Based on the exhibit, what should the administrator change so the web tier can reach the database tier on TCP 443 without opening the subnet more broadly?

Delete the deny rule because default rules already block unwanted traffic.

Deleting the rule would expose more traffic than intended and is not the least-privilege fix.

Change the deny rule source from VirtualNetwork to Internet.

That would stop blocking internal traffic, but it would also weaken the intended restriction model.

Change the default inbound rule to AllowVnetInBound.

Default rules cannot be edited this way, and changing defaults would not solve the priority conflict.

What does this AZ-104 question test?

CIDR notation defines the prefix length.

What is the correct answer to this question?

The correct answer is: Move the allow rule for WebTierASG to a priority lower than 100. — Network security groups are processed in priority order, where the lowest number wins. In the exhibit, priority 100 denies TCP 443 from VirtualNetwork to any destination, so the later allow rule at priority 110 never gets a chance to match. Moving the specific allow rule above the deny rule lets only the intended ASG-to-ASG traffic pass, while keeping the broader deny in place for everything else. Why others are wrong: Deleting the deny rule would broaden access beyond the requirement. Changing the source of the deny rule alters the scope, but it does not preserve the intended layered control. Default NSG rules are not the right mechanism to override a custom rule priority problem, so the practical fix is to place the specific allow rule ahead of the broader deny.

What should I do if I get this AZ-104 question wrong?

Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.