DRAG DROP
You have a virtual network and virtual machines that use the Resource Manager deployment model.
You plan to create a Network Security Group (NSG). You must apply rules to both inbound and outbound traffic.
You need to create the NSG.
In which order will the rules be applied to the virtual network? To answer, drag the appropriate option to the
correct location. Each option may be used once, more than once, or not at all. You may need to drag the split
bar between panes or scroll to view content.
Select and Place:
Explanation:
https://azure.microsoft.com/en-gb/documentation/articles/virtual-networks-nsg/
You can associate different NSGs to a VM (or NIC, depending on the deployment model) and the subnet that a NIC or VM is connected to. Security rules are applied to the traffic, by priority, in each NSG, in the following order:
Inbound traffic:
1. NSG applied to subnet: If a subnet NSG has a matching rule to deny traffic, the packet is dropped.
2. NSG applied to NIC (Resource Manager) or VM (classic): If a VM\NIC NSG has a matching rule that denies traffic, packets are dropped at the VM\NIC, even if a subnet NSG has a matching rule that allows traffic.
Outbound traffic:
1. NSG applied to NIC (Resource Manager) or VM (classic): If a VM\NIC NSG has a matching rule that denies traffic, packets are dropped.
2. NSG applied to subnet: If a subnet NSG has a matching rule that denies traffic, packets are dropped, even if a VM\NIC NSG has a matching rule that allows traffic.
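The evaluation order described above can be modelled in a few lines. This is an added example, not part of the original explanation or any Azure tooling; the `Rule` class, the function names and the sample rules are constructed, and matching on destination port only is a simplifying assumption.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    priority: int          # lower number is evaluated first
    port: Optional[int]    # destination port; None matches any port
    action: str            # "Allow" or "Deny"

def nsg_verdict(rules, port):
    """Within one NSG, the first matching rule in priority order decides."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.port is None or rule.port == port:
            return rule.action
    return "Deny"  # assumption: no match is treated as deny in this model

def evaluate(direction, subnet_nsg, nic_nsg, port):
    """Return (verdict, stage); stage names the NSG that dropped the packet."""
    stages = [("subnet", subnet_nsg), ("nic", nic_nsg)]  # inbound order
    if direction == "outbound":
        stages.reverse()                                 # NIC first, then subnet
    for name, rules in stages:
        if nsg_verdict(rules, port) == "Deny":
            return ("Deny", name)  # a deny at either stage drops the packet
    return ("Allow", None)         # traffic must be allowed by both NSGs

# Constructed sample rule sets (not taken from a real deployment).
SUBNET_NSG = [Rule(100, 443, "Allow"), Rule(200, 22, "Allow"),
              Rule(4096, None, "Deny")]
NIC_NSG = [Rule(100, 443, "Allow"), Rule(110, 22, "Deny"),
           Rule(120, 8080, "Allow"), Rule(4096, None, "Deny")]

if __name__ == "__main__":
    for direction in ("inbound", "outbound"):
        for port in (443, 22, 8080, 80):
            print(direction, port, evaluate(direction, SUBNET_NSG, NIC_NSG, port))
```

Port 80 is denied by both NSGs, so the reported stage shows the order directly: the subnet NSG drops it inbound, the NIC NSG drops it outbound.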