The answer is the network rule collection with priority 100, which denies all traffic, because Azure Firewall rule evaluation order processes network rules before application rules. Since the network rule at priority 100 explicitly denies all traffic, the application rule at priority 200 that allows *.google.com is never reached, causing the HTTPS traffic from 10.0.0.0/8 to www.google.com to be blocked. This scenario directly tests your understanding of Azure Firewall’s rule prioritization and evaluation hierarchy, a common topic on the Microsoft Azure Security Engineer Associate AZ-500 exam. A frequent trap is assuming application rules override network rules or that higher priority numbers are evaluated first, but in reality, lower priority numbers are evaluated sooner, and network rules always take precedence over application rules regardless of priority values. Remember the memory tip: “Networks first, then apps; lower numbers win the race.”
AZ-500 Secure networking Practice Question
This AZ-500 practice question tests your understanding of secure networking. Match the stated requirement to the specific cloud service, access model, or configuration option — many options are valid in isolation but not for this scenario. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.
Refer to the exhibit. You have an Azure Firewall policy with the shown rules. Traffic from 10.0.0.0/8 to www.google.com on HTTPS (443) is being blocked. What is the most likely reason?
Clue words in this question
Noticing these words before you look at the options changes how you read each choice.
Clue: "most likely"
Why it matters: Probability qualifier — the question wants the most probable cause or outcome, not a guaranteed one. Eliminate low-probability options.
Correct answer & explanation
✓
The network rule collection with priority 100 denies all traffic, and it is evaluated before the application rule collection.
Option A is correct because network rules are evaluated before application rules, and the network rule collection with priority 100 denies all traffic. The application rule collection with priority 200 is never evaluated because the network rule denies first. Option B is wrong because the application rule allows *.google.com, but it is not reached. Option C is wrong because the rule action is Allow, not Deny. Option D is wrong because the source address includes 10.0.0.0/8.
Key principle: ACLs process entries top to bottom and stop at the first match. Entry order and interface direction matter as much as the permit or deny statement.
Answer analysis
Option-by-option breakdown
For each option: why learners choose it and why it is or isn't the right answer here.
✓
The network rule collection with priority 100 denies all traffic, and it is evaluated before the application rule collection.
Why this is correct
Network rules are evaluated before application rules, so the Deny in the network rule collection is applied before the application rule collection is ever reached.
Clue confirmation
The clue word "most likely" in the question points toward this answer.
Related concept
Standard ACLs match source addresses.
✗
The application rule collection has an action of Deny.
Why it's wrong here
The action is Allow.
✗
The source address 10.0.0.0/8 is not included in the application rule.
Why it's wrong here
The source address matches 10.0.0.0/8.
✗
The application rule collection does not allow *.google.com.
Why it's wrong here
The application rule does allow *.google.com.
Common exam traps
Common exam trap: ACLs stop at the first match
ACLs are processed top to bottom. The first matching entry wins, and an implicit deny usually exists at the end.
Detailed technical explanation
How to think about this question
ACL questions test precision: source, destination, protocol, port and direction. A generally correct ACL can still fail if it is applied on the wrong interface or in the wrong direction.
Key Concepts to Remember
Standard ACLs match source addresses.
Extended ACLs can match source, destination, protocol and ports.
The first matching ACL entry is used.
There is usually an implicit deny at the end.
Exam Day Tips
→ Check inbound versus outbound direction.
→ Read the ACL from top to bottom.
→ Look for a broader permit or deny above the intended line.
Key takeaway
ACLs process entries top to bottom and stop at the first match. Entry order and interface direction matter as much as the permit or deny statement.
Real-world example
How this comes up in practice
A healthcare organisation deploys an application with a public-facing web tier and a private database tier. The database subnet has no public IP and only accepts connections from the web tier's security group. Questions like this test whether you can design cloud network isolation using VNets/VPCs, subnets, and security group rules.
Related glossary terms
Concepts from this question explained
These glossary pages explain the core terms tested in this AZ-500 question in full detail.
Review ACL processing order, placement rules (standard near destination, extended near source), and inbound vs outbound direction. Study wildcard masks and implicit deny. Then practise related AZ-500 ACL questions on filtering logic and placement.
Secure networking — This question tests Secure networking: Standard ACLs match source addresses.
What is the correct answer to this question?
The correct answer is: The network rule collection with priority 100 denies all traffic, and it is evaluated before the application rule collection. — Option A is correct because network rules are evaluated before application rules, and the network rule collection with priority 100 denies all traffic. The application rule collection with priority 200 is never evaluated because the network rule denies first. Option B is wrong because the application rule allows *.google.com, but it is not reached. Option C is wrong because the rule action is Allow, not Deny. Option D is wrong because the source address includes 10.0.0.0/8.
What should I do if I get this AZ-500 question wrong?
Review ACL processing order, placement rules (standard near destination, extended near source), and inbound vs outbound direction. Study wildcard masks and implicit deny. Then practise related AZ-500 ACL questions on filtering logic and placement.
Are there clue words in this question I should notice?
Yes — watch for: "most likely". Probability qualifier — the question wants the most probable cause or outcome, not a guaranteed one. Eliminate low-probability options.
What is the key concept behind this question?
Standard ACLs match source addresses.
About these practice questions
Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content.
These questions test the same concept from different angles. Work through them to make sure you can recognise it however the exam phrases it.
Variation 1. Refer to the exhibit. You are reviewing an Azure Firewall policy rule. The rule is intended to allow traffic from the 10.0.0.0/16 network to *.contoso.com on HTTPS. However, the rule is not working as expected. What is the most likely issue?
medium
A.The source address range is too broad and should be more specific.
B.The protocol should be Http, not Https.
✓ C.Application rules cannot have both targetFqdns and destinationAddresses; destinationAddresses should be removed.
D.The rule should be a network rule, not an application rule.
Why C: In Azure Firewall, the destinationAddresses field is used by network rules; an application rule identifies its destination by FQDN (targetFqdns), not by IP address. Specifying both targetFqdns and destinationAddresses in an application rule is therefore invalid, and the presence of destinationAddresses may cause the rule to be misconfigured or ignored.
Variation 2. Refer to the exhibit. An Azure Firewall Policy snippet is shown. A security administrator deploys this policy to the Azure Firewall. However, they receive reports that some VMs can still access the internet. What is the most likely reason?
medium
A.The destination "Internet" is not a valid service tag; it should be "*" for all destinations.
B.The action type "Deny" is misspelled; it should be "Deny".
C.The sourceAddresses field uses "*" which is not supported for outbound rules.
✓ D.There is another rule collection with a higher priority that allows traffic.
Why D: Option D is correct. In Azure Firewall Policy, rules within a rule collection are evaluated in priority order, but a rule collection group contains multiple rule collections. If another rule collection with a higher priority (lower number) allows the traffic, that collection is evaluated first and the traffic is allowed, bypassing the deny rule. Additionally, the rule collection group itself must be assigned to the firewall policy. Option C is wrong because the source address "*" is valid and covers all VMs. Option A is wrong because the destination "Internet" is a valid service tag. Option B is wrong because the rule already uses the Deny action correctly.
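To make the evaluation order behind the main question and Variation 2 concrete, here is an added Python model of Azure Firewall Policy processing; it is example code, not Courseiva's material or Azure's implementation. It assumes Microsoft's documented behaviour (network rule collections before application rule collections regardless of priority number, ascending priority within a type, first match terminating, default deny) and uses constructed rule collections, a constructed flow, and a documentation-range IP as placeholder destination.

```python
from collections import namedtuple
from fnmatch import fnmatch
from ipaddress import ip_address, ip_network

TYPE_ORDER = {"Dnat": 0, "Network": 1, "Application": 2}  # fixed processing order of rule types
APP_PORTS = {"Http": 80, "Https": 443}                     # application-rule protocol -> TCP port

# sources/destinations: CIDRs or "*" (application rules: FQDN patterns); ports: network rules only.
Rule = namedtuple("Rule", "sources protocols destinations ports", defaults=(["*"],))
# priority: lower number is evaluated first within its rule type; action: "Allow" or "Deny".
RuleCollection = namedtuple("RuleCollection", "name rule_type priority action rules")

def _ip_in(patterns, ip):
    return any(p == "*" or ip_address(ip) in ip_network(p) for p in patterns)

def _matches(rc, rule, flow):
    if not _ip_in(rule.sources, flow["src_ip"]):
        return False
    if rc.rule_type == "Application":   # application rules match on FQDN and HTTP(S) protocol
        return flow["port"] in {APP_PORTS[p] for p in rule.protocols} and \
            any(fnmatch(flow["fqdn"], d) for d in rule.destinations)
    return flow["l4"] in rule.protocols and _ip_in(rule.destinations, flow["dst_ip"]) and \
        ("*" in rule.ports or flow["port"] in rule.ports)

def evaluate(collections, flow):
    """Return (action, collection name) of the first match; every rule is terminating."""
    for rc in sorted(collections, key=lambda c: (TYPE_ORDER[c.rule_type], c.priority)):
        if any(_matches(rc, r, flow) for r in rc.rules):
            return rc.action, rc.name
    return "Deny", "implicit"           # unmatched traffic is denied by default

# Constructed sample data modelled on the exhibit; dst_ip is a documentation-range placeholder.
NET_DENY_ALL = RuleCollection("net-deny-all", "Network", 100, "Deny", [Rule(["*"], ["TCP", "UDP"], ["*"])])
APP_ALLOW_GOOGLE = RuleCollection("app-allow-google", "Application", 200, "Allow",
                                  [Rule(["10.0.0.0/8"], ["Https"], ["*.google.com"])])
FLOW = {"src_ip": "10.1.2.3", "dst_ip": "203.0.113.10", "l4": "TCP", "port": 443, "fqdn": "www.google.com"}

def question_scenario():          # network collection is processed first, so the deny wins
    return evaluate([NET_DENY_ALL, APP_ALLOW_GOOGLE], FLOW)

def swapped_priorities():         # giving the app collection the lower number changes nothing
    app = APP_ALLOW_GOOGLE._replace(priority=100)
    return evaluate([app, NET_DENY_ALL._replace(priority=200)], FLOW)

def variation2_scenario():        # a lower-numbered network Allow pre-empts a later network Deny
    allow = RuleCollection("net-allow-https", "Network", 150, "Allow", [Rule(["*"], ["TCP"], ["*"], [443])])
    return evaluate([allow, NET_DENY_ALL._replace(priority=200)], FLOW)
```

Removing the network collection entirely lets the application rule allow the flow, and a flow to an FQDN no rule matches falls through to the implicit deny.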
Last reviewed: Jun 20, 2026
Question Discussion
Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.
This AZ-500 practice question is part of Courseiva's free Microsoft certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the AZ-500 exam.