An NSG on a subnet has these inbound rules: Deny-All-Inbound at priority 100 and Allow-RDP-from-AdminSubnet at priority 200. Administrators on AdminSubnet still cannot RDP to a VM in the subnet. What should the network administrator change?
NSG rules are processed in priority order, lowest number first, and the first matching rule wins. The allow rule must be given a priority number below the deny rule's so that it is evaluated before the deny rule.
Why this answer
The NSG rules are evaluated in priority order, with lower numbers having higher precedence. The Deny-All-Inbound rule at priority 100 blocks all traffic, including RDP from AdminSubnet, before the Allow-RDP-from-AdminSubnet rule at priority 200 is evaluated. To allow RDP traffic, the allow rule must have a lower priority number (e.g., 90) than the deny rule (100), ensuring it is evaluated first and permits the traffic before the deny rule blocks it.
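The evaluation order described above, as an added illustration that is not part of the original question or of Azure's own tooling: a small Python model of first-match inbound rule processing, run once with the rules as configured and once with the allow rule moved ahead of the deny rule. The address ranges (VNet 10.0.0.0/16, AdminSubnet 10.0.1.0/24) and source IPs are constructed for the example, and the AllowVNetInBound default rule is approximated with the VNet range in place of the VirtualNetwork service tag. One caveat the model enforces: Azure only accepts custom rule priorities from 100 to 4096, so the "e.g., 90" above cannot be entered literally; the example obtains the same ordering by swapping the two numbers (allow at 100, deny at 200), and it rejects the out-of-range value.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class NsgRule:
    name: str
    priority: int        # custom rules: 100-4096; lower number is evaluated first
    access: str          # "Allow" or "Deny"
    source: str          # CIDR, or "*" for any source
    dest_port: str       # port number, or "*" for any port
    protocol: str = "*"  # "Tcp", "Udp", or "*"


# Azure's default inbound rules (priorities 65000 and up). The VirtualNetwork
# service tag is approximated here by an assumed VNet range of 10.0.0.0/16.
DEFAULT_INBOUND = [
    NsgRule("AllowVNetInBound", 65000, "Allow", "10.0.0.0/16", "*"),
    NsgRule("AllowAzureLoadBalancerInBound", 65001, "Allow", "168.63.129.16/32", "*"),
    NsgRule("DenyAllInBound", 65500, "Deny", "*", "*"),
]

ADMIN_SUBNET = "10.0.1.0/24"  # constructed address range standing in for AdminSubnet


def validate(rules):
    """Reject what the Azure API would reject: custom priorities outside 100-4096,
    or two rules sharing one priority in the same direction."""
    seen = set()
    for r in rules:
        if r.priority < 65000 and not 100 <= r.priority <= 4096:
            raise ValueError(f"{r.name}: custom priority {r.priority} is outside 100-4096")
        if r.priority in seen:
            raise ValueError(f"{r.name}: duplicate priority {r.priority}")
        seen.add(r.priority)
    return rules


def _matches(rule, src_ip, port, proto):
    """A rule applies when source, destination port and protocol all match (or are wildcards)."""
    if rule.source != "*" and ip_address(src_ip) not in ip_network(rule.source):
        return False
    if rule.dest_port != "*" and int(rule.dest_port) != port:
        return False
    if rule.protocol != "*" and rule.protocol.lower() != proto.lower():
        return False
    return True


def evaluate_inbound(rules, src_ip, port, proto="Tcp"):
    """Walk the rules in ascending priority number; the first match decides.
    Returns (access, rule name) so the deciding rule is visible."""
    for rule in sorted(validate(rules), key=lambda r: r.priority):
        if _matches(rule, src_ip, port, proto):
            return rule.access, rule.name
    return "Deny", "implicit"  # unreachable in Azure because DenyAllInBound always matches


def rules_as_configured():
    """The question's configuration: deny evaluated before the allow."""
    return [
        NsgRule("Deny-All-Inbound", 100, "Deny", "*", "*"),
        NsgRule("Allow-RDP-from-AdminSubnet", 200, "Allow", ADMIN_SUBNET, "3389", "Tcp"),
    ] + DEFAULT_INBOUND


def rules_after_fix():
    """The fix: the allow rule carries the lower number, so it is evaluated first."""
    return [
        NsgRule("Allow-RDP-from-AdminSubnet", 100, "Allow", ADMIN_SUBNET, "3389", "Tcp"),
        NsgRule("Deny-All-Inbound", 200, "Deny", "*", "*"),
    ] + DEFAULT_INBOUND


if __name__ == "__main__":
    admin_vm, other_vm = "10.0.1.10", "10.0.2.10"  # constructed source addresses
    for label, rules in (("as configured", rules_as_configured()), ("after fix", rules_after_fix())):
        print(label, "RDP from AdminSubnet:", evaluate_inbound(rules, admin_vm, 3389))
        print(label, "RDP from another subnet:", evaluate_inbound(rules, other_vm, 3389))
```

Running it shows the RDP request from AdminSubnet stopping at Deny-All-Inbound under the original ordering and at Allow-RDP-from-AdminSubnet after the fix, while RDP from any other subnet, and any other port from AdminSubnet, is still denied; that last pair of checks is what distinguishes the targeted fix from simply deleting the deny rule.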
Exam trap
The trap here is that candidates assume allow rules override deny rules regardless of priority. Azure NSGs use priority-based evaluation in which the first matching rule (the one with the lowest priority number) wins, so a deny rule with a lower priority number will block traffic even when an allow rule with a higher priority number exists.
How to eliminate wrong answers
Option A is wrong because deleting the deny rule would remove all inbound traffic blocking, exposing the subnet to unrestricted inbound access, which is a security risk and not a targeted fix for the RDP issue. Option C is wrong because changing the VM to a different availability zone does not affect NSG rule evaluation or priority; availability zones are for fault tolerance, not network security rule processing. Option D is wrong because a private endpoint is used for secure access to Azure PaaS services (e.g., Storage, SQL) over a private IP, not for enabling RDP to a VM; it does not alter NSG rule priority or allow RDP traffic.