nerdexam

AZ-500 · Question #610

AZ-500 Question #610: Real Exam Question with Answer & Explanation


Submitted by luis.pe · Mar 6, 2026

Configure and manage virtual networks - specifically understanding the layered enforcement model of Azure Virtual Network Manager Security Admin Rules versus NSG rules, including rule priority, scope hierarchy (Management Group vs Subscription), and the interaction between multiple AVNM instances targeting the same resource.

Question

Hotspot Question

You have a management group named MG1 that contains an Azure subscription named Sub1. Sub1 contains the resources shown in the following table.

You create an Azure Virtual Network Manager instance named AVNM1 that has the following configurations:
Management scope: MG1
Network groups:
- Name: Group1
-- Group members: VNet1
Security admin configuration:
- Name: SA1
- Rule collections:
-- Name: SACollection1
-- Target network groups: Group1
-- Security admin rules:
--- Name: SARule1
--- Priority: 500
--- Action: Deny
--- Direction: Inbound
--- Source type: Any
--- Source port: *
SA1 is deployed to all Azure regions.

You create a Virtual Network Manager instance named AVNM2 that has the following configurations:
Management scope: Sub1
Network groups:
- Name: Group2
-- Group members: VNet1
Security admin configuration:
- Name: SA2
- Rule collections:
-- Name: SACollection2
-- Target network groups: Group2
-- Security admin rules:
--- Name: SARule2
--- Priority: 500
--- Action: Always allow
--- Direction: Inbound
--- Source type: Any
--- Source port: *
SA2 is deployed to all Azure regions.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.

Answer:

Explanation

Security admin rules in Azure Virtual Network Manager are evaluated before NSG rules, and a security admin Deny or Always allow is terminal: the flow never reaches the NSG, so no NSG change can override it. Only a security admin Allow hands the flow on to the NSG for the final decision. When two network managers target the same virtual network, the rules of the manager with the higher management scope are evaluated first, so AVNM1 (scoped to MG1) runs before AVNM2 (scoped to Sub1). SARule1 from AVNM1 denies all inbound traffic to VNet1 (Group1) at priority 500, so internet traffic to VM1's public IP is blocked regardless of NSG rules; SARule2's Always allow in AVNM2 (Group2) is never reached. Changing NSGRule1's priority to 100 does not cause NSGs to be processed before security admin rules: an NSG priority only orders NSG rules among themselves, and security admin rules always run first, so that statement is false. Note that the question defines SARule2 as Always allow, not Deny: if SARule1's action is changed to Allow, evaluation continues to AVNM2, where SARule2 (Always allow) permits the inbound traffic and bypasses NSG evaluation entirely, so internet traffic to VM1 would then be allowed.
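To make the evaluation order concrete, here is an added Python model of the decision path for one inbound flow (this is example code written for this page, not Microsoft code or an Azure API). It encodes three rules from the question: security admin rules run before the NSG, the higher-scope network manager runs first, and Deny/AlwaysAllow are terminal while Allow falls through. AVNM1, AVNM2, SARule1 and SARule2 are taken from the question; NSGRule1's content (an inbound Allow at priority 200) is an assumption, since the page does not reproduce the resource table, and every rule is assumed to match the flow (source Any, port *).

```python
"""Model of how Azure Virtual Network Manager (AVNM) security admin rules and
NSG rules decide one inbound flow.  Added example for this page; not Microsoft
code.  Rule contents are constructed from the question; NSGRule1 is assumed.
"""
from dataclasses import dataclass

# A network manager at a higher scope (management group) has its security
# admin rules evaluated before one at a lower scope (subscription).
SCOPE_ORDER = {"management_group": 0, "subscription": 1}


@dataclass
class AdminRule:
    name: str
    priority: int        # 1-4096, lower number is evaluated first
    action: str          # "Allow", "Deny" or "AlwaysAllow" (API access values)
    direction: str = "Inbound"


@dataclass
class NetworkManager:
    name: str
    scope: str           # "management_group" or "subscription"
    rules: list


@dataclass
class NsgRule:
    name: str
    priority: int        # 100-4096 for user rules
    action: str          # "Allow" or "Deny"


def evaluate_inbound(managers, nsg_rules):
    """Return (decision, trace) for an inbound flow that matches every rule.

    Security admin rules always run first, ordered by manager scope and then
    by rule priority.  Deny and AlwaysAllow are terminal (the NSG is never
    consulted); Allow keeps evaluating lower-scope managers and then the NSG.
    """
    trace = []
    for mgr in sorted(managers, key=lambda m: SCOPE_ORDER[m.scope]):
        for rule in sorted(mgr.rules, key=lambda r: r.priority):
            if rule.direction != "Inbound":
                continue
            trace.append(f"{mgr.name}/{rule.name}:{rule.action}")
            if rule.action == "Deny":
                return "blocked", trace      # no NSG change can reopen this
            if rule.action == "AlwaysAllow":
                return "allowed", trace      # bypasses the NSG entirely
            # "Allow": fall through to the next manager, then the NSG

    # NSG evaluation: the first matching rule by priority wins; the built-in
    # DenyAllInBound default rule at 65500 catches anything not matched above.
    nsg_order = sorted(nsg_rules + [NsgRule("DenyAllInBound", 65500, "Deny")],
                       key=lambda r: r.priority)
    first = nsg_order[0]
    trace.append(f"NSG/{first.name}:{first.action}")
    return ("allowed" if first.action == "Allow" else "blocked"), trace


def scenario(sarule1_action="Deny", nsgrule1_priority=200,
             nsgrule1_action="Allow", include_avnm2=True):
    """Build the question's setup with optional tweaks and evaluate it."""
    avnm1 = NetworkManager("AVNM1", "management_group",
                           [AdminRule("SARule1", 500, sarule1_action)])
    avnm2 = NetworkManager("AVNM2", "subscription",
                           [AdminRule("SARule2", 500, "AlwaysAllow")])
    managers = [avnm1, avnm2] if include_avnm2 else [avnm1]
    # Assumed NSG rule on VM1's subnet/NIC (not given on the page).
    nsg = [NsgRule("NSGRule1", nsgrule1_priority, nsgrule1_action)]
    return evaluate_inbound(managers, nsg)


if __name__ == "__main__":
    print("as configured:          ", scenario())
    print("NSGRule1 priority 100:  ", scenario(nsgrule1_priority=100))
    print("SARule1 -> Allow:       ", scenario(sarule1_action="Allow"))
    print("Allow, AVNM2 removed:   ", scenario("Allow", include_avnm2=False))
    print("Allow, NSG denies:      ",
          scenario("Allow", include_avnm2=False, nsgrule1_action="Deny"))
```

The last two scenarios go slightly beyond the question: they show that a security admin Allow is the only action an NSG can still override, which is why the Deny in SARule1 is unaffected by any NSG priority and why SARule2's Always allow short-circuits the NSG once SARule1 no longer denies.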

Topics

Azure Virtual Network Manager, Security Admin Rules, Network Security Groups, Traffic Evaluation Order
