Question 880 of 1,170: Implement and Manage Virtual Networking (medium, multiple choice, objective-mapped)

Quick Answer

The correct answer is to change the allow rule to a higher priority than 200, such as 100. This is because Azure NSG rule priority order dictates that rules are evaluated from the lowest priority number to the highest, meaning a rule at priority 100 is processed before a rule at priority 200. Since the Deny-HTTPS rule at priority 200 blocks all outbound TCP 443 traffic, the Allow-HTTPS-API rule at priority 300 never gets a chance to match the traffic from ASG-Web to ASG-Api. On the AZ-104 exam, this scenario tests your understanding of how NSG rule precedence works, often appearing as a common trap where students assume a more specific rule overrides a general deny, forgetting that priority order is evaluated first. A reliable memory tip is to think of priority numbers like a race: the lowest number wins the evaluation, so a deny at 200 will always block a permit at 300, regardless of specificity.

AZ-104 Implement and Manage Virtual Networking Practice Question

This AZ-104 practice question tests your understanding of implement and manage virtual networking. Match the stated requirement to the specific cloud service, access model, or configuration option — many options are valid in isolation but not for this scenario. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

An application subnet has an NSG outbound rule Deny-HTTPS at priority 200 for TCP 443 to Any. A second outbound rule Allow-HTTPS-API at priority 300 permits TCP 443 from ASG-Web to ASG-Api. Web servers can reach other ports but not the API. What change should the administrator make?

Answer choices

  • A. Delete the deny rule so the allow rule can be evaluated.
  • B. Change the allow rule to a higher priority than 200, such as 100.
  • C. Change the destination from ASG-Api to the entire subnet address range.
  • D. Change the protocol from TCP to Any so the rule matches more traffic.

Correct answer & explanation

Change the allow rule to a higher priority than 200, such as 100.

Option B is correct because NSG rules are evaluated in priority order, with lower numbers having higher precedence. The Deny-HTTPS rule at priority 200 blocks all outbound TCP 443 traffic, including traffic from ASG-Web to ASG-Api. To allow the specific traffic, the Allow-HTTPS-API rule must have a lower priority number (e.g., 100) so it is evaluated before the deny rule, permitting the desired traffic while the deny rule still blocks other outbound HTTPS traffic.

Key principle: answer the scenario, not the keyword. Identify the specific constraint before choosing the most familiar-sounding option.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • Delete the deny rule so the allow rule can be evaluated.

    Why it's wrong here

    Removing the deny rule is unnecessary if the allow rule is given a higher priority.

  • Change the allow rule to a higher priority than 200, such as 100.

    Why this is correct

    NSGs process the lowest priority number first. Moving the allow rule above the deny rule permits the traffic.

    Related concept

    Read the scenario before looking for a memorised answer.

  • Change the destination from ASG-Api to the entire subnet address range.

    Why it's wrong here

    The destination address form is not the issue; the deny rule still wins because of priority.

  • Change the protocol from TCP to Any so the rule matches more traffic.

    Why it's wrong here

    The rule already matches TCP 443 traffic; protocol widening does not resolve a higher-priority deny.

Common exam traps

Common exam trap: answer the scenario, not the keyword

The trap here is that candidates often assume more specific rules (like those using application security groups) are evaluated before general deny rules, but in Azure NSGs, priority numbers alone determine evaluation order, not specificity.

Detailed technical explanation

How to think about this question

Azure Network Security Groups (NSGs) process rules in ascending order of priority (lower number = higher priority), and once a rule matches, no further rules are evaluated. This means a deny rule with priority 200 will always block traffic before an allow rule with priority 300 can be considered, regardless of the rule's specificity. In real-world scenarios, this priority-based evaluation is critical for implementing 'deny all, allow specific' patterns, where high-priority deny rules must be carefully placed above lower-priority allow rules to avoid unintended blocking.
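To make the evaluation order concrete, the following Python model of NSG rule matching is added here as an example; it is not code from this page or from Azure. It assumes a constructed lab layout (a 10.0.0.0/16 VNet, a web VM at 10.0.1.4 in ASG-Web, an API VM at 10.0.2.4 in ASG-Api) and simplifies the VirtualNetwork and Internet service tags to "inside" and "outside" that VNet; the default outbound rule names and priorities (AllowVnetOutBound 65000, AllowInternetOutBound 65001, DenyAllOutBound 65500) are Azure's real defaults. It replays the question: with Allow-HTTPS-API at priority 300 the web-to-API HTTPS flow hits Deny-HTTPS first; at priority 100 it is allowed, other ports still fall through to the default VNet allow, and HTTPS to the Internet is still denied. Because every rule carries a direction, the same `evaluate` function also replays the inbound scenarios in the variations further down the page.

```python
"""Toy model of Azure NSG rule evaluation (added example, not Azure code):
rules are tried in ascending priority number and the first full match decides."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

VNET_PREFIXES = [ip_network("10.0.0.0/16")]   # constructed lab VNet


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # custom rules 100-4096; Azure defaults 65000-65500
    direction: str     # "Inbound" or "Outbound"
    access: str        # "Allow" or "Deny"
    protocol: str      # "Tcp", "Udp" or "*"
    source: str        # "*", a CIDR, a service tag, or an ASG name
    destination: str
    dest_port: str     # "*", "443" or a range such as "8000-8080"


@dataclass(frozen=True)
class Flow:
    direction: str
    protocol: str
    src_ip: str
    dst_ip: str
    dst_port: int
    src_asgs: frozenset = frozenset()   # ASGs the source NIC belongs to
    dst_asgs: frozenset = frozenset()


def _endpoint_matches(field, ip_str, asgs):
    """Match a rule's source/destination field against one endpoint."""
    ip = ip_address(ip_str)
    in_vnet = any(ip in p for p in VNET_PREFIXES)
    if field == "*":
        return True
    if field == "VirtualNetwork":       # simplified service-tag semantics
        return in_vnet
    if field == "Internet":
        return not in_vnet
    if field in asgs:                   # application security group membership
        return True
    try:
        return ip in ip_network(field, strict=False)
    except ValueError:                  # an ASG name this endpoint is not in
        return False


def _port_matches(spec, port):
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def evaluate(rules, flow):
    """Return (access, rule_name) of the first match, lowest priority number first."""
    for r in sorted(rules, key=lambda r: r.priority):
        if (r.direction == flow.direction
                and r.protocol in ("*", flow.protocol)
                and _endpoint_matches(r.source, flow.src_ip, flow.src_asgs)
                and _endpoint_matches(r.destination, flow.dst_ip, flow.dst_asgs)
                and _port_matches(r.dest_port, flow.dst_port)):
            return r.access, r.name          # no later rule is consulted
    raise RuntimeError("a DenyAll rule at 65500 should always match")


# Azure's real default outbound rules (names and priorities), simplified matching.
DEFAULT_OUTBOUND = [
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "*", "Internet", "*"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*", "*"),
]


def scenario_rules(allow_priority):
    """The question's two custom rules, with Allow-HTTPS-API at the given priority."""
    return [
        Rule("Deny-HTTPS", 200, "Outbound", "Deny", "Tcp", "*", "*", "443"),
        Rule("Allow-HTTPS-API", allow_priority, "Outbound", "Allow", "Tcp", "ASG-Web", "ASG-Api", "443"),
    ] + DEFAULT_OUTBOUND


# Constructed flows: web VM (ASG-Web) at 10.0.1.4, API VM (ASG-Api) at 10.0.2.4.
WEB = frozenset({"ASG-Web"})
API = frozenset({"ASG-Api"})
WEB_TO_API_443 = Flow("Outbound", "Tcp", "10.0.1.4", "10.0.2.4", 443, WEB, API)
WEB_TO_API_8080 = Flow("Outbound", "Tcp", "10.0.1.4", "10.0.2.4", 8080, WEB, API)
WEB_TO_INTERNET_443 = Flow("Outbound", "Tcp", "10.0.1.4", "203.0.113.50", 443, WEB)

if __name__ == "__main__":
    for label, prio in (("as deployed, allow at 300", 300), ("after the fix, allow at 100", 100)):
        print(label)
        for f in (WEB_TO_API_443, WEB_TO_API_8080, WEB_TO_INTERNET_443):
            print("  %s:%d -> %s" % (f.dst_ip, f.dst_port, evaluate(scenario_rules(prio), f)))
```

Running the file prints the verdict and the deciding rule for each flow under both rule sets, which is the mental exercise the exam expects. On a real NSG the equivalent fix is a single priority change, for example `az network nsg rule update --resource-group <rg> --nsg-name <nsg> --name Allow-HTTPS-API --priority 100` (placeholders in angle brackets), after which Network Watcher's effective security rules view for the web NIC should list the allow rule ahead of Deny-HTTPS.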

Key Concepts to Remember

  • Read the scenario before looking for a memorised answer.
  • Find the constraint that changes the correct option.
  • Eliminate answers that are true in general but not in this case.

Exam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Real-world example

How this comes up in practice

A healthcare organisation deploys an application with a public-facing web tier and a private database tier. The database subnet has no public IP and only accepts connections from the web tier's security group. Questions like this test whether you can design cloud network isolation using VNets/VPCs, subnets, and security group rules.

What to study next

Got this wrong? Here's your next step.

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.


FAQ

Questions learners often ask

What does this AZ-104 question test?

This question tests Implement and Manage Virtual Networking: read the scenario before looking for a memorised answer.

What is the correct answer to this question?

The correct answer is: Change the allow rule to a higher priority than 200, such as 100. — Option B is correct because NSG rules are evaluated in priority order, with lower numbers having higher precedence. The Deny-HTTPS rule at priority 200 blocks all outbound TCP 443 traffic, including traffic from ASG-Web to ASG-Api. To allow the specific traffic, the Allow-HTTPS-API rule must have a lower priority number (e.g., 100) so it is evaluated before the deny rule, permitting the desired traffic while the deny rule still blocks other outbound HTTPS traffic.

What should I do if I get this AZ-104 question wrong?

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

What is the key concept behind this question?

Read the scenario before looking for a memorised answer.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content.

Same concept, more angles

5 more ways this is tested on AZ-104

These questions test the same concept from different angles. Work through them to make sure you can recognise it however the exam phrases it.

Variation 1 (medium). A web tier and an app tier run in separate subnets. Each VM NIC is placed in an application security group named WebASG or AppASG. The administrator must allow only the web tier to reach the app tier on TCP port 8443 and block all other inbound traffic to the app tier. Which NSG rule should be created on the app subnet?

  • A. Allow TCP 8443 from WebASG to AppASG with a lower priority number than the deny rule.
  • B. Allow TCP 8443 from the entire virtual network to the app subnet with a lower priority than the deny rule.
  • C. Allow UDP 8443 from WebASG to AppASG with any priority below 65000.
  • D. Allow TCP 8443 from WebASG to AppASG with a higher priority number than the deny rule.

Why A: Option A is correct because NSG rules are evaluated in priority order, with lower numbers having higher priority. By placing an Allow rule for TCP 8443 from WebASG to AppASG with a lower priority number than a subsequent Deny-All rule, only traffic from the web tier is permitted, and all other inbound traffic to the app subnet is blocked. This leverages application security groups (ASGs) to define fine-grained, role-based network security policies without relying on IP addresses.

Variation 2 (medium). An application subnet has a network security group with these inbound rules: Allow-Web-From-Internet at priority 200, Allow-App-From-Web at priority 300, and Deny-All-Inbound at priority 250. The web tier must reach the app tier on TCP 8080, but traffic is being denied. The administrator confirms the source and destination IPs are correct. What is the best fix?

  • A. Delete the Deny-All-Inbound rule because default NSG rules will allow the traffic.
  • B. Change the Allow-App-From-Web rule to a lower priority number than 250.
  • C. Add a route table entry for TCP 8080 traffic to bypass the NSG.
  • D. Move the Allow-Web-From-Internet rule to priority 400.

Why B: The Deny-All-Inbound rule at priority 250 is evaluated before the Allow-App-From-Web rule at priority 300 because lower priority numbers are processed first. To allow web-to-app traffic on TCP 8080, the Allow-App-From-Web rule must have a lower priority number (e.g., 240) than the Deny-All-Inbound rule so it is evaluated and applied first, permitting the traffic before the deny rule blocks it.

Variation 3 (medium). Based on the exhibit, a help desk engineer cannot RDP from an approved admin subnet to a VM in Azure. What change should the administrator make so the connection is allowed?

  • A. Change the deny rule to use UDP instead of TCP.
  • B. Move Allow-RDP-Admin to a priority lower than 100.
  • C. Add the VM NIC to an application security group and leave the rules unchanged.
  • D. Delete the default AllowVNetInBound rule.

Why B: The exhibit shows a deny rule with priority 100 that blocks all inbound traffic from the approved admin subnet, and an allow rule for RDP with a lower priority, that is, a higher number (e.g., 200). Since Azure Network Security Group (NSG) rules are evaluated in priority order (lowest number first), the deny rule at priority 100 is evaluated before the allow rule, so the RDP connection is blocked. To allow the RDP traffic, the administrator must move the Allow-RDP-Admin rule to a priority number lower than 100 (e.g., 90) so it is evaluated before the deny rule.

Variation 4 (medium). An NSG is associated with a subnet. It contains these inbound rules:

  • Priority 100: Deny TCP 443 from Internet to Any
  • Priority 200: Allow TCP 443 from 203.0.113.0/24 to Any

A tester at 203.0.113.10 browses to the VM's HTTPS endpoint in that subnet. What happens?

  • A. The request is allowed because the more specific source range matches first.
  • B. The request is denied because the priority 100 deny rule matches before the allow rule.
  • C. The request is denied only if the VM has no public IP address.
  • D. The request is allowed because default NSG rules always override custom rules.

Why B: The correct answer is B. Network Security Group (NSG) rules are evaluated in priority order, from lowest to highest numeric value. The priority 100 rule explicitly denies TCP 443 from the Internet (which includes the 203.0.113.0/24 range), and it is evaluated before the priority 200 allow rule. Since the deny rule matches first, the traffic is blocked regardless of the more specific source IP in the allow rule.

Variation 5 (medium). An NSG attached to a subnet contains these inbound rules: Deny-All-Inbound at priority 200, Allow-HTTPS-Admin at priority 250 from 203.0.113.20/32, and Allow-HTTPS-Internet at priority 300. A VM in the subnet cannot receive HTTPS from the admin workstation even though the source IP is correct. What should the administrator change?

  • A. Change the protocol from TCP to Any on the allow rule.
  • B. Move the Allow-HTTPS-Admin rule to a priority number lower than 200.
  • C. Associate a NAT gateway with the subnet.
  • D. Enable service endpoint policies on the subnet.

Why B: The Deny-All-Inbound rule at priority 200 blocks all traffic, including HTTPS from the admin workstation, because NSG rules are evaluated in priority order (lowest number first). The Allow-HTTPS-Admin rule at priority 250 is never reached since the deny rule with a higher priority (lower number) matches first. To allow the admin traffic, the allow rule must have a priority lower than 200 (e.g., 150) so it is evaluated before the deny rule.


Last reviewed: Jun 11, 2026


This AZ-104 practice question is part of Courseiva's free Microsoft certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the AZ-104 exam.