storage, SQL, etc.) over a private endpoint in your VNet instead of over the public internet. The configuration involves DNS — and the DNS part trips everyone up.
When you create a private endpoint for Azure SQL, you need a private DNS zone (privatelink.database.windows.net) that resolves the service's FQDN to the private IP. Get this wrong, and your apps still go over the public internet even though you set up the private endpoint. Classic gotcha.
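A check for this gotcha, as an added Python example that is not part of the original post: it walks a set of DNS answers for the SQL FQDN and reports whether a client would land on the private endpoint or still on a public address. The server name `contoso-sql`, the `gateway.example.net` target, the IPs and the VNet range are constructed sample values, and the record tuples stand in for what a resolver inside the VNet would return.

```python
import ipaddress

PRIVATELINK_ZONE = "privatelink.database.windows.net"  # zone named in the article


def _norm(name):
    return name.lower().rstrip(".")


def follow_cnames(fqdn, records):
    """Walk (name, type, value) answers from fqdn; return (name chain, final A addresses)."""
    name, chain = _norm(fqdn), [_norm(fqdn)]
    while True:
        targets = [_norm(v) for n, t, v in records if _norm(n) == name and t == "CNAME"]
        if not targets:
            break
        if targets[0] in chain:
            raise ValueError("CNAME loop in answers")
        name = targets[0]
        chain.append(name)
    ips = [ipaddress.ip_address(v) for n, t, v in records if _norm(n) == name and t == "A"]
    return chain, ips


def check_private_endpoint(fqdn, records, vnet_cidrs):
    """Classify where a client using these answers would actually connect."""
    chain, ips = follow_cnames(fqdn, records)
    nets = [ipaddress.ip_network(c) for c in vnet_cidrs]
    if not ips:
        return "unresolved"
    if all(any(ip in net for net in nets) for ip in ips):
        return "private_endpoint"
    if any(n.endswith("." + PRIVATELINK_ZONE) for n in chain):
        return "bypassing_private_endpoint"  # privatelink name did not resolve into the VNet
    return "no_privatelink_cname"


# Constructed answers: hypothetical server name, documentation-range public IP.
CNAME = ("contoso-sql.database.windows.net", "CNAME", "contoso-sql." + PRIVATELINK_ZONE)
LINKED = [CNAME, ("contoso-sql." + PRIVATELINK_ZONE, "A", "10.0.1.5")]
UNLINKED = [CNAME,
            ("contoso-sql." + PRIVATELINK_ZONE, "CNAME", "gateway.example.net"),
            ("gateway.example.net", "A", "203.0.113.10")]

if __name__ == "__main__":
    for label, answers in (("linked", LINKED), ("unlinked", UNLINKED)):
        print(label, check_private_endpoint(CNAME[0], answers, ["10.0.0.0/16"]))
```

Membership in the VNet ranges is tested explicitly instead of relying on `ipaddress`'s `is_private`, which also returns True for documentation ranges such as 203.0.113.0/24.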
Week 7: Monitoring, Troubleshooting & Azure Virtual WAN
Network Monitoring Tools
- Network Watcher — IP flow verify, NSG flow logs, connection troubleshoot, packet capture
- Connection Monitor — continuous connectivity monitoring between Azure and on-prem
- Traffic Analytics — analyzing NSG flow logs for security and performance insights
Azure Virtual WAN
Virtual WAN is Microsoft's managed hub-and-spoke architecture. It simplifies large-scale networking with virtual hubs, automated branch connectivity, and integrated security (Secure Virtual Hub). The exam tests architecture decisions — when Virtual WAN is better than a manual hub-and-spoke design.
Quick rule of thumb: if the scenario describes many branch offices connecting to multiple Azure regions with VPN and ExpressRoute, think Virtual WAN. If it's a simpler hub-and-spoke with a few VNets, manual design is fine.
Azure DNS
Don't overlook DNS. Public and private DNS zones, DNS forwarding, conditional forwarding with Azure DNS Private Resolver — these all appear on the exam. The private DNS resolver is relatively new and increasingly tested.
Week 8: Practice Exams & Final Review
This is where everything comes together. By now you should have covered all the topics. Week 8 is about:
- Taking 3-4 full practice exams under timed conditions using ExamCert's AZ-700 practice test
- Reviewing every wrong answer — not just reading the explanation, but going back to the source material
- Drilling your weak areas — for me it was ExpressRoute peering configurations and load balancer health probes
- Drawing network diagrams — seriously, grab paper and draw out hub-and-spoke, Virtual WAN, and ExpressRoute topologies from memory
📊 My Practice Scores Over Week 8
- Practice Test 1: 68% — reality check. Back to studying.
- Practice Test 2: 74% — ExpressRoute questions still shaky
- Practice Test 3: 81% — feeling better. Load balancing questions clicking now.
- Practice Test 4: 85% — confident enough to book the exam
I booked the exam for the following Monday. Passed with 780. Your mileage may vary, but the trajectory matters more than the starting point.
Do I Need AZ-104 First?
Technically no. Practically? Yes.
AZ-700 assumes you understand Azure fundamentals — resource groups, subscriptions, RBAC, the portal. If you're starting from scratch, go AZ-900 → AZ-104 → AZ-700. If you already work with Azure daily, you can probably skip AZ-900 and start at AZ-104.
The networking sections of AZ-104 overlap with about 30% of AZ-700 content. So if you've recently passed AZ-104, you've got a head start.
Study Resources I Actually Used
Top Tier (Use These)
- Microsoft Learn AZ-700 path — free, official, regularly updated. Do every module.
- Hands-on labs — Microsoft's GitHub AZ-700 labs are excellent. Build everything yourself.
- ExamCert AZ-700 practice questions — scenario-based questions that match the exam style
- John Savill's YouTube — his AZ-700 study cram is genuinely world-class
Helpful But Not Essential
- Azure documentation — reference when you need deep dives on specific services
- Reddit r/AzureCertification — community tips and recent exam experiences
5 Things I'd Do Differently
- Start with labs earlier. I spent too much time reading before doing. The concepts don't stick until you configure a VNet peering or set up a VPN gateway yourself.
- Draw more diagrams. Azure networking is visual. If you can't draw the topology, you don't understand it.
- Focus more on Private Link/Endpoints. This topic is growing in exam weight. DNS integration especially.
- Don't underestimate load balancing. Four different services, each with unique scenarios. The decision tree saved me.
- Take practice exams earlier. I waited until week 7 and wished I'd started in week 4 to identify gaps sooner.
Frequently Asked Questions
Is AZ-700 harder than AZ-104?
AZ-700 is narrower but deeper. AZ-104 covers all of Azure administration broadly, while AZ-700 goes very deep on networking specifically. If you're a networking specialist, AZ-700 might actually feel easier. If you're a generalist, AZ-104 is more approachable.
How many questions are on the AZ-700 exam?
Typically 40-60 questions including multiple choice, case studies, and drag-and-drop. You have 100 minutes. The passing score is 700 out of 1000.
Is the AZ-700 certification worth it in 2026?
Yes, especially if you work in enterprise environments. Hybrid networking is critical for most large organizations, and certified Azure network engineers command $130-155K on average. It's a specialized role with strong demand.
What hands-on experience do I need for AZ-700?
You should be comfortable configuring VNets, peering, NSGs, load balancers, and VPN gateways in the Azure portal. Use Microsoft Learn sandboxes or a personal Azure subscription for practice.
Do I need AZ-104 before AZ-700?
It's not required, but strongly recommended. AZ-104 gives you the Azure administration foundation that AZ-700 builds upon.
Your Next Move
You've got the plan. Now execute it. Start with Week 1 topics, set up your Azure environment, and commit to 10-12 hours of study per week. The exam isn't easy, but it's absolutely passable with focused preparation.
More resources for your journey:
- ExamCert AZ-700 Practice Test — free scenario-based questions
- AZ-700 Complete Guide
- AZ-700 Practice Questions 2026
- AZ-104 vs AZ-900: Which First?
- Azure Certification Path Guide
- CCNA Networking Certification Path — if you want the Cisco side too
