A subnet has these inbound NSG rules: Rule 100 denies TCP 3389 from Internet, Rule 200 allows TCP 3389 from 10.0.0.0/8, and Rule 300 allows TCP 3389 from AzureLoadBalancer. An administrator in 10.20.5.4 cannot RDP to a VM in the subnet. Why is the connection denied?

The AzureLoadBalancer service tag blocks all other inbound traffic on that port.

The AzureLoadBalancer tag does not block traffic from non-Azure sources; it only matches load balancer probe traffic.

The VM needs a public IP address for RDP to work from a private source.

A public IP is not required for RDP inside Azure or from an appropriate private network path.

NSG rules are processed by longest prefix match, so the /8 source loses to the /32 VM address.

NSGs do not use longest-prefix match. They are processed by priority, then rule match criteria.

What does this AZ-104 question test?

CIDR notation defines the prefix length.

What is the correct answer to this question?

The correct answer is: The deny rule at priority 100 matches before the allow rule at priority 200. — NSG evaluation is based on priority, and the lowest priority number wins. If a deny rule matches earlier than an allow rule, the connection is blocked even when the administrator expects the allow rule to apply. In operational troubleshooting, you should always check whether a broader deny rule has a higher precedence than the intended allow rule. Rule order is a common source of unexpected access failures in Azure networking. Why others are wrong: B confuses a service tag with a blocking mechanism. C is incorrect because private RDP access does not require a public IP. D describes routing behavior, not NSG rule processing.

What should I do if I get this AZ-104 question wrong?

Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.