Microsoft Azure Network Engineer Associate Quick Facts (2025)

Exam Domain Breakdown

Domain 1: Design and implement core networking infrastructure (28% of the exam)

Design and implement IP addressing for Azure resources

• Plan and implement network segmentation and address spaces
• Create a virtual network (VNet)
• Plan and configure subnetting for services, including VNet gateways, private endpoints, service endpoints, firewalls, application gateways, VNet-integrated platform services, and Azure Bastion
• Plan and configure subnet delegation
• Plan and configure shared or dedicated subnets
• Create a prefix for public IP addresses
• Choose when to use a public IP address prefix
• Plan and implement a custom public IP address prefix (bring your own IP)
• Create a public IP address
• Associate public IP addresses to resources
• Upgrade IP address SKU

Section summary: This section establishes the foundation of any Azure network by focusing on IP address planning and subnet design. You will learn how to create VNets, segment networks with subnets, and use both shared and dedicated subnet configurations effectively. Special attention is given to services like Azure Bastion, VNet gateways, and service endpoints, equipping you to optimize connectivity and security across Azure environments.

As you progress, you will also become proficient in working with public IP addresses. This includes knowing when and how to use prefixes, planning for bring-your-own-IP scenarios, and associating IPs to meet architectural needs. By understanding these capabilities, you are able to design scalable and secure solutions that align with enterprise-grade cloud networking requirements.

Design and implement name resolution

• Design name resolution inside a VNet
• Configure DNS settings for a VNet
• Design public DNS zones
• Design private DNS zones
• Configure public and private DNS zones
• Link a private DNS zone to a VNet
• Design and implement Azure DNS Private Resolver

Section summary: This section ensures you understand DNS architecture within Azure, both for internal resolution and public-facing services. You’ll gain practical knowledge on when and how to configure DNS for VNets, making workloads discoverable and properly integrated across environments. You’ll also practice creating and managing public and private DNS zones while designing flexible solutions for hybrid name resolution.

The introduction of the Azure DNS Private Resolver adds a powerful capability for enterprises. By mastering its use, you’ll learn how to integrate Azure DNS with on-premises resources, creating consistent hybrid lookup scenarios. This enables seamless naming conventions across complex infrastructures and provides a more reliable networking environment.

Design and implement VNet connectivity and routing

• Design service chaining, including gateway transit
• Implement VNet peering
• Implement and manage virtual network connectivity by using Azure Virtual Network Manager
• Design and implement user-defined routes (UDRs)
• Associate a route table with a subnet
• Configure forced tunneling
• Diagnose and resolve routing issues
• Design and implement Azure Route Server
• Identify appropriate use cases for a network address translation (NAT) gateway
• Implement a NAT gateway

Section summary: This section equips you with the skills needed to interconnect multiple networks within Azure. You’ll understand how to use VNet peering, service chaining, and Virtual Network Manager to create seamless connectivity scenarios for enterprise-grade deployments. You’ll also gain hands-on experience implementing user-defined routes and forced tunneling to optimize traffic flows and enhance security compliance.

Additionally, the section explores advanced routing solutions such as the Azure Route Server and NAT gateway. These tools simplify BGP integration and outbound Internet routing strategies, vital for maintaining scalability. By mastering connectivity services and routing issues, you can ensure that large-scale Azure networks remain efficient and secure.

Monitor networks

• Configure monitoring, network diagnostics, and logs in Azure Network Watcher
• Monitor and troubleshoot network health by using Azure Network Watcher
• Monitor and troubleshoot networks by using Azure Monitor Network Insights
• Activate and monitor distributed denial-of-service (DDoS) protection
• Evaluate network security recommendations identified by Microsoft Defender for Cloud Secure Score
• Evaluate network security recommendations identified by Microsoft Defender For Cloud Attack Path Analysis
• Identify network resources by using Microsoft Defender for Cloud Security Explorer

Section summary: This section emphasizes proactive monitoring and troubleshooting in Azure. Through tools like Network Watcher and Azure Monitor Network Insights, you will learn how to collect diagnostic data, evaluate health, and respond quickly to network performance issues. You’ll also learn how to use logs and built-in monitoring capabilities to keep networks highly available.

Security-focused insights are also covered in detail. You’ll explore how DDoS protection and Microsoft Defender for Cloud complement your monitoring efforts, providing recommendations and attack path analyses. This ensures you can secure environments effectively while keeping networks optimized and future-ready.

Domain 2: Design, implement, and manage connectivity services (23% of the exam)

Design, implement, and manage a site-to-site VPN connection

• Design a site-to-site VPN connection, including for high availability
• Select an appropriate VNet gateway stock-keeping unit (SKU) for site-to-site VPN requirements
• Implement a site-to-site VPN connection
• Identify when to use a policy-based VPN versus a route-based VPN connection
• Create and configure a local network gateway
• Create and configure an IPsec/Internet Key Exchange (IKE) policy
• Create and configure a virtual network gateway
• Diagnose and resolve virtual network gateway connectivity issues
• Implement Azure Extended Network

Section summary: This section covers how to design and establish secure VPN connectivity between Azure VNets and on-premises resources. You will understand policy-based and route-based VPN designs, security policies like IPsec/IKE, and how to select the right gateway SKU for different business requirements. These skills ensure hybrid networks are reliable and secure.

You will also master how to troubleshoot connectivity issues and extend on-premises environments through Azure Extended Network. By gaining this insight, you’ll be equipped to ensure resilient hybrid workloads across diverse enterprise landscapes.

Design, implement, and manage a point-to-site VPN connection

• Select an appropriate virtual network gateway SKU for point-to-site VPN requirements
• Select and configure a tunnel type
• Select an appropriate authentication method
• Configure RADIUS authentication
• Configure authentication by using Microsoft Entra ID
• Implement a VPN client configuration file
• Diagnose and resolve client-side and authentication issues
• Specify Azure requirements for Always On VPN
• Specify Azure requirements for Azure Network Adapter

Section summary: This section focuses on point-to-site VPN solutions that allow individual clients to connect securely to Azure. You’ll understand how to choose the right VPN gateway SKU, configure authentication methods like RADIUS and Entra ID, and implement custom VPN client configurations.

These capabilities provide flexibility for organizations supporting remote teams and distributed users. You’ll also learn best practices for Always On VPN and Azure Network Adapter, ensuring connectivity remains simple and secure for end-users while reinforcing enterprise networking policies.

Design, implement, and manage Azure ExpressRoute

• Select an ExpressRoute connectivity model
• Select an appropriate ExpressRoute SKU and tier
• Design and implement ExpressRoute to meet requirements, including cross-region connectivity, redundancy, and disaster recovery
• Design and implement ExpressRoute options, including Global Reach, FastPath, and ExpressRoute Direct
• Choose between Azure private peering only, Microsoft peering only, or both
• Configure Azure private peering
• Configure Microsoft peering
• Create and configure an ExpressRoute gateway
• Connect a virtual network to an ExpressRoute circuit
• Recommend a route advertisement configuration
• Configure encryption over ExpressRoute
• Implement Bidirectional Forwarding Detection
• Diagnose and resolve ExpressRoute connection issues

Section summary: This section emphasizes the design and implementation of private dedicated Azure connectivity using ExpressRoute. You’ll evaluate models, SKUs, and peering options tailored to workloads requiring redundancy, security, and predictable latency.

With additional features like Global Reach, FastPath, and Direct connections, ExpressRoute offers enterprise-grade performance across regions. By exploring encryption options and troubleshooting processes, you’ll ensure ExpressRoute delivers consistent and secure cross-network performance.

Design and implement an Azure Virtual WAN architecture

• Select a Virtual WAN SKU
• Design a Virtual WAN architecture, including selecting types and services
• Create a hub in Virtual WAN
• Choose an appropriate scale unit for each gateway type
• Deploy a gateway into a Virtual WAN hub
• Configure virtual hub routing
• Integrate a Virtual WAN hub with a third-party NVA for cloud connectivity

Section summary: This section dives into Virtual WAN, Microsoft’s simplified networking service for connecting branches, remote users, and cloud workloads. You’ll learn how to select SKUs, create hubs, configure gateways, and integrate with routing requirements.

These practices make it easier to scale secure global connectivity. You’ll also explore how to integrate third-party NVAs, enhancing workloads with specialized cloud connectivity features in distributed enterprise environments.

Domain 3: Design and implement application delivery services (18% of the exam)

Design and implement Azure Load Balancer and Azure Traffic Manager

• Map requirements to features and capabilities of Azure Load Balancer
• Identify appropriate use cases for Azure Load Balancer
• Choose an Azure Load Balancer SKU and tier
• Choose between public and internal load balancers
• Choose between regional and global load balancers
• Create and configure an Azure Load Balancer
• Implement Azure Traffic Manager
• Implement a gateway load balancer
• Implement a load balancing rule
• Create and configure inbound NAT rules
• Create and configure explicit outbound rules, including source network address translation (SNAT)

Section summary: This section highlights Azure Load Balancer and Traffic Manager as key services for distributing workloads globally and regionally. You’ll learn how to map requirements to features, select the right SKU and tier, and implement load balancer rules effectively.

Alongside performance optimization, the curriculum also covers NAT rules and outbound connections, ensuring that workloads remain accessible and secure. Combining regional and global approaches with services like gateway load balancer creates a resilient traffic management strategy.

Design and implement Azure Application Gateway

• Map requirements to features and capabilities of Azure Application Gateway
• Identify appropriate use cases for Azure Application Gateway
• Choose between manual and autoscale
• Create a back-end pool
• Configure health probes
• Configure listeners
• Configure routing rules
• Configure HTTP settings
• Configure Transport Layer Security (TLS)
• Configure rewrite sets

Section summary: This section explores Azure Application Gateway, an application-level load balancer with features like WAF integration and TLS termination. You’ll discover how to map it to business requirements, choose scaling strategies, and implement health probes to ensure workloads are always healthy.

By learning to configure routing rules and HTTP settings, you’ll also gain practical expertise in achieving secure, high-performing application delivery. TLS configuration and rewrite sets add additional flexibility for advanced traffic management.

Design and implement Azure Front Door

• Map requirements to features and capabilities of Azure Front Door
• Identify appropriate use cases for Azure Front Door
• Choose an appropriate tier
• Configure an Azure Front Door, including routing, origins, and endpoints
• Configure SSL termination and end-to-end SSL encryption
• Configure caching
• Configure traffic acceleration
• Implement rules, URL rewrite, and URL redirect
• Secure an origin by using Azure Private Link in Azure Front Door

Section summary: This section focuses on Azure Front Door, a global entry point for fast, secure delivery of modern web applications. You’ll explore how to configure routing, endpoints, and origins, while enabling performance capabilities such as caching and acceleration.

Security concepts are also emphasized, with SSL encryption and origin protection through Private Link. This combination helps enterprises achieve secure, global traffic distribution while minimizing latency.

Domain 4: Design and implement private access to Azure services (13% of the exam)

Design and implement Azure Private Link service and Azure private endpoints

• Plan private endpoints
• Create private endpoints
• Configure access to private endpoints
• Create a Private Link service
• Integrate Private Link and Private Endpoint with DNS
• Integrate a Private Link service with on-premises clients

Section summary: This section introduces Azure Private Link, which provides secured access to Azure services directly over private connectivity. You’ll learn how to create and configure private endpoints for workloads and services within the cloud.

Configuring DNS integration and connecting on-premises clients with private endpoints ensures a seamless hybrid experience. These capabilities strengthen security and reduce exposure to public internet traffic.

Design and implement service endpoints

• Choose when to use a service endpoint
• Create service endpoints
• Configure service endpoint policies
• Configure access to service endpoints

Section summary: This section compares service endpoints against Private Link, exploring the advantages of routing traffic directly from VNets to Azure services. You’ll learn how to create service endpoints and manage service endpoint policies.

By understanding when to use endpoints, you’ll simplify configurations while securing workloads. These choices support scenarios requiring direct, high-throughput connections within Azure.

Domain 5: Design and implement Azure network security services (18% of the exam)

Implement and manage network security groups

• Create a network security group (NSG)
• Associate a NSG to a resource
• Create an application security group (ASG)
• Associate an ASG to a network interface card (NIC)
• Create and configure NSG rules
• Implement virtual network flow logs
• Interpret virtual network flow logs
• Interpret NSG flow logs
• Validate NSG flow rules
• Verify IP flow
• Configure an NSG for remote server administration, including Azure Bastion
• Implement and manage virtual network security by using Azure Virtual Network Manager

Section summary: This section explains how to secure networks using NSGs and ASGs. You’ll practice creating rule sets, verifying flows, and associating groups with resources or NICs. These tools form the core of Azure’s internal access control capabilities.

Complementing these, Azure Virtual Network Manager and Bastion extend visibility and secure access to networks. By interpreting flow logs and implementing governance rules, you’ll have everything you need to tightly control traffic flows in modern cloud deployments.

Design and implement Azure Firewall and Azure Firewall Manager

• Map requirements to features and capabilities of Azure Firewall
• Select an appropriate Azure Firewall SKU
• Design an Azure Firewall deployment
• Create and implement an Azure Firewall deployment
• Configure Azure Firewall rules
• Create and implement Azure Firewall Manager policies
• Create a secure hub by deploying Azure Firewall inside an Azure Virtual WAN hub

Section summary: This section shows how to design and deploy Azure Firewall as a cloud-native firewall solution. You’ll create rules, select the right SKUs, and design deployments that meet real-world enterprise security requirements.

Additionally, Firewall Manager enables you to centralize policies across environments, including Virtual WAN hubs. This ensures consistent, scalable network security across distributed architectures.

Design and implement a Web Application Firewall (WAF) deployment

• Map requirements to features and capabilities of WAF
• Design a WAF deployment
• Configure detection or prevention mode
• Configure rule sets for WAF on Azure Front Door
• Configure rule sets for WAF on Application Gateway
• Implement a WAF policy
• Associate a WAF policy

Section summary: This section focuses on deploying WAF to protect applications from web vulnerabilities. You’ll understand where WAF fits in different scenarios, such as within Application Gateway and Azure Front Door, and learn to configure policies.

By configuring detection and prevention modes, rule sets, and policy associations, you will strengthen applications against a broad range of threats. These skills are crucial for delivering secure web applications at scale.