A VM in subnet S1 must accept RDP only from the administrator workstation at 203.0.113.25. The subnet NSG has a custom inbound deny-all rule at priority 200 and a custom allow-RDP rule at priority 300 for source 203.0.113.25, destination Any, TCP 3389. RDP is still blocked from the workstation. What should the administrator change?

Change the allow rule from inbound to outbound traffic.

RDP access to a VM is inbound traffic. Making the rule outbound would not permit remote connections to the server.

Change the protocol from TCP to Any on the deny-all rule.

The problem is rule order, not protocol matching. Broadening the deny rule would not allow the desired RDP session.

Attach a user-defined route so the workstation can reach the VM directly.

Routing controls the path packets take, but it does not override an NSG deny that blocks the port.

What does this AZ-104 question test?

CIDR notation defines the prefix length.

What is the correct answer to this question?

The correct answer is: Move the allow-RDP rule to a lower priority number than 200. — NSGs are evaluated from the lowest priority number to the highest. Since the deny-all inbound rule has priority 200 and the allow-RDP rule has priority 300, the deny rule wins first and blocks the session. The fix is to give the allow rule a higher precedence by assigning it a smaller number than 200. That way, only the administrator workstation can connect on TCP 3389, while all other inbound traffic remains blocked. Why others are wrong: Changing the rule to outbound does not help because RDP is an inbound connection to the VM. Widening protocol matching on the deny rule still leaves the deny in place. A UDR influences routing, not security filtering, so it cannot bypass an NSG deny. The issue is the evaluation order, not the existence of the rules themselves.

What should I do if I get this AZ-104 question wrong?

Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.