AZ-104 Networking Feels Impossible? The Simple Mental Model That Fixes VNet, Subnet & NSG Confusion
Why do AZ-104 networking questions feel so confusing?
AZ-104 networking questions confuse candidates because they memorize VNet, subnet, and NSG components without building a visual mental model of how traffic flows. Once you understand the ‘Packet Journey’ framework — how a request travels through VNet → Subnet → NSG → destination — networking questions become logical puzzles instead of guessing games.
If AZ-104 networking questions make you freeze, you’re experiencing a common problem—but it’s not because Azure networking is impossibly complex. Most candidates fail networking scenarios because they memorize component names without building a visual mental model of how traffic actually flows. Once you see the “Packet Journey” framework, AZ-104 VNet questions become logical puzzles instead of guessing games.
Why AZ-104 Networking Feels Overwhelming
Azure networking throws a lot of components at you: Virtual Networks, subnets, Network Security Groups, route tables, VNet peering, VPN gateways, ExpressRoute, Azure Firewall, Application Gateway, Load Balancers, Private Endpoints, Service Endpoints…
The problem isn’t that these concepts are individually difficult. The problem is that the exam tests how they interact—and most study materials teach them in isolation.
A typical AZ-104 NSG exam question doesn’t ask “What is an NSG?” It asks: “A VM in Subnet A cannot reach a database in Subnet B. The NSG allows the traffic. What should you check?” Without a mental model of traffic flow, you’re guessing.
The Azure Network Stack in Plain English
Before diving into exam tactics, let’s build a mental picture using a city analogy that makes AZ-104 networking intuitive:
Virtual Network (VNet) = The City
A VNet is your private address space in Azure—think of it as a city with defined boundaries. Everything inside the city can potentially communicate. The city has a specific address range (CIDR block like 10.0.0.0/16).
- VNets are isolated by default—cities don’t automatically connect
- You can have multiple VNets in a subscription
- VNets exist in one region (though they can peer globally)
Subnet = Districts Within the City
Subnets divide your VNet into smaller network segments—like districts in a city. Each district has its own address range (a subset of the VNet CIDR).
- Resources (VMs, databases) live in subnets, not directly in VNets
- Some Azure services require dedicated subnets (like AzureBastionSubnet)
- Subnets within the same VNet can communicate by default
NSG = Security Gates Between Districts
Network Security Groups are stateful firewalls that filter traffic based on rules. Think of them as security checkpoints at district entrances.
- NSGs can attach to subnets or individual NICs (network interfaces)
- Rules are processed by priority (lowest number = highest priority)
- Default rules allow inbound traffic from the VNet and from the Azure load balancer, allow all outbound traffic (VNet and internet), and deny every other inbound flow; they sit at priorities 65000 and above, so any rule you add (100 to 4096) is evaluated first
- NSGs are Layer 4—they see IPs and ports, not application content
Route Tables (UDRs) = Road Signs
User-Defined Routes tell traffic where to go—like road signs directing cars. By default, Azure creates system routes, but you can override them.
- UDRs can send traffic to virtual appliances, VPN gateways, or the internet
- Route tables associate with subnets
- More specific routes (longer prefix, e.g. a /24 beats a /16) win over broader routes; when two routes have the same prefix, a user-defined route beats a BGP-learned route, which beats a system route
Gateways & Peering = Highways to Other Cities
To connect VNets or reach on-premises networks, you need highways:
- VNet Peering: Direct connection between VNets—fast, private, no encryption needed
- VPN Gateway: Encrypted tunnel to on-premises or other clouds
- ExpressRoute: Private dedicated connection to on-premises (not over public internet)
The “Packet Journey” Framework
Every Azure routing AZ-104 question can be solved by tracing the packet’s journey. Ask these questions in order:
Step 1: Where Does the Packet Start?
Identify the source: Which VM, subnet, and VNet? What IP address is it coming from?
Step 2: What’s the Destination?
Where is the packet trying to go? Same subnet? Different subnet? Different VNet? On-premises? Internet?
Step 3: Which Route Will Be Chosen?
Check effective routes on the source NIC. The most specific matching route wins. Is there a UDR? A system route? BGP-learned route?
Step 4: Does the Packet Pass NSGs?
Trace through NSGs in order:
- Outbound leg (leaving the source VM): Source NIC NSG → Source Subnet NSG → (routing happens)
- Inbound leg (arriving at the destination VM): Destination Subnet NSG → Destination NIC NSG
Traffic must be allowed by ALL NSGs in the path; a deny at any one of them drops the packet.
Step 5: Are There Additional Layers?
Consider: Azure Firewall in the path? Service Endpoints or Private Endpoints? Application Gateway or Load Balancer?
By walking through these steps, you can systematically troubleshoot any AZ-104 VNet questions instead of guessing.
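The route-selection and NSG-ordering rules above can be walked through in code. The simulator below is an added illustration, not Azure's own logic or anything from the original page; the VNet address space, routes, rules and IP addresses are constructed sample values.

```python
from ipaddress import ip_address, ip_network

# Constructed sample data: one VNet ("the city") peered to 10.1.0.0/16, with a
# UDR sending 10.1.0.0/24 through a firewall appliance. Not real Azure output.
VNET = "10.0.0.0/16"
ROUTES = [  # (prefix, next hop, origin) as the effective-routes view lists them
    ("10.0.0.0/16", "VnetLocal", "System"),
    ("0.0.0.0/0", "Internet", "System"),
    ("10.1.0.0/16", "VNetPeering", "System"),
    ("10.1.0.0/24", "VirtualAppliance 10.0.9.4", "User"),   # UDR
    ("10.1.0.0/24", "VirtualNetworkGateway", "BGP"),        # same prefix, BGP
]
ORIGIN_RANK = {"User": 0, "BGP": 1, "System": 2}


def effective_route(dst_ip):
    """Step 3: longest prefix wins; on a tie, UDR beats BGP beats System."""
    hits = [r for r in ROUTES if ip_address(dst_ip) in ip_network(r[0])]
    best = min(hits, key=lambda r: (-ip_network(r[0]).prefixlen, ORIGIN_RANK[r[2]]))
    return best[1]


# NSG rule: (priority, access, source prefix, destination port); "*" = any.
DEFAULT_INBOUND = [(65000, "Allow", VNET, "*"), (65500, "Deny", "*", "*")]


def nsg_verdict(rules, src_ip, port):
    """Lowest priority number first; the first matching rule ends processing."""
    for prio, access, src, dport in sorted(rules + DEFAULT_INBOUND, key=lambda r: r[0]):
        src_ok = src == "*" or ip_address(src_ip) in ip_network(src)
        if src_ok and dport in ("*", port):
            return access, prio
    return "Deny", 65500  # not reached: DenyAllInBound matches everything


def inbound_allowed(subnet_nsg, nic_nsg, src_ip, port):
    """Step 4, inbound leg: subnet NSG first, then NIC NSG; both must allow."""
    for name, rules in (("subnet", subnet_nsg), ("NIC", nic_nsg)):
        access, prio = nsg_verdict(rules, src_ip, port)
        if access == "Deny":
            return False, f"denied by {name} NSG rule priority {prio}"
    return True, "allowed by every NSG in the path"


# Deny at 100 and Allow at 200 for the same traffic: the deny wins (Trap 5).
SUBNET_NSG = [(100, "Deny", "0.0.0.0/0", 3389), (200, "Allow", "0.0.0.0/0", 3389)]
NIC_NSG = [(100, "Allow", "10.0.1.0/24", 1433)]

if __name__ == "__main__":
    print(effective_route("10.1.0.7"))   # UDR wins the /24 tie over BGP
    print(effective_route("10.1.5.7"))   # only the peering /16 matches
    print(inbound_allowed(SUBNET_NSG, NIC_NSG, "10.0.1.5", 1433))
    print(inbound_allowed(SUBNET_NSG, NIC_NSG, "203.0.113.9", 3389))
```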
Common AZ-104 Networking Exam Traps
Knowing these traps will save you points:
Trap 1: Confusing NSG vs Azure Firewall
NSGs filter at Layer 4 (IP + port) and are free. Azure Firewall is a paid managed service that adds Layer 7 controls (application rules on FQDNs, threat intelligence) on top of its own network rules, with centralized logging. Questions about filtering by domain name or centralized logging = Firewall. Questions about port-based allow/deny per subnet = NSG.
Trap 2: Wrong Subnet Association
NSGs and route tables associate with subnets, not VNets. A common trap: “You applied an NSG to the VNet…” — that’s impossible. NSGs attach to subnets or NICs only. Read carefully.
Trap 3: Misunderstanding Peering vs VPN
VNet peering is Azure-to-Azure, uses Microsoft backbone, low latency. VPN Gateway is for hybrid connectivity (Azure to on-premises), uses encrypted tunnels. Questions mentioning “on-premises” usually need VPN or ExpressRoute, not peering.
Trap 4: Forgetting Effective Routes
What you configure isn’t always what applies. System routes, UDRs, and BGP routes combine. The effective routes on a NIC show the actual routing table. When troubleshooting, always check effective routes—not just what you configured.
Trap 5: Ignoring NSG Processing Order
NSG rules are processed by priority number (100 before 200). The first matching rule wins, and processing stops. If you have a Deny at priority 100 and an Allow at 200, traffic is denied. Order matters.
How to Study AZ-104 Networking the Smart Way
Reading about networking isn’t enough—you need to see it work.
Step 1: Build a Simple Lab (30 minutes)
In a free Azure subscription:
- Create a VNet with two subnets
- Deploy a VM in each subnet
- Create an NSG and apply it to one subnet
- Add rules that allow/deny specific traffic
- Test connectivity between VMs (ping, RDP, etc.)
- Check effective routes and effective security rules on each NIC
This hands-on exercise teaches more than hours of videos.
Step 2: Draw Before You Answer
For every networking practice question:
- Sketch the VNets, subnets, and resources mentioned
- Draw arrows showing traffic direction
- Mark where NSGs and route tables are applied
- Trace the packet journey step by step
Diagram-first learning makes abstract scenarios concrete.
Step 3: Practice Troubleshooting Scenarios
The exam loves “VM A cannot reach VM B” questions. Practice the systematic approach:
- Check if VMs are in the same VNet or peered VNets
- Check NSG rules on both source and destination
- Check effective routes for unexpected next hops
- Check if OS-level firewalls are blocking traffic
Turn Networking Confusion Into Your Advantage
AZ-104 networking questions are designed to test whether you understand traffic flow—not whether you memorized service definitions. The candidates who struggle are those who learn components in isolation. The candidates who pass are those who can trace a packet from source to destination through all the layers.
The “Packet Journey” framework gives you a repeatable method for any networking scenario. Where does traffic start? What route does it take? What security layers does it pass through? Answer these questions systematically, and networking questions become solvable puzzles.
At Certsqill, our AZ-104 simulations focus on traffic-decision logic, not memorization. Every networking question teaches you to trace packet paths and identify the layer causing issues—exactly what the exam expects.
Start practicing with traffic-flow scenarios today and transform networking from your weakness into your strength.
Frequently Asked Questions
What is the difference between NSG and Azure Firewall in AZ-104?
NSGs are stateful packet filters that work at Layer 4 (IP/port) and are free. Azure Firewall is a managed service with Layer 7 capabilities (application rules, FQDN filtering, threat intelligence). Use NSGs for basic subnet/NIC security; use Firewall for centralized, advanced traffic control.
How does VNet peering differ from VPN Gateway in AZ-104?
VNet peering connects VNets within Azure using Microsoft’s backbone network—low latency, high bandwidth, no encryption needed. VPN Gateway connects Azure to on-premises or other clouds over encrypted IPsec tunnels. Peering is for Azure-to-Azure; VPN is for hybrid/external connectivity.
What are effective routes and why do they matter for AZ-104?
Effective routes show the actual routing table applied to a NIC after combining system routes, UDRs, and BGP routes. AZ-104 tests this because what you configure isn’t always what applies: the longest matching prefix wins, and when prefixes are equal a UDR overrides a BGP route, which overrides a system route. Always check effective routes when troubleshooting.
Can NSGs be applied to both subnets and NICs?
Yes. NSGs can be associated with subnets (affecting all resources in that subnet) or individual NICs (affecting only that VM). When both are applied, traffic must pass BOTH NSGs. Inbound traffic hits the subnet NSG first, then the NIC NSG. Outbound is reversed: NIC NSG first, then subnet NSG.