The correct answer is to add an inbound allow rule for TCP 8443 from ASG-Web to ASG-App with a priority number lower than 100. Azure NSG rules are evaluated from the lowest priority number upward, and the first rule that matches decides the outcome. The exhibit's rule at priority 100 denies TCP 8443 from the VirtualNetwork service tag; because the web tier sits in the same virtual network, that deny matches web-tier traffic before anything else is considered. The allow at 110 covers only the AzureLoadBalancer tag, and the deny-all at 200 is never reached for this flow. On the AZ-104 exam this scenario tests whether you trace evaluation to the first matching rule rather than assuming the deny-all at the bottom is what blocks the traffic; a common trap is inserting the allow between 100 and 200, which still sits behind the priority-100 deny. Scoping the new rule to ASG-Web and ASG-App keeps everything else in the VNet blocked. Memory tip: NSG priority is a queue, not a ranking. The lowest number is at the front, and whoever matches first decides, so a deny at 100 stops the packet before any allow at 150 gets its turn.
AZ-104 Implement and Manage Virtual Networking Practice Question
This AZ-104 practice question tests your understanding of implement and manage virtual networking. Match the stated requirement to the specific cloud service, access model, or configuration option — many options are valid in isolation but not for this scenario. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.
Exhibit
Inbound NSG rules on the app subnet:
Priority 100 Deny TCP 8443 Source: VirtualNetwork Destination: Any
Priority 110 Allow TCP 8443 Source: AzureLoadBalancer Destination: Any
Priority 200 Deny Any Source: Any Destination: Any
The web tier and app tier are in the same virtual network. The app tier uses application security group ASG-App. The web tier uses application security group ASG-Web.
Based on the exhibit, why is TCP 8443 traffic from the web tier still denied to the app tier, and what should you do to allow only the web tier?
A
Change the deny-all rule at priority 200 to allow TCP 8443 from ASG-Web.
Why wrong: The priority-200 rule has a higher number than the deny at priority 100, so for web-tier traffic on TCP 8443 it is never reached; the deny at 100 matches first. Rewriting the deny-all also discards the default-deny posture it provides.
B
Add an inbound allow rule for TCP 8443 from ASG-Web to ASG-App with a priority lower than 100.
Why right: An allow rule must be evaluated before the existing deny rule at priority 100, and using ASGs limits access to the web tier.
C
Add a route table entry for 8443 traffic from the web tier to the app tier.
Why wrong: Routes determine next hop selection, not whether NSG rules allow or deny a port.
D
Remove the AzureLoadBalancer rule because it is overriding the web tier traffic.
Why wrong: The AzureLoadBalancer rule is an allow, so it cannot block anything, and its source tag matches only the platform load balancer's health-probe traffic, not web-tier VMs.
Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.
Correct answer & explanation
✓
Add an inbound allow rule for TCP 8443 from ASG-Web to ASG-App with a priority lower than 100.
Option B is correct because Azure Network Security Group (NSG) rules are evaluated in priority order, lowest number first, and evaluation stops at the first match. The rule at priority 100 denies TCP 8443 from the VirtualNetwork service tag; the web tier is in the same virtual network, so its traffic matches that deny immediately. The allow at 110 applies only to the AzureLoadBalancer tag, and the deny-all at 200 is never reached for this flow. To allow only the web tier, add an inbound allow rule for TCP 8443 with source ASG-Web, destination ASG-App and a priority number below 100 (for example 90), so it is evaluated before the deny. Every other source in the VNet still hits the deny at 100, and everything else falls through to the deny-all at 200.
Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.
Answer analysis
Option-by-option breakdown
For each option: why learners choose it and why it is or isn't the right answer here.
✗
Change the deny-all rule at priority 200 to allow TCP 8443 from ASG-Web.
Why it's wrong here
The priority-200 rule has a higher number than the deny at priority 100, so for web-tier traffic on TCP 8443 it is never reached; the deny at 100 matches first. Rewriting the deny-all also discards the default-deny posture it provides.
✓
Add an inbound allow rule for TCP 8443 from ASG-Web to ASG-App with a priority lower than 100.
Why this is correct
An allow rule must be evaluated before the existing deny rule at priority 100, and using ASGs limits access to the web tier.
Related concept
Read the scenario before looking for a memorised answer.
✗
Add a route table entry for 8443 traffic from the web tier to the app tier.
Why it's wrong here
Routes determine next hop selection, not whether NSG rules allow or deny a port.
✗
Remove the AzureLoadBalancer rule because it is overriding the web tier traffic.
Why it's wrong here
The AzureLoadBalancer rule is an allow, so it cannot block anything, and its source tag matches only the platform load balancer's health-probe traffic, not web-tier VMs.
Common exam traps
Common exam trap: answer the scenario, not the keyword
The trap here is that candidates see the deny-all at priority 200 and assume it is what blocks the traffic, so they either edit that rule or slot an allow just above it. Neither helps: the deny at priority 100 already matches TCP 8443 from anything in the virtual network, and evaluation stops there. The fix has to land below 100, and it has to be scoped with ASG-Web and ASG-App so that the rest of the VNet stays blocked.
Detailed technical explanation
How to think about this question
Azure NSGs process rules in ascending priority number, and once a rule matches, no further rules are evaluated. In the exhibit the first match for web-tier traffic on TCP 8443 is the deny at priority 100 (source VirtualNetwork), so an allow at 150 would never be reached; the new allow must carry a number below 100, such as 90, and should use ASG-Web as source and ASG-App as destination so it matches only that flow. In real-world deployments this pattern implements a 'default deny' posture: a custom deny-all sits at the bottom of the custom range, specific allows sit above it, and each allow must be checked against every deny with a smaller number. Two further points matter in practice. Azure's built-in default rules (65000 AllowVnetInBound, 65001 AllowAzureLoadBalancerInBound, 65500 DenyAllInBound) sit behind all custom rules, which is why the exhibit needs its own deny to block VNet traffic at all. And when both a subnet NSG and a NIC NSG exist, inbound traffic must be allowed by both, so an allow on the NIC cannot undo a deny on the subnet.
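The evaluation model described above, written out as an added example (this is not code from the page or from Microsoft). It models first-match-by-priority inbound evaluation, Azure's built-in default rules, the VirtualNetwork and AzureLoadBalancer service tags, ASG membership and the subnet-then-NIC chaining, then runs the exhibit, the correct fix at priority 90, the trap at priority 150, and Variation 1's NIC-NSG distractor. The VNet range 10.1.0.0/16, the VM addresses and the ASG membership are constructed for the example, and the VirtualNetwork tag is simplified to the VNet's own range.

```python
"""Model of Azure NSG inbound evaluation: first match by ascending priority,
service tags, application security groups, and subnet + NIC NSG chaining.
Addresses, ASG membership and the VNet range are constructed for the example."""
import ipaddress
from dataclasses import dataclass

# Constructed topology (assumption, not from the page): one VNet, a web VM,
# an app VM and an unrelated VM in the same VNet.
VNET = ipaddress.ip_network("10.1.0.0/16")
ASG_MEMBERS = {"ASG-Web": {"10.1.1.4"}, "ASG-App": {"10.1.2.4"}}
# Service tags, simplified: VirtualNetwork is modelled as the VNet range only
# (in Azure it also covers peered VNets and on-premises ranges learned via a
# gateway); AzureLoadBalancer is the platform probe source 168.63.129.16.
SERVICE_TAGS = {
    "VirtualNetwork": [VNET],
    "AzureLoadBalancer": [ipaddress.ip_network("168.63.129.16/32")],
    "*": [ipaddress.ip_network("0.0.0.0/0")],
}


@dataclass(frozen=True)
class Rule:
    priority: int
    action: str        # "Allow" or "Deny"
    protocol: str      # "Tcp", "Udp" or "*"
    dest_port: str     # "8443", "1000-2000" or "*"
    source: str        # CIDR, service tag or ASG name
    destination: str   # CIDR, service tag or ASG name


# Azure's built-in inbound default rules, which sit behind every custom rule.
DEFAULT_INBOUND = [
    Rule(65000, "Allow", "*", "*", "VirtualNetwork", "VirtualNetwork"),
    Rule(65001, "Allow", "*", "*", "AzureLoadBalancer", "*"),
    Rule(65500, "Deny", "*", "*", "*", "*"),
]


def _endpoint_matches(spec: str, ip: str) -> bool:
    """Match an address against an ASG name, a service tag or a CIDR."""
    if spec in ASG_MEMBERS:
        return ip in ASG_MEMBERS[spec]
    nets = SERVICE_TAGS.get(spec) or [ipaddress.ip_network(spec, strict=False)]
    return any(ipaddress.ip_address(ip) in net for net in nets)


def _port_matches(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def evaluate(rules, src_ip, dst_ip, dst_port, protocol="Tcp"):
    """Return (action, priority) of the first matching rule, lowest number first."""
    for r in sorted(list(rules) + DEFAULT_INBOUND, key=lambda r: r.priority):
        if r.protocol not in ("*", protocol) or not _port_matches(r.dest_port, dst_port):
            continue
        if _endpoint_matches(r.source, src_ip) and _endpoint_matches(r.destination, dst_ip):
            return r.action, r.priority
    return "Deny", None  # not reachable: DenyAllInBound always matches


def allowed_end_to_end(subnet_rules, nic_rules, src_ip, dst_ip, dst_port, protocol="Tcp"):
    """Inbound traffic must be allowed by the subnet NSG and then by the NIC NSG."""
    return all(evaluate(rs, src_ip, dst_ip, dst_port, protocol)[0] == "Allow"
               for rs in (subnet_rules, nic_rules))


# The exhibit's inbound rules on the app subnet.
EXHIBIT = [
    Rule(100, "Deny", "Tcp", "8443", "VirtualNetwork", "*"),
    Rule(110, "Allow", "Tcp", "8443", "AzureLoadBalancer", "*"),
    Rule(200, "Deny", "*", "*", "*", "*"),
]
WEB, APP, OTHER_VM, LB_PROBE = "10.1.1.4", "10.1.2.4", "10.1.3.9", "168.63.129.16"


def scenario_outcomes():
    """Exhibit as-is, the correct fix (priority 90) and the trap (priority 150)."""
    fix = Rule(90, "Allow", "Tcp", "8443", "ASG-Web", "ASG-App")
    trap = Rule(150, "Allow", "Tcp", "8443", "ASG-Web", "ASG-App")
    return {
        "exhibit_web_to_app": evaluate(EXHIBIT, WEB, APP, 8443),
        "exhibit_lb_probe": evaluate(EXHIBIT, LB_PROBE, APP, 8443),
        "fix_web_to_app": evaluate(EXHIBIT + [fix], WEB, APP, 8443),
        "fix_other_vm_to_app": evaluate(EXHIBIT + [fix], OTHER_VM, APP, 8443),
        "trap_web_to_app": evaluate(EXHIBIT + [trap], WEB, APP, 8443),
        # With no custom rules the default AllowVnetInBound would permit this flow.
        "defaults_only_web_to_app": evaluate([], WEB, APP, 8443),
        # Variation 1 option D: an allow at 50 on the NIC NSG cannot undo the
        # subnet-level deny, because both NSGs must allow the flow.
        "nic_allow_50_end_to_end": allowed_end_to_end(
            EXHIBIT, [Rule(50, "Allow", "Tcp", "8443", "ASG-Web", "ASG-App")], WEB, APP, 8443),
    }


if __name__ == "__main__":
    for name, outcome in scenario_outcomes().items():
        print(f"{name:26} -> {outcome}")
```

Running the script prints, for each flow, the action and the priority number of the rule that decided it. The web-to-app flow is decided by the deny at 100 both in the exhibit and with the trap rule at 150; only the allow at 90 changes the outcome, and the unrelated VM at 10.1.3.9 still hits the deny at 100 because it is not a member of ASG-Web.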
Key Concepts to Remember
Read the scenario before looking for a memorised answer.
Find the constraint that changes the correct option.
Eliminate answers that are true in general but not in this case.
Exam Day Tips
→ Watch for words such as best, first, most likely and least administrative effort.
→ Review why wrong options are wrong, not only why the correct option is correct.
Key takeaway
Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.
Real-world example
How this comes up in practice
A typical pattern is a three-tier application where every subnet NSG ends with a custom deny-all rule and each tier is placed in its own application security group. Web VMs get an allow to the app tier's ASG on the application port, the app tier gets an allow to the database tier's ASG on the database port, and nothing else in the virtual network can reach either tier. When a deployment adds a new port or a new tier, the first thing to check is the priority number of the new allow relative to every deny above it, not just the deny-all at the bottom. Questions like this test whether you understand first-match evaluation, service tags such as VirtualNetwork and AzureLoadBalancer, and how ASGs scope a rule to a workload instead of an address range.
Related glossary terms
Concepts from this question explained
These glossary pages explain the core terms tested in this AZ-104 question in full detail.
Implement and Manage Virtual Networking — This question tests Implement and Manage Virtual Networking — Read the scenario before looking for a memorised answer.
What is the correct answer to this question?
The correct answer is: Add an inbound allow rule for TCP 8443 from ASG-Web to ASG-App with a priority lower than 100. — Option B is correct because Azure Network Security Group (NSG) rules are evaluated in priority order, lowest number first, and evaluation stops at the first match. The rule at priority 100 denies TCP 8443 from the VirtualNetwork service tag; the web tier is in the same virtual network, so its traffic matches that deny immediately. The allow at 110 applies only to the AzureLoadBalancer tag, and the deny-all at 200 is never reached for this flow. To allow only the web tier, add an inbound allow rule for TCP 8443 with source ASG-Web, destination ASG-App and a priority number below 100 (for example 90), so it is evaluated before the deny. Every other source in the VNet still hits the deny at 100, and everything else falls through to the deny-all at 200.
What should I do if I get this AZ-104 question wrong?
Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.
What is the key concept behind this question?
Read the scenario before looking for a memorised answer.
About these practice questions
Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content.
These questions test the same concept from different angles. Work through them to make sure you can recognise it however the exam phrases it.
Variation 1. A subnet NSG contains these inbound rules: Priority 100 denies TCP 8443 from VirtualNetwork to any destination, Priority 110 allows TCP 8443 from AzureLoadBalancer to any destination, and Priority 200 allows TCP 8443 from ASG-Web to ASG-App. The app VM NIC has no additional inbound rules. Web servers are members of ASG-Web and the app VM is a member of ASG-App. The web tier still cannot connect to TCP 8443. What should the administrator change?
hard
✓ A.Move the allow rule for ASG-Web to ASG-App to a priority lower than 100.
B.Replace ASG-Web with the VirtualNetwork service tag in the allow rule.
C.Add a route table that sends TCP 8443 traffic to the app subnet.
D.Create a second NSG on the app NIC with an allow rule at priority 50.
Why A: The correct answer is A because NSG rules are evaluated in priority order, from lowest to highest number. The deny rule at priority 100 explicitly blocks TCP 8443 from VirtualNetwork, which includes traffic from ASG-Web (since ASG-Web members are within the virtual network). The allow rule at priority 110 only permits traffic from AzureLoadBalancer, not from ASG-Web. The allow rule at priority 200 is never evaluated because the deny rule at priority 100 matches first. By moving the allow rule for ASG-Web to ASG-App to a priority lower than 100 (e.g., 90), it will be evaluated before the deny rule, allowing the web servers to connect.
Variation 2. A web tier and API tier run in different subnets. The API subnet NSG currently has Deny-8443 from Any at priority 200 and Allow-8443-WebToApi from ASG-Web to ASG-Api at priority 300. Web requests on TCP 8443 are failing. Which two changes should the administrator make? Select two.
medium
A.Move the allow rule to a higher priority number than 200.
✓ B.Move the allow rule to a lower priority number than 200.
✓ C.Ensure the web NICs are added to ASG-Web and the API NICs are added to ASG-Api.
D.Change the rule protocol from TCP to Any.
E.Attach a route table to the API subnet to override the deny behavior.
Why B: B is correct because NSG rules are evaluated in priority order, with lower numbers having higher priority. The Deny-8443 rule at priority 200 is evaluated before the Allow-8443-WebToApi rule at priority 300, so the deny rule blocks the traffic. Moving the allow rule to a lower priority number (e.g., 100) ensures it is evaluated first, allowing the traffic. C is correct because the allow rule uses application security groups (ASGs); if the web and API NICs are not assigned to the respective ASGs, the rule will not match any traffic, effectively making it a no-op.
Variation 3. A Linux VM in a subnet must accept SSH only from the corporate admin subnet 10.8.4.0/24. The subnet NSG currently has an Allow-SSH rule for Any at priority 300 and a Deny-SSH rule for Any at priority 200. Administrators from 10.8.4.0/24 still cannot connect. What change should the administrator make?
medium
A.Change the deny rule protocol from TCP to Any so the allow rule is evaluated first.
✓ B.Add an Allow-SSH rule for 10.8.4.0/24 with a priority lower than 200.
C.Move the existing Allow-SSH rule to priority 400 so it applies later.
D.Add a route table to the subnet so the SSH packets follow a different path.
Why B: The Deny-SSH rule for Any at priority 200 matches every SSH connection, including those from 10.8.4.0/24, before the Allow-SSH rule at priority 300 is ever considered, because NSG rules are evaluated lowest number first and the first match wins. Adding an Allow-SSH rule for source 10.8.4.0/24 with a priority number below 200 (for example 100) puts it ahead of the deny, so only the admin subnet gets through while the deny at 200 still blocks every other source. Option C pushes the existing allow even further behind the deny, and option A changes what the deny matches, not the order in which rules are evaluated. The existing Allow-SSH for Any at 300 stays shadowed by the deny at 200; it does nothing, and deleting it avoids misleading the next person who reads the rule set.
Variation 4. A VM in subnet S1 must accept RDP only from the administrator workstation at 203.0.113.25. The subnet NSG has a custom inbound deny-all rule at priority 200 and a custom allow-RDP rule at priority 300 for source 203.0.113.25, destination Any, TCP 3389. RDP is still blocked from the workstation. What should the administrator change?
medium
✓ A.Move the allow-RDP rule to a lower priority number than 200.
B.Change the allow rule from inbound to outbound traffic.
C.Change the protocol from TCP to Any on the deny-all rule.
D.Attach a user-defined route so the workstation can reach the VM directly.
Why A: Network Security Group (NSG) rules are evaluated in priority order, with lower numbers having higher precedence. The deny-all rule at priority 200 is evaluated before the allow-RDP rule at priority 300, so the deny rule blocks the RDP traffic before the allow rule can be applied. To allow RDP from the workstation, the allow-RDP rule must have a lower priority number (e.g., 100) than the deny-all rule, ensuring it is evaluated first.
Variation 5. A VM in Azure cannot accept RDP connections from your office public IP. The subnet NSG already has an inbound deny-all rule at priority 200, and you added an allow rule for TCP 3389 from 198.51.100.25/32 at priority 300. What should you do to allow the connection?
medium
A.Change the source to Internet so the allow rule matches more traffic.
✓ B.Create or move the allow rule to priority 100 so it is evaluated before the deny rule.
C.Change the protocol from TCP to Any to bypass the deny rule.
D.Assign a public IP directly to the VM to override the subnet NSG behavior.
Why B: Network Security Group (NSG) rules are evaluated in priority order, with lower numbers having higher precedence. Since the deny-all rule at priority 200 is evaluated before the allow rule at priority 300, the deny rule blocks the RDP traffic. To allow the connection, the allow rule must be created or moved to a priority lower than 200 (e.g., 100) so it is evaluated first, permitting traffic from 198.51.100.25/32 on TCP 3389 before the deny rule is reached.
This AZ-104 practice question is part of Courseiva's free Microsoft certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the AZ-104 exam.
Question Discussion
Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.