A VM in subnet S1 has two network security groups applied: one at the subnet and one directly on the NIC. The subnet NSG contains DenyAllInbound at priority 100 and AllowHTTPSFromOffice at priority 200. The NIC NSG contains AllowHTTPSFromOffice at priority 150 and no deny rules. Office users still cannot reach the VM on TCP 443. Which two statements are correct? Select two.

The NIC allow rule can override a deny decision already made by the subnet NSG.

A deny at either scope blocks the traffic; a NIC allow does not supersede a subnet deny.

The allow rule must use a private IP source range because public source ranges are not valid in NSG rules.

NSG source prefixes can be public IPs, service tags, or private ranges depending on the design.

A user-defined route with next hop Internet would bypass the NSG deny and restore access.

Routing decisions do not override NSG filtering; a deny rule still blocks the traffic.

What does this AZ-104 question test?

CIDR notation defines the prefix length.

What is the correct answer to this question?

The correct answer is: The subnet-level deny rule is evaluated before the later allow rule because lower priority numbers are processed first. — The failure is explained by two NSG behaviors. First, the subnet NSG deny rule at priority 100 is evaluated before the allow rule at 200, so the deny wins for matching traffic. Second, Azure evaluates both subnet and NIC NSGs, and a deny in either scope blocks the packet. Even though the NIC has an allow rule, it cannot override a subnet-level deny that already matched. Why others are wrong: A NIC allow cannot override a subnet deny, so that statement is false. Public source ranges are absolutely valid in NSG rules, so the source does not need to be private. User-defined routes only affect routing, not security filtering, so they cannot bypass an NSG deny.

What should I do if I get this AZ-104 question wrong?

Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.