AZ-500 Domain 2: Secure networking (20-25%) - Complete Study Guide 2026

TL;DR
  • Domain 2 (Secure networking) accounts for 20-25% of the AZ-500 exam, tied with Domain 3 for second-largest weight.
  • Expect NSGs, Azure Firewall, Private Link, and VPN/ExpressRoute encryption scenarios in scored and interactive items.
  • The exam allows split-pane access to Microsoft Learn docs, so know where to look, not just what to memorize.
  • AZ-500 retires August 31, 2026 - plan your Domain 2 prep around that hard cutoff.

Domain 2 Overview: Why Networking Carries 20-25% of the AZ-500

Secure networking sits right behind Domain 4 in exam weight, and for good reason: nearly every Azure workload depends on a network boundary somewhere. If you're building a study plan from the official AZ-500 Exam Domains 2026: Complete Guide to All 4 Content Areas, this domain deserves its own dedicated block of time rather than a quick skim between identity and compute topics.

Unlike Domain 1's identity-centric scenarios, Domain 2 tests your ability to design layered network defenses - network security groups, Azure Firewall, Azure DDoS Protection, Web Application Firewall, and private connectivity services like Private Link and Service Endpoints. You'll also be expected to reason about hybrid connectivity through VPN gateways and ExpressRoute, and to know when encryption in transit is enforced by default versus when you must configure it: a site-to-site VPN tunnel is IPsec-encrypted by design, whereas ExpressRoute private peering carries traffic unencrypted unless you add MACsec (ExpressRoute Direct) or run an IPsec VPN over the circuit.

Scope Reality: This domain isn't about designing a network from scratch - it's about securing one that already exists. Expect scenario questions describing an existing VNet topology and asking which control closes a specific gap.

Network Security Groups and Application Security Groups

NSGs remain the backbone of Azure network segmentation, and the AZ-500 exam tests them at a level deeper than "allow or deny." You need to understand rule priority, default rules, and how NSGs interact when applied to both a subnet and a NIC simultaneously.

NSG and ASG Fundamentals

Candidates must understand how traffic evaluation actually happens when multiple security layers are stacked.

  • Rule priority ordering: the lowest number is evaluated first, and the first matching rule ends evaluation (custom rules use priorities 100-4096; the built-in defaults sit at 65000-65500)
  • Effective security rules when NSGs exist at both subnet and NIC level: inbound traffic is checked against the subnet NSG first and then the NIC NSG, outbound in the reverse order, and both must allow the packet for it to pass
  • Using Application Security Groups to group VMs by role instead of by IP address, so rules survive IP changes and scale-out
  • Diagnostic logging and flow logs (NSG flow logs and the newer VNet flow logs) for traffic analysis, typically queried through Traffic Analytics or Log Analytics
  • Azure Network Watcher tools: IP flow verify, NSG diagnostics, connection troubleshoot

A common exam pattern presents a diagram with two or three NSGs applied at different scopes and asks you to determine whether a specific packet is allowed. Practicing this rule-evaluation logic on paper - not just in the portal - pays off under exam time pressure.
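The subnet-plus-NIC evaluation described above, worked through in code. This is an added example written for this guide, not Microsoft tooling or code from the original page. The VNet address space (10.0.0.0/16), the ASG membership and the three sample packets are constructed for the scenario, and the VirtualNetwork and Internet service tags are approximated by VNet membership rather than Microsoft's published address ranges; the default-rule priorities and the evaluation order are the real ones.

```python
"""Hypothetical NSG effective-rule evaluator (added example, not Microsoft's code).

Models what the exam tests: rules sorted by priority (lowest number first), first
match wins, Azure's default rules at 65000-65500, and, when NSGs sit at both the
subnet and the NIC, inbound traffic must pass the subnet NSG and then the NIC NSG
(outbound is evaluated NIC first, then subnet). A Deny at either scope is final.
"""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, Optional


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int                 # custom rules: 100-4096; lower number is evaluated first
    direction: str                # "Inbound" | "Outbound"
    access: str                   # "Allow" | "Deny"
    protocol: str                 # "Tcp" | "Udp" | "Icmp" | "*"
    sources: tuple[str, ...]      # CIDR, "*", a service tag, or "asg:<name>"
    dest_ports: tuple[str, ...]   # "22", "8000-8080", "*"
    destinations: tuple[str, ...] = ("*",)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int
    protocol: str
    direction: str


# Constructed sample topology (assumption): one VNet and two ASGs.
VNET_SPACE = (ip_network("10.0.0.0/16"),)
ASG_MEMBERS = {"web": {"10.0.1.4", "10.0.1.5"}, "db": {"10.0.2.4"}}

# Azure's default rules. Priorities are the real ones; the VirtualNetwork and
# Internet tags are simplified to "inside/outside VNET_SPACE".
DEFAULT_RULES = (
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", ("VirtualNetwork",), ("*",), ("VirtualNetwork",)),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", ("AzureLoadBalancer",), ("*",)),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", ("*",), ("*",)),
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "*", ("VirtualNetwork",), ("*",), ("VirtualNetwork",)),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", ("*",), ("*",), ("Internet",)),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", ("*",), ("*",)),
)


def _in_vnet(ip: str) -> bool:
    return any(ip_address(ip) in net for net in VNET_SPACE)


def addr_matches(ip: str, selector: str) -> bool:
    """Match one address against a CIDR, wildcard, simplified service tag, or ASG."""
    if selector == "*":
        return True
    if selector == "VirtualNetwork":
        return _in_vnet(ip)
    if selector == "Internet":              # simplification: anything outside the VNet
        return not _in_vnet(ip)
    if selector == "AzureLoadBalancer":     # Azure's health-probe source address
        return ip == "168.63.129.16"
    if selector.startswith("asg:"):
        return ip in ASG_MEMBERS.get(selector[4:], set())
    return ip_address(ip) in ip_network(selector, strict=False)


def port_matches(port: int, selector: str) -> bool:
    if selector == "*":
        return True
    if "-" in selector:
        lo, hi = selector.split("-", 1)
        return int(lo) <= port <= int(hi)
    return port == int(selector)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction == pkt.direction
            and rule.protocol in ("*", pkt.protocol)
            and any(addr_matches(pkt.src_ip, s) for s in rule.sources)
            and any(addr_matches(pkt.dst_ip, d) for d in rule.destinations)
            and any(port_matches(pkt.dst_port, p) for p in rule.dest_ports))


def evaluate_nsg(custom_rules: Iterable[Rule], pkt: Packet) -> tuple[str, str]:
    """Return (access, rule_name) for one NSG: first match in ascending priority wins."""
    rules = list(custom_rules)
    for rule in rules:
        if not 100 <= rule.priority <= 4096:
            raise ValueError(f"{rule.name}: custom rule priority must be 100-4096")
    for rule in sorted(rules + list(DEFAULT_RULES), key=lambda r: r.priority):
        if rule_matches(rule, pkt):
            return rule.access, rule.name
    return "Deny", "unreachable"  # the DenyAll* defaults always match


def effective_decision(subnet_nsg: Optional[Iterable[Rule]], nic_nsg: Optional[Iterable[Rule]],
                       pkt: Packet) -> tuple[str, list[str]]:
    """Combine subnet and NIC NSGs; a scope with no NSG imposes no restriction."""
    scopes = [("subnet", subnet_nsg), ("nic", nic_nsg)]
    if pkt.direction == "Outbound":
        scopes.reverse()
    trace: list[str] = []
    for scope, rules in scopes:
        if rules is None:
            continue
        access, name = evaluate_nsg(rules, pkt)
        trace.append(f"{scope}:{name}:{access}")
        if access == "Deny":
            return "Deny", trace
    return "Allow", trace


# Constructed exam-style scenario: a subnet NSG on the web tier and a NIC NSG on web VM 10.0.1.4.
SUBNET_NSG = [
    Rule("AllowHttpsFromInternet", 100, "Inbound", "Allow", "Tcp", ("Internet",), ("443",), ("asg:web",)),
    Rule("DenySshInBound", 200, "Inbound", "Deny", "Tcp", ("*",), ("22",)),
]
NIC_NSG = [
    Rule("AllowSshFromJumpSubnet", 100, "Inbound", "Allow", "Tcp", ("10.0.0.0/24",), ("22",)),
]

if __name__ == "__main__":
    for pkt in (Packet("203.0.113.10", "10.0.1.4", 443, "Tcp", "Inbound"),
                Packet("10.0.0.5", "10.0.1.4", 22, "Tcp", "Inbound"),
                Packet("10.0.2.4", "10.0.1.4", 8080, "Tcp", "Inbound")):
        print(f"{pkt.src_ip} -> {pkt.dst_ip}:{pkt.dst_port}", effective_decision(SUBNET_NSG, NIC_NSG, pkt))
```

The three sample packets reproduce the traps the diagram questions lean on. HTTPS from the internet is allowed by the subnet NSG's custom rule but then dropped by the NIC NSG's DenyAllInBound default, because the NIC NSG has no rule for it and an allow at one scope never overrides the other. SSH from the jump-box subnet is denied by the subnet NSG's priority-200 deny before the NIC NSG's priority-100 allow is ever consulted, and before the default AllowVnetInBound at 65000 could have saved it. VNet-internal traffic on port 8080 passes both scopes purely on the AllowVnetInBound default, which is the rule candidates most often forget exists.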

Securing the Perimeter: Firewall, DDoS, and WAF

Beyond NSGs, Domain 2 expects fluency with Azure's managed perimeter services. Azure Firewall questions typically focus on rule collections (network, application, and NAT rules), threat intelligence-based filtering, and forced tunneling scenarios. You should also know the practical differences between Azure Firewall and third-party network virtual appliances when it comes to centralized policy management via Azure Firewall Manager.

Perimeter and Edge Protection

These services are frequently tested together because real architectures layer them.

  • Azure Firewall rule types and processing order: DNAT rules are evaluated first, then network rules, then application rules, regardless of rule collection group or collection priority; within each type, priority order applies, the first match wins, and traffic matching nothing is denied
  • Azure DDoS Protection tiers: the free, always-on infrastructure-level protection (formerly Basic) versus the paid DDoS Network Protection and DDoS IP Protection SKUs (formerly Standard), which add adaptive tuning, attack telemetry, and mitigation reports
  • Web Application Firewall (WAF) policies on Application Gateway and Front Door, including OWASP rule sets
  • Azure Bastion for eliminating public RDP/SSH exposure

Key Takeaway

Memorize which service protects at which OSI layer - DDoS Protection mitigates layer 3/4 volumetric and protocol attacks against public IPs, while WAF inspects application-layer HTTP/HTTPS requests for injection, cross-site scripting, and the rest of the OWASP core rule set. Mixing these up is a frequent wrong-answer trap.

Private Access to Azure Resources

A large slice of Domain 2 content covers keeping traffic off the public internet entirely. Expect questions comparing Private Endpoints (Azure Private Link) against Service Endpoints, and scenarios where you must choose the correct option based on whether traffic needs to stay within the Microsoft backbone, cross VNets, or reach on-premises networks.

Private Connectivity Patterns

Know the trade-offs between these mechanisms cold - they show up as direct comparison questions.

  • Private Endpoint: a NIC with a private IP in your VNet, reachable across peered networks and from on-premises via VPN/ExpressRoute; the service FQDN must resolve to that IP, which in practice means a privatelink private DNS zone linked to the VNet
  • Service Endpoint: extends the VNet's identity to the service so the service firewall can allow the subnet, but traffic still goes to the service's public IP (over the Microsoft backbone) and is not reachable from on-premises
  • VNet peering considerations for security boundaries and transitive routing limitations: peering is non-transitive, so spoke-to-spoke traffic needs a hub firewall or UDRs
  • Site-to-site VPN vs. ExpressRoute for hybrid encryption and throughput requirements: the VPN tunnel is IPsec-encrypted by default, while ExpressRoute offers higher throughput but no encryption unless you add MACsec or IPsec over the circuit

If you're unsure whether your grasp of these distinctions is exam-ready, cross-check against the broader AZ-500 Study Guide 2026: How to Pass on Your First Attempt, which maps study depth to each domain's weight.

Host and Network-Level Hardening

The final cluster of Domain 2 topics deals with securing the network path into compute resources themselves - a natural bridge into Domain 3. Expect questions on just-in-time VM access, adaptive network hardening recommendations, and configuring endpoint protection at the network boundary.

  • Just-in-time (JIT) VM access to reduce exposure windows for management ports
  • Adaptive network hardening recommendations surfaced through Microsoft Defender for Cloud
  • Securing management endpoints with Azure Bastion instead of public IPs
  • Network isolation for PaaS services like Azure SQL and Storage using service firewalls, virtual network rules (backed by Service Endpoints), and Private Endpoints, with public network access disabled once private paths are in place

Cross-Domain Overlap: JIT access and adaptive hardening technically live at the intersection of Domain 2 and Domain 4, since both are surfaced through Microsoft Defender for Cloud. Don't be surprised if a networking question references Defender recommendations directly.

How Domain 2 Questions Actually Look on the Exam

The AZ-500 uses multiple-choice questions, case studies, and interactive lab-style items, all within a 100-minute window and typically 40-60 total items. Domain 2 questions tend to favor scenario framing: a diagram or description of an existing environment, followed by a question about which single control addresses a stated risk.

Because the exam is proctored (either online or at a Pearson VUE test center) and includes split-pane access to Microsoft Learn documentation during the test, you're not expected to recite every configuration parameter from memory. What matters more is knowing which service solves which problem and being able to navigate documentation quickly if you need to confirm a detail like a rule-priority range or a firewall SKU limit.

Key Takeaway

Practice looking up Azure Firewall and NSG documentation quickly during mock exams - the split-pane Learn access is a real advantage only if you already know where to search.

For a broader sense of how tough this exam feels in practice across all domains, see How Hard Is the AZ-500 Exam? Complete Difficulty Guide 2026.

A Focused Study Timeline for Domain 2

Given that Domain 2 shares similar weight with Domain 3, many candidates study them back-to-back since networking underpins compute and storage isolation. Here's a compressed two-week block specifically for Domain 2 content, assuming you're running it as part of a larger multi-domain plan.

Week 1

NSGs, ASGs, and Perimeter Services

  • Build and test NSG rule priority scenarios in a sandbox subscription
  • Deploy Azure Firewall with network and application rule collections
  • Configure WAF policies on Application Gateway and compare with Front Door WAF

Week 2

Private Connectivity and Hardening

  • Set up a Private Endpoint for a storage account and verify DNS resolution
  • Compare Service Endpoint vs. Private Endpoint behavior side by side
  • Enable JIT VM access and review Defender for Cloud's adaptive network hardening output
  • Run timed practice questions mixing Domain 2 with Domain 1 identity scenarios

If generic scheduling templates aren't your style, you can adapt this timeline within the fuller plan outlined in the AZ-500 Study Guide 2026: How to Pass on Your First Attempt.

How Domain 2 Compares to the Other Three Domains

Seeing Domain 2 next to the other three domains helps calibrate how much relative effort it deserves versus, say, the heavier Defender for Cloud and Sentinel domain.

Domain                                                         Weight    Core focus
Domain 1: Secure identity and access                           15-20%    Entra ID, RBAC, PIM, conditional access
Domain 2: Secure networking                                    20-25%    NSGs, firewalls, DDoS, private connectivity
Domain 3: Secure compute, storage, and databases               20-25%    VM security, container security, data encryption
Domain 4: Secure Azure using Defender for Cloud and Sentinel   30-35%    Threat detection, SIEM/SOAR, security posture

Notice that Domain 2 and Domain 3 carry identical weight ranges, which is why many study plans treat them as a paired block. For the full picture across all four areas, read AZ-500 Exam Domains 2026: Complete Guide to All 4 Content Areas. If you want domain-by-domain depth beyond networking, the companion guides for Domain 1: Secure identity and access, Domain 3: Secure compute, storage, and databases, and Domain 4: Secure Azure using Microsoft Defender for Cloud and Microsoft Sentinel round out your prep.

Who Hires for These Networking Skills

Networking security skills validated by Domain 2 map directly to roles like cloud security engineer, network security administrator, and Azure infrastructure security specialist. Employers hiring for these positions typically want hands-on evidence of configuring firewalls, segmenting VNets, and locking down public endpoints - not just certification on paper.

If you're evaluating whether this cert translates into job opportunities, the practical answer is that networking depth is one of the more differentiating skill sets on a resume, since many cloud generalists focus on identity or compute but skip deep firewall and private connectivity work. Browse current listings in AZ-500 Jobs to see how often networking-specific requirements appear, and check AZ-500 Salary Guide 2026: Complete Earnings Analysis for how these skills factor into compensation conversations.

Retirement Reminder: AZ-500 retires August 31, 2026, after which it can no longer be earned or renewed. If Domain 2's networking content is your strongest area, that's still not a reason to delay - register with enough runway to sit the exam and, if needed, retake it before the cutoff.

Frequently Asked Questions

How much of the AZ-500 exam is networking-focused?

Domain 2, Secure networking, is weighted at 20-25% of the total exam, making it one of the two mid-weight domains alongside Domain 3.

Do I need hands-on Azure Firewall experience to pass Domain 2 questions?

Practical experience is strongly recommended. The skills outline expects familiarity with networking concepts, and scenario questions are easier to answer correctly when you've configured rule collections yourself rather than only reading about them.

What's the difference between Service Endpoints and Private Endpoints on the exam?

Service Endpoints extend your VNet's identity to a service but keep traffic on the service's public IP, and they cannot be used from on-premises networks. Private Endpoints assign a private IP inside your VNet, are reachable from peered VNets and on-premises over VPN or ExpressRoute, and keep traffic off the public internet entirely. Expect direct comparison questions on this distinction.

Can I look up networking documentation during the exam?

Yes. The AZ-500 provides split-pane access to Microsoft Learn documentation during the exam, so you can verify specific configuration details like firewall rule types or NSG defaults if needed.

Is Domain 2 harder than the identity domain?

Difficulty is subjective and depends on your background, but Domain 2 carries more exam weight (20-25% vs. 15-20% for Domain 1) and covers a wider range of services, so it typically requires more study time. See the full difficulty breakdown in How Hard Is the AZ-500 Exam? Complete Difficulty Guide 2026.

Mastering Domain 2 means treating Azure networking as a layered defense system rather than a checklist of individual services. Once NSGs, firewalls, private connectivity, and host-level hardening click together as one coherent story, the rest of your AZ-500 prep - including the heavier Defender for Cloud and Sentinel domain - becomes noticeably easier to absorb. Reinforce what you've learned here with timed scenario practice on our AZ-500 practice test platform, and revisit the main practice test site as you rotate through the other three domains.
