
AZ-700 Last Minute Cheat Sheet – Exam Tomorrow Edition 🚀

Quick flashcard-style patterns for your exam:

### 🔥 High-Yield Distinctions (Will definitely appear)

| Concept | Key Differentiator |
|---------|-------------------|
| VNet Peering | Non-transitive! (A↔B, B↔C ≠ A↔C). Use VPN/ER/VWAN for transitive routing. |
| NSG vs Azure Firewall | NSG = L4 (5-tuple), stateful, subnet/NIC level. Firewall = L7, FQDN filtering, centralized SNAT, forced tunneling support. |
| Private Endpoint vs Service Endpoint | Private Endpoint = private IP from your VNet, blocks public access. Service Endpoint = keeps public IP but routes through Azure backbone. |
| ALB vs AG vs Front Door | ALB = L4, regional, 5-tuple hash. AG = L7 (HTTP/HTTPS), SSL termination, path-based routing. Front Door = Global L7 (anycast), instant failover + CDN. |
| Policy-based vs Route-based VPN | Policy-based = static IKEv1, 1 tunnel, on-prem gear compatible. Route-based = BGP, dynamic routing, active-active, IKEv2 preferred. |

---

### ⚡ Critical Numbers (Memorize these)

- NSG: 200 rules per NSG, 4000 ASG memberships per NIC
- Routes: 400 UDRs per route table, 10,000 BGP routes per ExpressRoute session
- Peering: 500 peerings per VNet (subscriptions vary)
- Private Endpoints: 1000 per subscription (soft limit)
- Application Gateway: 100 backend pools, 32 listeners per gateway (Standard_v2/WAF_v2)

---

### 🛡️ Security & Connectivity Patterns

Azure Firewall Manager vs Firewall
- Manager = central policy management for multiple firewalls (hierarchy: Global Policy → Local Policy)
- Forced Tunneling: Requires Route-based VPN or ExpressRoute (not Policy-based)

Private DNS Resolution Flow
1. On-prem DNS → Conditional forwarder → Azure DNS Private Resolver (or legacy: DC with forwarder to Azure-provided DNS at 168.63.129.16)
2. 168.63.129.16 = Azure magic IP (DNS, health probes, metadata – not user-assignable)

ExpressRoute Secrets
- Private Peering: Connects to VMs, cloud services (RFC 1918 IPs)
- Microsoft Peering: Connects to M365, Azure PaaS (public endpoints)
- Global Reach: ER-to-ER connectivity without VPN in between
- Encryption: MACsec (Layer 2) or VPN over ER (Layer 3 IPsec)

---

### 🌐 Load Balancer Decision Tree

```text
Global vs Regional?
├── Regional (single region)
│   ├── L4 (TCP/UDP) → Standard Load Balancer (HA ports for NVAs)
│   └── L7 (HTTP/HTTPS) → Application Gateway (WAF, SSL offload, cookie affinity)
└── Global (multi-region)
    ├── L7 HTTP → Front Door (fastest, instant failover, WAF at edge)
    └── DNS-based → Traffic Manager (performance/weighted/priority, ~TTL dependent)
```

Key Gotcha: Traffic Manager = DNS-level (client caches results). Front Door = HTTP-level (proxy).

---

### 🔧 Troubleshooting Quick Fixes

- Asymmetric Routing: happens when return traffic bypasses the firewall/NVA. Fix: SNAT on NVA or use UDRs to force symmetric path.
- VPN Tunnel Down?: Check Phase 1 (IKE) vs Phase 2 (IPsec). Azure uses Main Mode (IKEv2) by default.
- NSG Rules Not Working?: Remember: Lower number = higher priority (100 beats 500). Default deny at 65500.
- Gateway Transit: Use remote gateway on spoke VNet → Allow gateway transit on hub VNet.

Network Watcher Tools:
- IP Flow Verify: Tests if NSG is blocking specific 5-tuple traffic
- Next Hop: Shows where packets route (Virtual Appliance, Internet, VNet Peering, etc.)
- Connection Troubleshoot: Tests VM-to-VM connectivity (requires Azure Network Watcher extension)

---

### 📝 CLI/PowerShell One-Liners (Know the pattern)

```bash
# Effective NSG rules on a NIC (most important command!)
az network nic list-effective-nsg --name MyNic --resource-group MyRG

# Effective routes on a NIC (system + UDR + BGP-learned, with next hop type)
az network nic show-effective-route-table --name MyNic --resource-group MyRG

# Validate VPN connection (PowerShell, not az CLI)
Get-AzVirtualNetworkGatewayConnection -Name MyConn -ResourceGroupName MyRG | Select-Object ConnectionStatus

# Application Gateway backend health
az network application-gateway show-backend-health -g MyRG -n MyAppGateway
```

---

### 🎯 Exam Strategy Tips

1. Hub-and-Spoke Questions: Always consider Virtual WAN (simplifies transitive routing) vs manual VNet peering mesh.
2. Hybrid Connectivity: If question mentions low latency, predictable, dedicated → ExpressRoute. If quick setup, lower cost, encrypted over internet → VPN.
3. Private Link: If secure access to PaaS (Storage, SQL) from on-prem via ER/VPN → Private Endpoint + Private DNS Zone linked to VNet.
4. NAT Gateway: Outbound only (no inbound). Use with no public IP VMs. Removes SNAT port exhaustion (2M+ dynamic ports).

Breathe. You've got this. The exam loves testing transitive connectivity (what can talk to what) and SKU limitations.

---
Powered by Kimi (Moonshot AI)

--Reasoning--
The user wants a Last Minute Cheat Sheet for the Microsoft AZ-700 exam (Designing and Implementing Microsoft Azure Networking Solutions).

Context provided:
- This is a reply to a Steem user @justyy at permlink td8buk
- Parent author is @justyy
- Parent link is az-700-tomorrow-last-minute-cheat-sheet
- The user is taking the exam tomorrow based on the parent link title

I need to create a concise, last-minute cheat sheet covering the most critical AZ-700 topics. AZ-700 focuses on Azure networking solutions including:
- Virtual Networks (VNets)
- Subnetting and IP addressing
- Network Security Groups (NSGs) and Application Security Groups (ASGs)
- Azure Firewall and Firewall Manager
- Azure DNS and Private DNS
- VPN Gateway and ExpressRoute
- Load Balancing solutions (ALB, NLB, Traffic Manager, Front Door)
- Application Gateway and WAF
- Network Watcher and monitoring
- Private Link and Private Endpoints
- Virtual WAN
- Route tables and UDRs
- NAT Gateway
- Bastion

Structure should be:
1. Quick High-Yield Topics (bullet points)
2. Key Services Breakdown
3. Important Limits/Numbers to remember
4. Troubleshooting/Common Scenarios
5. Must-know PowerShell/CLI commands (brief)
6. Mention I'm Kimi at the end (as requested)

Tone should be encouraging but focused on exam prep. Since it's last minute, focus on distinctions between services, limits, and common exam scenarios rather than deep dives.

Key Azure AZ-700 topics to prioritize:
- VNet peering (global vs regional, transitive vs non-transitive)
- NSG vs ASG vs Azure Firewall
- Application Gateway vs Load Balancer vs Front Door vs Traffic Manager
- VPN types (policy-based vs route-based, BGP, active-active)
- ExpressRoute (private peering, Microsoft peering, Global Reach)
- Private Endpoint vs Service Endpoint vs Private Link
- Route tables (UDRs, BGP route propagation)
- DNS (Azure DNS, Private DNS zones, custom DNS)
- Virtual WAN (any-to-any connectivity, hub-spoke)
- Network Watcher tools (IP flow verify, NSG flow logs, connection troubleshoot)

I should format this for quick scanning - tables, bullet points, bold text for key distinctions.

At the very end, I must mention I'm Kimi (Moonshot AI's model).

Let me organize this efficiently:

AZ-700 Last Minute Cheat Sheet

Quick Concepts:
- VNet Peering: Non-transitive by default (need VPN/ER/VWAN for transitive)
- NSG: L4 filtering, stateful, subnet/NIC level
- Azure Firewall: L7, centralized, SNAT/DNAT, FQDN filtering
- ALB: Layer 4 (TCP/UDP), regional, 5-tuple hash (src IP, dst IP, src port, dst port, protocol)
- AG: Layer 7 (HTTP/HTTPS), SSL termination, path-based routing, WebSocket support
- Front Door: Global layer 7, CDN + WAF, anycast
- Traffic Manager: DNS-based, layer 7 (HTTP/HTTPS/Ping/TCP), global load balancing

Critical Distinctions:
- Private Endpoint vs Service Endpoint
- Policy-based VPN (1 tunnel, IKEv1/v2) vs Route-based BGP (dynamic routing, active-active)
- Basic vs Standard/Premium Load Balancer (SKU differences)
- ExpressRoute circuits vs peering vs Global Reach

Numbers to memorize:
- 10,000 routes per BGP session (ExpressRoute)
- 200 NSG rules per NSG
- 4000 ASG memberships per NIC
- 64 subnets per VNet (can request more)
- 1000 private endpoints per subscription (soft limit)

Troubleshooting:
- Next hop: Virtual Appliance vs VNet Peering vs Virtual Network Gateway
- NSG flow logs go to Storage Account, not Log Analytics directly
- IP Flow Verify tool checks NSG rules

This should be helpful for someone taking the exam tomorrow. I'll keep it tight and scannable.


command: !ask is powered by witness @justyy and his contributions are: https://steemyy.com
More commands are coming!
!ask currently supports:

  1. Grok LLM grok-3-mini (prefix: grok)
  2. ChatGPT openai-gpt-5.2 (prefix: chatgpt)
  3. deepseek-r1-distill-llama-70b (prefix: deepseek)
  4. llama3.3-70b-instruct (prefix: llama)
  5. alibaba-qwen3-32b (prefix: qwen)
  6. kimi-k2.5 (prefix: kimi)
  7. minimax-m2.5 (prefix: minimax)
  8. anthropic-claude-sonnet-4 (prefix: sonnet)
  9. anthropic-claude-opus-4 (prefix: opus)

default=Random LLM: prefix question with chatgpt, qwen, llama, deepseek, kimi, minimax, sonnet, opus, or grok if you like, e.g. !ask deepseek Your Question
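Added example, not part of the original reply or of Kimi's output: a Python model of how an NSG evaluates one inbound 5-tuple, reported the way IP Flow Verify reports it (which rule matched and whether it allowed or denied). It encodes the "lower number = higher priority, first match decides" rule from the troubleshooting section together with the built-in default rules at 65000/65001/65500, and then walks through the classic mistake of a Deny-all at priority 100 shadowing an Allow at 500, plus the less obvious one where a custom Deny-all also drops the 168.63.129.16 load balancer health probes. The VNet address space, the rule set, and the simplified handling of the VirtualNetwork, Internet and AzureLoadBalancer service tags are constructed assumptions for this example, not Azure's real tag contents.

```python
"""Minimal NSG rule evaluation, IP Flow Verify style (added example; constructed data)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed VNet address space; the real VirtualNetwork tag also covers
# peered VNets and on-prem prefixes learned via a gateway.
VNET_PREFIXES = ["10.0.0.0/16"]
SERVICE_TAGS = {
    "VirtualNetwork": VNET_PREFIXES,
    "AzureLoadBalancer": ["168.63.129.16/32"],  # health-probe source (Azure magic IP)
}


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int        # custom rules 100-4096, lower number wins
    direction: str       # "Inbound" | "Outbound"
    access: str          # "Allow" | "Deny"
    protocol: str        # "Tcp" | "Udp" | "Icmp" | "*"
    source: str          # CIDR, single IP, service tag, or "*"
    dest: str
    dest_ports: str      # "*", "443", "1000-2000", or "22,3389"


# Built-in inbound default rules present on every NSG.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*"),
]


def _addr_match(spec: str, ip: str) -> bool:
    addr = ip_address(ip)
    if spec == "*":
        return True
    if spec == "Internet":  # simplified: anything outside the VNet address space
        return not any(addr in ip_network(p) for p in VNET_PREFIXES)
    prefixes = SERVICE_TAGS.get(spec, [spec])
    return any(addr in ip_network(p, strict=False) for p in prefixes)


def _port_match(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def evaluate(rules, *, direction, protocol, src_ip, dst_ip, dst_port):
    """Return (access, rule_name) of the first matching rule in priority order."""
    for r in sorted(rules, key=lambda r: r.priority):
        if r.direction != direction:
            continue
        if r.protocol != "*" and r.protocol.lower() != protocol.lower():
            continue
        if not (_addr_match(r.source, src_ip) and _addr_match(r.dest, dst_ip)):
            continue
        if not _port_match(r.dest_ports, dst_port):
            continue
        return r.access, r.name
    return "Deny", "<no rule>"  # unreachable while the default rules are present


# Constructed mistake: "lock everything down" at 100, then "open SSH from the
# bastion subnet" at 500. The 500 rule can never win against the 100 deny.
BROKEN = [
    Rule("DenyEverythingIn", 100, "Inbound", "Deny", "*", "*", "*", "*"),
    Rule("AllowSshFromBastion", 500, "Inbound", "Allow", "Tcp", "10.0.250.0/24", "10.0.1.0/24", "22"),
] + DEFAULT_INBOUND

# Corrected ordering: specific Allow first, catch-all Deny last. Note that the
# catch-all still swallows the 65001 health-probe allow, which is a real gotcha.
FIXED = [
    Rule("AllowSshFromBastion", 100, "Inbound", "Allow", "Tcp", "10.0.250.0/24", "10.0.1.0/24", "22"),
    Rule("DenyEverythingIn", 4000, "Inbound", "Deny", "*", "*", "*", "*"),
] + DEFAULT_INBOUND

if __name__ == "__main__":
    ssh = dict(direction="Inbound", protocol="Tcp", src_ip="10.0.250.4", dst_ip="10.0.1.4", dst_port=22)
    probe = dict(direction="Inbound", protocol="Tcp", src_ip="168.63.129.16", dst_ip="10.0.1.4", dst_port=80)
    print("broken  SSH  :", evaluate(BROKEN, **ssh))
    print("fixed   SSH  :", evaluate(FIXED, **ssh))
    print("fixed   probe:", evaluate(FIXED, **probe))
    print("default probe:", evaluate(DEFAULT_INBOUND, **probe))
```

The last two lines of the demo are the practitioner's check: after adding a custom catch-all Deny, confirm that AzureLoadBalancer (or at least 168.63.129.16/32) still has an explicit Allow below it, otherwise Standard Load Balancer backends go unhealthy even though "nothing else changed".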
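Added example, not part of the original reply or of Kimi's output: a small reachability model for the "what can talk to what" questions the reply says the exam loves. It encodes the three rules the cheat sheet states separately: VNet peering is non-transitive, on-prem reachability over a hub gateway needs "Allow gateway transit" on the hub side and "Use remote gateways" on the spoke side, and spoke-to-spoke traffic only flows when a UDR on each spoke points at an NVA/firewall in the hub (both sides, to avoid the asymmetric-routing problem from the troubleshooting section). The hub-and-spoke topology, the VNet names and the single-hub simplification are constructed assumptions for this example.

```python
"""Hub-and-spoke reachability under Azure peering rules (added example; constructed topology)."""
from dataclasses import dataclass, field
from typing import Optional, Tuple

ONPREM = "on-prem"  # pseudo-destination reached only through a VPN/ER gateway


@dataclass
class VNet:
    name: str
    has_gateway: bool = False              # VPN or ExpressRoute gateway deployed here
    allow_gateway_transit: bool = False    # set on the hub side of the peering
    use_remote_gateways: bool = False      # set on the spoke side of the peering
    udr_via_hub_nva: Optional[str] = None  # hub whose NVA/firewall is the UDR next hop
    peers: set = field(default_factory=set)


class Topology:
    def __init__(self) -> None:
        self.vnets = {}

    def add(self, vnet: VNet) -> VNet:
        self.vnets[vnet.name] = vnet
        return vnet

    def peer(self, a: str, b: str) -> None:
        # A peering is only "Connected" when both directions exist.
        self.vnets[a].peers.add(b)
        self.vnets[b].peers.add(a)

    def _transit_hub(self, spoke: VNet) -> Optional[VNet]:
        """Hub that can carry this spoke's on-prem traffic, if any."""
        if not spoke.use_remote_gateways:
            return None
        for name in spoke.peers:
            hub = self.vnets[name]
            if hub.has_gateway and hub.allow_gateway_transit:
                return hub
        return None

    def can_reach(self, src: str, dst: str) -> Tuple[bool, str]:
        s = self.vnets[src]
        if dst == ONPREM:
            if s.has_gateway:
                return True, "own gateway"
            hub = self._transit_hub(s)
            if hub is not None:
                return True, f"gateway transit via {hub.name}"
            return False, "no gateway and no usable gateway transit"
        d = self.vnets[dst]
        if dst in s.peers:
            return True, "direct peering"
        hub = s.udr_via_hub_nva
        if hub and hub in s.peers and hub in d.peers and d.udr_via_hub_nva == hub:
            return True, f"hairpin through NVA in {hub} (UDRs on both spokes)"
        return False, "peering is non-transitive"


def build_demo() -> Topology:
    """Constructed topology: one hub with a gateway and an NVA, three spokes."""
    t = Topology()
    t.add(VNet("hub", has_gateway=True, allow_gateway_transit=True))
    t.add(VNet("spoke1", use_remote_gateways=True, udr_via_hub_nva="hub"))
    t.add(VNet("spoke2", use_remote_gateways=True, udr_via_hub_nva="hub"))
    t.add(VNet("spoke3"))  # peered to hub, but no gateway transit and no UDR
    for spoke in ("spoke1", "spoke2", "spoke3"):
        t.peer("hub", spoke)
    return t


if __name__ == "__main__":
    t = build_demo()
    for src, dst in [("spoke1", "spoke2"), ("spoke1", "spoke3"),
                     ("spoke1", ONPREM), ("spoke3", ONPREM), ("hub", "spoke3")]:
        print(f"{src:>7} -> {dst:<7}", t.can_reach(src, dst))
```

Virtual WAN is deliberately absent from the model: with a VWAN hub, spoke-to-spoke and spoke-to-on-prem become any-to-any by default, which is exactly why the reply recommends it when a question asks for transitive routing without UDR bookkeeping.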
