An NSG attached to a subnet contains these inbound rules: Deny-All-Inbound at priority 200, Allow-HTTPS-Admin at priority 250 from 203.0.113.20/32, and Allow-HTTPS-Internet at priority 300. A VM in the subnet cannot receive HTTPS from the admin workstation even though the source IP is correct. What should the administrator change?

Change the protocol from TCP to Any on the allow rule.

The protocol already matches the traffic type in the scenario. Broadening protocol alone will not help if the deny rule is still evaluated first.

Associate a NAT gateway with the subnet.

A NAT gateway affects outbound source translation. It does not change inbound NSG evaluation or permit management access to a subnet.

Enable service endpoint policies on the subnet.

Service endpoint policies control Azure PaaS access over service endpoints. They are not used to permit inbound HTTPS to a VM.

What does this AZ-104 question test?

CIDR notation defines the prefix length.

What is the correct answer to this question?

The correct answer is: Move the Allow-HTTPS-Admin rule to a priority number lower than 200. — The problem is rule order, not source IP correctness. NSGs are evaluated from lowest priority number to highest, so the deny rule at 200 blocks the connection before the allow rule at 250 is reached. By moving the admin allow rule to a number lower than 200, the administrator ensures the desired HTTPS traffic is allowed first while the broader deny still blocks other inbound traffic. Why others are wrong: Changing the protocol does not matter when the traffic is already HTTPS and a higher-priority deny is in place. NAT gateway only influences outbound connections. Service endpoint policies do not apply to inbound VM access, so they cannot resolve this NSG conflict.

What should I do if I get this AZ-104 question wrong?

Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.