Frontend VMs in one subnet must reach backend VMs on TCP 8443. The backend VMs are rebuilt frequently, so their private IP addresses change often. The administrator wants to avoid updating NSG rules every time the backend IPs change. What should be used in the NSG rule?

A service endpoint on the backend subnet.

Service endpoints are for securing access to supported PaaS services, not for grouping VMs in NSG rules.

A route table with a next hop of Virtual network gateway.

Route tables control forwarding, but they do not simplify security rules for changing VM IP addresses.

A private endpoint for each backend VM.

Private endpoints are used for private access to supported services, not for direct VM-to-VM tier grouping.

What does this AZ-104 question test?

CIDR notation defines the prefix length.

What is the correct answer to this question?

The correct answer is: Application Security Groups for the frontend and backend tiers. — Application Security Groups are designed for this exact operational pattern. They let you group workloads logically and reference those groups in NSG rules, which means the allow rule follows the backend tier even if the VMs are recreated with different private IPs. This reduces administrative overhead and avoids brittle IP-based security rules, while still keeping the traffic control at the NSG layer. Why others are wrong: Service endpoints protect supported Azure PaaS services, not VM-to-VM traffic. Route tables determine next hop selection and cannot replace security group logic. Private endpoints create private access to Azure services, not reusable labels for multiple backend VMs inside your own network.

What should I do if I get this AZ-104 question wrong?

Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.