An administrator is troubleshooting inbound HTTPS to a VM. The subnet NSG has these custom rules: Deny-Internet-Inbound at priority 150, Allow-HTTPS-Admin at priority 200, and the default deny rules remain in place. The administrator’s client is on the internet and should be able to reach the VM on TCP 443. What change will fix the problem?

Change the allow rule source from Internet to Any and keep the same priority.

Broadening the source may still not help if the deny rule is evaluated first; priority is the real issue here.

Create a route table to the VM subnet so traffic reaches the VM faster.

Routing does not override an NSG deny decision. The packet is stopped by the security rule evaluation.

Associate an application security group with the VM and leave the rules unchanged.

Application security groups simplify targeting, but they do not change rule precedence or allow a lower-priority deny to be bypassed.

What does this AZ-104 question test?

CIDR notation defines the prefix length.

What is the correct answer to this question?

The correct answer is: Move the allow rule to a lower priority number than the deny rule. — The problem is the NSG priority order. Azure evaluates security rules from the lowest number to the highest number, and the first matching rule decides the outcome. Since the deny rule is priority 150 and the allow rule is 200, the deny takes effect before the allow can match. Raising the allow rule to a lower number than 150 resolves the issue cleanly. Why others are wrong: Changing the source to Any may make the rule broader, but it still loses to the earlier deny rule. Route tables only control next hop selection and cannot override NSG filtering. Application security groups are useful for organizing sources and destinations, but they do not change the fact that the deny rule is evaluated first.

What should I do if I get this AZ-104 question wrong?

Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.