MCA Microsoft Certified Associate Azure Network Engineer Study Guide - Puthiyavan Udayakumar - E-Book

MCA Microsoft Certified Associate Azure Network Engineer Study Guide E-Book

Puthiyavan Udayakumar

Description

Prepare to take the NEW Exam AZ-700 with confidence and launch your career as an Azure Network Engineer

Not only does MCA Microsoft Certified Associate Azure Network Engineer Study Guide: Exam AZ-700 help you prepare for your certification exam, it takes a deep dive into the role and responsibilities of an Azure Network Engineer, so you can learn what to expect in your new career. You'll also have access to additional online study tools, including hundreds of bonus practice exam questions, electronic flashcards, and a searchable glossary of important terms. Prepare smarter with Sybex's superior interactive online learning environment and test bank.

Exam AZ-700, Designing and Implementing Microsoft Azure Networking Solutions, measures your ability to design, implement, manage, secure, and monitor technical tasks such as hybrid networking; core networking infrastructure; routing; networks; and private access to Azure services. With this in-demand certification, you can qualify for jobs as an Azure Network Engineer, where you will work with solution architects, cloud administrators, security engineers, application developers, and DevOps engineers to deliver Azure solutions.

This study guide covers 100% of the objectives and all key concepts, including:

* Design, Implement, and Manage Hybrid Networking
* Design and Implement Core Networking Infrastructure
* Design and Implement Routing
* Secure and Monitor Networks
* Design and Implement Private Access to Azure Services

If you're ready to become the go-to person for recommending, planning, and implementing Azure networking solutions, you'll need certification with Exam AZ-700. This is your one-stop study guide to feel confident and prepared on test day. Trust the proven Sybex self-study approach to validate your skills and to help you achieve your career goals!


Page count: 1015

Year of publication: 2022




Table of Contents

Cover

Title Page

Copyright

Dedication

Acknowledgments

About the Authors

About the Technical Editor

Table of Exercises

Introduction

What Is Azure?

About the AZ-700 Certification Exam

Why Become a Certified Microsoft Azure Network Engineer Associate?

Preparing to Become a Certified Microsoft Azure Network Engineer Associate

How to Become a Microsoft Certified Azure Network Engineer

Who Should Buy This Book

How This Book Is Organized

Interactive Online Learning Environment and Test Bank

Conventions Used in This Book

Using This Book

AZ-700 EXAM OBJECTIVES

Skill Measured: Design, Implement, and Manage Hybrid Networking

Skill Measured: Design and Implement Core Networking Infrastructure

Skill Measured: Design and Implement Routing

Skill Measured: Secure and Monitor Networks

Skill Measured: Design and Implement Private Access to Azure Services

How to Contact the Publisher

Assessment Test

Answers to Assessment Test

Chapter 1: Getting Started with AZ-700 Certification for Azure Networking

Basics of Cloud Computing and Networking

Microsoft Azure Overview

Azure Virtual Network

Configure Public IP Services

Configuring Domain Name Services

Configuring Cross-Virtual Network Connectivity with Peering

Configuring Virtual Network Traffic Routing

Configuring Internet Access with Azure Virtual NAT

Summary

Exam Essentials

Hands-On Lab: Design and Deploy a Virtual Network via the Azure Portal

Review Questions

Chapter 2: Design, Deploy, and Manage a Site-to-Site VPN Connection and Point-to-Site VPN Connection

Overview of Azure VPN Gateway

Designing an Azure VPN Connection

Choosing a Virtual Network Gateway SKU for Site-to-Site VPN

Using Policy-Based VPNs vs. Route-Based VPNs

Building and Configuring a Virtual Network Gateway

Building and Configuring a Local Network Gateway

Building and Configuring an IPsec/IKE Policy

Configuration Workflow

Diagnosing and Resolving VPN Gateway Connectivity Issues

Choosing a VNet Gateway SKU for Point-to-Site VPNs

Configuring RADIUS, Certificate-Based, and Azure AD Authentication

Diagnosing and Resolving Client-Side and Authentication Issues

Summary

Exam Essentials

Review Questions

Chapter 3: Design, Deploy, and Manage Azure ExpressRoute

Getting Started with Azure ExpressRoute

Choosing Between the Network Service Provider and ExpressRoute Direct

Designing and Deploying Azure Cross-Region Connectivity between Multiple ExpressRoute Locations

Choosing an Appropriate ExpressRoute SKU and Tier

Designing and Deploying ExpressRoute Global Reach

Deploying ExpressRoute Global Reach

Designing and Deploying ExpressRoute FastPath

Evaluate Private Peering Only, Microsoft Peering Only, or Both

Setting Up Private Peering

Setting Up Microsoft Peering

Building and Configuring an ExpressRoute Gateway

Connect a Virtual Network to an ExpressRoute Circuit

Recommend a Route Advertisement Configuration

Configure Encryption over ExpressRoute

Deploy Bidirectional Forwarding Detection

Diagnose and Resolve ExpressRoute Connection Issues

Summary

Exam Essentials

Review Questions

Chapter 4: Design and Deploy Core Networking Infrastructure: Private IP and DNS

Designing Private IP Addressing for VNets

Deploying a VNet

Preparing Subnetting for Services

Configuring Subnetting for Services

Preparing and Configuring a Subnet Delegation

Planning and Configuring Subnetting for Azure Route Server

Designing and Configuring Public DNS Zones

Creating an Azure DNS Zone and Record Using PowerShell

Designing and Configuring Private DNS Zones

Designing Name Resolution Inside a VNet

Linking a Private DNS Zone to a VNet

Summary

Exam Essentials

Review Questions

Chapter 5: Design and Deploy Core Networking Infrastructure and Virtual WANs

Overview of Virtual Network Peering, Service Chaining, and Gateway Transit

Design VPN Connectivity between VNets

Deploy VNet Peering

Design an Azure Virtual WAN Architecture

Choosing SKUs and Services for Virtual WANs

Connect a VNet Gateway to an Azure Virtual WAN and Build a Hub in a Virtual WAN

Build a Virtual Network Appliance (NVA) in a Virtual Hub

Set Up Virtual Hub Routing

Build a Connection Unit

Summary

Exam Essentials

Review Questions

Chapter 6: Design and Deploy VNet Routing and Azure Load Balancer

Design and Deploy User-Defined Routes

Associate a Route Table with a Subnet

Set Up Forced Tunneling

Diagnose and Resolve Routing Issues

Design and Deploy Azure Route Server

Choosing an Azure Load Balancer SKU

Choosing Between Public and Internal Load Balancers

Build and Configure an Azure Load Balancer (Including Cross-Region)

Deploy a Load Balancing Rule

Build and Configure Inbound NAT Rules

Build Explicit Outbound Rules for a Load Balancer

Summary

Exam Essentials

Review Questions

Chapter 7: Design and Deploy Azure application gateway, Azure front door, and Virtual NAT

Azure Application Gateway Overview

Scaling Options for Application Gateway and WAF

Overview of Application Gateway Deployment

Redirection Overview

Features and Capabilities of Azure Front Door SKUs

SSL Termination and End-to-End SSL Encryption

Multisite Listeners

Back-Ends, Back-End Pools, Back-End Host Headers, and Back-End Health Probes

Routing and Routing Rules

URL Redirection and URL Rewriting in Front Door Standard and Premium

Design and Deploy Traffic Manager Profiles

Traffic Manager Routing Methods

Virtual Network NAT

Associate a Virtual Network NAT with a Subnet

Summary

Exam Essentials

Review Questions

Chapter 8: Design, Deploy, and Manage Azure Firewall and Network Security Groups

Azure Firewall and Firewall Manager Features

Build and Configure an Azure Firewall Deployment

Azure Firewall Policy

Build and Configure a Secure Hub within an Azure Virtual WAN Hub

Integrate an Azure Virtual WAN Hub with a Third-Party Network Virtual Appliance

Create and Attach a Network Security Group to a Resource

Create an Application Security Group and Attach It to a NIC

Create and Configure NSG Rules and Read Network Security Group Flow Logs

Validate NSG Flow Rules

Verify IP Flow

Summary

Exam Essentials

Review Questions

Chapter 9: Design and Deploy Azure Web Application Firewall and Monitor Networks

Azure Web Application Firewall Functions and Features

Set Up Detection or Prevention Mode

Azure Front Door WAF Policy Rule Sets

Application Gateway WAF Policy Rule Sets

Deploy and Attach WAF Policies

Set Up Network Health Alerts and Logging Using Azure Monitor

Build and Configure Azure Network Watcher

Build and Configure a Connection Monitor Instance

Build, Configure, and Use Traffic Analytics

Build and Configure NSG Flow Logs

Enable and Set Up Diagnostic Logging

Summary

Exam Essentials

Review Questions

Chapter 10: Design and Deploy Private Access to Azure Services

Overview of Private Link Services and Private Endpoints

Plan Private Endpoints

Configure Access to Private Endpoints

Integrate Private Link with DNS and Private Link Services with On-Premises Clients

Set Up Service Endpoints and Configure Service Endpoint Policies

Overview of Service Tags and Access to Service Endpoints

Integrating App Services into Regional VNets

Configure Azure Kubernetes Service (AKS) for Regional VNet Integration

Configure Clients to Access the App Service Environment

Summary

Exam Essentials

Review Questions

Appendix: Answers to Review Questions

Chapter 1: Getting Started with AZ-700 Certification for Azure Networking

Chapter 2: Design, Deploy, and Manage a Site-to-Site VPN Connection and Point-to-Site VPN Connection

Chapter 3: Design, Deploy, and Manage Azure ExpressRoute

Chapter 4: Design and Deploy Core Networking Infrastructure: Private IP and DNS

Chapter 5: Design and Deploy Core Networking Infrastructure and Virtual WANs

Chapter 6: Design and Deploy VNet Routing and Azure Load Balancer

Chapter 7: Design and Deploy Azure application gateway, Azure front door, and Virtual NAT

Chapter 8: Design, Deploy, and Manage Azure Firewall and Network Security Groups

Chapter 9: Design and Deploy Azure Web Application Firewall and Monitor Networks

Chapter 10: Design and Deploy Private Access to Azure Services

Index

End User License Agreement

List of Tables

Chapter 1

TABLE 1.1 Azure geography

TABLE 1.2 Azure region

TABLE 1.3 Public IP address for key Azure Network Services (Part 1)

TABLE 1.4 Public IP address for Key Azure Network Services (Part 2)

TABLE 1.5 Azure default system routes

TABLE 1.6 Azure optional default routes

Chapter 2

TABLE 2.1 Planning table

TABLE 2.2 Microsoft-validated VPN devices and device configuration

TABLE 2.3 Gateway SKUs by tunnel, connection, and throughput

TABLE 2.4 Gateway SKU by feature set

TABLE 2.5 Supported list of cryptographic algorithms

TABLE 2.6 VNet gateway SKU for point-to-site VPNs

TABLE 2.7 Point-to-site VPN IKEv2 policies

TABLE 2.8 Point-to-site VPN IPsec policies

Chapter 3

TABLE 3.1 Difference between ExpressRoute and ExpressRoute Direct

TABLE 3.2 Azure ExpressRoute regions and location availability

TABLE 3.3 Comparison of gateway SKUs

TABLE 3.4 Comparison of Peering

Chapter 4

TABLE 4.1 Azure services hosted on a dedicated subnet or shared

TABLE 4.2 Name resolution solutions

Chapter 5

TABLE 5.1 Custom roles

TABLE 5.2 Virtual WAN SKU comparison

Chapter 6

TABLE 6.1 Default Routes

TABLE 6.2 Optional default route

TABLE 6.3 Azure load balancing services

TABLE 6.4 Azure Load Balancer SKU comparison

TABLE 6.5 Azure outbound connectivity

Chapter 7

TABLE 7.1 Overview of the Azure Application Gateway and WAF SKUs

TABLE 7.2 Default health probe configuration

TABLE 7.3 Custom health probe configuration

TABLE 7.4 Front Door Standard vs. Front Door Premium

TABLE 7.5 Front Door Standard and Front Door Premium Feature comparison

TABLE 7.6 Health Probe responses

TABLE 7.7 Routing methods

Chapter 8

TABLE 8.1 Key features of Azure Firewall Standard

TABLE 8.2 Key features of Azure Firewall Premium

TABLE 8.3 Features of the Azure Firewall Manager

TABLE 8.4 Three Types of Rules

TABLE 8.5 Key configuration for NAT rules

TABLE 8.6 Key configuration for network rules

TABLE 8.7 Key configuration for application rules

TABLE 8.8 Types of virtual hubs

TABLE 8.9 Features offered by NVAs deployed through the virtual WAN hub

TABLE 8.10 Azure regions currently offering NVA in virtual hubs

TABLE 8.11 Property and description for NSG

TABLE 8.12 NSG default rules

Chapter 9

TABLE 9.1 Default Rule Set 2.0 rule groups

TABLE 9.2 Default Rule Set 1.1

TABLE 9.3 Default Rule Set 1.0

TABLE 9.4 Bot Rules

TABLE 9.5 Custom rule fields and descriptions

TABLE 9.6 Supported custom status codes

TABLE 9.7 Core rule set 3.2

TABLE 9.8 Core rule set 3.1

TABLE 9.9 Core rule set 3.0

TABLE 9.10 Core rule set 2.2.9

TABLE 9.11 Custom rule fields and descriptions

Chapter 10

TABLE 10.1 Service provider action for Private Endpoints

TABLE 10.2 Subset of supported tags

TABLE 10.3 Service tag supports

TABLE 10.4 Full range of addresses per CIDR block

TABLE 10.5 Role-based access control permission

TABLE 10.6 Kubenet versus Azure CNI

List of Illustrations

Chapter 1

FIGURE 1.1 Cloud networks

FIGURE 1.2 Network classification

FIGURE 1.3 OSI model compared to TCP/IP model

FIGURE 1.4 The building blocks of Azure

FIGURE 1.5 Azure global infrastructure logical view

FIGURE 1.6 Overview of Azure Network Services

FIGURE 1.7 Cross-virtual network connectivity with peering

FIGURE 1.8 Hub-spoke deployment model

FIGURE 1.9 Step-by-step workflow

FIGURE 1.10 Azure portal

FIGURE 1.11 Azure portal: Virtual Network

FIGURE 1.12 Create Virtual Network: Basics

FIGURE 1.13 Create Virtual Network: IP Addresses

FIGURE 1.14 Create Virtual Network: Review + Create

FIGURE 1.15 Azure portal

FIGURE 1.16 Azure portal: Virtual Network

FIGURE 1.17 Create Virtual Network: Basics

FIGURE 1.18 Azure portal

FIGURE 1.19 Azure portal: Virtual Network

FIGURE 1.20 Create Virtual Network: Basics

FIGURE 1.21 Virtual Network: Validate

Chapter 2

FIGURE 2.1 Single-site VPN connection

FIGURE 2.2 Multiple-site VPN connection

FIGURE 2.3 Point-to-site VPN connection

FIGURE 2.4 VNet-to-VNet VPN connection

FIGURE 2.5 VPN gateway redundancy

FIGURE 2.6 Multiple on-premises VPN devices

FIGURE 2.7 Active/active VPN gateway

FIGURE 2.8 Dual-redundancy: active/active VPN gateway

FIGURE 2.9 Highly available VNet-to-VNet

FIGURE 2.10 VPN gateway connection

FIGURE 2.11 Point-to-site VPN connection with Azure

FIGURE 2.12 Point-to-site configuration

FIGURE 2.13 Tunnel types

FIGURE 2.14 Point-to-site VPN

FIGURE 2.15 Point-to-site configuration: Tunnel Type

FIGURE 2.16 Point-to-site configuration: Authentication Type

FIGURE 2.17 Point-to-site configuration: Root Certificate

FIGURE 2.18 Authenticating using Active Directory domain server (AD DS)

Chapter 3

FIGURE 3.1 ExpressRoute circuits

FIGURE 3.2 ExpressRoute with MSEE

FIGURE 3.3 ExpressRoute with cloud exchange co-location

FIGURE 3.4 ExpressRoute with a point-to-point Ethernet connection

FIGURE 3.5 ExpressRoute with any-to-any (IPVPN) connection

FIGURE 3.6 ExpressRoute Direct connection

FIGURE 3.7 An ExpressRoute circuit optimized to maximize its availability

FIGURE 3.8 NAT choices for Microsoft peering

FIGURE 3.9 Geo-redundant ExpressRoute connectivity

FIGURE 3.10 ExpressRoute path selection using more specific route advertisem...

FIGURE 3.11 ExpressRoute path selection using connection weight

FIGURE 3.12 ExpressRoute path selection with AS path prepended

FIGURE 3.13 Two different Azure regions via ExpressRoute circuits in two dif...

FIGURE 3.14 Disaster recovery—choice 1

FIGURE 3.15 Disaster recovery—choice 2

FIGURE 3.16 ExpressRoute without Global Reach

FIGURE 3.17 ExpressRoute Circuits in Microsoft Global network Without global...

FIGURE 3.18 Peering types

FIGURE 3.19 ExpressRoute shared deployment mode

Chapter 4

FIGURE 4.1 Subnetting: example building blocks

FIGURE 4.2 NSG planning

FIGURE 4.3 Azure Route Server with an SD-WAN NVA

FIGURE 4.4 Design principles of Azure public DNS zones

FIGURE 4.5 Azure DNS zone example

FIGURE 4.6 Private DNS resolution

Chapter 5

FIGURE 5.1 Service chaining

FIGURE 5.2 Virtual network peering using Gateway Transit

FIGURE 5.3 Azure peering nontransparency

FIGURE 5.4 Hub-and-spoke model

FIGURE 5.5 VPN connectivity deployment model

FIGURE 5.6 VNet-to-VNet VPN connection in the same region

FIGURE 5.7 VNet-to-VNet VPN connection in different regions

FIGURE 5.8 Virtual WAN building blocks

FIGURE 5.9 Virtual WAN connectivity

FIGURE 5.10 Global transit network with Virtual WAN

FIGURE 5.11 Hub-to-hub connectivity

FIGURE 5.12 Virtual WAN traffic paths 1, 2, and 3

FIGURE 5.13 Virtual WAN traffic paths 4, 5, and 6

FIGURE 5.14 Virtual WAN traffic paths 7 and 8

FIGURE 5.15 Virtual WAN traffic paths 9 and 10

FIGURE 5.16 Virtual WAN traffic paths 11 and 12

FIGURE 5.17 Virtual WAN traffic path 13

FIGURE 5.18 Workflow for Azure Virtual WAN deployment

FIGURE 5.19 Workflow for establishing a Virtual WAN

FIGURE 5.20 Workflow for establishing a connection to Azure using a user VPN...

FIGURE 5.21 Workflow for establishing an Azure connection over an ExpressRou...

Chapter 6

FIGURE 6.1 Network routing overview

FIGURE 6.2 Forced tunneling

FIGURE 6.3 Three-tier VNet demonstrates UDR

FIGURE 6.4 Route Server Design Pattern 1

FIGURE 6.5 Route Server Design Pattern 2

FIGURE 6.6 Route Server design with VNet peering pattern

FIGURE 6.7 Dual-home network with Route Server

FIGURE 6.8 Dual-homed networks with ExpressRoute

FIGURE 6.9 Route Server path type

FIGURE 6.10 Azure Load Balancer overview

FIGURE 6.11 Azure load balancing services

FIGURE 6.12 Decision chart for Azure load balancing

FIGURE 6.13 Zone load balancer

FIGURE 6.14 Zone-redundant load balancer

FIGURE 6.15 Load balancer building block

FIGURE 6.16 Cross-regional load balancer

Chapter 7

FIGURE 7.1 Application Gateway overview

FIGURE 7.2 Building blocks of Application Gateway

FIGURE 7.3 Redirection types supported

FIGURE 7.4 Routing rules supported by Application Gateway

FIGURE 7.5 Request and response header's logical flow

FIGURE 7.6 Rewrite logical workflow

FIGURE 7.7 Rewrite configuration's logical flow

FIGURE 7.8 Front Door design pattern

FIGURE 7.9 Azure Traffic Manager Overview

FIGURE 7.10 Priority-based traffic routing

FIGURE 7.11 Weighted-based traffic routing

FIGURE 7.12 Performance-based traffic routing

FIGURE 7.13 Geographic-based traffic routing

FIGURE 7.14 Architecture overview of Azure Traffic Manager (ATM)

FIGURE 7.15 Virtual network NAT benefits

FIGURE 7.16 High-level workflow to deploy NAT

FIGURE 7.17 NAT gateway with a public load balancer

FIGURE 7.18 NAT gateway with a public load balancer at instance level

Chapter 8

FIGURE 8.1 Azure Firewall Standard overview

FIGURE 8.2 Azure Firewall Premium overview

FIGURE 8.3 Azure Firewall Manager overview

FIGURE 8.4 Azure Firewall deployment architecture overview

FIGURE 8.5 Azure Firewall for one VNet

FIGURE 8.6 Azure Firewall Policy management

FIGURE 8.7 Overview of the NIC ASG attachment

Chapter 9

FIGURE 9.1 Azure WAF overview

FIGURE 9.2 Types of Azure WAF rules

FIGURE 9.3 Azure Monitor overview

FIGURE 9.4 Azure Monitor alerts

FIGURE 9.5 Azure Monitor: Networks

FIGURE 9.6 Network Watcher overview

FIGURE 9.7 Connection Monitor overview

FIGURE 9.8 Log Analytics workspace's data flow

Chapter 10

FIGURE 10.1 Overview of Azure Private Link and Azure service endpoint

FIGURE 10.2 Overview of Private Endpoints

FIGURE 10.3 Private Endpoint enablement process

FIGURE 10.4 Workloads on virtual networks without a custom DNS server

FIGURE 10.5 Hub-and-spoke networking topology

FIGURE 10.6 Workloads that use a DNS forwarder on-premises

FIGURE 10.7 On-premises workloads using a DNS forwarder

FIGURE 10.8 DNS forwarder for virtual network workloads and on-premises work...

FIGURE 10.9 Overview of Azure regional VNet integration

FIGURE 10.10 Azure Kubernetes Service (AKS) for regional VNet integration

FIGURE 10.11 Kubernetes overview

MCA Microsoft® Certified Associate Azure® Network Engineer Study Guide

Exam AZ-700

 

Puthiyavan Udayakumar

Kathiravan Udayakumar

 

 

Copyright © 2023 by John Wiley & Sons, Inc. All rights reserved.

Published by John Wiley & Sons, Inc., Hoboken, New Jersey.

Published simultaneously in Canada.

ISBN: 978-1-119-87292-4
ISBN: 978-1-119-87294-8 (ebk.)
ISBN: 978-1-119-87293-1 (ebk.)

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 750-4470, or on the web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at www.wiley.com/go/permission.

Trademarks: Wiley, the Wiley logo, and the Sybex logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates in the United States and other countries and may not be used without written permission. Microsoft and Azure are trademarks or registered trademarks of Microsoft Corporation in the United States and/or other countries. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.

Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Further, readers should be aware that websites listed in this work may have changed or disappeared between when this work was written and when it is read. Neither the publisher nor authors shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.

For general information on our other products and services or for technical support, please contact our Customer Care Department within the United States at (800) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002.

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic formats. For more information about Wiley products, visit our web site at www.wiley.com.

Library of Congress Control Number: 2022939051

Cover image: © Jeremy Woodhouse/Getty Images

Cover design: Wiley

To the Wiley team for all their support.

—Kathiravan Udayakumar

 

To my mother and father, who taught me everything.

To my beloved better half—thanks for everything you do for me in thriving in our life journey.

To my dearest brother and mentor of my lifetime.

—Puthiyavan Udayakumar

Acknowledgments

We want to express our sincere thanks to Sybex for continuing to support this project.

Although this book bears our name as authors, numerous people contributed to its design and development of the content. They helped make this book possible, or at best, it would be in a lesser form without them. Kenyon Brown was the acquisitions editor and so helped get the book started. Christine O'Connor, the managing editor, oversaw the book as it progressed through all its stages. Jon Buhagiar was the technical editor who checked the text for technical errors and omissions—but any remaining mistakes are our own. Tom Dinse, the development editor, helped keep the text understandable. Liz Welch, the copyeditor, helped keep the text grammatical. Barath Kumar Rajasekaran, content refinement specialist, and others from his team helped check the text for typos and shaped the content.

About the Authors

Puthiyavan Udayakumar is an infrastructure architect with over 14 years of experience in modernizing and securing IT infrastructure, including the cloud. He has been writing technical books for more than 10 years on various infrastructure and security domains. He has designed, deployed, and secured IT infrastructure out of on-premises and the cloud, including servers, networks, storage, and desktops for various industries, such as pharmaceutical, banking, healthcare, aviation, and federal entities. He is an Open Group Master Certified Architect (Open CA).

Kathiravan Udayakumar is Head of Delivery & Chief Architect for Oracle Digital Technologies (Europe Practice) at Cognizant, covering various elements of the technology stack in on-premises and the cloud. He has over 18 years of experience in architecture, design, implementation, administration, and integration with greenfield IT systems, ERP, cloud platforms, and solutions across various business domains and industries. He has a passion for networking from his undergraduate studies and has a Cisco Certified Network Associate (CCNA). He also proposed protocols for optimal routings in complex networks, DRIP (Differential Routing Information Protocol) to avoid pinhole congestion in his undergraduate thesis.

About the Technical Editor

Jon Buhagiar (Network+, A+, CCNA, MCSA, MCSE, BS/ITM) is an information technology professional with two decades of experience in higher education. During the past 22 years he has been responsible for network operations at Pittsburgh Technical College and has led several projects, such as virtualization (server and desktop), VoIP, Microsoft 365, and many other projects supporting the quality of education at the college. He has achieved several certifications from Cisco, CompTIA, and Microsoft and has taught many of the certification paths. He is the author of several books, including Sybex's CompTIA A+ Complete Study Guide: Exam 220-1101 and Exam 220-1102 (2022), CompTIA Network+ Review Guide: Exam N10-008 (2021), and CCNA Certification Practice Tests: Exam 200-301 (2020).

Table of Exercises

Exercise 1.1: Deploying a Virtual Network with the Azure Portal
Exercise 1.2: Setting Up Azure Az PowerShell
Exercise 1.3: Deploying a Route Table with the Azure Portal
Exercise 1.4: Deploying a Route Using the Azure Portal
Exercise 2.1: Creating a Virtual Network Gateway in the Azure Portal
Exercise 2.2: Creating a Local Network Gateway in the Azure Portal
Exercise 2.3: Creating and Configuring an IPsec/IKE Policy for a VPN Gateway Connection
Exercise 2.4: Resetting the Azure VPN via the Azure Portal
Exercise 2.5: Building a Point-to-Site VPN Using Azure Active Directory
Exercise 2.6: Building a Point-to-Site VPN Using Active Directory Domain Server (AD DS)
Exercise 3.1: Creating a Network Gateway Subnet in the Azure Portal
Exercise 3.2: Creating a Virtual Network Gateway in the Azure Portal
Exercise 3.3: Troubleshoot Azure ExpressRoute Connectivity
Exercise 4.1: Deploying a Virtual Network in Azure via Azure Cloud Shell
Exercise 4.2: Adding a Subnet via the Azure Portal
Exercise 4.3: Changing a Subnet via the Azure Portal
Exercise 4.4: Deleting a Subnet via the Azure Portal
Exercise 4.5: Delegating a Subnet
Exercise 4.6: Removing a Subnet Delegation
Exercise 4.7: Creating an Azure DNS Zone and Record Using PowerShell
Exercise 4.8: Creating a DNS Zone and Record with PowerShell in Azure
Exercise 4.9: Configuring a Virtual Network Link
Exercise 5.1: Configuring User-Defined Routing via the Azure Portal
Exercise 5.2: Create a Virtual WAN Using the Azure Portal
Exercise 5.3: Create a Virtual HUB in a Virtual WAN Using the Azure Portal
Exercise 5.4: Connect a Virtual Network to a Virtual WAN Hub Using the Azure Portal
Exercise 5.5: Connect a VNet Gateway to Azure Virtual WAN
Exercise 5.6: Create an NVA via the Azure Portal
Exercise 5.7: Create a Route Table via the Azure Portal
Exercise 6.1: Configure User-Defined Routing Using the Azure Portal
Exercise 6.2: Change User-Defined Routing Settings Using the Azure Portal
Exercise 6.3: Associate a Route Table with a Subnet Using the Azure Portal
Exercise 6.4: Use User-Defined Routes to Create a Route Table That Adds a Default Route and Associates the Route Table with a Subnet to Enable Forced Tunneling
Exercise 6.5: Configure Azure Load Balancing Rules via the Azure Portal
Exercise 6.6: Configure Azure Load Balancing Inbound NAT Rules via the Azure Portal
Exercise 6.7: Configure Azure Load Balancing Outbound Rules via the Azure Portal
Exercise 7.1: Design and Deploy an Azure Application Gateway via the Azure Portal
Exercise 7.2: Deploy Front Door for Web Applications with a High-Availability Design Pattern
Exercise 7.3: Build a Traffic Manager Profile
Exercise 7.4: Create a NAT Gateway
Exercise 7.5: Associate a VNet NAT with a Subnet
Exercise 8.1: Deploy Network Prerequisites: Develop a Resource Group
Exercise 8.2: Deploy Network Prerequisites: Deploy a Virtual Network via the Azure Portal
Exercise 8.3: Deploy Network Prerequisites: Create a Virtual Machine
Exercise 8.4: Deploy an Azure Firewall
Exercise 8.5: Configure the Outbound Default Route Through the Azure Firewall
Exercise 8.6: Configure an Application Rule
Exercise 8.7: Create DNAT Rule
Exercise 8.8: Create a Network Security Group
Exercise 8.9: Attach a Network Security Group to a Resource
Exercise 8.10: Create a New Application Security Group
Exercise 8.11: Create a New Application Group
Exercise 8.12: Create Network Security Group Rules
Exercise 8.13: IP Flow Verify Using the Azure Portal
Exercise 9.1: Set Up Detection or Prevention Mode Using the Azure Portal
Exercise 9.2: Set Up Rule Sets for Front Door Using the Azure Portal
Exercise 9.3: Set Up Rule Sets for Azure Application Gateway Using the Azure Portal
Exercise 9.4: Set Up Rule Sets for a WAF Policy Using the Azure Portal
Exercise 9.5: Set Up Network Health Alerts Using the Azure Portal
Exercise 9.6: Build and Configure an Azure Network Watcher
Exercise 9.7: Build and Configure a Connection Monitor Instance
Exercise 9.8: Build and Configure an NSG Flow Log Using the Azure PowerShell
Exercise 9.9: Build and Configure NSG Flow Logs Using the Azure Portal
Exercise 10.1: Set Up a Private Link Service and Private Endpoints
Exercise 10.2: Create a Private Endpoint Using the Azure Portal
Exercise 10.3: Create a Subnet
Exercise 10.4: Enable a Service Endpoint
Exercise 10.5: Bind Network Access to Azure PaaS Resources

Introduction

Welcome to MCA Microsoft® Certified Associate Azure® Network Engineer Study Guide. This book offers a firm grounding for Microsoft's Exam AZ-700: Designing and Implementing Microsoft Azure Networking Solutions. This introduction provides a basic overview of this book and the Microsoft Certified Associate AZ-700 exam.

What Is Azure?

Organizations worldwide can become more digitally connected with Microsoft Azure, and networking can transform their processes. In a cloud environment, networking as a service provides scale, speed, elasticity, and managed oversight to customers. The network engineer's role continues to evolve in the cloud landscape as professionals migrate workloads to the cloud, manage hybrid connectivity, empower remote workers, and support strategic scenario-led digital transformations.

About the AZ-700 Certification Exam

The AZ-700 certification exam tests your knowledge and understanding of Microsoft Azure networking solutions. Specifically, the certification aims to validate your expertise in designing, deploying, and maintaining Azure networking solutions, including hybrid networking, routing, security, connectivity, and private access to Azure services.

You will be tested on your ability to translate requirements into secure, scalable, and reliable cloud network designs and to deploy networking solutions.

Why Become a Certified Microsoft Azure Network Engineer Associate?

Would you like to demonstrate your Microsoft Azure networking skills and experience to your company or clients by planning, designing, deploying, and managing their Azure networking solutions?

Because Microsoft certification is a globally recognized and industry-endorsed proof of mastering real-world skills, those with such a certification are known to be more productive and efficient. Microsoft certifications differentiate you by proving your broad set of skills and experience with current Microsoft network solutions.

A Microsoft certification exam is a great way to demonstrate your level of expertise and build your résumé. You can validate your product knowledge and experience by taking the Microsoft certification AZ-700 exam.

During and following the COVID-19 pandemic that began in 2020, many testing organizations changed their on-site testing procedures, some even offering remote exam proctoring. In light of this, be sure you check with Microsoft's website and the provider where you plan to take the exam prior to registration and again prior to exam day for the latest, up-to-the-minute changes in exam site procedures.

Preparing to Become a Certified Microsoft Azure Network Engineer Associate

Exam takers should have expertise in planning, implementing, and maintaining Azure networking solutions because the exam benchmarks your ability in these areas: hybrid networking; core networking infrastructure; routing; networking; and VPN access to Azure services.

The best preparation for the exam is study combined with hands-on practice. By studying this book, you will learn the necessary information and skills to prepare for the Azure Network Engineer Associate Certification AZ-700.

We recommend planning to devote 10 weeks or so of intensive study for the AZ-700 exam. Here are some recommendations to maximize your learning time; you can modify this list as necessary based on your own learning experiences:

Get hands on with the Azure portal daily, read articles about Azure, and learn Azure networking terminology.

Take one or two evenings to read each chapter in this book and work through its review materials.

Answer all the review questions and take the practice exam provided on the book's website.

Complete the exercises for each chapter.

Review the Microsoft Azure AZ-700 skills measured on Microsoft's page for this exam at:

https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4PaHw

You'll find a “skills measured” section on every exam and Microsoft certification page. Listed below are the primary skills that will be assessed for the AZ-700 exam. A detailed outline can be downloaded from the Microsoft site for this exam.

Design, implement and manage hybrid networking.

Design and implement core networking infrastructure.

Design and implement routing.

Secure and monitor networks.

Design and implement private access to Azure services.

Use the flashcards included with the online study tools for this book to reinforce your understanding of concepts.

Take free hands-on learning courses on Microsoft Learn at:

https://docs.microsoft.com/en-us/learn/paths/design-implement-microsoft-azure-networking-solutions-az-700

Read the Microsoft Azure documentation at:

https://docs.microsoft.com/en-us/azure/?product=popular

How to Become a Microsoft Certified Azure Network Engineer

You can register for your exam from the Microsoft Certification AZ-700 exam details page once you are prepared:

https://docs.microsoft.com/en-us/learn/certifications/exams/az-700

On the certification details page, you'll find the choice to register in the “Schedule Exam” section.

You can take the exam online or at a local testing center, so you need to choose a test center or use online proctoring. There are advantages to each. Local test centers provide a secure environment. By taking your exam online, you can take it almost anywhere at any time. However, a reliable connection and a secure browser are required. When you take your test online, your system will first be checked to be sure it meets the requirements.

Who Should Buy This Book

Anybody who wants to pass the Microsoft AZ-700 exams will benefit from reading this book. If you're new to Azure networking, this book covers the material you will need to learn starting from the basics. It continues by providing the knowledge you need up to a proficiency level sufficient to pass the AZ-700 exams. You can pick up this book and learn from it even if you've never used Azure networking before, although you'll find it an easier read if you've at least casually used networking or virtual networking for a few days. If you're already familiar with networking, this book can serve as a review and a refresher course for the information you might not be entirely aware of. Reading this book will help you pass the Microsoft AZ-700 exams in either case.

This book is written with the assumption that you know at least a little bit about Azure and basic networking: what it is, and specifically what virtual machines, TCP/IP, the Domain Name System (DNS), virtual private networks (VPNs), firewalls, software-defined networking (SDN), wide area networks (WANs), and encryption technologies are. We also assume that you know some basics about creating Azure login accounts or setting up your Azure subscription. You can still use this book to fill in gaps in your knowledge.

How This Book Is Organized

This book consists of 10 chapters plus supplementary information. The chapters are organized as follows:

Chapter 1, “Getting Started with AZ-700 Certification for Azure Virtual Networking,” covers the basics of cloud networking, introduction to Azure virtual networks, configuring public IP address services, designing name resolution for your virtual network, enabling cross-virtual network connectivity with peering, deploying virtual network traffic routing, and configuring Internet access with Azure virtual NAT.

Chapter 2, “Design, Deploy, and Manage a Site-to-Site VPN Connection and Point-to-Site VPN Connection,” covers designing a site-to-site VPN connection, building and configuring a virtual network gateway, how to choose a virtual network (VNet) gateway SKU that is appropriate for your network, how to use policy-based VPN versus route-based VPN, building and configuring a local network gateway and IPsec/IKE policy, preparing and configuring RADIUS authentication, certificate-based authentication, OpenVPN authentication, and Azure Active Directory authentication, deploying a VPN client configuration file, diagnosing and resolving VPN gateway connectivity issues, and diagnosing and resolving client-side and authentication issues.

Chapter 3, “Design, Deploy, and Manage Azure ExpressRoute,” covers how to choose between the network service provider and direct model (ExpressRoute Direct), designing and deploying Azure cross-region connectivity between multiple ExpressRoute locations, how to choose an appropriate ExpressRoute SKU and tier, designing and deploying ExpressRoute Global Reach, designing and deploying ExpressRoute FastPath, evaluating between private peering only, Microsoft peering only, or both, how to set up private peering, how to set up Microsoft peering, building and configuring an ExpressRoute gateway, connecting a virtual network to an ExpressRoute circuit, recommending a route advertisement configuration, configuring encryption over ExpressRoute, deploying bidirectional forwarding detection, and diagnosing and resolving ExpressRoute connection issues.

Chapter 4, “Design and Deploy Core Networking Infrastructure: Private IP and DNS,” covers designing private IP addressing to VNets, deploying a VNet, preparing and configuring subnetting for services, including VNet gateways, Private Endpoints, firewalls, application gateways, and VNet-integrated platform services, preparing and configuring subnet delegation, designing public and private DNS zones, designing name resolution inside a VNet, and joining a private DNS zone to a VNet.

Chapter 5, “Design and Deploy Core Networking Infrastructure and Virtual WANs,” covers designing service chaining inclusive of gateway transit, designing VPN connectivity between VNets, deploying VNet peering, designing an Azure virtual WAN architecture, how to choose SKUs and services, connecting a VNet gateway to Azure virtual WANs, building a hub in a virtual WAN, building a virtual network appliance (NVA) in a virtual hub, setting up virtual hub routing, and building a connection unit.

Chapter 6, “Design and Deploy VNet Routing and Azure Load Balancer,” covers designing and deploying user-defined routes (UDRs), attaching a route table with a subnet, setting up forced tunneling, diagnosing and resolving routing issues, how to choose an Azure Load Balancer SKU, how to choose between public and internal Azure Load Balancer, building and configuring an Azure Load Balancer (including cross-region), deploying a load balancing rule, building and configuring inbound NAT rules, and building explicit outbound rules for a load balancer.

Chapter 7, “Design and Deploy Azure Application Gateway, Azure Front Door, and Virtual NAT,” covers defining Azure Application Gateway deployment options, how to choose between manual and autoscale, building a back-end pool, building and configuring health probes, listeners, and routing rules, building and configuring HTTP settings and Transport Layer Security (TLS), how to choose an Azure Front Door SKU, setting up health probes, including customization of HTTP response codes, setting up SSL termination and end-to-end SSL encryption, setting up multisite listeners, back-end targets, and routing rules, including redirection rules, building a routing method (mode), endpoints and HTTP settings, how to use a virtual network NAT, allocating public IP or public IP address prefixes for a NAT gateway, and associating a virtual network NAT with a subnet.

Chapter 8, “Design, Deploy, and Manage Azure Firewall and Network Security Groups,” covers designing, building, and configuring an Azure firewall deployment, building and configuring Azure firewall rules and policies, building and configuring a secure hub within an Azure virtual WAN hub, integrating an Azure virtual WAN hub with a third-party NVA, creating an NSG and attaching it to a resource, creating an application security group (ASG) and attaching it to a NIC, creating and configuring NSG rules, reading NSG flow logs, validating NSG flow rules, and verifying IP address flow.

Chapter 9, “Design and Deploy Azure Web Application Firewall and Monitor Networks,” covers setting up Detection or Prevention mode, setting up rule sets for Azure Front Door, including Microsoft-managed and user-defined, setting up rule sets for Application Gateway, including Microsoft-managed and user-defined, deploying and attaching WAF policies, setting up network health alerts and logging by using Azure Monitor, building and configuring a Connection Monitor instance, building, configuring, and using traffic analytics, building and configuring NSG flow logs, enabling diagnostic logging, and Azure Network Watcher.

Chapter 10, “Design and Deploy Private Access to Azure Services,” covers setting up a Private Link service and Private Endpoints, preparing Private Endpoints, building and configuring access to remote endpoints, integrating Private Link with DNS and with on-premises clients, setting up service endpoints and configuring service endpoint policies, building service tags and access to service endpoints, building app service for regional VNet integration, building Azure Kubernetes Service (AKS) for regional VNet integration, and building clients to access App Service Environment.

Chapter Features

Each chapter begins with a list of the Azure Network Engineer Associate AZ-700 exam objectives covered in that chapter. Note that the book doesn't cover the goals in order. Thus, you shouldn't be alarmed at some of the odd ordering of the objectives within the book.

The exercises within each chapter are intended to reinforce the content just learned. We have listed a few elements you can use to prepare for the exam for each chapter:

Exam Essentials: This section aims to provide an overview of the critical information presented in the chapter. It should be possible for you to complete each task or convey the information requested.

Review Questions: There are 20 review questions at the end of each chapter. The answers to these questions are provided in the Appendix at the back of the book; you can check your answers there. You should review the chapter or the sections you are having trouble understanding if you can't answer at least 80 percent of these questions correctly.

 

The review questions, assessment test, and other testing elements included in this book are not derived from the AZ-700 exam questions, so don't memorize the answers to these questions and assume that doing so will enable you to pass the exam. You should learn the underlying topic, as described in the text of the book. This will let you answer the questions provided with this book and pass the exam. Learning the underlying topic is also the approach that will serve you best in the workplace—the goal of a certification like AZ-700.

To get the most out of this book, you should read each chapter from start to finish and then check your memory and understanding with the chapter-end elements. Even if you're already familiar with a topic, you should skim the chapter; Azure networking is complex enough that there are often multiple ways to accomplish a task, so you may learn something even if you're already competent in an area.

Interactive Online Learning Environment and Test Bank

We've put together some great online tools to help you pass the AZ-700 exam. The interactive online learning environment that accompanies MCA Microsoft® Certified Associate Azure® Network Engineer Study Guide provides a test bank and study tools to help you prepare for the exam.

Items available among these companion files include the following:

Practice Tests: All of the questions in this book appear in our proprietary digital test engine—including the 30-question assessment test at the end of this introduction, a 65-question practice exam, and the 200 questions that make up the review question sections at the end of each chapter. In addition, there is a 30-question bonus exam.

Electronic “Flashcards”: The digital companion files include 100 questions in flashcard format (a question followed by a single correct answer). You can use these to review your knowledge of the AZ-700 exam objectives.

Glossary: The key terms from this book, and their definitions, are available as a fully searchable PDF.

 


You can access all these resources at www.wiley.com/go/sybextestprep. Once there, select your book from the list, complete the registration, including the question to show you own the book, and you will be emailed your personal PIN code. When you receive the PIN code, follow the directions in the email or go to www.wiley.com/go/sybextestprep where you will activate the PIN code and sign up for an account or add your new book to an existing account.

Conventions Used in This Book

This book uses certain typographic styles in order to help you quickly identify important information and to avoid confusion over the meaning of words such as on-screen prompts. In particular, look for the following styles:

Italicized text indicates key terms that are described at length for the first time in a chapter. (Italics are also used for emphasis.)

A monospaced font indicates the contents of configuration files, messages displayed at a text-mode Linux shell prompt, filenames, text-mode command names, and Internet URLs.

Italicized monospaced text indicates a variable—information that differs from one system or command run to another, such as the name of a client computer or a process ID number.

Bold monospaced text is information that you're to type into the computer, for example at a shell prompt. This text can also be italicized to indicate that you should substitute an appropriate value for your system.

In addition to these text conventions, which can apply to individual words or entire paragraphs, a few conventions highlight segments of text:

A tip provides information that can save you time or frustration and that may not be entirely obvious. A tip might describe how to get around a limitation or how to use a feature to perform an unusual task.

A note indicates information that's useful or interesting or provides additional relevant information that's somewhat peripheral to the main text.

Sidebars

A sidebar is like a note but longer. The information in a sidebar is useful, but it doesn't fit into the main flow of the text.

EXERCISES

An exercise is a procedure you should try out on your own Azure environment to help you learn about the material in the chapter. Don't limit yourself to the procedures described in the exercises, though! Try other PowerShell commands and procedures to really learn about Azure networking.

Using This Book

To get the most out of this book, all you need is an Azure subscription (paid), and a connection to the Internet, which is required to use and practice the online exercises for this book.

In addition to its web-based console, the Azure portal is available for desktop, tablet, and mobile devices. JavaScript must be enabled on your browser to use the portal. Make sure you use the latest browser for your operating system.

There are detailed explanations of real-world examples and scenarios included in this book covering all AZ-700 networking exam objectives. With this exam reference, IT network professionals will learn the critical thinking and decision-making skills they need to succeed.

While we have made every effort to ensure this book is as accurate as possible, Azure is constantly changing. In this book, some screenshots referring to the Azure portal may look different from what you see on your monitor because the Azure portal is different now than it was when the book was published. Additionally, minor interface changes, a name change, and so forth might have taken place as well.

As a network engineer, your responsibilities include designing and deploying Azure networking solutions. You're expected to maintain performance, resiliency, scale, and security of networking solutions. This book will help you design, deploy, and manage networking solutions using the Azure portal, PowerShell, Azure command-line interface, and Azure Resource Manager (ARM) templates.

For those preparing for the examination, this book will provide prescriptive guidance.

While this book covers all the topics found on the exam, you won't find every question that might appear in the real exam. We cannot cover specific questions because only Microsoft examination team members have access to exam questions, and Microsoft continuously adds new exam questions. So view this book as a complement to your related real-world experience and other study materials.

Technology Requirements

In addition to a paid Azure subscription and a connection to the Internet, the following are good to have for going through the book easily:

An Azure Subscription (must have): You can sign up by visiting https://azure.microsoft.com.

PowerShell: Run $PSVersionTable.PSVersion to check which version of PowerShell you have installed. You must have PowerShell 7.0.6 LTS or PowerShell 7.1.3 or higher.

Azure PowerShell Module: Download the latest PowerShell module for Azure networking modules. You will not have it all by default.

Azure PowerShell: To run PowerShell, a Windows 10 or 11 machine with 4 GB of RAM is sufficient.

AZ-700 EXAM OBJECTIVES

The structure of this book follows Microsoft's published “Exam AZ-700: Designing and Implementing Microsoft Azure Networking Solutions – Skills Measured” document (available at https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4OV0k). AZ-700 covers the following five major topic areas:

Subject Area: % of Exam
Design, Implement, and Manage Hybrid and Private Networking: 10%–15%
Design and Implement Core Networking Infrastructure: 20%–25%
Design and Implement Routing: 25%–30%
Secure and Monitor Networks: 15%–20%
Design and Implement Private Access to Azure Services: 10%–15%

The book's 10 chapters are mapped to the Azure skills measured. The following tables show which chapter covers which objective.

Skill Measured: Design, Implement, and Manage Hybrid Networking

Exam Objective: Chapter
Introduction and Azure Networking Overview: 1
Design, implement, and manage a site-to-site VPN connection: 2
Design, implement, and manage a point-to-site VPN connection: 2
Design, implement, and manage Azure ExpressRoute: 3

Skill Measured: Design and Implement Core Networking Infrastructure

Exam Objective: Chapter
Design and implement private IP addressing for VNets: 4
Design and implement name resolution: 4
Design and implement cross-VNet connectivity: 5
Design and implement an Azure Virtual WAN architecture: 5

Skill Measured: Design and Implement Routing

Exam Objective: Chapter
Design, implement, and manage VNet routing: 6
Design and implement an Azure Load Balancer: 6
Design and implement Azure Application Gateway: 7
Implement Azure Front Door: 7
Implement an Azure Traffic Manager profile: 7
Design and implement an Azure Virtual Network NAT: 7

Skill Measured: Secure and Monitor Networks

Exam Objective: Chapter
Design, implement, and manage an Azure Firewall deployment: 8
Implement and manage network security groups (NSGs): 8
Implement a Web Application Firewall (WAF) deployment: 9
Monitor networks: 9

Skill Measured: Design and Implement Private Access to Azure Services

Exam Objective: Chapter
Design and implement Azure Private Link service and Azure Private Endpoint: 10
Design and implement service endpoints: 10
Configure VNet integration for dedicated platform as a service (PaaS) services: 10

Microsoft reserves the right to change exam domains and objectives without prior notice. The most up-to-date information can be found on the Microsoft website at:

https://docs.microsoft.com/en-us/learn/certifications/azure-network-engineer-associate

Like all exams, the MCA Azure Network Engineer certification from Microsoft is updated periodically and may eventually be retired or replaced. At some point after Microsoft is no longer offering this exam, the old editions of our books and online tools will be retired. If you have purchased this book after the exam was retired, or are attempting to register in the Sybex online learning environment after the exam was retired, please know that we make no guarantees that this exam’s online Sybex tools will be available once the exam is no longer available.

How to Contact the Publisher

If you believe you've found a mistake in this book, please bring it to our attention. At John Wiley & Sons, we understand how important it is to provide our customers with accurate content, but even with our best efforts an error may occur. In order to submit your possible errata, please email it to our Customer Service Team at [email protected] with the subject line “Possible Book Errata Submission.”

Assessment Test

Sybex wants to configure record types in Azure DNS. Which of the following are supported record types?

A

AAAA

CNAME

All the above

Sybex wants to create a VNet. Which of the following protocol(s) are supported in an Azure virtual network?

TCP

UDP

ICMP TCP/IP

All of the above

True or False: Sybex wants to use HTTP/2. Azure Front Door provides the support for this requirement.

True

False

Azure ExpressRoute will allow Sybex to connect its on-premises network to Microsoft's cloud. Which of the following options is not an ExpressRoute standard that Sybex can use?

Any to any connection

Site-to-site VPN

Point-to-site VPN

CloudExchange co-location

True or False: Customers want to move from standard to WAF SKU without downtime.

True

False

True or False: It is possible for Sybex to reserve a private IP address for a VM that they will create at a later time.

True

False

True or False: You can use global VNet peering with Azure Basic Load Balancer.

True

False

True or False: You can have ExpressRoute circuits from different service providers.

True

False

True or False: You want to create an always-on VPN. Active VPN profiles can connect automatically and remain connected based on triggers, such as user sign-in, network state change, or device screen activity. You can deploy this solution for Windows 10 users.

True

False

True or False: You want to use your own favorite network virtual appliance (in an NVA VNet) with Azure Virtual WAN. Azure virtual WAN can support this requirement.

True

False