AZ-104, Timed Set 3, Question 10.
TDNSG1 associated with TD2 NIC. Should be NO.
Because – Subnet association alone blocks traffic to 10.0.2.0/24. NIC association unnecessary & statement false.

Azure NSG processing order (critical fact):
- Inbound to VM: Subnet NSG evaluated first. If subnet denies → traffic blocked before reaching NIC NSG.
- Outbound from VM: NIC NSG evaluated first. If NIC denies → traffic blocked before reaching subnet NSG.
In this scenario:
```text
TD1 (10.0.1.0/24) ──TCP:443──► TD2 (10.0.2.0/24) [Unreachable]
Rule 310:
Source: Any → Destination: 10.0.2.0/24 TCP Any → DENY (Priority 310)
```
- TDNSG1 on TD2’s SUBNET (10.0.2.0/24) catches this first and denies → Connection Troubleshoot shows “Unreachable”
- TD2’s NIC NSG (if any) is never reached because subnet NSG already blocked it
Key exam point: The question shows subnet association blocks TD1→TD2 traffic perfectly. NIC association is NOT required and the statement claiming it is associated with TD2’s NIC is false.
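The evaluation order described in the post (inbound: subnet NSG then NIC NSG; outbound: NIC NSG then subnet NSG; within an NSG, lowest priority number that matches wins) is small enough to simulate. The following is an added example written for this page, not code from the question, the exam or Tutorials Dojo. It models the question's rule 310 on TDNSG1 and a TD1→TD2 TCP/443 flow, and goes one step beyond the question by also showing the outbound order. The VM addresses (10.0.1.4, 10.0.2.4), the VNet prefix 10.0.0.0/16, the rule and NSG names other than TDNSG1, and the trimmed set of Azure default rules are all constructed assumptions.

```python
"""Simulator of Azure NSG evaluation order (added example, not from the post)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed address space used to resolve the VirtualNetwork service tag.
VNET_PREFIX = "10.0.0.0/16"
SERVICE_TAGS = {"VirtualNetwork": VNET_PREFIX}


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int        # 100-4096 for custom rules, 65000+ for defaults; lower wins
    direction: str       # "Inbound" | "Outbound"
    access: str          # "Allow" | "Deny"
    protocol: str        # "Tcp" | "Udp" | "*"
    source: str          # CIDR, service tag or "*"
    destination: str     # CIDR, service tag or "*"
    dest_port: str       # "443", "1000-2000" or "*"


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    protocol: str
    dst_port: int


@dataclass
class Decision:
    access: str                  # final verdict
    stage: Optional[str]         # "subnet" or "nic" that produced a Deny, else None
    nsg: Optional[str]
    rule: Optional[str]
    trace: List[tuple]           # (stage, nsg_name, access, rule_name) per hop evaluated


# Subset of the default rules Azure attaches to every NSG (assumed simplification:
# the AzureLoadBalancer and Internet defaults are left out).
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*", "*"),
]


def _prefix_match(spec: str, ip: str) -> bool:
    if spec == "*":
        return True
    spec = SERVICE_TAGS.get(spec, spec)
    return ip_address(ip) in ip_network(spec, strict=False)


def _port_match(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def rule_matches(rule: Rule, flow: Flow, direction: str) -> bool:
    return (rule.direction == direction
            and rule.protocol in ("*", flow.protocol)
            and _prefix_match(rule.source, flow.src_ip)
            and _prefix_match(rule.destination, flow.dst_ip)
            and _port_match(rule.dest_port, flow.dst_port))


class Nsg:
    def __init__(self, name: str, rules: List[Rule]):
        self.name = name
        # Custom rules plus defaults, sorted once; the first match wins.
        self.rules = sorted(list(rules) + DEFAULT_RULES, key=lambda r: r.priority)

    def evaluate(self, flow: Flow, direction: str):
        for rule in self.rules:
            if rule_matches(rule, flow, direction):
                return rule.access, rule.name
        return "Deny", None   # not reachable while the DenyAll defaults are present


def evaluate_path(flow: Flow, direction: str,
                  subnet_nsg: Optional[Nsg], nic_nsg: Optional[Nsg]) -> Decision:
    """Walk the NSGs in Azure's order: inbound = subnet then NIC, outbound = NIC then subnet.
    Evaluation stops at the first Deny; a hop with no NSG attached is skipped."""
    order = [("subnet", subnet_nsg), ("nic", nic_nsg)]
    if direction == "Outbound":
        order.reverse()
    trace = []
    for stage, nsg in order:
        if nsg is None:
            trace.append((stage, None, "no NSG", None))
            continue
        access, rule_name = nsg.evaluate(flow, direction)
        trace.append((stage, nsg.name, access, rule_name))
        if access == "Deny":
            return Decision("Deny", stage, nsg.name, rule_name, trace)
    # Allowed only when every attached NSG allowed it (or none is attached).
    return Decision("Allow", None, None, None, trace)


# The question's rule 310 on TDNSG1: any source -> 10.0.2.0/24, TCP, any port -> Deny.
TDNSG1 = Nsg("TDNSG1", [Rule("Rule310", 310, "Inbound", "Deny", "Tcp", "*", "10.0.2.0/24", "*")])
# Constructed VM addresses inside the question's two subnets.
TD1_TO_TD2 = Flow("10.0.1.4", "10.0.2.4", "Tcp", 443)


def subnet_only() -> Decision:
    """TDNSG1 on TD2's subnet and no NIC NSG: denied at the subnet hop."""
    return evaluate_path(TD1_TO_TD2, "Inbound", subnet_nsg=TDNSG1, nic_nsg=None)


def subnet_and_permissive_nic() -> Decision:
    """A NIC NSG that would allow the flow is never consulted; the trace has one hop."""
    return evaluate_path(TD1_TO_TD2, "Inbound", subnet_nsg=TDNSG1, nic_nsg=Nsg("TD2-nic-nsg", []))


def outbound_nic_first() -> Decision:
    """Outbound direction: a NIC-level Deny stops the packet before the subnet NSG."""
    nic = Nsg("TD1-nic-nsg", [Rule("DenyOut443", 200, "Outbound", "Deny", "Tcp", "*", "*", "443")])
    return evaluate_path(TD1_TO_TD2, "Outbound", subnet_nsg=Nsg("TD1-subnet-nsg", []), nic_nsg=nic)


if __name__ == "__main__":
    for d in (subnet_only(), subnet_and_permissive_nic(), outbound_nic_first()):
        print(d.access, "at", d.stage, "by", d.rule, "trace:", d.trace)
```

Running it prints a one-hop trace for both inbound cases (`Deny at subnet by Rule310`), which is the point of the question: the NIC NSG, whether absent or permissive, never sees the packet. The outbound case shows the mirror image, a NIC Deny ending evaluation before the subnet NSG. When Connection Troubleshoot reports "Unreachable", this order tells you which NSG to inspect first.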
Hello Margulan Aubakirov,
Thank you for your question!
You’re absolutely correct. In this scenario, traffic is blocked at the subnet level by TDNSG1’s rules (priority 310), and NIC association is not required. Since the subnet NSG processes first, it denies traffic to TD2 before it even reaches the NIC.
Regarding the statement about TDNSG1 being associated with TD2’s NIC, it’s not needed for this traffic flow to be blocked. The traffic is already restricted at the subnet level, making NIC association unnecessary in this case.
Please let me know if you have any further questions or need more clarification!
Best regards,
Irene @ Tutorials Dojo