Hands-On Exercises for AZ-700: Designing and Implementing Networking Solutions in Microsoft Azure
The Microsoft AZ-700 certification, formally titled Designing and Implementing Microsoft Azure Networking Solutions, represents one of the most technically focused credentials in the Microsoft Azure certification portfolio. This examination targets network engineers, cloud architects, and infrastructure professionals who specialize in designing, implementing, and managing the networking components of Azure-based solutions. Unlike broader Azure certifications that cover a wide range of cloud services, the AZ-700 goes deep into the specific domain of Azure networking, testing candidates on their ability to design and build network architectures that are secure, highly available, scalable, and optimized for performance. The hands-on component of preparing for this exam is not optional but essential, as the exam presents scenario-based questions that can only be answered confidently by professionals who have built and tested these configurations themselves.
The significance of hands-on practice for AZ-700 preparation stems from the nature of Azure networking itself. Networking concepts such as routing, address space design, hybrid connectivity, and traffic inspection involve interactions between multiple components that cannot be fully understood through reading alone. When a candidate actually deploys a hub-and-spoke virtual network topology, connects it to an on-premises environment through a VPN gateway, and tests traffic flows between spokes, they develop an intuitive understanding of how the components interact that no textbook or video course can replicate. This article presents a comprehensive set of hands-on exercises that cover the major domains of the AZ-700 exam, providing structured practice that builds both technical proficiency and the architectural judgment that the exam rewards.
Setting Up the Azure Lab Environment
Before beginning any of the hands-on exercises described in this article, establishing a properly configured Azure lab environment is an essential first step. A free Azure account provides 200 US dollars in credits for the first 30 days along with access to a range of free-tier services, which is sufficient to complete most networking exercises at a small scale. For candidates who already have an Azure subscription through work or a Visual Studio subscription, using a dedicated resource group for lab exercises keeps costs visible and makes cleanup straightforward when exercises are complete. Creating all lab resources within a single subscription and region where possible reduces complexity and makes it easier to understand network traffic flows during testing.
Before creating any resources, spend time designing the address space that will be used across all exercises. Using a consistent and well-planned IP addressing scheme from the beginning prevents address conflicts as the lab environment grows to include multiple virtual networks, VPN connections, and peered networks. A practical approach is to allocate the 10.0.0.0/8 address space for all lab resources, dividing it into blocks for hub networks, spoke networks, on-premises simulation networks, and specialized workloads. Documenting this addressing plan before creating any resources establishes good architectural habits and makes it easier to troubleshoot connectivity problems that arise during exercises. Having a running notes document that records resource names, IP addresses, and configuration decisions for each exercise is equally valuable and serves as a personal reference during exam preparation.
Virtual Network Creation and Subnetting
The first and most fundamental hands-on exercise for AZ-700 preparation involves creating virtual networks with carefully designed subnet structures. Begin by creating a virtual network with an address space of 10.1.0.0/16 in your chosen Azure region. Within this virtual network, create four subnets that serve different purposes: a general workload subnet using 10.1.1.0/24, a management subnet using 10.1.2.0/24, a gateway subnet using 10.1.255.0/27, which satisfies Microsoft's requirement that this subnet be named GatewaySubnet and be at least a /27, and an Azure Bastion subnet using 10.1.254.0/26, which must be named AzureBastionSubnet and be at least a /26. These naming and sizing requirements are tested in the AZ-700 exam and must be followed exactly for the associated services to function.
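As an added illustration (not code from the article), the following Python script checks an addressing plan like the one described here and in the lab-setup section: special subnet names and minimum sizes, subnets that fall outside or overlap within their VNet, and VNet address spaces that collide. The hub's firewall and gateway subnet prefixes, the spoke subnet, and the deliberately broken second plan are constructed for the example.

```python
import ipaddress
from itertools import combinations
from typing import Dict, List, Tuple

# Azure's special-purpose subnets: the exact name Azure requires and the
# smallest size it accepts, expressed as the largest allowed prefix length.
# GatewaySubnet and AzureBastionSubnet come from this exercise;
# AzureFirewallSubnet is the rule the firewall exercise on this page relies on.
SPECIAL_SUBNETS = {"GatewaySubnet": 27, "AzureBastionSubnet": 26, "AzureFirewallSubnet": 26}

# A plan maps VNet name -> (address space, {subnet name: prefix}).
Plan = Dict[str, Tuple[str, Dict[str, str]]]


def check_vnet(name: str, space: str, subnets: Dict[str, str]) -> List[str]:
    """Return the problems with one VNet's subnet layout (empty list = OK)."""
    problems: List[str] = []
    vnet = ipaddress.ip_network(space)
    nets = {sub: ipaddress.ip_network(prefix) for sub, prefix in subnets.items()}
    for sub, net in nets.items():
        if not net.subnet_of(vnet):
            problems.append(f"{name}/{sub}: {net} is outside {vnet}")
        # Match special names case-insensitively so that a near miss is
        # reported instead of being silently treated as an ordinary subnet.
        special = next((s for s in SPECIAL_SUBNETS if s.lower() == sub.lower()), None)
        if special is None:
            continue
        if sub != special:
            problems.append(f"{name}/{sub}: must be named exactly {special}")
        if net.prefixlen > SPECIAL_SUBNETS[special]:
            problems.append(f"{name}/{sub}: /{net.prefixlen} is too small, "
                            f"needs /{SPECIAL_SUBNETS[special]} or larger")
    # Subnets within one VNet must not overlap each other.
    for (a_name, a), (b_name, b) in combinations(nets.items(), 2):
        if a.overlaps(b):
            problems.append(f"{name}: {a_name} {a} overlaps {b_name} {b}")
    return problems


def check_plan(plan: Plan) -> List[str]:
    """Validate every VNet and confirm the VNet address spaces are disjoint,
    which peering and VPN/ExpressRoute connections both require."""
    problems: List[str] = []
    for name, (space, subnets) in plan.items():
        problems.extend(check_vnet(name, space, subnets))
    for (a, (sa, _)), (b, (sb, _)) in combinations(plan.items(), 2):
        na, nb = ipaddress.ip_network(sa), ipaddress.ip_network(sb)
        if na.overlaps(nb):
            problems.append(f"{a} {na} overlaps {b} {nb}: cannot be peered or connected")
    return problems


# The addressing used by the exercises on this page. The hub GatewaySubnet,
# AzureFirewallSubnet and spoke2 workload prefixes are constructed here.
LAB_PLAN: Plan = {
    "lab-vnet": ("10.1.0.0/16", {
        "workload": "10.1.1.0/24",
        "management": "10.1.2.0/24",
        "GatewaySubnet": "10.1.255.0/27",
        "AzureBastionSubnet": "10.1.254.0/26",
    }),
    "hub-vnet": ("10.0.0.0/16", {
        "GatewaySubnet": "10.0.255.0/27",
        "AzureFirewallSubnet": "10.0.254.0/26",
    }),
    "spoke2-vnet": ("10.2.0.0/16", {"workload": "10.2.1.0/24"}),
}

# A deliberately broken plan (constructed): wrong subnet casing, an undersized
# gateway subnet, a subnet outside its VNet and a space colliding with lab-vnet.
BAD_PLAN: Plan = {
    "lab-vnet": LAB_PLAN["lab-vnet"],
    "onprem-sim": ("10.1.0.0/16", {
        "gatewaysubnet": "10.1.255.0/28",
        "servers": "10.9.0.0/24",
    }),
}

if __name__ == "__main__":
    for label, plan in (("LAB_PLAN", LAB_PLAN), ("BAD_PLAN", BAD_PLAN)):
        print(label, check_plan(plan) or "OK")
```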
After creating the subnets, deploy a small virtual machine into the workload subnet and another into the management subnet to serve as test endpoints for connectivity verification in later exercises. When deploying these virtual machines, configure them without public IP addresses and without open inbound ports in their network security groups, as you will use Azure Bastion for management access rather than exposing them directly to the internet. This configuration reflects security best practices that the AZ-700 exam endorses and gives you practical experience with the principle of minimizing public exposure of Azure resources. Once the virtual machines are deployed, verify that they appear in the Azure portal with their assigned private IP addresses and that the network interface cards are associated with the correct subnets.
Network Security Group Implementation
Network security groups are the primary mechanism for controlling inbound and outbound traffic at the subnet and network interface levels in Azure, and configuring them correctly is a core skill tested by the AZ-700 exam. In this exercise, create a network security group and associate it with the workload subnet created in the previous exercise. Begin by examining the default rules that Azure adds to every new network security group, which include rules that allow all inbound traffic from within the virtual network, allow all outbound traffic to the internet and virtual network, and deny all other inbound traffic. Understanding these default rules and how they interact with custom rules you add is essential for predicting the effective security policy applied to traffic flowing through the subnet.
Add custom inbound rules to allow ICMP traffic from the management subnet to the workload subnet, which will be used for connectivity testing in later exercises. Also add a rule that denies all inbound traffic on port 3389 from the internet, demonstrating the use of deny rules to block specific traffic patterns. After configuring the network security group, use the IP flow verify tool in Azure Network Watcher to test whether specific traffic flows are permitted or denied by the current security group configuration. This tool is invaluable for diagnosing network security group behavior without needing to deploy additional test infrastructure, and familiarity with it is directly relevant to the troubleshooting scenarios that appear in the AZ-700 exam. Document the effective security rules that result from your configuration and verify that they match your intended policy.
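To make the priority-ordered evaluation concrete, here is an added Python model (not from the article or from Azure) that applies the six default rules plus the two custom rules above the way IP flow verify reports a verdict. Service tags are simplified as the comments note, and the source and destination addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed lab values from the exercise: VNet 10.1.0.0/16 with the
# management subnet 10.1.2.0/24 and the workload subnet 10.1.1.0/24.
VNET_SPACE = [ipaddress.ip_network("10.1.0.0/16")]
AZURE_LB_PROBE = ipaddress.ip_address("168.63.129.16")  # AzureLoadBalancer tag


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int    # 100-4096 for custom rules, 65000+ for the Azure defaults
    direction: str   # "Inbound" or "Outbound"
    access: str      # "Allow" or "Deny"
    protocol: str    # "Tcp", "Udp", "Icmp" or "*"
    source: str      # CIDR, "*", or tag VirtualNetwork/Internet/AzureLoadBalancer
    dest: str        # same forms as source
    port: str        # destination port: "*", "3389" or "low-high"


def addr_matches(spec: str, addr: ipaddress.IPv4Address) -> bool:
    """Match an address against a CIDR, '*' or a service tag.
    Simplification: VirtualNetwork is only the configured VNet space (in
    Azure it also covers peered VNets and on-premises prefixes learned via a
    gateway), and Internet is everything outside that space."""
    in_vnet = any(addr in n for n in VNET_SPACE)
    if spec == "*":
        return True
    if spec == "VirtualNetwork":
        return in_vnet
    if spec == "Internet":
        return not in_vnet
    if spec == "AzureLoadBalancer":
        return addr == AZURE_LB_PROBE
    return addr in ipaddress.ip_network(spec)


def port_matches(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)


# The six default rules Azure adds to every NSG; lower priority numbers win.
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "*", "Internet", "*"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*", "*"),
]

# The two custom rules the exercise adds to the workload subnet's NSG. Note
# that the RDP deny only covers Internet sources: RDP from inside the VNet
# is still allowed by AllowVnetInBound, as the verdicts below show.
CUSTOM_RULES = [
    Rule("AllowIcmpFromMgmt", 100, "Inbound", "Allow", "Icmp", "10.1.2.0/24", "10.1.1.0/24", "*"),
    Rule("DenyRdpFromInternet", 110, "Inbound", "Deny", "Tcp", "Internet", "*", "3389"),
]


def ip_flow_verify(rules: List[Rule], direction: str, protocol: str,
                   src: str, dst: str, port: int) -> Optional[Rule]:
    """Mimic Network Watcher IP flow verify: walk the rules in priority order
    and return the first one that matches the flow (None if nothing matches)."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in sorted(rules, key=lambda r: r.priority):
        if r.direction != direction or r.protocol not in ("*", protocol):
            continue
        if not (addr_matches(r.source, src_ip) and addr_matches(r.dest, dst_ip)):
            continue
        if protocol == "Icmp":
            if r.port != "*":  # ICMP has no ports; only port-agnostic rules apply
                continue
        elif not port_matches(r.port, port):
            continue
        return r
    return None


def verdict(direction: str, protocol: str, src: str, dst: str, port: int = 0) -> Tuple[str, str]:
    """Return (access, matching rule name) for a flow through the workload NSG."""
    hit = ip_flow_verify(DEFAULT_RULES + CUSTOM_RULES, direction, protocol, src, dst, port)
    return (hit.access, hit.name) if hit else ("Deny", "no matching rule")


if __name__ == "__main__":
    for flow in (("Inbound", "Icmp", "10.1.2.5", "10.1.1.4"),
                 ("Inbound", "Tcp", "203.0.113.7", "10.1.1.4", 3389),
                 ("Inbound", "Tcp", "10.1.2.5", "10.1.1.4", 3389),
                 ("Inbound", "Tcp", "203.0.113.7", "10.1.1.4", 80),
                 ("Outbound", "Tcp", "10.1.1.4", "203.0.113.80", 443)):
        print(flow, "->", verdict(*flow))
```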
Azure Bastion Deployment and Usage
Azure Bastion provides secure browser-based connectivity to Azure virtual machines without requiring public IP addresses or open RDP and SSH ports in network security groups, making it the recommended management access solution for Azure virtual machines in security-conscious deployments. Deploying Azure Bastion in your lab environment gives you both practical experience with the service and a convenient tool for accessing your test virtual machines during subsequent exercises. In the virtual network created earlier, deploy an Azure Bastion instance into the AzureBastionSubnet you created. The deployment requires a Standard or Basic tier Bastion resource and a public IP address that Bastion uses for browser-based connections.
After deployment, connect to one of your test virtual machines through the Azure portal using Azure Bastion and verify that the connection succeeds without requiring any changes to the virtual machine's network security group. This exercise demonstrates concretely how Azure Bastion provides management access while keeping virtual machines isolated from direct internet exposure. From within the connected virtual machine session, attempt to ping the other virtual machine in the management subnet using its private IP address. Depending on your network security group configuration, this ping may or may not succeed, providing a practical lesson in how network security groups filter traffic between subnets within the same virtual network. Adjust your network security group rules as needed to control this traffic flow and observe how quickly the changes take effect.
Hub and Spoke Topology Construction
The hub-and-spoke network topology is the most commonly recommended architecture for enterprise Azure deployments, and designing and implementing it is a central topic in the AZ-700 exam. This exercise involves creating a hub virtual network and two spoke virtual networks, then connecting them through virtual network peering. Create a hub virtual network with an address space of 10.0.0.0/16 that will host shared services such as firewalls, VPN gateways, and management infrastructure. Create two spoke virtual networks using address spaces of 10.1.0.0/16 and 10.2.0.0/16 respectively, each representing a different application or business unit workload.
Configure virtual network peering between the hub and each spoke, ensuring that you enable the Allow Gateway Transit option on the hub side of each peering and the Use Remote Gateways option on the spoke side. These settings are required if you want spoke virtual networks to use a VPN or ExpressRoute gateway deployed in the hub, and they represent one of the most commonly tested configuration details in the AZ-700 exam. After configuring peering, deploy a virtual machine in each spoke network and verify connectivity between the spoke virtual machines. By default, spoke virtual machines cannot communicate with each other directly through peering because Azure virtual network peering is not transitive. Observing this behavior directly, and then implementing a solution such as an Azure Firewall or a user-defined route through the hub to enable spoke-to-spoke communication, provides deep practical understanding of how hub-and-spoke routing works.
User-Defined Route Configuration
User-defined routes allow Azure administrators to override the default routing behavior of Azure virtual networks, directing traffic through specific network appliances or gateways rather than following Azure's built-in system routes. This capability is essential in hub-and-spoke architectures where spoke-to-spoke traffic must be inspected by a firewall in the hub before reaching its destination. In this exercise, create a route table and add a custom route that directs all traffic destined for the second spoke's address space through a network virtual appliance or Azure Firewall deployed in the hub. Associate this route table with the subnet in the first spoke where your test virtual machine resides.
After configuring the route table, verify the effective routes on the network interface of the test virtual machine using the Effective Routes view in the Azure portal. This view shows all routes that are currently active on the network interface, combining system routes, gateway routes, and user-defined routes into a single prioritized list. Confirm that your custom route appears in the effective routes and that it has the correct next hop type and next hop address. Test traffic flow from the first spoke to the second spoke and use Azure Network Watcher connection troubleshoot to trace the path that traffic takes through the network. Understanding how to read and interpret effective routes is a skill that appears directly in AZ-700 exam scenarios and is equally valuable for diagnosing routing problems in production environments.
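An added Python example (not part of the article) that reproduces the route selection behind the Effective Routes view: longest prefix match, with a user-defined route overriding a system route of the same prefix and the overridden one shown as Invalid. The spoke, hub and firewall addresses are constructed, and the second user-defined route covers the 0.0.0.0/0 case that the Azure Firewall exercise on this page relies on.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop_type: str          # VnetLocal, VNetPeering, VirtualNetworkGateway,
                                # Internet, VirtualAppliance or None
    next_hop_ip: Optional[str]  # only set for VirtualAppliance routes
    source: str                 # "Default" (system), "VirtualNetworkGateway" (BGP) or "User"


# On an equal prefix length Azure prefers routes in this order.
SOURCE_RANK = {"User": 0, "VirtualNetworkGateway": 1, "Default": 2}


def system_routes(vnet_space: str, peered_spaces: Iterable[str] = (),
                  onprem_prefixes: Iterable[str] = ()) -> List[Route]:
    """Build the routes Azure creates for a subnet that has no route table."""
    routes = [Route(vnet_space, "VnetLocal", None, "Default"),
              Route("0.0.0.0/0", "Internet", None, "Default")]
    # Private ranges are dropped by default unless a more specific route exists.
    for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10"):
        routes.append(Route(p, "None", None, "Default"))
    for s in peered_spaces:
        routes.append(Route(s, "VNetPeering", None, "Default"))
    for p in onprem_prefixes:  # learned through a VPN or ExpressRoute gateway
        routes.append(Route(p, "VirtualNetworkGateway", None, "VirtualNetworkGateway"))
    return routes


def select_route(routes: List[Route], destination: str) -> Route:
    """Pick the route Azure would use: longest prefix match, then user-defined
    beats BGP beats system when the prefix lengths are equal."""
    dst = ipaddress.ip_address(destination)
    candidates = [r for r in routes if dst in ipaddress.ip_network(r.prefix)]
    return max(candidates, key=lambda r: (ipaddress.ip_network(r.prefix).prefixlen,
                                          -SOURCE_RANK[r.source]))


def effective_routes(routes: List[Route]) -> List[Tuple[Route, str]]:
    """Reproduce the Effective Routes view: a system or BGP route whose exact
    prefix also exists as a user-defined route is listed as Invalid."""
    user_prefixes = {r.prefix for r in routes if r.source == "User"}
    return [(r, "Invalid" if r.source != "User" and r.prefix in user_prefixes else "Active")
            for r in routes]


# Constructed scenario: spoke1 (10.1.0.0/16) is peered with the hub
# (10.0.0.0/16) only; spoke2 is 10.2.0.0/16; a firewall in the hub is 10.0.1.4.
SPOKE1_SYSTEM = system_routes("10.1.0.0/16", peered_spaces=["10.0.0.0/16"])
SPOKE1_UDRS = [
    Route("10.2.0.0/16", "VirtualAppliance", "10.0.1.4", "User"),  # spoke-to-spoke via hub
    Route("0.0.0.0/0", "VirtualAppliance", "10.0.1.4", "User"),    # internet egress via firewall
]


def next_hop(destination: str, with_udrs: bool) -> Tuple[str, Optional[str]]:
    """Next hop for a spoke1 VM, with or without the route table associated."""
    routes = SPOKE1_SYSTEM + (SPOKE1_UDRS if with_udrs else [])
    r = select_route(routes, destination)
    return r.next_hop_type, r.next_hop_ip


if __name__ == "__main__":
    # Without the UDR, spoke2 traffic hits 10.0.0.0/8 -> None: peering is not transitive.
    for dest in ("10.2.0.5", "10.0.1.4", "10.1.1.9", "8.8.8.8"):
        print(dest, "without UDR:", next_hop(dest, False), " with UDR:", next_hop(dest, True))
    for route, state in effective_routes(SPOKE1_SYSTEM + SPOKE1_UDRS):
        print(f"{state:7} {route.source:22} {route.prefix:16} {route.next_hop_type}")
```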
VPN Gateway Deployment Exercise
Azure VPN Gateway provides encrypted connectivity between Azure virtual networks and on-premises networks or between different Azure virtual networks using the IPsec/IKE protocol. Deploying a VPN gateway in the hub virtual network of your lab environment is an important hands-on exercise for AZ-700 preparation, though it requires patience as VPN gateway deployment typically takes 30 to 45 minutes to complete. Deploy a VPN gateway in the GatewaySubnet of your hub virtual network, selecting the VpnGw1 or VpnGw2 SKU depending on the features and throughput you want to practice with. The gateway SKU determines which VPN protocol versions, connection speeds, and high availability configurations are supported.
To simulate an on-premises environment for VPN connectivity testing, create a second Azure virtual network in a different region with a non-overlapping address space and deploy a VPN gateway in that network as well. This two-gateway configuration allows you to create a VNet-to-VNet connection that behaves similarly to a site-to-site VPN connection between Azure and an on-premises environment. Configure the local network gateways on each side to represent the remote network, then create the VPN connection objects and verify that the connections enter a connected state. Deploy virtual machines on both sides of the connection and verify end-to-end connectivity by pinging between them. This exercise provides direct experience with the connection objects, shared keys, and routing configurations that the AZ-700 exam tests in VPN scenarios.
Azure DNS Zone Configuration
DNS configuration is a frequently tested topic in the AZ-700 exam that spans both Azure-provided DNS services and the integration of custom DNS solutions. This exercise covers the creation and configuration of both public and private DNS zones in Azure. Begin by creating a public DNS zone for a domain name you control or a test domain, then add several record types including A records, CNAME records, and MX records to familiarize yourself with the record management interface. Observe how the Azure DNS name servers assigned to your zone differ from the default Azure name servers, and understand how you would delegate a real domain to Azure DNS by updating the NS records at your domain registrar.
Private DNS zones are more directly relevant to most AZ-700 exam scenarios and deserve particular attention. Create a private DNS zone and link it to your hub and spoke virtual networks using virtual network links with auto-registration enabled for the hub. With auto-registration enabled, Azure automatically creates DNS records in the private zone for virtual machines deployed in the linked virtual network, eliminating the need to manually manage DNS records as virtual machines are created and deleted. Deploy a virtual machine in one of your spoke networks and verify that an A record is automatically created in the private DNS zone. Then verify that the virtual machine can resolve the hostnames of other virtual machines using the private DNS zone, confirming that the name resolution configuration is working correctly end-to-end.
Azure Load Balancer Implementation
Azure Load Balancer distributes inbound network traffic across multiple backend virtual machines to ensure that no single instance becomes overwhelmed and that the application remains available even if individual virtual machines fail. The AZ-700 exam covers both public and internal load balancers, and this exercise provides hands-on experience with both types. Begin with an internal load balancer deployed in the workload subnet of your hub virtual network. Create a backend pool containing two or more virtual machines, configure a health probe that checks whether the virtual machines are responding on a specific port, and create a load balancing rule that distributes TCP traffic on port 80 across the backend pool.
After configuring the internal load balancer, install a simple web server on each backend virtual machine and verify that requests sent to the load balancer's frontend IP address are distributed across the backend virtual machines. Simulate a virtual machine failure by stopping one of the backend virtual machines and observe how the load balancer's health probe detects the failure and stops sending traffic to the unavailable instance. This behavior, known as health-based routing, is a fundamental characteristic of Azure Load Balancer that the exam tests. Then configure a public load balancer that exposes a service to the internet, noting the differences in configuration compared to the internal load balancer including the requirement for a public IP address as the frontend and the option to configure outbound rules that control how backend virtual machines access the internet through the load balancer.
Azure Application Gateway Configuration
Azure Application Gateway is a layer seven load balancer that makes routing decisions based on HTTP and HTTPS request attributes such as URL paths, host headers, and cookies, enabling more sophisticated traffic distribution patterns than are possible with a layer four load balancer. This exercise involves deploying an Application Gateway and configuring it to route traffic to different backend pools based on the URL path of incoming requests. Create an Application Gateway in a dedicated subnet of your hub virtual network, noting that Application Gateway requires a dedicated subnet that cannot contain any other resources. Configure two backend pools representing different application components, such as an API service and a web frontend.
Configure path-based routing rules in the Application Gateway that direct requests with a path beginning with /api to the API backend pool and all other requests to the web frontend pool. After configuring and testing path-based routing, add a Web Application Firewall policy to the Application Gateway and observe how WAF rules can be configured to detect and block common web attack patterns such as SQL injection and cross-site scripting attempts. The AZ-700 exam tests candidates on the differences between Application Gateway SKUs, the configuration of routing rules and HTTP settings, and the integration of WAF capabilities, all of which this exercise addresses through direct hands-on experience. Testing your configuration by sending requests with different URL paths and verifying that they reach the correct backend pools reinforces the practical understanding that exam scenarios demand.
Azure Front Door and Traffic Manager
Azure Front Door and Azure Traffic Manager are two global traffic management services that serve different use cases and operate at different layers of the network stack. Azure Front Door is a global layer seven service that provides application acceleration, SSL offloading, and URL-based routing for web applications hosted in multiple Azure regions. Azure Traffic Manager is a DNS-based traffic routing service that distributes traffic across endpoints in different regions based on routing methods such as performance, weighted, priority, and geographic routing. Understanding the differences between these services and when to use each one is a key competency tested in the AZ-700 exam.
In this exercise, deploy simple web applications in two different Azure regions and configure both Azure Front Door and Azure Traffic Manager to distribute traffic across them. For Azure Front Door, configure an origin group containing both regional deployments, enable health probing to detect regional availability, and observe how Front Door routes requests to the nearest healthy origin based on latency. For Azure Traffic Manager, create a profile using performance-based routing and add endpoints corresponding to each regional deployment. Use the Traffic Manager endpoint monitoring feature to observe how the service detects endpoint health and adjusts DNS responses accordingly. Comparing the behavior of these two services side by side in a real deployment provides the practical context needed to answer exam questions that ask candidates to select the appropriate global traffic management solution for a given set of requirements.
Private Endpoint and Private Link
Azure Private Link allows services such as Azure Storage, Azure SQL Database, and Azure Kubernetes Service to be accessed from within a virtual network using a private IP address rather than a public endpoint, eliminating the exposure of traffic to the public internet. Private endpoints are the network interface resources through which private link connectivity is established, and configuring them correctly is a topic that the AZ-700 exam tests in multiple scenarios. In this exercise, create an Azure Storage account and deploy a private endpoint that connects the storage account to the workload subnet of your hub virtual network.
After creating the private endpoint, observe that a DNS record is automatically created in the private DNS zone associated with your virtual network, mapping the storage account's public hostname to the private IP address of the private endpoint. Connect to a virtual machine in the workload subnet and verify that DNS resolution for the storage account returns the private endpoint IP address rather than the public IP address. Attempt to access the storage account from within the virtual machine and confirm that the connection succeeds through the private endpoint. Then attempt to access the same storage account from a virtual machine in a peered spoke network to observe how private endpoint DNS resolution behaves across peered virtual networks. This behavior, particularly the DNS resolution aspects of private endpoints, is one of the more nuanced topics in the AZ-700 exam and benefits greatly from direct hands-on investigation.
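The following added Python model (not from the article or from Azure) walks the public CNAME chain and the linked private zone the way the Azure-provided resolver does, and shows the outcome of the peered-spoke check: a spoke without its own virtual network link keeps resolving the public address until the zone is linked to it as well. The storage account name, cluster name, IP addresses and VNet names are constructed.

```python
from typing import Dict, List, Optional, Set, Tuple

# Constructed public DNS data modelling the CNAME chain Azure publishes for a
# storage account that has a private endpoint (account name, cluster name and
# the public IP 203.0.113.10 are made up for this example).
PUBLIC_DNS: Dict[str, Tuple[str, str]] = {
    "labstore.blob.core.windows.net": ("CNAME", "labstore.privatelink.blob.core.windows.net"),
    "labstore.privatelink.blob.core.windows.net": ("CNAME", "blob.example-cluster.store.core.windows.net"),
    "blob.example-cluster.store.core.windows.net": ("A", "203.0.113.10"),
}

# The private DNS zone created with the private endpoint: zone -> {label: IP}.
# 10.0.1.5 is the constructed private endpoint address in the workload subnet.
PRIVATE_ZONES: Dict[str, Dict[str, str]] = {
    "privatelink.blob.core.windows.net": {"labstore": "10.0.1.5"},
}

# Virtual network links: zone -> VNets linked to it. Peering does not carry a
# link across; every VNet that should see the private address needs its own.
ZONE_LINKS: Dict[str, Set[str]] = {"privatelink.blob.core.windows.net": {"hub-vnet"}}


def link_zone(zone: str, vnet: str) -> None:
    ZONE_LINKS.setdefault(zone, set()).add(vnet)


def linked_zone_for(name: str, vnet: str) -> Optional[str]:
    """Return the private zone that covers name and is linked to vnet, if any."""
    for zone, vnets in ZONE_LINKS.items():
        if vnet in vnets and (name == zone or name.endswith("." + zone)):
            return zone
    return None


def resolve(name: str, vnet: str, max_hops: int = 8) -> Tuple[Optional[str], List[str]]:
    """Resolve name as the Azure-provided resolver (168.63.129.16) would for a
    VM in vnet. Returns (ip or None, trace of each lookup step)."""
    trace: List[str] = []
    for _ in range(max_hops):
        zone = linked_zone_for(name, vnet)
        if zone is not None:
            # A linked zone is authoritative for its names: the resolver answers
            # from the zone and does not fall back to public DNS, so a missing
            # record yields NXDOMAIN rather than the public address.
            label = "@" if name == zone else name[: -len(zone) - 1]
            ip = PRIVATE_ZONES.get(zone, {}).get(label)
            trace.append(f"{name}: private zone {zone} -> {ip or 'NXDOMAIN'}")
            return ip, trace
        rec = PUBLIC_DNS.get(name)
        if rec is None:
            trace.append(f"{name}: public NXDOMAIN")
            return None, trace
        rtype, value = rec
        trace.append(f"{name}: public {rtype} {value}")
        if rtype == "A":
            return value, trace
        name = value  # follow the CNAME and resolve the next name
    trace.append("CNAME chain too long")
    return None, trace


if __name__ == "__main__":
    for vnet in ("hub-vnet", "spoke1-vnet"):
        ip, steps = resolve("labstore.blob.core.windows.net", vnet)
        print(vnet, "->", ip, "|", " ; ".join(steps))
```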
ExpressRoute Gateway Configuration Practice
ExpressRoute provides dedicated private connectivity between on-premises networks and Azure, bypassing the public internet entirely to deliver consistent bandwidth and lower latency than is achievable with internet-based VPN connections. While most candidates preparing for the AZ-700 exam will not have access to a real ExpressRoute circuit, practicing the configuration of ExpressRoute gateways and understanding the associated concepts through documentation and simulation exercises is still highly valuable. In this exercise, deploy an ExpressRoute gateway in the GatewaySubnet of your hub virtual network, selecting an appropriate gateway SKU based on the bandwidth and redundancy requirements described in a practice scenario.
Study the configuration of ExpressRoute circuit objects, peering configurations, and the connection objects that link circuits to virtual network gateways. Understand the difference between private peering, which connects to Azure virtual networks, and Microsoft peering, which connects to Microsoft online services such as Office 365. Practice configuring route filters that control which Microsoft peering routes are advertised to the on-premises network, as this is a specific configuration task that appears in AZ-700 exam questions. Also practice the configuration of ExpressRoute Global Reach, which allows on-premises networks connected to different ExpressRoute circuits to communicate with each other through the Microsoft backbone network without routing traffic through Azure virtual networks. While you may not be able to test end-to-end ExpressRoute connectivity without a real circuit, understanding the configuration objects and their relationships through careful study and partial hands-on practice is sufficient for exam preparation purposes.
Network Monitoring with Network Watcher
Azure Network Watcher is the primary tool for monitoring, diagnosing, and gaining insight into Azure network infrastructure, and proficiency with its capabilities is directly tested in the AZ-700 exam. This exercise covers the full range of Network Watcher diagnostic tools through hands-on use in your lab environment. Begin with the topology view, which generates a visual diagram of your virtual network resources and their relationships. This view provides a high-level confirmation that your network architecture matches your design intent and is useful for identifying unexpected resource configurations.
Practice using the connection monitor feature to continuously test connectivity between specific source and destination endpoints, recording latency, packet loss, and connection success rates over time. Configure a connection monitor between virtual machines in different spokes of your hub-and-spoke topology and observe how the metrics change when you modify route tables or network security group rules that affect the path between them. Also practice using the packet capture feature, which allows you to capture network traffic on a virtual machine network interface for offline analysis. Triggering a packet capture, generating some network traffic, downloading the capture file, and analyzing it in a tool such as Wireshark provides direct experience with a diagnostic workflow that is valuable both for the exam and for real-world troubleshooting scenarios.
Azure Firewall Deployment and Policy
Azure Firewall is a managed cloud-native network security service that provides stateful inspection, threat intelligence-based filtering, and application-level traffic control for Azure virtual networks. Deploying Azure Firewall in the hub of a hub-and-spoke topology and using it as the central inspection point for all traffic flowing between spokes and to the internet is a common enterprise architecture pattern that the AZ-700 exam tests extensively. Deploy an Azure Firewall instance in a dedicated AzureFirewallSubnet within your hub virtual network. This subnet must be named exactly AzureFirewallSubnet and must be at least a /26.
After deploying Azure Firewall, create firewall policies that define the rules controlling which traffic is allowed and denied. Configure application rules that allow specific FQDN destinations for outbound internet traffic from spoke virtual machines, network rules that permit specific IP and port combinations for lateral traffic between spokes, and DNAT rules that translate public IP addresses to private endpoint addresses for inbound traffic scenarios. Update the user-defined routes in your spoke subnets to direct all traffic through the Azure Firewall as the next hop, then test traffic flows and verify that they are correctly permitted or denied according to your rule configuration. Review the firewall logs in Azure Monitor to observe how allowed and denied traffic appears in the diagnostic data, practicing the log analysis skills that the exam tests in troubleshooting scenarios.
Comprehensive Lab Review and Exam Readiness
After completing the individual exercises described throughout this article, spending time reviewing the complete lab environment as a unified architecture is a valuable consolidation activity. Draw a network diagram that captures every resource deployed during the exercises, including virtual networks, subnets, gateways, load balancers, firewalls, private endpoints, and DNS zones, along with the IP addresses assigned to each. Verify that this diagram matches the actual configuration in the Azure portal by cross-referencing each element. This review activity reinforces architectural thinking and helps identify any configuration gaps or inconsistencies that should be corrected before moving to exam preparation.
Use this consolidated lab environment to practice troubleshooting scenarios by deliberately introducing configuration problems and attempting to diagnose and resolve them using only the tools available in the Azure portal and Network Watcher. For example, remove a required route from a route table and observe the effect on traffic flows before using the effective routes tool to identify the missing route. Modify a network security group rule to block traffic that should be allowed and use the IP flow verify tool to identify the blocking rule. These self-directed troubleshooting exercises develop the diagnostic instincts that the AZ-700 exam tests in its scenario-based questions. Candidates who can quickly identify the likely cause of a network problem and know which tool to use for confirmation will handle the exam's troubleshooting scenarios with confidence and accuracy.
Conclusion
Hands-on practice is the most effective preparation strategy for the AZ-700 exam, and the exercises presented in this article collectively cover every major domain of the examination through direct engagement with real Azure networking services. The progression from foundational virtual network creation through advanced topics such as Azure Firewall policy configuration, ExpressRoute gateway deployment, and private endpoint DNS resolution mirrors the depth and breadth of knowledge that the exam expects. Candidates who work through these exercises systematically and take the time to understand not just how to perform each configuration step but why each configuration decision matters will develop the architectural judgment that distinguishes a strong AZ-700 candidate from one who has only memorized product documentation.
The value of hands-on preparation extends well beyond the examination itself. Every exercise in this article represents a skill that Azure networking professionals use in real deployments, and the confidence that comes from having actually built these configurations in a real environment translates directly into better performance on the job. When a candidate who has personally deployed a hub-and-spoke topology with Azure Firewall and user-defined routes encounters a routing problem in a production environment, they bring a depth of understanding to the diagnosis that no amount of reading can replicate. The AZ-700 certification validates this depth of understanding, and the hands-on preparation approach is what builds it.
As Azure networking continues to evolve with new services, updated capabilities, and emerging architectural patterns, the foundational skills developed through these exercises remain relevant and valuable. Understanding how virtual networks, routing, security controls, and connectivity services interact provides a mental model that makes it easier to evaluate and adopt new Azure networking capabilities as they are introduced. Professionals who invest in building this foundational depth through hands-on practice will find that their knowledge stays current with less effort because new features build on concepts they already understand thoroughly. The AZ-700 certification and the hands-on preparation that earns it represent an investment in professional capability that pays returns throughout a career in Azure networking and cloud infrastructure design.