AZ-104 · topic practice

NSG practice questions

Practise AZ-104 NSG questions: original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security

What the exam tests

What to know about NSG

NSG questions test whether you can apply the concept in context, not just recognise a definition.

  • How the topic appears in realistic exam-style scenarios.
  • Which detail in the question changes the correct answer.
  • How to eliminate plausible but wrong options.
  • How to connect the question back to the wider exam objective.

Watch out for

Common NSG exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

NSG questions

20 questions · select your answer, then reveal the explanation

Question 1 · medium · multiple choice

A subnet contains several application servers. You need to allow inbound TCP 3389 only from a management subnet named Subnet-Mgmt and deny RDP from all other sources. What should you do?

Question 2 · easy · multi select

A subscription admin wants to investigate who changed a resource and also review the platform-generated events for that subscription. Which two types of logs can be sent to Log Analytics and queried later? Select two.

Question 3 · medium · multiple choice

A three-tier application uses separate web and app VMs that are scaled in and out regularly. The administrator must allow only the web tier to connect to the app tier on TCP 8080 without continually updating IP addresses. What should be configured in the NSG rule?

Question 4 · medium · multiple choice

A VM cannot connect to another VM on TCP 1433. You need to determine whether an NSG is blocking the flow and identify which rule applies. Which Network Watcher tool should you use?

Question 5 · medium · multiple choice

An application subnet has an NSG outbound rule Deny-HTTPS at priority 200 for TCP 443 to Any. A second outbound rule Allow-HTTPS-API at priority 300 permits TCP 443 from ASG-Web to ASG-Api. Web servers can reach other ports but not the API. What change should the administrator make?

Question 6 · medium · multiple choice

A subnet NSG contains a deny inbound rule for TCP 3389 from Any at priority 100 and an allow inbound rule for TCP 3389 from 10.4.1.0/24 at priority 200. Admin workstations in 10.4.1.0/24 cannot connect by RDP. What change should the administrator make?

Question 7 · easy · multiple choice

Based on the exhibit, HTTPS traffic from the admin workstation is still being blocked. What change should the administrator make?

Exhibit

Inbound NSG rules on AppSubnet:
Priority 200  Deny-All-Inbound      Any  Any               Any  Any  Deny
Priority 250  Allow-HTTPS-Admin     TCP  203.0.113.20/32   Any  443  Allow
Priority 300  Allow-HTTPS-Internet  TCP  Internet          Any  443  Allow
Test source IP: 203.0.113.20
Observed result: TCP 443 denied

Question 8 · medium · multiple choice

Why is centralized logging valuable during security incident response?

Question 9 · medium · multiple choice

A team manages three backend servers in one subnet. The servers are replaced periodically, so their private IP addresses change. The NSG must allow inbound traffic from the web tier without updating individual IP addresses each time. Which destination object should be used in the NSG rule?

Question 10 · medium · multiple choice

A web tier and an app tier run on separate Azure VMs in the same region. Each VM's NIC is added to an application security group named WebASG or AppASG. The administrator must allow only the web tier to connect to the app tier on TCP 8443, and future VM scale-outs must be included automatically. Which NSG rule should be created?

Question 11 · medium · multiple choice

You need to allow or deny traffic to and from resources in an Azure subnet based on source IP address, destination port, and protocol. Which Azure feature should you use?

Question 12 · hard · multiple choice

Users on the internet cannot access an HTTPS website hosted on VM-Web01. The VM has a public IP address, the web service is running, and the guest OS firewall allows TCP 443. What is the most likely Azure-side issue?

Question 13 · easy · multi select

Which two Network Watcher tools can help you diagnose whether a VM can reach another address and whether a specific flow is allowed or denied? Select two.

Question 14 · medium · multiple choice

You want Azure to recommend ways to reduce cost, improve performance, and strengthen security across your subscriptions. Which service should you use?

Question 15 · medium · multiple choice

You want Azure to identify security improvements, underutilized resources, and cost-saving opportunities across your subscriptions. Which Azure service should you use?

Question 16 · medium · multiple choice

A web application runs on three VMs in a backend subnet. The backend team wants the load balancer in the frontend tier to reach the VMs on TCP 8443, and they want the rule to keep working even if the backend VM IP addresses change. What should you use in the NSG rule?

Question 17 · medium · multiple choice

A shared resource group contains a VPN gateway and several virtual machines used by the finance department. Administrators must still be able to resize the VMs and update NSG rules, but no one should be able to delete the resource group or anything in it during the quarter-end freeze. Which lock should be applied?

Arrange the steps to create a virtual network in Azure with a subnet and deploy a VM.

Question 19 · medium · multiple choice

Frontend VMs in one subnet must reach backend VMs on TCP 8443. The backend VMs are rebuilt frequently, so their private IP addresses change often. The administrator wants to avoid updating NSG rules every time the backend IPs change. What should be used in the NSG rule?

Question 20 · medium · multiple choice

A backend VM must accept TCP 8443 only from the web tier. The subnet NSG already has a deny-all inbound rule at priority 200. The administrator adds an allow rule for the web tier at priority 300, but the connection still fails. What should be changed?

Frequently asked questions

What does the AZ-104 exam test about NSG?
NSG questions test whether you can apply the concept in context, not just recognise a definition.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just NSG questions in a focused session?
Yes — the session launcher on this page draws every question from the NSG domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other AZ-104 topics?
Use the topic links above to move to related areas, or go back to the AZ-104 question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the AZ-104 exam covers. They are not copied from any real exam or dump site.