Question 346 of 1,170
Implement and Manage Virtual NetworkingmediumMultiple ChoiceObjective-mapped

Quick Answer

The correct answer is to use application security groups for the web and app tiers and reference those groups in the NSG rule. This works because application security groups allow you to group Azure VMs logically by their application role—such as web tier or app tier—rather than by static IP addresses. When you create an inbound NSG rule that allows TCP 8080 from the web-tier ASG to the app-tier ASG, the rule dynamically applies to all VMs within those groups, so scaling in or out never requires updating IP addresses or CIDR ranges. On the AZ-104 exam, this scenario tests your understanding of how ASGs decouple network security from network topology; a common trap is to default to service tags or fixed IP ranges, which fail when VMs scale dynamically. Remember the key advantage: ASGs let you write rules based on application function, not IP address. A helpful memory tip is to think of ASGs as “role-based security labels” for your VMs—once labeled, the NSG rule follows the label, not the IP.

AZ-104 Implement and Manage Virtual Networking Practice Question

This AZ-104 practice question tests your understanding of implement and manage virtual networking. This is a configuration task: choose the command set that satisfies every stated requirement. Small differences — like 'secret' vs 'password' or 'transport input ssh' vs 'all' — change whether the answer is correct. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

A three-tier application uses separate web and app VMs that are scaled in and out regularly. The administrator must allow only the web tier to connect to the app tier on TCP 8080 without continually updating IP addresses. What should be configured in the NSG rule?

Question 1mediummultiple choice
Full question →

Answer choices

Why each option matters

Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.

Correct answer & explanation

Use application security groups for the web and app tiers and reference those groups in the NSG rule.

Application security groups (ASGs) allow you to group VMs logically by their application role (e.g., web tier, app tier) and reference those groups directly in NSG rules. This eliminates the need to maintain individual IP addresses or CIDR ranges when VMs scale in or out, because the NSG rule dynamically applies to all VMs in the ASG. By creating an inbound NSG rule that allows TCP 8080 from the web-tier ASG to the app-tier ASG, the administrator achieves the required connectivity without manual IP updates.

Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • Use application security groups for the web and app tiers and reference those groups in the NSG rule.

    Why this is correct

    Application security groups let the administrator group VMs by role rather than by IP address. The NSG rule can then allow traffic from the web ASG to the app ASG on TCP 8080. This is a good fit for environments that scale or change frequently because the NSG does not need constant editing whenever VM addresses change.

    Related concept

    Read the scenario before looking for a memorised answer.

  • Add a subnet-to-subnet peering connection between the web and app subnets.

    Why it's wrong here

    Peering provides connectivity between VNets, but it does not restrict traffic to only the desired tier or replace NSG rules.

  • Create a load balancer backend pool rule for TCP 8080.

    Why it's wrong here

    Load balancer backend pools distribute traffic, but they are not a security control for limiting east-west access between application tiers.

  • Use a user-defined route that sends TCP 8080 traffic to the app tier.

    Why it's wrong here

    Routes select next hops and do not provide an allow-list based on source and destination roles like an NSG rule does.

Common exam traps

Common exam trap: answer the scenario, not the keyword

The trap here is that candidates often confuse network-level controls (like UDRs or VNet peering) with application-layer access control, or they incorrectly assume that a load balancer rule can replace a security rule for source-based filtering.

Detailed technical explanation

How to think about this question

Under the hood, an NSG rule referencing an ASG uses the Azure Fabric Controller to dynamically resolve the private IP addresses of all VMs in the ASG at the time of rule evaluation. This means that as VMs are added or removed during scaling, the NSG automatically updates its effective security rules without any manual intervention. In a real-world scenario, this is critical for auto-scaling environments where IP addresses change frequently, as it avoids the operational overhead of maintaining NSG rule updates or using service tags for custom application tiers.

KKey Concepts to Remember

  • Read the scenario before looking for a memorised answer.
  • Find the constraint that changes the correct option.
  • Eliminate answers that are true in general but not in this case.

TExam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Real-world example

How this comes up in practice

A media company stores terabytes of video archives that are accessed once a year for audit purposes. Moving these objects to a cold storage tier (Azure Archive, S3 Glacier, or Google Nearline) costs a fraction of hot storage. Questions like this test whether you understand storage tiers, access frequency tradeoffs, and retrieval latency requirements.

What to study next

Got this wrong? Here's your next step.

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

Related practice questions

Related AZ-104 practice-question pages

Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.

Practice this exam

Start a free AZ-104 practice session

Short sessions build daily habit. Longer sessions build exam-day stamina. Try a timed session to simulate real conditions.

FAQ

Questions learners often ask

What does this AZ-104 question test?

Implement and Manage Virtual Networking — This question tests Implement and Manage Virtual Networking — Read the scenario before looking for a memorised answer..

What is the correct answer to this question?

The correct answer is: Use application security groups for the web and app tiers and reference those groups in the NSG rule. — Application security groups (ASGs) allow you to group VMs logically by their application role (e.g., web tier, app tier) and reference those groups directly in NSG rules. This eliminates the need to maintain individual IP addresses or CIDR ranges when VMs scale in or out, because the NSG rule dynamically applies to all VMs in the ASG. By creating an inbound NSG rule that allows TCP 8080 from the web-tier ASG to the app-tier ASG, the administrator achieves the required connectivity without manual IP updates.

What should I do if I get this AZ-104 question wrong?

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

What is the key concept behind this question?

Read the scenario before looking for a memorised answer.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →

How Courseiva writes practice questions · Editorial policy

Last reviewed: Jun 11, 2026

Question Discussion

Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.

Loading comments…

Sign in to join the discussion.

This AZ-104 practice question is part of Courseiva's free Microsoft certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the AZ-104 exam.