A Linux VM in a subnet must accept SSH only from the corporate admin subnet 10.8.4.0/24. The subnet NSG currently has an Allow-SSH rule for Any at priority 300 and a Deny-SSH rule for Any at priority 200. Administrators from 10.8.4.0/24 still cannot connect. What change should the administrator make?

Change the deny rule protocol from TCP to Any so the allow rule is evaluated first.

Rule protocol changes do not alter priority order, so the deny would still win.

Move the existing Allow-SSH rule to priority 400 so it applies later.

Moving the allow to a higher number makes it even less likely to be evaluated before the deny rule.

Add a route table to the subnet so the SSH packets follow a different path.

Routing does not override an NSG deny. The traffic is blocked by the security rule, not by path selection.

What does this AZ-104 question test?

Authentication checks who the user is.

What is the correct answer to this question?

The correct answer is: Add an Allow-SSH rule for 10.8.4.0/24 with a priority lower than 200. — The current deny rule at priority 200 is matched before the broader allow rule at 300, so SSH is blocked for everyone. To allow only the corporate admin subnet, the administrator must create a more specific allow rule with a lower priority number than the deny, such as 100. That rule should match the source subnet and TCP 22. This preserves least privilege and uses NSG evaluation order correctly. Why others are wrong: Changing protocol settings does not affect priority, so the deny still takes precedence. Lowering the existing allow to 400 makes it evaluate even later. A route table cannot fix an NSG denial because routing decisions happen independently of security filtering. The problem is rule order and specificity, not packet path.

What should I do if I get this AZ-104 question wrong?

Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.