AZ-700 Tomorrow! Last Minute Cheat Sheet

in #blog, 16 hours ago

⚡ AZ-700 Last-Minute Cheat Sheet (Brutal Edition)

🧠 1. Core Decision Tree (THIS is what you must run in your head)

Inbound global?
→ 🌍 Azure Front Door (Layer 7, global, HTTP/HTTPS)

Inbound regional?
→ ⚖️ Application Gateway (WAF, Layer 7)
→ ⚖️ Load Balancer (Layer 4, TCP/UDP)

Outbound scaling problem?
→ 🚀 NAT Gateway (always the best answer unless trick)

Private access to PaaS?
→ 🔒 Private Endpoint

Service accessible from subnet only?
→ 🔌 Service Endpoint

Hybrid connectivity?
→ 🧵 VPN = quick/cheap
→ 🧵 ExpressRoute = stable/private/high throughput


🔥 2. NAT Gateway (Exam Favorite)

👉 You WILL get this wrong if you hesitate.

Facts:

  • Takes precedence over Load Balancer outbound rules and instance-level public IPs for SNAT
  • Attached to a subnet (a subnet has at most one NAT gateway)
  • Provides 64,512 SNAT ports per public IP
  • Scales by adding public IPs or a public IP prefix (up to 16 addresses)

Trigger:

“many outbound connections / SNAT exhaustion / scale outbound”

✅ Answer = NAT Gateway

❌ Trap:

  • Load Balancer outbound rules → works, but port allocation is fixed per backend instance; inferior
  • Instance-level public IP → not scalable, and exposes the VM to inbound
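The NAT Gateway procedure as Azure CLI, added here as an example (not part of the original post). Resource names (rg-net, vnet-app, snet-app, natgw-app, pip-nat) are hypothetical; AZ_CMD exists so the functions can be exercised without a subscription by substituting the CLI binary.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): attach a NAT gateway to a subnet with Azure CLI.
# Assumed names (hypothetical): resource group rg-net, VNet vnet-app, subnet snet-app,
# public IP pip-nat, NAT gateway natgw-app. AZ_CMD lets a test substitute the CLI binary.
set -eu
AZ_CMD=${AZ_CMD:-az}

# Create the NAT gateway and associate it with the subnet.
# Each Standard public IP contributes 64,512 SNAT ports.
create_nat_gateway() {
  local rg=$1 vnet=$2 subnet=$3 natgw=$4 pip=$5
  "$AZ_CMD" network public-ip create -g "$rg" -n "$pip" --sku Standard --allocation-method Static
  "$AZ_CMD" network nat gateway create -g "$rg" -n "$natgw" --public-ip-addresses "$pip" --idle-timeout 4
  # Once associated, the NAT gateway takes precedence over LB outbound rules and
  # instance-level public IPs for every outbound flow leaving this subnet.
  "$AZ_CMD" network vnet subnet update -g "$rg" --vnet-name "$vnet" -n "$subnet" --nat-gateway "$natgw"
}

# Scale out: pass the full list of public IPs (update replaces the list, up to 16 addresses).
scale_nat_gateway() {
  local rg=$1 natgw=$2
  shift 2
  "$AZ_CMD" network nat gateway update -g "$rg" -n "$natgw" --public-ip-addresses "$@"
}

# Which subnets use the gateway and which IPs back it.
show_nat_gateway() {
  local rg=$1 natgw=$2
  "$AZ_CMD" network nat gateway show -g "$rg" -n "$natgw" \
    --query "{subnets: subnets[].id, publicIps: publicIpAddresses[].id}" -o json
}
```

Run `create_nat_gateway rg-net vnet-app snet-app natgw-app pip-nat` once logged in; when SNAT usage grows, create a second Standard public IP and call `scale_nat_gateway rg-net natgw-app pip-nat pip-nat-2`.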

🌐 3. Private Endpoint vs Service Endpoint

🔒 Private Endpoint (HIGH priority)

  • Gets private IP in your VNet
  • Uses Private DNS
  • Traffic stays on Microsoft backbone
  • Works with on-prem

👉 Trigger:

“secure / private / no public exposure / on-prem access”

✅ Answer = Private Endpoint


🔌 Service Endpoint

  • Extends the VNet identity to the service (the subnet becomes an allowed source)
  • Still uses the service's public endpoint; traffic stays on the Azure backbone
  • No private IP; not reachable from on-prem over VPN/ExpressRoute

👉 Trigger:

“restrict access to subnet only”


💀 Trap:

“must NOT traverse public internet”

→ ONLY Private Endpoint


🧱 4. NSG vs UDR vs Azure Firewall

NSG

  • Allow/Deny only, first match wins (lower priority number wins; default deny at 65500)
  • L3/L4 (5-tuple), stateful
  • No routing

UDR

  • Controls where traffic goes

👉 Trigger:

“force traffic through appliance”

→ UDR


Azure Firewall

  • L7 + FQDN filtering
  • Centralized security

👉 Trigger:

“inspect / log / control outbound domains”


💀 Trap combo:

“force all traffic through firewall”

✅ Answer = UDR + Firewall


🌍 5. Load Balancing Stack

Azure Front Door

  • Global
  • HTTP/HTTPS
  • WAF
  • CDN-like

Traffic Manager

  • DNS-based (returns an endpoint IP; the client connects directly)
  • Failover / geo / performance / weighted routing
  • Probes exist (HTTP/HTTPS/TCP), but failover waits for the DNS TTL; clients cache the answer

Application Gateway

  • Regional
  • WAF
  • Path-based routing

Load Balancer

  • TCP/UDP only
  • Ultra fast

💀 Trap:

“real-time failover”

→ NOT Traffic Manager (DNS cached)


🔗 6. VNet Peering & Hub-Spoke

Key flags:

Setting                  Meaning
Allow forwarded traffic  Needed when a hub NVA/firewall forwards traffic between spokes
Allow gateway transit    Hub shares its VPN/ER gateway
Use remote gateway       Spoke uses the hub's gateway

👉 Trigger:

“spokes use central VPN/ER”

✅ Hub: enable Allow gateway transit
✅ Spoke: enable Use remote gateway


💀 Trap:

  • Forgetting forwarded traffic → breaks routing
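The hub-spoke peering flags as Azure CLI, added here as an example (not part of the original post). Names (rg-net, vnet-hub, vnet-spoke) are hypothetical and the hub is assumed to already have a VPN or ExpressRoute gateway; AZ_CMD lets the functions be exercised without a subscription by substituting the CLI binary.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): hub-spoke peering with gateway transit.
# Assumed names (hypothetical): resource group rg-net, hub vnet-hub (already owns a
# VPN/ER gateway), spoke vnet-spoke. AZ_CMD lets a test substitute the CLI binary.
set -eu
AZ_CMD=${AZ_CMD:-az}

# A peering is two resources, one per direction, and each side sets its own flags.
# Hub: allow-gateway-transit shares its gateway. Spoke: use-remote-gateways consumes it.
# allow-forwarded-traffic on both sides so packets forwarded by a hub NVA/firewall
# (spoke-to-spoke via the hub) are not dropped as "not from the peer".
peer_hub_spoke() {
  local rg=$1 hub=$2 spoke=$3
  "$AZ_CMD" network vnet peering create -g "$rg" -n "$hub-to-$spoke" \
    --vnet-name "$hub" --remote-vnet "$spoke" \
    --allow-vnet-access --allow-forwarded-traffic --allow-gateway-transit
  "$AZ_CMD" network vnet peering create -g "$rg" -n "$spoke-to-$hub" \
    --vnet-name "$spoke" --remote-vnet "$hub" \
    --allow-vnet-access --allow-forwarded-traffic --use-remote-gateways
}

# Both peerings must report Connected. Initiated on one side means the
# reverse peering was never created.
peering_state() {
  local rg=$1 vnet=$2 name=$3
  "$AZ_CMD" network vnet peering show -g "$rg" --vnet-name "$vnet" -n "$name" \
    --query peeringState -o tsv
}
```

Two constraints worth remembering with this setup: a spoke can consume only one remote gateway, and a VNet that has its own gateway cannot set use-remote-gateways. Peering stays non-transitive, so spoke-to-spoke traffic still needs a UDR pointing at the hub NVA.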

🧵 7. VPN vs ExpressRoute

Feature     VPN      ExpressRoute
Internet    Yes      No
SLA         Lower    Higher
Speed       Lower    Higher

👉 Trigger:

“predictable latency / private / high throughput”

→ ExpressRoute


💀 Critical:

  • FastPath ONLY for ExpressRoute (data path bypasses the gateway)
  • Needs the UltraPerformance or ErGw3AZ gateway SKU

🧠 8. Azure DNS + Private DNS

Private Endpoint requires:

  • Private DNS zone
  • Link to VNet

👉 Trigger:

“name resolution fails after private endpoint”

✅ Fix = DNS zone + VNet link


💀 Trap:

  • Forgetting DNS = everything breaks
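Private Endpoint and Service Endpoint side by side as Azure CLI, covering sections 3 and 8 of this sheet, added here as an example (not part of the original post). Names (rg-net, vnet-app, snet-app, stexample01) are hypothetical; AZ_CMD lets the functions be exercised without a subscription by substituting the CLI binary.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): Private Endpoint vs Service Endpoint for a
# storage account's blob service. Assumed names (hypothetical): resource group rg-net,
# VNet vnet-app, subnet snet-app, storage account stexample01.
# AZ_CMD lets a test substitute the CLI binary.
set -eu
AZ_CMD=${AZ_CMD:-az}

# Option A: Private Endpoint. Private IP in the subnet, public access switched off,
# plus the Private DNS zone and VNet link without which name resolution breaks.
create_private_endpoint() {
  local rg=$1 vnet=$2 subnet=$3 sa=$4
  local sa_id
  sa_id=$("$AZ_CMD" storage account show -g "$rg" -n "$sa" --query id -o tsv)
  "$AZ_CMD" network private-endpoint create -g "$rg" -n "pe-$sa" \
    --vnet-name "$vnet" --subnet "$subnet" \
    --private-connection-resource-id "$sa_id" --group-id blob --connection-name "conn-$sa"
  # The zone name is fixed per service; link it to every VNet that must resolve it.
  "$AZ_CMD" network private-dns zone create -g "$rg" -n privatelink.blob.core.windows.net
  "$AZ_CMD" network private-dns link vnet create -g "$rg" -z privatelink.blob.core.windows.net \
    -n "link-$vnet" -v "$vnet" -e false
  # The zone group writes the endpoint's A record into the zone and keeps it updated.
  "$AZ_CMD" network private-endpoint dns-zone-group create -g "$rg" --endpoint-name "pe-$sa" \
    -n default --private-dns-zone privatelink.blob.core.windows.net --zone-name blob
  # Close the public door; only the private endpoint remains reachable.
  "$AZ_CMD" storage account update -g "$rg" -n "$sa" --public-network-access Disabled
}

# Option B: Service Endpoint. The subnet becomes an allowed source on the account's
# public endpoint; the account keeps its public IP and on-prem clients cannot use the rule.
create_service_endpoint() {
  local rg=$1 vnet=$2 subnet=$3 sa=$4
  "$AZ_CMD" network vnet subnet update -g "$rg" --vnet-name "$vnet" -n "$subnet" \
    --service-endpoints Microsoft.Storage
  "$AZ_CMD" storage account network-rule add -g "$rg" --account-name "$sa" \
    --vnet-name "$vnet" --subnet "$subnet"
  "$AZ_CMD" storage account update -g "$rg" -n "$sa" --default-action Deny
}
```

After Option A, a VM in vnet-app resolving stexample01.blob.core.windows.net should get a 10.x address from the subnet; if it still gets a public IP, the VNet link is missing or the VM uses a custom DNS server that does not forward to 168.63.129.16. Option B leaves the public IP in place, which is exactly why it fails the "must NOT traverse public internet" trap.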

🧪 9. Azure Firewall Gotchas

  • Requires a dedicated AzureFirewallSubnet, /26 minimum
  • Needs a Standard SKU static public IP
  • Can do DNAT, SNAT, network rules (L3/L4) and application rules (FQDN)

👉 Trigger:

“central secure outbound”
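The "UDR + Firewall" combo from sections 4 and 9 as Azure CLI, added here as an example (not part of the original post): a firewall in the hub with one FQDN allow rule, and a 0.0.0.0/0 route on the spoke subnet pointing at it. Names and address ranges (rg-net, vnet-hub 10.0.0.0/16, vnet-spoke with snet-app 10.1.0.0/24, fw-hub) are hypothetical; the `az network firewall` commands come from the azure-firewall CLI extension, and AZ_CMD lets the functions be exercised without a subscription by substituting the CLI binary.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): force a spoke subnet's default route through
# Azure Firewall and allow a single outbound FQDN. Assumed names (hypothetical): resource
# group rg-net, hub VNet vnet-hub (10.0.0.0/16), spoke VNet vnet-spoke, spoke subnet
# snet-app (10.1.0.0/24), firewall fw-hub. AZ_CMD lets a test substitute the CLI binary.
set -eu
AZ_CMD=${AZ_CMD:-az}

# Firewall: dedicated AzureFirewallSubnet (/26 minimum), Standard static public IP,
# and a policy whose application rule allows one FQDN over HTTPS from the spoke range.
create_firewall() {
  local rg=$1 hub=$2 fw=$3 spoke_cidr=$4
  "$AZ_CMD" network vnet subnet create -g "$rg" --vnet-name "$hub" -n AzureFirewallSubnet \
    --address-prefixes 10.0.1.0/26
  "$AZ_CMD" network public-ip create -g "$rg" -n "pip-$fw" --sku Standard --allocation-method Static
  "$AZ_CMD" network firewall policy create -g "$rg" -n "pol-$fw"
  "$AZ_CMD" network firewall policy rule-collection-group create -g "$rg" --policy-name "pol-$fw" \
    -n rcg-egress --priority 100
  "$AZ_CMD" network firewall policy rule-collection-group collection add-filter-collection \
    -g "$rg" --policy-name "pol-$fw" --rcg-name rcg-egress -n allow-updates \
    --collection-priority 100 --action Allow --rule-type ApplicationRule \
    --rule-name windows-update --source-addresses "$spoke_cidr" \
    --protocols Https=443 --target-fqdns "*.windowsupdate.com"
  "$AZ_CMD" network firewall create -g "$rg" -n "$fw" --sku AZFW_VNet --tier Standard \
    --firewall-policy "pol-$fw"
  "$AZ_CMD" network firewall ip-config create -g "$rg" -f "$fw" -n ipcfg \
    --public-ip-address "pip-$fw" --vnet-name "$hub"
}

# Routing: UDR 0.0.0.0/0 -> VirtualAppliance (firewall private IP) bound to the spoke subnet.
# Without the route the firewall sees nothing; without the firewall the route blackholes.
force_tunnel_subnet() {
  local rg=$1 fw=$2 spoke=$3 subnet=$4
  local fw_ip
  fw_ip=$("$AZ_CMD" network firewall ip-config list -g "$rg" -f "$fw" \
    --query "[0].privateIPAddress" -o tsv)
  "$AZ_CMD" network route-table create -g "$rg" -n "rt-$subnet" --disable-bgp-route-propagation true
  "$AZ_CMD" network route-table route create -g "$rg" --route-table-name "rt-$subnet" \
    -n default-via-fw --address-prefix 0.0.0.0/0 \
    --next-hop-type VirtualAppliance --next-hop-ip-address "$fw_ip"
  "$AZ_CMD" network vnet subnet update -g "$rg" --vnet-name "$spoke" -n "$subnet" \
    --route-table "rt-$subnet"
}

# Verify from a spoke VM's point of view: the next hop for an internet address
# must be VirtualAppliance with the firewall's private IP, not Internet.
show_next_hop() {
  local rg=$1 vm=$2 src_ip=$3 dst_ip=$4
  "$AZ_CMD" network watcher show-next-hop -g "$rg" --vm "$vm" --source-ip "$src_ip" --dest-ip "$dst_ip"
}
```

Order matters: create the firewall first, then the route, because the route needs the firewall's private IP and a 0.0.0.0/0 route to a next hop that does not exist yet drops all spoke traffic. An NSG on snet-app cannot do any of this; it can only permit or deny the flows that the UDR has already steered.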


🚪 10. Inbound vs Outbound Rules

Inbound:

  • Load Balancer
  • App Gateway
  • Front Door

Outbound:

  • NAT Gateway (BEST; takes precedence when both are configured on the subnet)
  • LB outbound rules (fallback; fixed port allocation per backend instance)

💀 11. Common Exam Traps (Read Carefully)

Trap 1:

“minimize latency globally”

❌ Traffic Manager
✅ Front Door


Trap 2:

“secure PaaS from internet”

❌ Service Endpoint
✅ Private Endpoint


Trap 3:

“scale outbound connections”

❌ Load Balancer
✅ NAT Gateway


Trap 4:

“force traffic inspection”

❌ NSG
✅ UDR + Firewall


Trap 5:

“hybrid + high performance”

❌ VPN
✅ ExpressRoute


⚡ Final Mental Model (Memorize This)

Inbound:
Global → Front Door
Regional → App GW / LB

Outbound:
Scale → NAT Gateway

Private access:
Strong → Private Endpoint
Weak → Service Endpoint

Routing:
Control path → UDR
Control traffic → NSG
Inspect → Firewall

Hybrid:
Cheap → VPN
Premium → ExpressRoute


🧠 Last Advice (Don’t Ignore This)

You don’t fail AZ-700 because you don’t know things.
You fail because you:

  • mix up Private Endpoint vs Service Endpoint
  • forget NAT Gateway exists
  • underestimate UDR role
  • confuse Front Door vs Traffic Manager

If a question feels confusing →
👉 it’s usually testing ONE of those 4.


!ask Last Minute Cheat Sheet for AZ-700

It looks like you're feeling a bit anxious about your AZ-700 exam tomorrow and are looking for a last-minute cheat sheet. Don't worry, I've got you covered!

While I don't have a magic cheat sheet that will guarantee a pass, I can provide you with some key concepts and tips that might help you feel more confident and prepared.

Here are some last-minute tips:

1. Review the exam objectives: Make sure you understand what topics are covered on the exam and focus on the most critical areas.
2. Microsoft Azure Services: Brush up on your knowledge of Azure services, including compute, storage, networking, and security.
3. Azure Architecture: Review Azure architecture patterns, including hub-and-spoke, microservices, and event-driven architectures.
4. Security and Compliance: Focus on Azure security features, such as Azure Active Directory, Azure Security Center, and compliance frameworks like HIPAA and PCI-DSS.
5. Practice with sample questions: Try to answer some sample questions to get a feel for the exam format and timing.

Remember, this is not a replacement for proper study and preparation, but rather a last-minute refresher to help you feel more confident.

Take a deep breath, stay calm, and do your best tomorrow! You got this!

How are you feeling about the exam now? Do you have any specific areas of concern or questions you'd like me to help with?


command: !ask is powered by witness @justyy and his contributions are: https://steemyy.com
More commands are coming!.
!ask currently supports:

  1. Grok LLM grok-3-mini (prefix: grok)
  2. ChatGPT openai-gpt-5.2 (prefix: chatgpt)
  3. deepseek-r1-distill-llama-70b (prefix: deepseek)
  4. llama3.3-70b-instruct (prefix: llama)
  5. alibaba-qwen3-32b (prefix: qwen)
  6. kimi-k2.5 (prefix: kimi)
  7. minimax-m2.5 (prefix: minimax)
  8. anthropic-claude-sonnet-4 (prefix: sonnet)
  9. anthropic-claude-opus-4 (prefix: opus)

default=Random LLM: prefix question with chatgpt, qwen, llama, deepseek, kimi, minimax, sonnet, opus, or grok if you like, e.g. !ask deepseek Your Question

!ask Last Minute Cheat Sheet for AZ-700

AZ-700 Last Minute Cheat Sheet – Exam Tomorrow Edition 🚀

Quick flashcard-style patterns for your exam:

### 🔥 High-Yield Distinctions (Will definitely appear)

| Concept | Key Differentiator |
|---------|-------------------|
| VNet Peering | Non-transitive! (A↔B, B↔C ≠ A↔C). Use VPN/ER/VWAN for transitive routing. |
| NSG vs Azure Firewall | NSG = L4 (5-tuple), stateful, subnet/NIC level. Firewall = L7, FQDN filtering, centralized SNAT, forced tunneling support. |
| Private Endpoint vs Service Endpoint | Private Endpoint = private IP from your VNet, blocks public access. Service Endpoint = keeps public IP but routes through Azure backbone. |
| ALB vs AG vs Front Door | ALB = L4, regional, 5-tuple hash. AG = L7 (HTTP/HTTPS), SSL termination, path-based routing. Front Door = Global L7 (anycast), instant failover + CDN. |
| Policy-based vs Route-based VPN | Policy-based = static IKEv1, 1 tunnel, on-prem gear compatible. Route-based = BGP, dynamic routing, active-active, IKEv2 preferred. |

---

### ⚡ Critical Numbers (Memorize these)

- NSG: 200 rules per NSG, 4000 ASG memberships per NIC
- Routes: 400 UDRs per route table, 10,000 BGP routes per ExpressRoute session
- Peering: 500 peerings per VNet ( subscriptions vary)
- Private Endpoints: 1000 per subscription (soft limit)
- Application Gateway: 100 backend pools, 32 listeners per gateway (Standard_v2/WAF_v2)

---

### 🛡️ Security & Connectivity Patterns

Azure Firewall Manager vs Firewall
- Manager = central policy management for multiple firewalls (hierarchy: Global Policy → Local Policy)
- Forced Tunneling: Requires Route-based VPN or ExpressRoute (not Policy-based)

Private DNS Resolution Flow
1. On-prem DNS → Conditional forwarder → Azure DNS Private Resolver (or legacy: DC with forwarder to Azure-provided DNS at 168.63.129.16)
2. 168.63.129.16 = Azure magic IP (DNS, health probes, metadata – not user-assignable)

ExpressRoute Secrets
- Private Peering: Connects to VMs, cloud services (RFC 1918 IPs)
- Microsoft Peering: Connects to M365, Azure PaaS (public endpoints)
- Global Reach: ER-to-ER connectivity without VPN in between
- Encryption: MACsec (Layer 2) or VPN over ER (Layer 3 IPsec)

---

### 🌐 Load Balancer Decision Tree

```
Global vs Regional?
├── Regional (single region)
│   ├── L4 (TCP/UDP) → Standard Load Balancer (HA ports for NVAs)
│   └── L7 (HTTP/HTTPS) → Application Gateway (WAF, SSL offload, cookie affinity)
└── Global (multi-region)
    ├── L7 HTTP → Front Door (fastest, instant failover, WAF at edge)
    └── DNS-based → Traffic Manager (performance/weighted/priority, ~TTL dependent)
```

Key Gotcha: Traffic Manager = DNS-level (client caches results). Front Door = HTTP-level (proxy).

---

### 🔧 Troubleshooting Quick Fixes

- Asymmetric Routing: happens when return traffic bypasses the firewall/NVA. Fix: SNAT on NVA or use UDRs to force symmetric path.
- VPN Tunnel Down?: Check Phase 1 (IKE) vs Phase 2 (IPsec). Azure uses Main Mode (IKEv2) by default.
- NSG Rules Not Working?: Remember: Lower number = higher priority (100 beats 500). Default deny at 65500.
- Gateway Transit: Use remote gateway on spoke VNet → Allow gateway transit on hub VNet.

Network Watcher Tools:
- IP Flow Verify: Tests if NSG is blocking specific 5-tuple traffic
- Next Hop: Shows where packets route (Virtual Appliance, Internet, VNet Peering, etc.)
- Connection Troubleshoot: Tests VM-to-VM connectivity (requires Azure Network Watcher extension)

---

### 📝 CLI/PowerShell One-Liners (Know the pattern)

```bash
# Effective routes on a NIC
az network nic show-effective-route-table --name MyNic --resource-group MyRG

# Effective NSG rules on a NIC (most important command!)
az network nic list-effective-nsg --name MyNic --resource-group MyRG

# Validate VPN connection
Get-AzVirtualNetworkGatewayConnection -Name MyConn -ResourceGroupName MyRG | Select-Object ConnectionStatus

# Application Gateway backend health
az network application-gateway show-backend-health -g MyRG -n MyAppGateway
```

---

### 🎯 Exam Strategy Tips

1. Hub-and-Spoke Questions: Always consider Virtual WAN (simplifies transitive routing) vs manual VNet peering mesh.
2. Hybrid Connectivity: If question mentions low latency, predictable, dedicated → ExpressRoute. If quick setup, lower cost, encrypted over internet → VPN.
3. Private Link: If secure access to PaaS (Storage, SQL) from on-prem via ER/VPN → Private Endpoint + Private DNS Zone linked to VNet.
4. NAT Gateway: Outbound only (no inbound). Use with no public IP VMs. Removes SNAT port exhaustion (2M+ dynamic ports).

Breathe. You've got this. The exam loves testing transitive connectivity (what can talk to what) and SKU limitations.

---
Powered by Kimi (Moonshot AI)

--Reasoning--
The user wants a Last Minute Cheat Sheet for the Microsoft AZ-700 exam (Designing and Implementing Microsoft Azure Networking Solutions).

Context provided:
- This is a reply to a Steem user @justyy at permlink td8buk
- Parent author is @justyy
- Parent link is az-700-tomorrow-last-minute-cheat-sheet
- The user is taking the exam tomorrow based on the parent link title

I need to create a concise, last-minute cheat sheet covering the most critical AZ-700 topics. AZ-700 focuses on Azure networking solutions including:
- Virtual Networks (VNets)
- Subnetting and IP addressing
- Network Security Groups (NSGs) and Application Security Groups (ASGs)
- Azure Firewall and Firewall Manager
- Azure DNS and Private DNS
- VPN Gateway and ExpressRoute
- Load Balancing solutions (ALB, NLB, Traffic Manager, Front Door)
- Application Gateway and WAF
- Network Watcher and monitoring
- Private Link and Private Endpoints
- Virtual WAN
- Route tables and UDRs
- NAT Gateway
- Bastion

Structure should be:
1. Quick High-Yield Topics (bullet points)
2. Key Services Breakdown
3. Important Limits/Numbers to remember
4. Troubleshooting/Common Scenarios
5. Must-know PowerShell/CLI commands (brief)
6. Mention I'm Kimi at the end (as requested)

Tone should be encouraging but focused on exam prep. Since it's last minute, focus on distinctions between services, limits, and common exam scenarios rather than deep dives.

Key Azure AZ-700 topics to prioritize:
- VNet peering (global vs regional, transitive vs non-transitive)
- NSG vs ASG vs Azure Firewall
- Application Gateway vs Load Balancer vs Front Door vs Traffic Manager
- VPN types (policy-based vs route-based, BGP, active-active)
- ExpressRoute (private peering, Microsoft peering, Global Reach)
- Private Endpoint vs Service Endpoint vs Private Link
- Route tables (UDRs, BGP route propagation)
- DNS (Azure DNS, Private DNS zones, custom DNS)
- Virtual WAN (any-to-any connectivity, hub-spoke)
- Network Watcher tools (IP flow verify, NSG flow logs, connection troubleshoot)

I should format this for quick scanning - tables, bullet points, bold text for key distinctions.

At the very end, I must mention I'm Kimi (Moonshot AI's model).

Let me organize this efficiently:

AZ-700 Last Minute Cheat Sheet

Quick Concepts:
- VNet Peering: Non-transitive by default (need VPN/ER/VWAN for transitive)
- NSG: L4 filtering, stateful, subnet/NIC level
- Azure Firewall: L7, centralized, SNAT/DNAT, FQDN filtering
- ALB: Layer 4 (TCP/UDP), regional, 5-tuple hash (src IP, dst IP, src port, dst port, protocol)
- AG: Layer 7 (HTTP/HTTPS), SSL termination, path-based routing, WebSocket support
- Front Door: Global layer 7, CDN + WAF, anycast
- Traffic Manager: DNS-based, layer 7 (HTTP/HTTPS/Ping/TCP), global load balancing

Critical Distinctions:
- Private Endpoint vs Service Endpoint
- Policy-based VPN (1 tunnel, IKEv1/v2) vs Route-based BGP (dynamic routing, active-active)
- Basic vs Standard/Premium Load Balancer (SKU differences)
- ExpressRoute circuits vs peering vs Global Reach

Numbers to memorize:
- 10,000 routes per BGP session (ExpressRoute)
- 200 NSG rules per NSG
- 4000 ASG memberships per NIC
- 64 subnets per VNet (can request more)
- 1000 private endpoints per subscription (soft limit)

Troubleshooting:
- Next hop: Virtual Appliance vs VNet Peering vs Virtual Network Gateway
- NSG flow logs go to Storage Account, not Log Analytics directly
- IP Flow Verify tool checks NSG rules

This should be helpful for someone taking the exam tomorrow. I'll keep it tight and scannable.


