Question 334 of 1,170
Implement and Manage Virtual NetworkinghardMultiple ChoiceObjective-mapped

Azure NSG Rule Priority Order

This AZ-104 practice question tests your understanding of implement and manage virtual networking. The scenario asks you to isolate a root cause — eliminate options that address a different problem before choosing. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

A subnet NSG contains these inbound rules: Priority 100 denies TCP 8443 from VirtualNetwork to any destination, Priority 110 allows TCP 8443 from AzureLoadBalancer to any destination, and Priority 200 allows TCP 8443 from ASG-Web to ASG-App. The app VM NIC has no additional inbound rules. Web servers are members of ASG-Web and the app VM is a member of ASG-App. The web tier still cannot connect to TCP 8443. What should the administrator change?

Answer choices

Why each option matters

Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.

Correct answer & explanation

Move the allow rule for ASG-Web to ASG-App to a priority lower than 100.

The correct answer is A because NSG rules are evaluated in priority order, from lowest to highest number. The deny rule at priority 100 explicitly blocks TCP 8443 from VirtualNetwork, which includes traffic from ASG-Web (since ASG-Web members are within the virtual network). The allow rule at priority 110 only permits traffic from AzureLoadBalancer, not from ASG-Web. The allow rule at priority 200 is never evaluated because the deny rule at priority 100 matches first. By moving the allow rule for ASG-Web to ASG-App to a priority lower than 100 (e.g., 90), it will be evaluated before the deny rule, allowing the web servers to connect.

Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • Move the allow rule for ASG-Web to ASG-App to a priority lower than 100.

    Why this is correct

    NSG rules are processed in priority order, and the first matching rule wins. The deny rule at priority 100 matches traffic from the web tier because it comes from the same virtual network. Moving the specific allow rule to a lower number than 100 lets it match first while still keeping the source and destination restricted to the intended application security groups.

    Related concept

    Read the scenario before looking for a memorised answer.

  • Replace ASG-Web with the VirtualNetwork service tag in the allow rule.

    Why it's wrong here

    Using VirtualNetwork would broaden the rule to more sources, not narrow it. It would also still lose to the deny rule at priority 100 unless the rule order changes.

    When this WOULD be correct

    If the question involved allowing traffic from all Azure virtual networks (e.g., for multi-subnet access) and there was no conflicting deny rule, using the VirtualNetwork service tag would be appropriate.

  • Add a route table that sends TCP 8443 traffic to the app subnet.

    Why it's wrong here

    A route table controls next hop selection, not NSG filtering. Routing changes cannot override an inbound deny rule, so the connection would still be blocked.

    When this WOULD be correct

    A route table would be correct if the question stated that traffic from the web tier to the app VM is being dropped due to missing routing (e.g., the app subnet has a default route pointing to a network virtual appliance that is not forwarding the traffic), and the NSG is already allowing the traffic.

  • Create a second NSG on the app NIC with an allow rule at priority 50.

    Why it's wrong here

    A NIC-level allow rule cannot override a subnet-level deny that already matched traffic first. The effective decision is still deny when the subnet rule with the lower priority number applies.

    When this WOULD be correct

    This option would be correct if the question stated that the app VM's subnet NSG had no relevant rules (or only allow rules) and the web tier's traffic was being blocked by a default deny on the subnet NSG. In that case, adding a higher-priority allow rule on the NIC NSG would permit the traffic.

Option-by-option analysis

Why each answer is right or wrong

Understanding why wrong answers are wrong — and when they would be correct — is what separates a 750 score from a 900. The AZ-104 exam frequently reuses these exact scenarios with slightly different constraints.

Move the allow rule for ASG-Web to ASG-App to a priority lower than 100.Correct answer

Why this is correct

NSG rules are processed in priority order, and the first matching rule wins. The deny rule at priority 100 matches traffic from the web tier because it comes from the same virtual network. Moving the specific allow rule to a lower number than 100 lets it match first while still keeping the source and destination restricted to the intended application security groups.

Replace ASG-Web with the VirtualNetwork service tag in the allow rule.Wrong answer — click to see why

Why this is wrong here

The deny rule at priority 100 blocks all traffic from VirtualNetwork, which includes ASG-Web. Replacing ASG-Web with VirtualNetwork would not resolve the issue because the deny rule still applies to VirtualNetwork traffic.

★ When this WOULD be the correct answer

If the question involved allowing traffic from all Azure virtual networks (e.g., for multi-subnet access) and there was no conflicting deny rule, using the VirtualNetwork service tag would be appropriate.

Why candidates choose this

Candidates may think that using a broader service tag like VirtualNetwork would override the deny rule, not realizing that the deny rule also uses VirtualNetwork and has higher priority.

Add a route table that sends TCP 8443 traffic to the app subnet.Wrong answer — click to see why

Why this is wrong here

Route tables control traffic between subnets or to on-premises/VNet, but they do not override NSG rules. Since the NSG is blocking the traffic, adding a route table does not bypass the NSG; the traffic is still denied by the NSG.

★ When this WOULD be the correct answer

A route table would be correct if the question stated that traffic from the web tier to the app VM is being dropped due to missing routing (e.g., the app subnet has a default route pointing to a network virtual appliance that is not forwarding the traffic), and the NSG is already allowing the traffic.

Why candidates choose this

Candidates may confuse the roles of NSGs and route tables, thinking that a route can override an NSG deny rule, or they may assume that traffic is being dropped at the routing layer rather than by the NSG.

Create a second NSG on the app NIC with an allow rule at priority 50.Wrong answer — click to see why

Why this is wrong here

Creating a second NSG on the app NIC with an allow rule at priority 50 would not help because the subnet NSG's deny rule at priority 100 still applies to traffic from the web tier (which is in the VirtualNetwork). The NIC NSG cannot override a subnet NSG deny rule; both are evaluated, and a deny in either blocks traffic.

★ When this WOULD be the correct answer

This option would be correct if the question stated that the app VM's subnet NSG had no relevant rules (or only allow rules) and the web tier's traffic was being blocked by a default deny on the subnet NSG. In that case, adding a higher-priority allow rule on the NIC NSG would permit the traffic.

Why candidates choose this

Candidates may think that a NIC NSG with a higher priority rule can override a subnet NSG deny rule, or they may confuse the evaluation order of subnet vs. NIC NSGs.

Analysis generated from the official AZ-104blueprint and verified against question context. The “when correct” sections are what AI assistants cite when candidates ask “what’s the difference between these options?”

Common exam traps

Common exam trap: answer the scenario, not the keyword

The trap here is that candidates often assume a more specific rule (like ASG-Web to ASG-App) will override a broader deny rule, but NSG priority is strictly numeric, not based on specificity, so a lower-priority allow rule is never evaluated if a higher-priority deny rule matches first.

Detailed technical explanation

How to think about this question

NSG rules are processed in ascending priority order, and once a rule matches, no further rules are evaluated for that packet. The VirtualNetwork service tag encompasses all virtual network IP ranges, including ASG members, so a deny rule with that tag blocks traffic from any VM in the virtual network. Application security groups (ASGs) allow grouping of VMs by application role, but they do not override priority-based rule evaluation; the rule with the lowest priority number wins regardless of specificity.

KKey Concepts to Remember

  • Read the scenario before looking for a memorised answer.
  • Find the constraint that changes the correct option.
  • Eliminate answers that are true in general but not in this case.

TExam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Real-world example

How this comes up in practice

A media company stores terabytes of video archives that are accessed once a year for audit purposes. Moving these objects to a cold storage tier (Azure Archive, S3 Glacier, or Google Nearline) costs a fraction of hot storage. Questions like this test whether you understand storage tiers, access frequency tradeoffs, and retrieval latency requirements.

Visual reference

Source Router + ACL permit 10.0.0.0/8 deny any Server 10.0.0.5 ✓ 192.168.1.1 ✗ dropped ACLs evaluate top-down; first match wins — implicit deny all at end

What to study next

Got this wrong? Here's your next step.

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

Related practice questions

Related AZ-104 practice-question pages

Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.

Practice this exam

Start a free AZ-104 practice session

Short sessions build daily habit. Longer sessions build exam-day stamina. Try a timed session to simulate real conditions.

FAQ

Questions learners often ask

What does this AZ-104 question test?

Implement and Manage Virtual Networking — This question tests Implement and Manage Virtual Networking — Read the scenario before looking for a memorised answer..

What is the correct answer to this question?

The correct answer is: Move the allow rule for ASG-Web to ASG-App to a priority lower than 100. — The correct answer is A because NSG rules are evaluated in priority order, from lowest to highest number. The deny rule at priority 100 explicitly blocks TCP 8443 from VirtualNetwork, which includes traffic from ASG-Web (since ASG-Web members are within the virtual network). The allow rule at priority 110 only permits traffic from AzureLoadBalancer, not from ASG-Web. The allow rule at priority 200 is never evaluated because the deny rule at priority 100 matches first. By moving the allow rule for ASG-Web to ASG-App to a priority lower than 100 (e.g., 90), it will be evaluated before the deny rule, allowing the web servers to connect.

What should I do if I get this AZ-104 question wrong?

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

What is the key concept behind this question?

Read the scenario before looking for a memorised answer.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →

How Courseiva writes practice questions · Editorial policy

Same concept, more angles

6 more ways this is tested on AZ-104

These questions test the same concept from different angles. Work through them to make sure you can recognise it however the exam phrases it.

Variation 1. Based on the exhibit, why is TCP 8443 traffic from the web tier still denied to the app tier, and what should you do to allow only the web tier?

medium
  • A.Change the deny-all rule at priority 200 to allow TCP 8443 from ASG-Web.
  • B.Add an inbound allow rule for TCP 8443 from ASG-Web to ASG-App with a priority lower than 100.
  • C.Add a route table entry for 8443 traffic from the web tier to the app tier.
  • D.Remove the AzureLoadBalancer rule because it is overriding the web tier traffic.

Why B: Option B is correct because in Azure Network Security Groups (NSGs), rules are evaluated in priority order, with lower numbers evaluated first. The existing rule at priority 100 allows traffic from the web tier but does not explicitly allow TCP 8443, so a subsequent deny-all rule at priority 200 blocks it. To allow only the web tier, you must add an inbound allow rule for TCP 8443 from ASG-Web with a priority lower than 100 (e.g., 90). This new rule is evaluated before the existing rule at priority 100, permitting the desired traffic while still blocking other sources.

Variation 2. A web tier and API tier run in different subnets. The API subnet NSG currently has Deny-8443 from Any at priority 200 and Allow-8443-WebToApi from ASG-Web to ASG-Api at priority 300. Web requests on TCP 8443 are failing. Which two changes should the administrator make? Select two.

medium
  • A.Move the allow rule to a higher priority number than 200.
  • B.Move the allow rule to a lower priority number than 200.
  • C.Ensure the web NICs are added to ASG-Web and the API NICs are added to ASG-Api.
  • D.Change the rule protocol from TCP to Any.
  • E.Attach a route table to the API subnet to override the deny behavior.

Why B: B is correct because NSG rules are evaluated in priority order, with lower numbers having higher priority. The Deny-8443 rule at priority 200 is evaluated before the Allow-8443-WebToApi rule at priority 300, so the deny rule blocks the traffic. Moving the allow rule to a lower priority number (e.g., 100) ensures it is evaluated first, allowing the traffic. C is correct because the allow rule uses application security groups (ASGs); if the web and API NICs are not assigned to the respective ASGs, the rule will not match any traffic, effectively making it a no-op.

Variation 3. A Linux VM in a subnet must accept SSH only from the corporate admin subnet 10.8.4.0/24. The subnet NSG currently has an Allow-SSH rule for Any at priority 300 and a Deny-SSH rule for Any at priority 200. Administrators from 10.8.4.0/24 still cannot connect. What change should the administrator make?

medium
  • A.Change the deny rule protocol from TCP to Any so the allow rule is evaluated first.
  • B.Add an Allow-SSH rule for 10.8.4.0/24 with a priority lower than 200.
  • C.Move the existing Allow-SSH rule to priority 400 so it applies later.
  • D.Add a route table to the subnet so the SSH packets follow a different path.

Why B: The subnet NSG has a Deny-SSH rule for Any at priority 200, which blocks all SSH traffic regardless of source. To allow SSH only from 10.8.4.0/24, an Allow-SSH rule for that specific subnet must be added with a priority lower (numerically smaller) than 200, such as 150, so it is evaluated before the deny rule. Since NSG rules are processed in ascending priority order (lowest number first), the allow rule at a lower number will match traffic from 10.8.4.0/24 and permit it, preventing the deny rule from being evaluated for that source. Option B correctly describes adding an allow rule with priority lower than 200.

Variation 4. A VM in subnet S1 must accept RDP only from the administrator workstation at 203.0.113.25. The subnet NSG has a custom inbound deny-all rule at priority 200 and a custom allow-RDP rule at priority 300 for source 203.0.113.25, destination Any, TCP 3389. RDP is still blocked from the workstation. What should the administrator change?

medium
  • A.Move the allow-RDP rule to a lower priority number than 200.
  • B.Change the allow rule from inbound to outbound traffic.
  • C.Change the protocol from TCP to Any on the deny-all rule.
  • D.Attach a user-defined route so the workstation can reach the VM directly.

Why A: Network Security Group (NSG) rules are evaluated in priority order, with lower numbers having higher precedence. The deny-all rule at priority 200 is evaluated before the allow-RDP rule at priority 300, so the deny rule blocks the RDP traffic before the allow rule can be applied. To allow RDP from the workstation, the allow-RDP rule must have a lower priority number (e.g., 100) than the deny-all rule, ensuring it is evaluated first.

Variation 5. A VM in Azure cannot accept RDP connections from your office public IP. The subnet NSG already has an inbound deny-all rule at priority 200, and you added an allow rule for TCP 3389 from 198.51.100.25/32 at priority 300. What should you do to allow the connection?

medium
  • A.Change the source to Internet so the allow rule matches more traffic.
  • B.Create or move the allow rule to priority 100 so it is evaluated before the deny rule.
  • C.Change the protocol from TCP to Any to bypass the deny rule.
  • D.Assign a public IP directly to the VM to override the subnet NSG behavior.

Why B: Network Security Group (NSG) rules are evaluated in priority order, with lower numbers having higher precedence. Since the deny-all rule at priority 200 is evaluated before the allow rule at priority 300, the deny rule blocks the RDP traffic. To allow the connection, the allow rule must be created or moved to a priority lower than 200 (e.g., 100) so it is evaluated first, permitting traffic from 198.51.100.25/32 on TCP 3389 before the deny rule is reached.

Variation 6. Which two statements about network security group processing are correct? Select two.

easy
  • A.NSG rules are evaluated starting with the lowest priority number.
  • B.An NSG can be linked only to a subnet, not to a network interface card.
  • C.A deny rule with a lower number can block traffic even if an allow rule exists later.
  • D.Azure ignores NSG rules whenever a route table is attached to the subnet.
  • E.Security rules are processed alphabetically by name.

Why A: Option A is correct because NSG rules are processed in order of increasing priority number, meaning the rule with the lowest priority number (e.g., 100) is evaluated first. This ensures that more specific or critical rules can be applied before broader rules with higher priority numbers.

Keep practising

More AZ-104 practice questions

Last reviewed: Jun 11, 2026

Question Discussion

Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.

Loading comments…

Sign in to join the discussion.

This AZ-104 practice question is part of Courseiva's free Microsoft certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the AZ-104 exam.