AZ-104 Router R1 Cannot Reach R3 Practice Questions

Explanation: NSG processing is based on priority, and the lowest numbered matching rule is applied first. In this case, the deny rule at priority 100 matches TCP 3389 from Any before the allow rule at 200 can be considered. The correct fix is to give the allow rule a lower number than the deny rule, such as 90, so the admin subnet is allowed while everyone else is still denied. Why others are wrong: Changing protocol settings does not change the evaluation order, so the deny still takes precedence. A UDR cannot override NSG behavior because routing and filtering are separate functions. An ASG can reduce IP management work, but it cannot make a lower-priority allow rule beat a higher-priority deny rule.

Explanation: For a small VM fleet, Azure Monitor platform metrics are the most cost-efficient way to track CPU because they are already available without collecting extra guest logs. Limiting diagnostic categories and performance counters further reduces ingestion and storage cost. Together, these choices provide the needed operational visibility while avoiding unnecessary log volume and workspace clutter. Why others are wrong: Collecting all Windows event logs or enabling verbose logging creates more data than this simple monitoring task requires. A separate workspace per VM adds complexity and usually does not improve cost efficiency. These choices are common mistakes when teams overcollect telemetry instead of using built-in metrics first.

Explanation: The 0.0.0.0/0 UDR is forcing all internet traffic to the virtual appliance, which prevents the NAT gateway from being used. NAT gateway applies to outbound internet traffic when a more specific user-defined route does not override it. Removing the default route and retaining only specific private-prefix routes is the correct way to let internet traffic egress through NAT while still steering internal destinations as needed. Why others are wrong: Adding another NAT gateway is not a supported fix and does not address route precedence. NSGs filter traffic but do not decide the next hop. Gateway route propagation only controls whether routes learned from a gateway are added to the effective route table; it does not override a manually configured 0.0.0.0/0 route.

Explanation: NSG processing is based on priority, where the lowest numerical value is evaluated first. In this case, the deny-all rule at priority 200 matches before the allow-HTTPS rule at 300, so inbound 443 traffic is blocked. The correct fix is to give the allow rule a lower number than the deny rule, such as 100, so HTTPS is permitted while the broader deny remains in place. Why others are wrong: A NIC-level allow rule cannot override a subnet-level deny that is evaluated first. Changing protocol settings does not change rule precedence. A route table does not provide access control, so it cannot open port 443. The problem is rule order, not routing or protocol syntax.

Explanation: The failure is explained by two NSG behaviors. First, the subnet NSG deny rule at priority 100 is evaluated before the allow rule at 200, so the deny wins for matching traffic. Second, Azure evaluates both subnet and NIC NSGs, and a deny in either scope blocks the packet. Even though the NIC has an allow rule, it cannot override a subnet-level deny that already matched. Why others are wrong: A NIC allow cannot override a subnet deny, so that statement is false. Public source ranges are absolutely valid in NSG rules, so the source does not need to be private. User-defined routes only affect routing, not security filtering, so they cannot bypass an NSG deny.