Question 558 of 1,170
Implement and Manage Virtual NetworkingmediumMultiple ChoiceObjective-mapped

AZ-104 Implement and Manage Virtual Networking Practice Question

This AZ-104 practice question tests your understanding of implement and manage virtual networking. Match the stated requirement to the specific cloud service, access model, or configuration option — many options are valid in isolation but not for this scenario. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

A VM in a subnet has both a subnet-level NSG and a NIC-level NSG. The subnet NSG allows inbound TCP 22 from the VirtualNetwork service tag, but the NIC NSG denies inbound TCP 22 from the same source. An administrator says the subnet rule should be enough because it allows the traffic. What is the actual behavior?

Answer choices

Why each option matters

Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.

Correct answer & explanation

The traffic is blocked because a deny in either NSG is effective.

When both a subnet-level NSG and a NIC-level NSG are applied to a virtual machine, network traffic is evaluated against both NSGs. The effective rule is the most restrictive: if either NSG contains a deny rule that matches the traffic, the traffic is blocked. In this scenario, the NIC-level NSG explicitly denies inbound TCP 22 from the VirtualNetwork service tag, so even though the subnet NSG allows it, the deny at the NIC level takes precedence and the traffic is blocked.

Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • The allow rule wins because subnet NSGs always override NIC NSGs.

    Why it's wrong here

    Subnet NSGs do not automatically override NIC NSGs. Both scopes are evaluated, and a deny at either scope blocks the traffic.

    When this WOULD be correct

    This option would be correct in a scenario where the question states that subnet NSGs have higher priority than NIC NSGs, or that subnet NSG rules override NIC NSG rules. For example, if the question specified that subnet NSGs are applied after NIC NSGs and can override them, then an allow at the subnet level would win.

  • The traffic is blocked because a deny in either NSG is effective.

    Why this is correct

    Azure evaluates both NIC and subnet NSGs. If either one denies the packet, the connection is blocked even if the other NSG has an allow rule.

    Related concept

    Read the scenario before looking for a memorised answer.

  • The traffic is allowed because service tags bypass NIC-level rules.

    Why it's wrong here

    Service tags simplify rule targeting, but they do not bypass evaluation or ignore a deny rule at another NSG scope.

    When this WOULD be correct

    If the question stated that the NIC NSG has no rule for TCP 22 and the subnet NSG allows it, then the traffic would be allowed because subnet NSG rules apply to all VMs in the subnet unless overridden by a NIC NSG rule.

  • The connection succeeds unless a route table sends the traffic elsewhere.

    Why it's wrong here

    Routing affects the path, not the security decision. NSG denies are enforced independently of route table configuration.

    When this WOULD be correct

    A VM in a subnet has a subnet NSG allowing inbound TCP 22 from the VirtualNetwork service tag, but a route table on the subnet redirects traffic to a network virtual appliance. In this case, the connection may fail if the appliance does not forward the traffic, even though the NSG allows it.

Option-by-option analysis

Why each answer is right or wrong

Understanding why wrong answers are wrong — and when they would be correct — is what separates a 750 score from a 900. The AZ-104 exam frequently reuses these exact scenarios with slightly different constraints.

The traffic is blocked because a deny in either NSG is effective.Correct answer

Why this is correct

Azure evaluates both NIC and subnet NSGs. If either one denies the packet, the connection is blocked even if the other NSG has an allow rule.

The allow rule wins because subnet NSGs always override NIC NSGs.Wrong answer — click to see why

Why this is wrong here

In Azure, NSG rules are evaluated in order of priority, and a deny rule in either the subnet or NIC NSG will block traffic, regardless of an allow rule in the other NSG. Subnet NSGs do not override NIC NSGs; both are evaluated, and the most restrictive rule applies.

★ When this WOULD be the correct answer

This option would be correct in a scenario where the question states that subnet NSGs have higher priority than NIC NSGs, or that subnet NSG rules override NIC NSG rules. For example, if the question specified that subnet NSGs are applied after NIC NSGs and can override them, then an allow at the subnet level would win.

Why candidates choose this

Candidates may think that subnet-level NSGs are applied after NIC-level NSGs and thus can override them, or they may confuse NSG evaluation with route table precedence where subnet routes override NIC routes.

The traffic is allowed because service tags bypass NIC-level rules.Wrong answer — click to see why

Why this is wrong here

Service tags do not bypass NSG rules; NSGs are evaluated in order of priority, and a deny rule in the NIC NSG will block traffic regardless of the subnet NSG allow rule.

★ When this WOULD be the correct answer

If the question stated that the NIC NSG has no rule for TCP 22 and the subnet NSG allows it, then the traffic would be allowed because subnet NSG rules apply to all VMs in the subnet unless overridden by a NIC NSG rule.

Why candidates choose this

Candidates may mistakenly believe that service tags have special privileges or that subnet-level rules take precedence over NIC-level rules, leading them to think the allow rule overrides the deny.

The connection succeeds unless a route table sends the traffic elsewhere.Wrong answer — click to see why

Why this is wrong here

In Azure, NSG rules are evaluated in order of priority, and a deny rule in either the subnet or NIC NSG will block traffic. Route tables do not affect NSG rule evaluation; they only influence traffic routing.

★ When this WOULD be the correct answer

A VM in a subnet has a subnet NSG allowing inbound TCP 22 from the VirtualNetwork service tag, but a route table on the subnet redirects traffic to a network virtual appliance. In this case, the connection may fail if the appliance does not forward the traffic, even though the NSG allows it.

Why candidates choose this

Candidates may confuse the role of NSGs and route tables, thinking that routing decisions can override NSG rules, or they may incorrectly assume that a route table can bypass NSG deny rules.

Analysis generated from the official AZ-104blueprint and verified against question context. The “when correct” sections are what AI assistants cite when candidates ask “what’s the difference between these options?”

Common exam traps

Common exam trap: answer the scenario, not the keyword

The trap here is that candidates often assume subnet-level NSGs take precedence over NIC-level NSGs, but Azure actually applies both and the most restrictive rule (any deny) wins, making it critical to check both NSGs for conflicting rules.

Detailed technical explanation

How to think about this question

Azure NSGs are stateful and rules are evaluated in priority order (lowest number first) within each NSG. When both a subnet and NIC NSG are applied, the effective security rules are the union of both sets, with the most restrictive outcome applied. This behavior is documented in Azure's network security group evaluation logic, where traffic must pass both NSGs to be allowed. In practice, this means an administrator must carefully coordinate rules across both NSG levels to avoid unintended blocks.

KKey Concepts to Remember

  • Read the scenario before looking for a memorised answer.
  • Find the constraint that changes the correct option.
  • Eliminate answers that are true in general but not in this case.

TExam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Real-world example

How this comes up in practice

An e-commerce site experiences heavy traffic on Black Friday and near-zero traffic during off-peak weeks. Rather than provisioning permanent large VMs, the team uses auto-scaling groups that add capacity automatically under load and reduce it overnight. Questions like this test whether you understand elasticity, availability zones, and cloud compute scaling patterns.

Visual reference

192.168.1.0 /24 256 addresses (254 usable) 192.168.1.0 /25 Subnet A 128 addr (126 usable) 192.168.1.128 /25 Subnet B 128 addr (126 usable) Borrowing 1 bit from host portion creates 2 subnets (/25)

What to study next

Got this wrong? Here's your next step.

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

Related practice questions

Related AZ-104 practice-question pages

Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.

Practice this exam

Start a free AZ-104 practice session

Short sessions build daily habit. Longer sessions build exam-day stamina. Try a timed session to simulate real conditions.

FAQ

Questions learners often ask

What does this AZ-104 question test?

Implement and Manage Virtual Networking — This question tests Implement and Manage Virtual Networking — Read the scenario before looking for a memorised answer..

What is the correct answer to this question?

The correct answer is: The traffic is blocked because a deny in either NSG is effective. — When both a subnet-level NSG and a NIC-level NSG are applied to a virtual machine, network traffic is evaluated against both NSGs. The effective rule is the most restrictive: if either NSG contains a deny rule that matches the traffic, the traffic is blocked. In this scenario, the NIC-level NSG explicitly denies inbound TCP 22 from the VirtualNetwork service tag, so even though the subnet NSG allows it, the deny at the NIC level takes precedence and the traffic is blocked.

What should I do if I get this AZ-104 question wrong?

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

What is the key concept behind this question?

Read the scenario before looking for a memorised answer.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →

How Courseiva writes practice questions · Editorial policy

Keep practising

More AZ-104 practice questions

Last reviewed: Jun 11, 2026

Question Discussion

Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.

Loading comments…

Sign in to join the discussion.

This AZ-104 practice question is part of Courseiva's free Microsoft certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the AZ-104 exam.