An internal line-of-business application runs on two VMs in Azure. Users connect only from a peered virtual network and from on-premises through VPN. The application must not be reachable from the internet, but traffic should be balanced across the two VMs. Which configuration should you choose?

A public Standard Load Balancer with a public frontend IP.

A public frontend exposes the service to the internet, which conflicts with the requirement that the application remain private.

A NAT gateway attached to the application subnet.

A NAT gateway is for outbound SNAT from a subnet. It does not distribute inbound user traffic across multiple VMs.

A network security group rule allowing TCP 443 from the internet.

An NSG can allow or deny traffic, but it cannot balance traffic or provide a private frontend for the app. Allowing internet access would also violate the stated requirement.

What does this AZ-104 question test?

CIDR notation defines the prefix length.

What is the correct answer to this question?

The correct answer is: A Standard Load Balancer with a private frontend IP. — A private frontend Standard Load Balancer is the right choice for an internal application that must stay off the internet but still needs traffic distribution across backend VMs. It provides load balancing for private clients, including peered VNets and hybrid-connected users, without publishing the service publicly. This keeps the application reachable only through the organization’s private network paths. Why others are wrong: A public load balancer would expose the app to the internet. NAT gateway handles outbound connectivity only and cannot balance inbound sessions. NSGs are useful for filtering traffic, but they do not perform load balancing or create the private frontend required for an internal service.

What should I do if I get this AZ-104 question wrong?

Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.