Question 1mediummultiple choice
Full question →AZ-104 · topic practice
NSG practice questions
Use this page to practise AZ-104 NSG practice questions. The goal is not to memorise dumps, but to understand the concept, review the explanation and improve your exam readiness.
What the exam tests
What to know about NSG
NSG questions test whether you can apply the concept in context, not just recognise a definition.
How the topic appears in realistic exam-style scenarios.
Which detail in the question changes the correct answer.
How to eliminate plausible but wrong options.
How to connect the question back to the wider exam objective.
Practice set
NSG questions
20 questions · select your answer, then reveal the explanation
Question 2easymulti select
Full question →Which two statements about Azure route tables and user-defined routes are correct? Select two.
Question 3mediummultiple choice
Full question →A company has frontend and backend VMs in the same subnet. Security rules must allow the frontend tier to reach only the backend tier on TCP 443, without assigning rules to individual VM IP addresses. What should the administrator use in the NSG rule?
Question 4mediummultiple choice
Full question →A backend VM must accept TCP 8443 only from the web tier. The subnet NSG already has a deny-all inbound rule at priority 200. The administrator adds an allow rule for the web tier at priority 300, but the connection still fails. What should be changed?
Question 5mediummultiple choice
Full question →A backend tier runs on three Azure VMs. The VMs are rebuilt frequently and receive new private IP addresses during redeployment. The administrator must allow inbound TCP 1433 from the app tier without rewriting the NSG rule each time the backend VMs change. What should be used?
Question 6mediummultiple choice
Full question →A company needs to peer VNet-Prod, which uses 10.30.0.0/16, with VNet-Shared, which uses 10.30.64.0/18. The peering creation fails with an address-space overlap error. The team can renumber the shared environment, but they do not want to change any addresses in VNet-Prod. What should the administrator do before retrying the peering?
Question 7mediummultiple choice
Full question →A company has a hub virtual network that contains a custom DNS server at 10.20.0.4. A new spoke virtual network is peered to the hub. VMs in the spoke can reach other resources in Azure, but they cannot resolve internal names such as app01.corp.local. What should the administrator configure to fix name resolution for the spoke VMs?
Question 8mediummultiple choice
Full question →A company created a new spoke virtual network with the address space 10.40.1.0/24. The existing hub virtual network already uses 10.40.0.0/16. The administrator must peer the two VNets so resources can communicate normally. What must be changed before peering can succeed?
Question 9mediummultiple choice
Full question →A company has a hub VNet and two peered spoke VNets, AppSpoke and DataSpoke. Both spokes can reach on-premises networks through the hub gateway. The app VM in AppSpoke must connect privately to the data VM in DataSpoke without using the internet or sending traffic on-premises first. What should the administrator do?
Question 10mediummultiple choice
Full question →A company has a virtual machine in a subnet that must access an Azure Storage account. The storage account should remain reachable through its public endpoint, but access must be limited to that subnet, and the traffic should stay on the Azure backbone rather than the internet. Which feature should the administrator configure on the subnet?
Question 11easymultiple choice
Full question →A developer wants to give one Azure VM access to Azure Storage now, and that identity should be removed automatically if the VM is deleted. Which identity type should the administrator assign?
Question 12mediummultiple choice
Full question →A hub-and-spoke environment uses a DNS server VM in the hub VNet at 10.8.0.4 to resolve internal names such as app01.corp.local. The spoke VNet can reach hub VMs by IP after peering, but name resolution still fails from the spoke. What should the administrator configure so VMs in the spoke use the hub DNS server?
Question 13hardmultiple choice
Full question →A storage account has public network access disabled. A VM in VNet-Prod must reach Blob storage by using the storage account name, but nslookup from the VM still returns the public endpoint address. What should the administrator do?
Question 14mediummultiple choice
Full question →A storage account must be reachable only from resources in a single VNet. The team wants the storage service to use a private IP address inside that VNet and wants to disable public network access. Which feature should be configured?
Question 15hardmultiple choice
Full question →A subnet contains two NSGs: one associated with the subnet and one associated with the NIC of VM-App03. You need to determine whether inbound TCP 3389 from the internet is allowed. What is the correct interpretation?
Question 16easymultiple choice
Full question →A security admin wants Key Vault audit logs and metrics sent to a Log Analytics workspace for later search. Which Azure setting should be configured on the vault?
Question 17hardmultiple choice
Full question →A storage account must be accessible only from one Azure subnet. The security team does not want a private endpoint or private DNS zone, and they are fine with the storage account continuing to use its public FQDN. Which configuration should you use?
Question 18mediummultiple choice
Full question →A subnet has a NAT gateway attached, but outbound internet traffic from the VMs is still leaving through a network virtual appliance. The subnet's route table includes a user-defined route for 0.0.0.0/0 with the next hop set to Virtual appliance. The business wants internet traffic to use the NAT gateway while keeping any required specific routes to on-premises networks. What should the administrator do?
Question 19mediummultiple choice
Full question →A subnet NSG contains a deny inbound rule for TCP 3389 from Any at priority 100 and an allow inbound rule for TCP 3389 from 10.4.1.0/24 at priority 200. Admin workstations in 10.4.1.0/24 cannot connect by RDP. What change should the administrator make?
Question 20easymultiple choice
Full question →A subnet has an NSG with a custom inbound deny-all rule at priority 200. You need to allow HTTPS traffic to a VM in that subnet from any source. Which action should you take?
Watch out for
Common NSG exam traps
- ▸Answering from memory before reading the full scenario.
- ▸Missing a constraint such as cost, availability, security, scope or command context.
- ▸Choosing a broad answer when the question asks for the most specific fix.
- ▸Ignoring why the wrong options are tempting.
Free account
Track your progress over time
Create a free account to save your results and see which topics improve across sessions.
Focused NSG sessions
Start a NSG only practice session
Every question in these sessions is drawn from the NSG domain — nothing else.
Related practice questions
Related AZ-104 topic practice pages
Move into related areas when this topic feels solid.
AZ-104 Azure RBAC practice questions
Practise AZ-104 questions linked to AZ-104 Azure RBAC.
AZ-104 storage account practice questions
Practise AZ-104 questions linked to AZ-104 storage account.
AZ-104 virtual network practice questions
Practise AZ-104 questions linked to AZ-104 virtual network.
AZ-104 NSG practice questions
Practise AZ-104 questions linked to AZ-104 NSG.
AZ-104 Azure Monitor practice questions
Practise AZ-104 questions linked to AZ-104 Azure Monitor.
AZ-104 backup practice questions
Practise AZ-104 questions linked to AZ-104 backup.
AZ-104 managed identity practice questions
Practise AZ-104 questions linked to AZ-104 managed identity.
AZ-104 load balancer practice questions
Practise AZ-104 questions linked to AZ-104 load balancer.
AZ-104 Azure Policy practice questions
Practise AZ-104 questions linked to AZ-104 Azure Policy.
AZ-104 virtual machine practice questions
Practise AZ-104 questions linked to AZ-104 virtual machine.
Frequently asked questions
- What does the AZ-104 exam test about NSG?
- NSG questions test whether you can apply the concept in context, not just recognise a definition.
- How should I use these practice questions?
- Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
- Can I practise just NSG questions in a focused session?
- Yes — the session launcher on this page draws every question from the NSG domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
- Where can I practise other AZ-104 topics?
- Use the topic links above to move to related areas, or go back to the AZ-104 question bank to see all topics.
- Are these real exam questions or dumps?
- These are original practice questions written to test the same concepts the AZ-104 exam covers. They are not copied from any real exam or dump site.
Track your progress
A free account saves results across sessions and highlights which topics need work.
Sign up freeExam traps to avoid
- ▸Answering from memory before reading the full scenario.
- ▸Missing a constraint such as cost, availability, security, scope or command context.
- ▸Choosing a broad answer when the question asks for the most specific fix.
- ▸Ignoring why the wrong options are tempting.