A web application runs on three VMs in a backend subnet. The backend team wants the load balancer in the frontend tier to reach the VMs on TCP 8443, and they want the rule to keep working even if the backend VM IP addresses change. What should you use in the NSG rule?

Use the individual private IP addresses of each backend VM as the source.

This works only while the VM IPs stay the same and does not simplify rule maintenance when addresses change.

Use the VirtualNetwork service tag for both source and destination.

This is too broad because it can allow traffic from many resources inside the virtual network, not just the frontend tier.

Create a route table entry that sends TCP 8443 traffic to the backend subnet.

Route tables control next-hop selection, not security filtering. They cannot allow or deny traffic on a port.

What does this AZ-104 question test?

Authentication checks who the user is.

What is the correct answer to this question?

The correct answer is: Use an application security group for the frontend tier as the source and another ASG for the backend tier as the destination. — Application security groups are designed for tier-based NSG rules. Instead of binding the rule to changing IP addresses, you assign the NICs of the frontend and backend VMs to ASGs and then reference those ASGs in the NSG rule. This keeps the configuration stable when VMs are replaced, resized, or reimaged. It also improves readability because the security rule reflects the application design, not individual IP assignments. Why others are wrong: A is brittle because IPs can change and the rule would need manual updates. C is too broad for least privilege because it does not limit access to just the frontend tier. D is the wrong tool because routing decisions do not grant or restrict port access.

What should I do if I get this AZ-104 question wrong?

Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.