Complete Azure Networking Demonstration Platform for AZ-700 Certification Training
Production-grade hub-and-spoke architecture with advanced traffic management and security
ποΈ Architecture | π Demo Guide | βοΈ Blog Series | β‘ Quick Start
New here? Start with the β‘ Quick Start Guide!
Deploy in 5 minutes | From $25/day | Perfect for beginners
A comprehensive, production-ready Azure networking environment designed for AZ-700 certification training, featuring:
- ποΈ Hub-and-Spoke Network Topology - Enterprise-grade VNet architecture
- π Global Traffic Management - Azure Front Door, Traffic Manager, Application Gateway
- π Multi-Layer Security - Dual WAF, Private Link, NSGs, Azure Firewall
- π Dynamic Routing - Route Server with BGP and NVA integration
- π Network Monitoring - VNet Flow Logs, Traffic Analytics, Network Watcher
- ποΈ Centralized Management - Azure Virtual Network Manager (AVNM)
Perfect for: Trainers, students, solution architects, and anyone studying AZ-700 exam objectives.
| Document | Description | Audience |
|---|---|---|
| β‘ Quick Start | 5-minute deployment | π± Beginners & Trainers |
| ποΈ Architecture | Complete diagrams & design | π§ Technical Users |
| π Demo Guide | Step-by-step demos | π All Users |
| βοΈ Blog Series | 4-part deep dive (12,500+ words) | π Learners |
# Install tools
winget install Microsoft.AzureCLI
winget install Microsoft.Azd
# Login
az login
azd auth login# Clone repository
git clone https://github.com/SQLtattoo/az700env.git
cd az700envBefore deploying, edit infra/main.parameters.json to set your feature toggles, then:
# Deploy β azd will prompt interactively for required parameters
azd upDuring azd up you will be prompted for:
| Prompt | Purpose | Example |
|---|---|---|
hubLocation |
Primary region β used for hub, spoke1, and workload VNets | uksouth |
spoke2Location |
Cross-region spoke β must be different from hub to demonstrate multi-region routing | northeurope |
adminPassword |
VM administrator password | (secure input) |
The separate
spoke2Locationprompt is intentional β deploying spoke2 in a different region is a core AZ-700 demo scenario (cross-region VNet peering, Traffic Manager geo-routing, latency-based routing).
| Profile | Daily Cost | What to set to false |
|---|---|---|
| π± Minimal | ~$25/day | deployKeyVault, deployFirewall, deployBastion, deployRouteServer, deployVpnGateway, deployExpressRoute |
| πΏ Essential | ~$50/day | deployFirewall, deployBastion |
| π³ Full | ~$109/day | Nothing β deploy everything |
β οΈ DISCLAIMER: Costs based on my testing (Feb 2026, UK South/North Europe).
Your costs WILL vary. Use Azure Pricing Calculator.
| Mode | Daily | Monthly* | Savings |
|---|---|---|---|
| Full 24/7 | $109 | $3,284 | Baseline |
| Essential 24/7 | $50 | $1,500 | 54% β¬οΈ |
| Minimal 24/7 | $25 | $750 | 77% β¬οΈ |
| Deploy-on-Demand | Variable | $100 | 97% β¬οΈ β¨ |
*30-day month
Use FREE Bastion Developer SKU instead of Standard!
Saves $435/month - SetdeployBastion: falseand deploy free Dev SKU when needed.
π Full cost analysis: Blog Part 4
β
Hub-and-spoke VNet topology
β
VNet peering with gateway transit
β
Application Gateway WAF v2
β
Traffic Manager (global DNS)
β
Azure Virtual Network Manager (AVNM)
β
Private Endpoints & DNS Zones
β
VNet Flow Logs + Traffic Analytics
βοΈ Azure Firewall Premium (deployFirewall)
βοΈ Route Server + BGP NVA (deployRouteServer)
βοΈ VPN Gateway + P2S (deployVpnGateway / enableP2S)
βοΈ ExpressRoute demo (deployExpressRoute)
βοΈ Azure Bastion (deployBastion - use FREE Dev SKU!)
βοΈ NAT Gateway (deployNatGateway)
β οΈ Azure Front Door is currently disabled in the template (App Service Plan quota requirement). Useinfra/deploy-afd-simple.bicepseparately if needed.
This environment supports all major AZ-700 exam scenarios:
- π Global Traffic Management - Traffic Manager routing
- π Multi-Layer Security - AFD β App Gateway β App Service
- π BGP Dynamic Routing - Route Server with FRRouting
- ποΈ Centralized Management - AVNM network groups
- π₯ Azure Firewall - Network/app rules (optional)
- π ExpressRoute - Enterprise connectivity (demo)
- π Network Monitoring - Flow Logs & Traffic Analytics
π Step-by-step instructions: Demo Guide
β
Design, implement, and manage hybrid networking
β
Design and implement core networking infrastructure
β
Design and implement routing
β
Secure and monitor networks
β
Design and implement Private access to Azure Services
All exam modules covered!
# View deployed resources
az resource list --resource-group rg-az700-<env> -o table
# Get environment info (URLs, IPs)
azd env get-values
# Delete everything (stop costs!)
azd down --purge --force
# Redeploy with saved settings
azd upAll feature toggles and configuration live in infra/main.parameters.json. Edit it before running azd up:
"deployFirewall": { "value": false }, // Save $87.50/day
"deployBastion": { "value": false }, // Save $14.52/day (use FREE Dev SKU)
"deployRouteServer": { "value": false }, // Save $15.37/day
"deployVpnGateway": { "value": false }, // Save $13.84/day
"deployExpressRoute": { "value": false }, // Demo only
"enableP2S": { "value": false } // Requires deployVpnGateway: trueIf enabling Route Server, you need to provide your SSH public key in main.parameters.json for the BGP NVA VM.
Generate a key pair (run once, keep the private key safe):
# Windows / Linux / macOS
ssh-keygen -t rsa -b 4096 -f ~/.ssh/az700-nvaThen copy the public key into main.parameters.json:
Get-Content ~/.ssh/az700-nva.pubPaste the output as the value for nvaSshPublicKey in infra/main.parameters.json.
To connect to the NVA later:
ssh -i ~/.ssh/az700-nva azadmin@<nva-private-ip>π All parameters: Architecture - Cost Optimization
- π Quick Start - Beginner walkthrough
- ποΈ Architecture - Technical deep dive
- π Blog Series - Learning resource
- π GitHub Issues - Report bugs
Contributions welcome! Submit issues or pull requests on GitHub.
MIT License - Free to use and modify
Built with β€οΈ for the Azure community
Repository: github.com/SQLtattoo/az700env
Last Updated: February 5, 2026