Backend virtual machines are rebuilt frequently and often receive different private IP addresses. An administrator must allow the frontend tier to reach the backend tier on TCP 8443 without editing NSG rules every time the backend IP changes. What should the administrator use in the NSG rule?

A static private IP address for each backend VM.

Static IPs can reduce change, but they do not scale well and are not the best way to target a workload tier in an NSG.

A user-defined route pointing frontend traffic to the backend subnet.

A route changes packet forwarding, but it does not create an authorization rule or replace NSG targeting.

A private endpoint for the backend tier.

Private endpoints are for PaaS services, not for grouping Azure VMs inside a subnet for NSG rules.

What does this AZ-104 question test?

CIDR notation defines the prefix length.

What is the correct answer to this question?

The correct answer is: An Application Security Group that contains the backend VMs. — Application Security Groups are designed for this exact scenario. Instead of writing NSG rules against changing backend IP addresses, the administrator assigns the backend VMs to an ASG and references that ASG in the allow rule. The NSG then follows the workload identity rather than the IP assignment. This makes the rule durable even when the backend tier is rebuilt, resized, or readdressed. Why others are wrong: Static IPs do not solve the broader management problem and still require IP-specific rule maintenance. User-defined routes control path selection, not access control, so they cannot replace an NSG rule. Private endpoints are for accessing supported platform services privately and are not used to group customer VMs for intra-VNet filtering. The correct abstraction here is an ASG.

What should I do if I get this AZ-104 question wrong?

Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.