An NSG is associated with a subnet. It contains these inbound rules: - Priority 100: Deny TCP 443 from Internet to Any - Priority 200: Allow TCP 443 from 203.0.113.0/24 to Any A tester at 203.0.113.10 browses to the VM's HTTPS endpoint in that subnet. What happens?

The request is allowed because the more specific source range matches first.

A more specific source range does not matter when an earlier rule with a lower priority number also matches the traffic.

The request is denied only if the VM has no public IP address.

Public IP assignment does not change how the NSG evaluates matching rules. The decision is made from the rule set and packet attributes, not from the presence of a public IP.

The request is allowed because default NSG rules always override custom rules.

Default rules are evaluated after custom rules only when no custom rule matches. They do not override a matching custom deny rule with a higher priority.

What does this AZ-104 question test?

CIDR notation defines the prefix length.

What is the correct answer to this question?

The correct answer is: The request is denied because the priority 100 deny rule matches before the allow rule. — Azure NSGs use priority order to decide which matching rule applies. In this scenario, both custom rules match the inbound HTTPS traffic from 203.0.113.10. Because the deny rule has priority 100, it is processed before the allow rule at priority 200, and the traffic is blocked. The source range being more specific does not matter when an earlier rule already matches. Why others are wrong: Azure does not choose the most specific source range if a lower-numbered matching rule already exists. Whether the VM has a public IP is irrelevant to NSG rule evaluation. Default rules are only used when no custom rule matches, so they cannot override the custom deny rule here.

What should I do if I get this AZ-104 question wrong?

Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.