1. Azure Network Security Groups Documentation: "You can associate a network security group
to, or disassociate a network security group from a network interface or a subnet." This confirms
that NSGs are applied at the NIC and subnet level, not centrally at the VNet level, and also shows
that option B is imprecise.
Source: Microsoft Azure Documentation, "Network security groups".
(https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview)
2. Azure Firewall vs. Network Security Groups Comparison: "Azure Firewall complements
network security group functionality. Together, they provide better 'defense-in-depth' network
security... A network security group (NSG) is used to filter network traffic to and from Azure
resources in an Azure virtual network." This documentation implicitly defines the NSG's role as
resource-level filtering, contrasting with the Firewall's role as a centralized VNet service.
Source: Microsoft Azure Documentation, "What is Azure Firewall?".
(https://docs.microsoft.com/en-us/azure/firewall/overview#azure-firewall-vs-network-security-group)
3. NSG Rule Processing: "For inbound traffic, Azure processes the rules in an NSG associated
with a subnet first, if there is one, and then the rules in an NSG associated with the network
interface." This detail from the official documentation confirms that the ultimate enforcement point
involves the network interface, which lends some credence to the flawed premise of option B.
Source: Microsoft Azure Documentation, "How network security groups filter network traffic".
(https://docs.microsoft.com/en-us/azure/virtual-network/network-security-group-how-it-works)
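
The inbound processing order quoted in reference 3, as an added example that is not taken from the Microsoft documentation: a simplified Python model in which the subnet NSG is evaluated first and the NIC NSG second, so traffic reaches the resource only if both allow it. The names Rule, nsg_decision and inbound are hypothetical; the model assumes an NSG is associated at both levels and includes only the DenyAllInBound default rule.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    priority: int          # lower number is evaluated first
    access: str            # "Allow" or "Deny"
    source: str            # source CIDR prefix
    port: Optional[int]    # destination port; None matches any port


# Stand-in for the built-in DenyAllInBound default rule (priority 65500).
DENY_ALL = Rule(65500, "Deny", "0.0.0.0/0", None)


def nsg_decision(rules, src_ip, dst_port):
    """Return the first rule, in priority order, that matches the packet."""
    for rule in sorted(list(rules) + [DENY_ALL], key=lambda r: r.priority):
        in_prefix = ip_address(src_ip) in ip_network(rule.source)
        if in_prefix and rule.port in (None, dst_port):
            return rule


def inbound(subnet_nsg, nic_nsg, src_ip, dst_port):
    """Evaluate the subnet NSG first, then the NIC NSG; stop at the first deny."""
    for level, nsg in (("subnet", subnet_nsg), ("nic", nic_nsg)):
        rule = nsg_decision(nsg, src_ip, dst_port)
        if rule.access == "Deny":
            return ("Deny", level, rule.priority)
    return ("Allow", None, None)


# Constructed sample rule sets (documentation address ranges, not real hosts).
SUBNET_NSG = [Rule(100, "Allow", "0.0.0.0/0", 443),
              Rule(110, "Allow", "203.0.113.0/24", 22)]
NIC_NSG = [Rule(100, "Allow", "0.0.0.0/0", 443),
           Rule(200, "Deny", "0.0.0.0/0", 22)]

if __name__ == "__main__":
    for src, port in [("198.51.100.7", 443), ("203.0.113.5", 22), ("198.51.100.7", 22)]:
        print(src, port, inbound(SUBNET_NSG, NIC_NSG, src, port))
```

The second sample packet passes the subnet NSG and is then dropped by the NIC NSG, which is the case a review of only one of the two rule sets would miss.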