A three-tier application uses separate web and app VMs that are scaled in and out regularly. The administrator must allow only the web tier to connect to the app tier on TCP 8080 without continually updating IP addresses. What should be configured in the NSG rule?

Add a subnet-to-subnet peering connection between the web and app subnets.

Peering provides connectivity between VNets, but it does not restrict traffic to only the desired tier or replace NSG rules.

Create a load balancer backend pool rule for TCP 8080.

Load balancer backend pools distribute traffic, but they are not a security control for limiting east-west access between application tiers.

Use a user-defined route that sends TCP 8080 traffic to the app tier.

Routes select next hops and do not provide an allow-list based on source and destination roles like an NSG rule does.

What does this AZ-104 question test?

CIDR notation defines the prefix length.

What is the correct answer to this question?

The correct answer is: Use application security groups for the web and app tiers and reference those groups in the NSG rule. — Application security groups are designed for this exact problem: you can group the web servers and app servers by workload role, then write an NSG rule that permits traffic from one ASG to the other. That keeps the configuration stable even when VMs are added, removed, or reimaged. It is simpler and safer than maintaining a list of changing IP addresses. Why others are wrong: Peering changes network reachability but does not enforce tier-level access control. Load balancer backend pools are for traffic distribution, not security filtering. User-defined routes influence packet forwarding, not whether a connection is allowed. The requirement is about identity-based network filtering, which is what ASGs and NSGs are meant to solve.

What should I do if I get this AZ-104 question wrong?

Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.