
AZ-104 Networking Overwhelm: Mastering VNets, Subnets, and NSGs

You’re staring at your AZ-104 score report. 658. Passing is 700. You studied the documentation. You watched the videos. You took practice tests and got 82% correct. But you still missed the networking section — specifically the VNet, subnet, and NSG questions. You’re not alone. This is the exact failure pattern that repeats across hundreds of retake candidates every month.

The problem isn’t that you don’t understand what a VNet is. You probably do. The problem is that the exam doesn’t test what you think it tests. It doesn’t ask “What is a subnet?” It asks scenario-based questions where you have to connect four different networking concepts in sequence under time pressure. Most candidates study each piece separately and freeze when they see the real exam format.

This guide fixes that specific gap.

Why VNet, Subnet, and NSG Questions Trip Everyone Up

You learn VNets in isolation. You learn subnets in isolation. You learn NSGs in isolation. Then the exam throws a scenario at you with all three working together, plus routing rules, and asks you to identify what’s blocking traffic between two virtual machines.

Here’s what happens: You read the question. It mentions a VNet called “prod-vnet” with a subnet called “app-subnet” and two NSGs — one attached to the subnet, one attached to the NIC. The scenario describes traffic from a client, port numbers, protocols, and three blocked connection attempts. You have 90 seconds to identify which rule is causing the block.

You panic because you’re trying to remember all the NSG rule priority numbers, which subnets are in which VNets, and whether subnet-level NSGs are evaluated before NIC-level NSGs.

The real issue: You never practiced this integration under exam conditions.

Most practice materials teach each concept separately. You study “How to create an NSG” then “How to configure subnets.” But the exam tests your ability to trace traffic through a multi-layered network architecture in real time. That’s a completely different skill.

The Specific Pattern That Causes This

Every networking scenario question follows this hidden structure:

Layer 1: The VNet and subnet topology
You’re given a VNet (or multiple VNets) with specific subnets and address spaces. Example: “You have prod-vnet (10.0.0.0/16) with app-subnet (10.0.1.0/24) and data-subnet (10.0.2.0/24).”

Layer 2: NSG attachment points
NSGs are attached at the subnet level or the NIC level (or both). The exam will mention one or both. Most candidates miss that there can be two NSGs filtering the same traffic.

Layer 3: The traffic scenario
A specific connection attempt: “VM1 in app-subnet (10.0.1.10) tries to connect to VM2 in data-subnet (10.0.2.10) on port 443 using HTTPS. The connection times out.”

Layer 4: Multiple rule conflicts
The NSG has an Allow rule for port 443 but a Deny rule for all outbound traffic. Or the subnet NSG allows it but the NIC NSG blocks it. The question asks which rule prevents the connection.

Layer 5: The trick
Most candidates identify a single rule and stop. But NSGs evaluate rules in priority order (lower numbers first), and the first matching rule wins. If a Deny rule with priority 100 matches before an Allow rule with priority 200, traffic is blocked — even though an Allow rule exists further down the list.

This is the pattern that appears in roughly 35-40% of networking questions on AZ-104. Once you see it, the rest becomes mechanical.

How The Exam Actually Tests This

The exam uses three distinct question formats for networking:

Format 1: Identify the blocking rule
“Traffic between two VMs fails. Here are the NSG rules. Why?”
You must trace the traffic path and identify which rule matches first.

Example (real scenario structure):

  • VM1: 10.0.1.5 (app-subnet)
  • VM2: 10.0.2.5 (data-subnet)
  • Subnet NSG rule 100: Allow all inbound on port 443
  • Subnet NSG rule 200: Deny all inbound
  • NIC NSG rule 50: Deny all traffic
  • Question: “Why does the connection fail?”
  • Answer: NIC NSG rule 50 is evaluated first (lower priority number) and blocks all traffic before the subnet NSG rules are even checked.

Format 2: Choose the correct configuration
“You need to allow SSH from a specific subnet to a VM. Which NSG rule configuration works?”
You must understand rule direction (inbound vs. outbound), protocol, port, and source/destination ranges.

Format 3: Predict the outcome of a change
“You modify an NSG rule from priority 150 to priority 50. What happens?”
You must understand rule evaluation order and predict consequences.

The test doesn’t ask “What is an NSG?” It assumes you know that. It asks you to debug a broken network and fix it in 90 seconds.

How To Recognize It Instantly

When you see a networking scenario question on your AZ-104 exam:

Read for these keywords immediately:

  • “Connection times out” or “connection refused” → something is blocking traffic
  • Multiple NSG mentions → trace both attachment points
  • Priority numbers → rule evaluation order matters
  • Port and protocol specifics → match these exactly to the rule
  • Subnet and NIC NSG mentioned together → both are evaluated (subnet first for inbound, NIC first for outbound in practical terms, but both can block)

Draw a quick diagram: Don’t waste time. Draw three boxes: Source → NSGs → Destination. Write rule priorities under each NSG. Mark which rules match the traffic. This takes 20 seconds and prevents 90% of mistakes.

Check rule direction: Inbound rules block incoming traffic. Outbound rules block outgoing traffic. A VM trying to connect outbound needs an outbound Allow rule or will be blocked by a Deny outbound rule — even if the destination has an inbound Allow rule.
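The tracing drill above, as an added example that is not part of the original article: a small Python model that walks one flow through both attachment points in the order given in the keyword list (subnet NSG first for inbound, NIC NSG first for outbound), takes the lowest-numbered matching rule in each NSG, and reports which rule decides. It runs the Format 1 scenario; the names `Rule`, `with_defaults`, `first_match` and `trace` are invented for this sketch, protocols and service tags are not modeled, and Azure's default rules are reduced to an intra-VNet allow at 65000 and a deny-all at 65500.

```python
import ipaddress
from typing import NamedTuple

class Rule(NamedTuple):
    priority: int        # lower number is evaluated first
    direction: str       # "Inbound" or "Outbound"
    access: str          # "Allow" or "Deny"
    port: str = "*"      # one destination port, or "*" for any
    source: str = "*"    # CIDR prefix, or "*" for any
    dest: str = "*"

def with_defaults(rules, vnet):
    """Append simplified defaults: intra-VNet allow (65000), deny all (65500)."""
    extra = []
    for d in ("Inbound", "Outbound"):
        extra += [Rule(65000, d, "Allow", "*", vnet, vnet), Rule(65500, d, "Deny")]
    return list(rules) + extra

def _covers(prefix, ip):
    return prefix == "*" or ipaddress.ip_address(ip) in ipaddress.ip_network(prefix)

def first_match(rules, direction, src, dst, port):
    """Check rules in ascending priority number; the first match decides."""
    for r in sorted(rules, key=lambda r: r.priority):
        if (r.direction == direction and r.port in ("*", str(port))
                and _covers(r.source, src) and _covers(r.dest, dst)):
            return r

def trace(direction, subnet_nsg, nic_nsg, src, dst, port):
    """Return (verdict, attachment point, deciding rule); NSGs need with_defaults()."""
    hops = [("subnet", subnet_nsg), ("nic", nic_nsg)]  # inbound order
    if direction == "Outbound":
        hops.reverse()                                 # outbound: NIC NSG first
    for name, rules in hops:
        hit = first_match(rules, direction, src, dst, port)
        if hit.access == "Deny":
            return ("Deny", name, hit)                 # a Deny at either point blocks
    return ("Allow", name, hit)

VNET = "10.0.0.0/16"  # prod-vnet address space from the article
# Format 1 scenario, inbound at VM2; "Deny all traffic" modeled as an inbound rule
SUBNET_NSG = with_defaults(
    [Rule(100, "Inbound", "Allow", "443"), Rule(200, "Inbound", "Deny")], VNET)
NIC_NSG = with_defaults([Rule(50, "Inbound", "Deny")], VNET)

def format1_verdict():
    return trace("Inbound", SUBNET_NSG, NIC_NSG, "10.0.1.5", "10.0.2.5", 443)

if __name__ == "__main__":
    print(format1_verdict())
```

Swapping `NIC_NSG` for `with_defaults([], VNET)` or changing a rule's priority with `rule._replace(priority=50)` reproduces the Format 2 and Format 3 style questions against the same topology.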

Practice This Before Your Exam

Stop reviewing NSG documentation. Start practicing scenario drills.

Take 10 minutes right now. Go to Microsoft Learn and find the NSG lab. Work through one complete scenario from start to finish without checking the answer key until you’re done. Do this three times.

Then find your practice test platform (Whizlabs, MeasureUp, or your course provider). Filter for “networking” questions only. Set a 90-second timer per question. Take 15 questions in one sitting. Score yourself.

You need 13+ correct to be ready for the exam. If you’re below that, you’re not ready yet. That’s not failure — that’s data telling you exactly what to work on.

The difference between a 658 and a 710 is usually 4-5 networking questions. Each one follows the same pattern once you see it. Master the pattern. Stop studying theory.

Do this now: Take one practice test on networking only. Don’t read explanations yet. Just score yourself. Reply to yourself with your score. That’s your baseline. Everything after that is improvement.
