Match each NSG or ASG scenario to the most accurate Azure security behavior.
Drag a concept onto its matching description — or click a concept then click the description.
The priority 200 deny is evaluated first and blocks the flow.
The destination NIC must be added to ASG-Api for the rule to match.
The service tag does not represent the workstation's IP; a rule for the real source or a VPN path is needed.
NSGs are stateful, so the return traffic is allowed automatically.
The lower-number deny rule wins because NSGs stop at the first matching rule.
Why these pairings
NSGs filter traffic at subnet or NIC level, while ASGs group VMs for scalable rule application. Service tags simplify rules for Azure services.