A three-tier application uses separate web and app VMs. The requirement is to allow only the web tier to reach the app tier on TCP 8080. The app subnet NSG already contains a DenyAllInbound rule at priority 200. What should the administrator do?

Move the DenyAllInbound rule to priority 300 so all traffic is blocked first.

A lower-priority deny rule would not block traffic before the allow rule and would not create the required exception.

Add a user-defined route from the web subnet to the app subnet.

Routing controls path selection, but it does not grant or deny access to TCP 8080.

Associate the web and app NICs with the same application security group.

Putting both tiers in one ASG removes the source and destination separation needed for least privilege.

What does this AZ-104 question test?

CIDR notation defines the prefix length.

What is the correct answer to this question?

The correct answer is: Create an inbound allow rule for the web ASG to the app ASG on TCP 8080 with priority 150. — The app subnet NSG already denies inbound traffic at priority 200, so any exception must be evaluated earlier. Creating an allow rule at priority 150 with the web ASG as source, the app ASG as destination, and TCP 8080 as the port allows only the intended traffic. This design is scalable because the rule follows the application tiers rather than individual IP addresses, which change frequently in Azure environments. Why others are wrong: Changing the deny rule's priority does not create the needed exception and can accidentally disrupt other traffic. A user-defined route affects next-hop selection, not security decisions. Using one ASG for both tiers defeats the purpose of tier-based filtering and makes the rule much less precise than required.

What should I do if I get this AZ-104 question wrong?

Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.