Practice SC-100 Design security for infrastructure questions with full explanations on every answer.
1. A company is designing a hybrid network architecture using Azure ExpressRoute. They need to ensure that all traffic between on-premises and Azure is encrypted and authenticated. Which configuration should they implement?
2. An organization uses Microsoft Defender for Cloud to secure their multi-cloud environment, including Azure and AWS. They want to ensure that all AWS EC2 instances are automatically onboarded to Defender for Cloud. What should they configure?
3. A company plans to deploy Azure Virtual Desktop (AVD) in a secure environment. They require that all user connections be established over a reverse connect protocol to avoid inbound firewall rules. Which component enables this?
4. A financial services company is deploying a three-tier application on Azure. They need to ensure that the web tier can only communicate with the application tier, and the application tier can only communicate with the data tier. All tiers should use private IP addresses. What is the most secure way to implement this?
5. A company uses Azure Kubernetes Service (AKS) with Azure Active Directory (Azure AD) integration. They want to restrict developers to only be able to create and manage pods and services, but not modify cluster-level resources like nodes or namespaces. What should they configure?
6. A company has a hybrid identity deployment using Azure AD Connect. They want to ensure that if a user's on-premises account is disabled, the corresponding Azure AD account is also disabled within 30 minutes. Which setting should they configure?
7. A company is deploying Azure SQL Database with Azure Active Directory authentication for their application. They want to ensure that only specific Azure AD users can access the database, and that these users are authenticated at the database level. What should they do?
8. A company uses Azure Policy to enforce compliance. They want to automatically remediate non-compliant resources by deploying a custom template. Which effect should they use in the policy definition?
9. Which TWO of the following are true about Azure DDoS Protection?
10. Which THREE of the following are best practices for securing Azure Kubernetes Service (AKS)?
11. Which TWO of the following are valid methods to secure traffic between on-premises and Azure?
12. Refer to the exhibit. An Azure policy is defined as shown. Which resources will be audited?
13. Refer to the exhibit. A network policy is applied in the production namespace. What is the effect on the webapp pod's ability to reach external services?
14. You are a cybersecurity architect for a multinational corporation that is migrating its on-premises workloads to Azure. The environment includes 500 virtual machines across multiple subscriptions, managed through Azure Policy and Azure Blueprints. The security team has reported that some VMs are not receiving the latest security updates despite being configured for automatic updates via the Azure Update Management solution. Additionally, you have noticed that some VMs are missing the Azure Monitor agent, which is required for security monitoring. The company uses Azure Security Center (now Defender for Cloud) with the standard tier enabled. You need to ensure that all VMs are compliant with the company's security baseline, which requires: (1) all VMs must have the Azure Monitor agent installed, (2) all VMs must be enrolled in the Update Management solution, and (3) all VMs must be protected by Microsoft Defender for Cloud. What should you do to enforce compliance and remediate non-compliant VMs?
15. You are a security architect for a healthcare organization that is deploying a new application on Azure. The application consists of a web frontend (Azure App Service), an API layer (Azure Functions), and a database (Azure SQL Database). The organization requires that all data be encrypted at rest and in transit. Additionally, they need to ensure that only authenticated and authorized users can access the API, and that the database is accessible only from the API layer. The organization also wants to use managed identities to avoid storing credentials. You have deployed the resources. Now you need to configure the security settings. What should you do to meet the requirements?
16. A company uses Azure Firewall to inspect outbound traffic from a hub virtual network. They need to ensure that traffic from a spoke virtual network to a specific SaaS application (api.contoso.com) bypasses the firewall for performance reasons. What is the most efficient way to achieve this?
17. A company deploys Azure Bastion in a VNet. They want to allow a security engineer to connect to a Windows VM in a peered VNet using Azure Bastion. The engineer can see the VM in the portal but cannot connect. Which configuration is most likely missing?
18. A company uses Azure Front Door to load balance traffic across two origin servers in different Azure regions. They notice that failover is not working when one origin becomes unhealthy. What is the most likely cause?
19. A company is designing a secure hybrid network architecture. They have an on-premises network connected to Azure via ExpressRoute and a site-to-site VPN as backup. They want to ensure that traffic from Azure to on-premises always uses ExpressRoute when available, but automatically fails over to VPN if ExpressRoute goes down. Which configuration should they implement?
20. A company deploys a three-tier application with web servers, application servers, and database servers in a VNet. They need to ensure that web servers can only communicate with application servers on port 443, and application servers can only communicate with database servers on port 1433. Web servers should not be able to communicate with database servers. What is the most secure and efficient way to implement this?
21. A company uses Azure Policy to enforce that all storage accounts must have HTTPS traffic only. They assign a built-in policy to audit this setting. A developer creates a new storage account with HTTP enabled, and the policy reports it as non-compliant. What should the company do to automatically remediate this violation?
22. Which TWO actions should you take to secure an Azure Kubernetes Service (AKS) cluster?
23. Which THREE components are required to implement a secure hybrid network with Azure using a site-to-site VPN?
24. A large enterprise is designing a secure infrastructure for a multi-region application deployment. They have a hub-spoke topology in two Azure regions (East US and West US) with VNet peering between the hubs. Each region has a shared services spoke containing Azure AD Domain Services (AAD DS) and management jump boxes. Application spokes in each region host VMs that need to authenticate to the local AAD DS. The company mandates that all traffic between regions must traverse a network virtual appliance (NVA) for inspection, except for Azure management traffic. They also require that all outbound internet traffic from application VMs goes through a single Azure Firewall in the East US hub. They have deployed ExpressRoute to on-premises. Currently, application VMs in West US cannot authenticate to the local AAD DS. What is the most likely cause?
25. You are designing a security strategy for a hybrid identity infrastructure that uses Microsoft Entra ID. The company requires that all administrative access to on-premises servers be secured using least-privilege principles and just-in-time (JIT) access. You plan to implement Microsoft Entra Privileged Identity Management (PIM) for Azure resources, but on-premises servers are not Azure resources. Which solution should you use to provide JIT access to on-premises servers?
26. You are designing a network security strategy for a multicloud environment that includes Azure and Amazon Web Services (AWS). The company requires that all traffic between the two clouds be encrypted and inspected for threats. You need to recommend a solution that meets the following requirements:
    - Minimize latency.
    - Use Microsoft-provided security services where possible.
    - Ensure traffic is inspected at Layers 3-7.
    Which TWO options should you include in your design?
27. Refer to the exhibit. You are reviewing an Azure Policy definition that will be assigned to a subscription containing production virtual machines. The policy is intended to enforce security best practices for disk encryption. What is the effect of this policy?
28. Your organization, Contoso Ltd., is migrating its on-premises workloads to Azure. The environment includes 200 virtual machines (VMs) running Windows Server and 50 VMs running Linux. You are responsible for designing the security infrastructure. The company has the following requirements:
    1) All VMs must be protected against malware.
    2) Security updates must be applied automatically to Windows VMs within 24 hours of release.
    3) Linux VMs must receive critical security patches within 48 hours.
    4) A central dashboard must provide visibility into the security posture of all VMs.
    5) All VMs must be onboarded to Microsoft Defender for Cloud to enable advanced threat protection.
    6) The solution must minimize administrative overhead.
    You have implemented the following:
    - All VMs are enrolled in Microsoft Defender for Cloud with the enhanced security features enabled.
    - Azure Update Manager is configured to schedule updates.
    - Microsoft Defender for Endpoint is installed on all Windows VMs.
    However, after a month, the security team reports that:
    - 50 Windows VMs did not receive security updates within 24 hours.
    - 10 Linux VMs have not received any patches.
    - The central dashboard shows that 30 VMs are not reporting their security status.
    - A malware outbreak occurred on 5 Windows VMs that were not protected by Defender for Endpoint.
    You need to identify the most likely root cause and recommend a corrective action.
29. Order the steps to deploy Azure Firewall with forced tunneling in a hub virtual network.
30. Order the steps to configure Azure Key Vault firewall and virtual network service endpoints.
31. Match each Azure network security feature to its description.
32. Match each security operations tool to its primary function.
The Design security for infrastructure domain covers the key concepts tested in this area of the SC-100 exam blueprint published by Microsoft. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all SC-100 domains — no account required.
The Courseiva SC-100 question bank contains 32 questions in the Design security for infrastructure domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the Design security for infrastructure domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.