Based on the exhibit, what should the administrator change to allow only the web tier to reach the app tier on TCP 8443?

Change the deny rule source from VirtualNetwork to Internet.

That would no longer block traffic from the web tier, but it would also weaken the intended protection by allowing broader VirtualNetwork access.

Associate the NSG with the virtual machine NIC instead of the subnet.

Changing the NSG association location does not fix rule precedence. The same deny rule would still block the traffic if it remains higher priority.

Replace the ASG destination with the subnet address range.

Using the subnet range would not solve the precedence problem and would make the rule less precise than the ASG-based design.

What does this AZ-104 question test?

CIDR notation defines the prefix length.

What is the correct answer to this question?

The correct answer is: Move the allow rule for WebTier-ASG to a priority lower than 100. — Azure NSG rules are processed in priority order, where the lowest priority number wins. In the exhibit, the deny rule at priority 100 matches TCP 8443 from VirtualNetwork to AppTier-ASG, which includes the web subnet traffic. The allow rule for WebTier-ASG is lower priority, so it never gets evaluated. Moving the allow rule to a priority lower than 100 lets only the web tier match first, while other VirtualNetwork sources remain blocked. Why others are wrong: Changing the source to Internet would not preserve the intended internal-only design and could permit more than the web tier. Moving the NSG to the NIC changes the attachment point, but not the fact that the deny rule still wins by priority. Replacing the destination ASG with a subnet range reduces precision and still does not address the rule-order conflict.

What should I do if I get this AZ-104 question wrong?

Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.