Courseiva
Knowledge + Practice
CertificationsVendorsCareer RoadmapsLabs & ToolsStudy GuidesGlossaryPractice Questions
C
Courseiva

Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.

Certification Practice Questions

CCNA practice questionsSecurity+ SY0-701 practice questionsAWS SAA-C03 practice questionsAZ-104 practice questionsAZ-900 practice questionsCLF-C02 practice questionsA+ Core 1 practice questionsGoogle Cloud ACE practice questionsCySA+ CS0-003 practice questionsNetwork+ N10-009 practice questions
View all certifications →

Product

CertificationsCertification PathsExam TopicsPractice TestsExam Dumps vs Practice TestsStudy HubComparisons

Company

AboutContactEditorial PolicyQuestion Writing PolicyTrust Center

Legal

Privacy PolicyTerms of Service

Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

HomeCertificationsSC-100DomainsDesign security for infrastructure
SC-100Free — No Signup

Design security for infrastructure

Practice SC-100 Design security for infrastructure questions with full explanations on every answer.

32questions

Start practicing

Design security for infrastructure — choose a session length

10 questions~10 min20 questions~20 min30 questions~30 min50 questions~50 min

Free · No account required

SC-100 Domains

Design solutions that align with security best practices and prioritiesDesign security operations, identity, and compliance capabilitiesDesign security solutions for infrastructureDesign a Zero Trust strategy and architectureDesign security solutions for applications and dataEvaluate GRC and security operations strategiesDesign security for infrastructureDesign a strategy for data and applicationsRecommend security best practices and priorities

Practice Design security for infrastructure questions

10Q20Q30Q50Q

All SC-100 Design security for infrastructure questions (32)

Start session

Click any question to see the full explanation and answer options, or start a focused practice session above.

1

A company is designing a hybrid network architecture using Azure ExpressRoute. They need to ensure that all traffic between on-premises and Azure is encrypted and authenticated. Which configuration should they implement?

2

An organization uses Microsoft Defender for Cloud to secure their multi-cloud environment, including Azure and AWS. They want to ensure that all AWS EC2 instances are automatically onboarded to Defender for Cloud. What should they configure?

3

A company plans to deploy Azure Virtual Desktop (AVD) in a secure environment. They require that all user connections be established over a reverse connect protocol to avoid inbound firewall rules. Which component enables this?

4

A financial services company is deploying a three-tier application on Azure. They need to ensure that the web tier can only communicate with the application tier, and the application tier can only communicate with the data tier. All tiers should use private IP addresses. What is the most secure way to implement this?

5

A company uses Azure Kubernetes Service (AKS) with Azure Active Directory (Azure AD) integration. They want to restrict developers to only be able to create and manage pods and services, but not modify cluster-level resources like nodes or namespaces. What should they configure?

6

A company has a hybrid identity deployment using Azure AD Connect. They want to ensure that if a user's on-premises account is disabled, the corresponding Azure AD account is also disabled within 30 minutes. Which setting should they configure?

7

A company is deploying Azure SQL Database with Azure Active Directory authentication for their application. They want to ensure that only specific Azure AD users can access the database, and that these users are authenticated at the database level. What should they do?

8

A company uses Azure Policy to enforce compliance. They want to automatically remediate non-compliant resources by deploying a custom template. Which effect should they use in the policy definition?

9

Which TWO of the following are true about Azure DDoS Protection?

10

Which THREE of the following are best practices for securing Azure Kubernetes Service (AKS)?

11

Which TWO of the following are valid methods to secure traffic between on-premises and Azure?

12

Refer to the exhibit. An Azure policy is defined as shown. Which resources will be audited?

13

Refer to the exhibit. A network policy is applied in the production namespace. What is the effect on the webapp pod's ability to reach external services?

14

You are a cybersecurity architect for a multinational corporation that is migrating its on-premises workloads to Azure. The environment includes 500 virtual machines across multiple subscriptions, managed through Azure Policy and Azure Blueprints. The security team has reported that some VMs are not receiving the latest security updates despite being configured for automatic updates via the Azure Update Management solution. Additionally, you have noticed that some VMs are missing the Azure Monitor agent, which is required for security monitoring. The company uses Azure Security Center (now Defender for Cloud) with the standard tier enabled. You need to ensure that all VMs are compliant with the company's security baseline, which requires: (1) all VMs must have the Azure Monitor agent installed, (2) all VMs must be enrolled in the Update Management solution, and (3) all VMs must be protected by Microsoft Defender for Cloud. What should you do to enforce compliance and remediate non-compliant VMs?

15

You are a security architect for a healthcare organization that is deploying a new application on Azure. The application consists of a web frontend (Azure App Service), an API layer (Azure Functions), and a database (Azure SQL Database). The organization requires that all data be encrypted at rest and in transit. Additionally, they need to ensure that only authenticated and authorized users can access the API, and that the database is accessible only from the API layer. The organization also wants to use managed identities to avoid storing credentials. You have deployed the resources. Now you need to configure the security settings. What should you do to meet the requirements?

16

A company uses Azure Firewall to inspect outbound traffic from a hub virtual network. They need to ensure that traffic from a spoke virtual network to a specific SaaS application (api.contoso.com) bypasses the firewall for performance reasons. What is the most efficient way to achieve this?

17

A company deploys Azure Bastion in a VNet. They want to allow a security engineer to connect to a Windows VM in a peered VNet using Azure Bastion. The engineer can see the VM in the portal but cannot connect. Which configuration is most likely missing?

18

A company uses Azure Front Door to load balance traffic across two origin servers in different Azure regions. They notice that failover is not working when one origin becomes unhealthy. What is the most likely cause?

19

A company is designing a secure hybrid network architecture. They have an on-premises network connected to Azure via ExpressRoute and a site-to-site VPN as backup. They want to ensure that traffic from Azure to on-premises always uses ExpressRoute when available, but automatically fails over to VPN if ExpressRoute goes down. Which configuration should they implement?

20

A company deploys a three-tier application with web servers, application servers, and database servers in a VNet. They need to ensure that web servers can only communicate with application servers on port 443, and application servers can only communicate with database servers on port 1433. Web servers should not be able to communicate with database servers. What is the most secure and efficient way to implement this?

21

A company uses Azure Policy to enforce that all storage accounts must have HTTPS traffic only. They assign a built-in policy to audit this setting. A developer creates a new storage account with HTTP enabled, and the policy reports it as non-compliant. What should the company do to automatically remediate this violation?

22

Which TWO actions should you take to secure an Azure Kubernetes Service (AKS) cluster?

23

Which THREE components are required to implement a secure hybrid network with Azure using a site-to-site VPN?

24

A large enterprise is designing a secure infrastructure for a multi-region application deployment. They have a hub-spoke topology in two Azure regions (East US and West US) with VNet peering between the hubs. Each region has a shared services spoke containing Azure AD Domain Services (AAD DS) and management jump boxes. Application spokes in each region host VMs that need to authenticate to the local AAD DS. The company mandates that all traffic between regions must traverse a network virtual appliance (NVA) for inspection, except for Azure management traffic. They also require that all outbound internet traffic from application VMs goes through a single Azure Firewall in the East US hub. They have deployed ExpressRoute to on-premises. Currently, application VMs in West US cannot authenticate to the local AAD DS. What is the most likely cause?

25

You are designing a security strategy for a hybrid identity infrastructure that uses Microsoft Entra ID. The company requires that all administrative access to on-premises servers be secured using least-privilege principles and just-in-time (JIT) access. You plan to implement Microsoft Entra Privileged Identity Management (PIM) for Azure resources, but on-premises servers are not Azure resources. Which solution should you use to provide JIT access to on-premises servers?

26

You are designing a network security strategy for a multicloud environment that includes Azure and Amazon Web Services (AWS). The company requires that all traffic between the two clouds be encrypted and inspected for threats. You need to recommend a solution that meets the following requirements: - Minimize latency. - Use Microsoft-provided security services where possible. - Ensure traffic is inspected at Layers 3-7. Which TWO options should you include in your design?

27

Refer to the exhibit. You are reviewing an Azure Policy definition that will be assigned to a subscription containing production virtual machines. The policy is intended to enforce security best practices for disk encryption. What is the effect of this policy?

28

Your organization, Contoso Ltd., is migrating its on-premises workloads to Azure. The environment includes 200 virtual machines (VMs) running Windows Server and 50 VMs running Linux. You are responsible for designing the security infrastructure. The company has the following requirements: 1) All VMs must be protected against malware. 2) Security updates must be applied automatically to Windows VMs within 24 hours of release. 3) Linux VMs must receive critical security patches within 48 hours. 4) A central dashboard must provide visibility into the security posture of all VMs. 5) All VMs must be onboarded to Microsoft Defender for Cloud to enable advanced threat protection. 6) The solution must minimize administrative overhead. You have implemented the following: - All VMs are enrolled in Microsoft Defender for Cloud with the enhanced security features enabled. - Azure Update Manager is configured to schedule updates. - Microsoft Defender for Endpoint is installed on all Windows VMs. However, after a month, the security team reports that: - 50 Windows VMs did not receive security updates within 24 hours. - 10 Linux VMs have not received any patches. - The central dashboard shows that 30 VMs are not reporting their security status. - A malware outbreak occurred on 5 Windows VMs that were not protected by Defender for Endpoint. You need to identify the most likely root cause and recommend a corrective action.

29

Order the steps to deploy Azure Firewall with forced tunneling in a hub virtual network.

30

Order the steps to configure Azure Key Vault firewall and virtual network service endpoints.

31

Match each Azure network security feature to its description.

32

Match each security operations tool to its primary function.

Practice all 32 Design security for infrastructure questions

Other SC-100 exam domains

Design solutions that align with security best practices and prioritiesDesign security operations, identity, and compliance capabilitiesDesign security solutions for infrastructureDesign a Zero Trust strategy and architectureDesign security solutions for applications and dataEvaluate GRC and security operations strategiesDesign a strategy for data and applicationsRecommend security best practices and priorities

Frequently asked questions

What does the Design security for infrastructure domain cover on the SC-100 exam?

The Design security for infrastructure domain covers the key concepts tested in this area of the SC-100 exam blueprint published by Microsoft. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all SC-100 domains — no account required.

How many Design security for infrastructure questions are in the SC-100 question bank?

The Courseiva SC-100 question bank contains 32 questions in the Design security for infrastructure domain. Click any question to see the full explanation and answer breakdown.

What is the best way to practice Design security for infrastructure for SC-100?

Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.

Can I practice only Design security for infrastructure questions for SC-100?

Yes — the session launcher on this page draws questions exclusively from the Design security for infrastructure domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.

Free forever · No credit card required

Track your SC-100 domain progress

Save your results, see per-domain analytics, and get readiness scores — free, for every certification.

Sign Up Free

Free forever · Every certification included

Practice Session

10 questions20 questions30 questions50 questions

Study Resources

All DomainsPractice TestMock ExamFlashcardsStudy Guide