Courseiva
Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


SC-100 Design security for infrastructure — All Questions With Answers

Complete SC-100 Design security for infrastructure question bank: all 32 questions with answers and detailed explanations.

32 questions • Free • No signup
Question 1 (medium, multiple choice)

A company is designing a hybrid network architecture using Azure ExpressRoute. They need to ensure that all traffic between on-premises and Azure is encrypted and authenticated. Which configuration should they implement?

Question 2 (hard, multiple choice)

An organization uses Microsoft Defender for Cloud to secure their multi-cloud environment, including Azure and AWS. They want to ensure that all AWS EC2 instances are automatically onboarded to Defender for Cloud. What should they configure?

Question 3 (easy, multiple choice)

A company plans to deploy Azure Virtual Desktop (AVD) in a secure environment. They require that all user connections be established over a reverse connect protocol to avoid inbound firewall rules. Which component enables this?

Question 4 (medium, multiple choice)

A financial services company is deploying a three-tier application on Azure. They need to ensure that the web tier can only communicate with the application tier, and the application tier can only communicate with the data tier. All tiers should use private IP addresses. What is the most secure way to implement this?

Question 5 (hard, multiple choice)

A company uses Azure Kubernetes Service (AKS) with Azure Active Directory (Azure AD) integration. They want developers to be able to create and manage pods and services, but not to modify cluster-level resources such as nodes or namespaces. What should they configure?

Question 6 (easy, multiple choice)

A company has a hybrid identity deployment using Azure AD Connect. They want to ensure that if a user's on-premises account is disabled, the corresponding Azure AD account is also disabled within 30 minutes. Which setting should they configure?

Question 7 (medium, multiple choice)

A company is deploying Azure SQL Database with Azure Active Directory authentication for their application. They want to ensure that only specific Azure AD users can access the database, and that these users are authenticated at the database level. What should they do?

Question 8 (hard, multiple choice)

A company uses Azure Policy to enforce compliance. They want to automatically remediate non-compliant resources by deploying a custom template. Which effect should they use in the policy definition?

Question 9 (medium, multi select)

Which TWO of the following are true about Azure DDoS Protection?

Question 10 (hard, multi select)

Which THREE of the following are best practices for securing Azure Kubernetes Service (AKS)?

Question 11 (easy, multi select)

Which TWO of the following are valid methods to secure traffic between on-premises and Azure?

Question 12 (hard, multiple choice)

Refer to the exhibit. An Azure policy is defined as shown. Which resources will be audited?

Exhibit:

```json
{
  "properties": {
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Compute/virtualMachines"
          },
          {
            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.managedDisk",
            "exists": "true"
          },
          {
            "anyOf": [
              {
                "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.managedDisk.storageAccountType",
                "notEquals": "Premium_LRS"
              },
              {
                "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.diskSizeGB",
                "greater": 1023
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "audit"
      }
    }
  }
}
```
Question 13 (medium, multiple choice)

Refer to the exhibit. A network policy is applied in the production namespace. What is the effect on the webapp pod's ability to reach external services?

Exhibit:

```
$ kubectl get pods -n production
NAME                     READY   STATUS    RESTARTS   AGE
webapp-7d5b6c8b9-abc     1/1     Running   0          2d
webapp-7d5b6c8b9-def     1/1     Running   0          2d
$ kubectl get networkpolicy -n production
NAME                     POD-SELECTOR   AGE
allow-egress-dns         {}             1d
$ kubectl describe networkpolicy allow-egress-dns -n production
...
Spec:
  PodSelector: <none>
  Egress:
    To:
      - NamespaceSelector: {}
        PodSelector:
          MatchLabels:
            k8s-app: kube-dns
    Ports:
      - Port: 53
        Protocol: UDP
  PolicyTypes:
    - Egress
```
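
The way to reason about the exhibit above is to apply the NetworkPolicy selection rules to each flow the webapp pod might attempt. The following Python is an added illustration, not kubectl output or code from Courseiva: it reimplements the Kubernetes NetworkPolicy semantics (a pod selected by any policy that lists Egress in policyTypes may only send traffic that some egress rule of those policies matches; a pod selected by no such policy may send anywhere; namespaceSelector and podSelector in one `to` entry are ANDed) and runs the exhibit's policy over constructed flows. The coredns, api and batch pods, the staging namespace and the address 203.0.113.10 are made up for the example; only the webapp pods come from the exhibit. Two caveats a practitioner would check before trusting the result: the policy lists port 53 over UDP only, so DNS over TCP (used for truncated responses and zone transfers) is also blocked, and a NetworkPolicy object is enforced only when the cluster's network plugin implements it (on AKS, a cluster created with Azure Network Policy Manager, Calico or Cilium); the exhibit shows that the object exists, not which plugin is installed.

```python
"""
Egress evaluation for the allow-egress-dns NetworkPolicy shown in the exhibit.

Added illustration, not kubectl or a CNI plugin: it applies the NetworkPolicy
semantics from the Kubernetes API (a pod selected by at least one policy that
lists Egress in policyTypes may only send traffic matched by some egress rule
of those policies; a pod selected by no such policy may send anywhere) to a
few constructed flows. Pods, namespaces and addresses other than the two
webapp pods in the exhibit are made up for the example.
"""
from ipaddress import ip_address, ip_network

# Constructed cluster state. Only the webapp pods come from the exhibit.
NAMESPACE_LABELS = {"production": {"env": "prod"}, "kube-system": {}, "staging": {}}
PODS = {
    "webapp-7d5b6c8b9-abc": {"namespace": "production", "labels": {"app": "webapp"}},
    "coredns-5d7c8f6b9-xyz": {"namespace": "kube-system", "labels": {"k8s-app": "kube-dns"}},
    "api-1": {"namespace": "production", "labels": {"app": "api"}},
    "batch-1": {"namespace": "staging", "labels": {"app": "batch"}},
}

# The policy from the exhibit, as its spec would appear in YAML/JSON.
POLICIES = [{
    "name": "allow-egress-dns",
    "namespace": "production",
    "podSelector": {},                      # empty selector: every pod in the namespace
    "policyTypes": ["Egress"],              # Egress only: ingress to these pods is untouched
    "egress": [{
        # namespaceSelector and podSelector in ONE entry are ANDed: kube-dns pods in any namespace
        "to": [{"namespaceSelector": {}, "podSelector": {"matchLabels": {"k8s-app": "kube-dns"}}}],
        "ports": [{"port": 53, "protocol": "UDP"}],
    }],
}]


def _selected(selector, labels):
    """matchLabels-only label selector; {} matches everything."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def _peer_matches(peer, policy_ns, dst):
    """One entry of an egress rule's 'to' list against a destination."""
    if "ipBlock" in peer:
        return "ip" in dst and ip_address(dst["ip"]) in ip_network(peer["ipBlock"]["cidr"])
    if "pod" not in dst:                    # selector peers never match addresses outside the cluster
        return False
    pod = PODS[dst["pod"]]
    if "namespaceSelector" in peer:
        ns_ok = _selected(peer["namespaceSelector"], NAMESPACE_LABELS[pod["namespace"]])
    else:                                   # podSelector alone is scoped to the policy's own namespace
        ns_ok = pod["namespace"] == policy_ns
    return ns_ok and _selected(peer.get("podSelector", {}), pod["labels"])


def _rule_matches(rule, policy_ns, dst, port, proto):
    to, ports = rule.get("to"), rule.get("ports")
    peer_ok = True if not to else any(_peer_matches(p, policy_ns, dst) for p in to)
    port_ok = True if not ports else any(
        p["port"] == port and p.get("protocol", "TCP") == proto for p in ports)
    return peer_ok and port_ok


def egress_allowed(src, dst, port, proto="TCP", policies=POLICIES):
    """dst is {"pod": name} for an in-cluster pod or {"ip": addr} for anything else."""
    src_pod = PODS[src]
    selecting = [p for p in policies
                 if p["namespace"] == src_pod["namespace"]
                 and "Egress" in p.get("policyTypes", [])
                 and _selected(p["podSelector"], src_pod["labels"])]
    if not selecting:
        return True                          # no egress policy selects the pod: default allow
    return any(_rule_matches(r, p["namespace"], dst, port, proto)
               for p in selecting for r in p.get("egress", []))


def evaluate_exhibit():
    """Flows a practitioner would check for the webapp pod; returns {flow: allowed}."""
    web = "webapp-7d5b6c8b9-abc"
    return {
        "webapp -> kube-dns 53/UDP": egress_allowed(web, {"pod": "coredns-5d7c8f6b9-xyz"}, 53, "UDP"),
        "webapp -> kube-dns 53/TCP": egress_allowed(web, {"pod": "coredns-5d7c8f6b9-xyz"}, 53, "TCP"),
        "webapp -> 203.0.113.10:443 (external)": egress_allowed(web, {"ip": "203.0.113.10"}, 443),
        "webapp -> api pod 8080": egress_allowed(web, {"pod": "api-1"}, 8080),
        "staging batch -> 203.0.113.10:443": egress_allowed("batch-1", {"ip": "203.0.113.10"}, 443),
    }


if __name__ == "__main__":
    for flow, ok in evaluate_exhibit().items():
        print(f"{'ALLOW' if ok else 'DENY ':5} {flow}")
```

Running it shows the webapp pods can resolve names over UDP/53 and nothing else, while the batch pod in the unselected staging namespace keeps the default allow; that asymmetry is exactly the question the exhibit is asking you to recognise.
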
Question 14 (hard, multiple choice)

You are a cybersecurity architect for a multinational corporation that is migrating its on-premises workloads to Azure. The environment includes 500 virtual machines across multiple subscriptions, managed through Azure Policy and Azure Blueprints. The security team has reported that some VMs are not receiving the latest security updates despite being configured for automatic updates via the Azure Update Management solution. Additionally, you have noticed that some VMs are missing the Azure Monitor agent, which is required for security monitoring. The company uses Azure Security Center (now Defender for Cloud) with the standard tier enabled. You need to ensure that all VMs are compliant with the company's security baseline, which requires:

(1) all VMs must have the Azure Monitor agent installed,
(2) all VMs must be enrolled in the Update Management solution, and
(3) all VMs must be protected by Microsoft Defender for Cloud.

What should you do to enforce compliance and remediate non-compliant VMs?

Question 15 (medium, multiple choice)

You are a security architect for a healthcare organization that is deploying a new application on Azure. The application consists of a web frontend (Azure App Service), an API layer (Azure Functions), and a database (Azure SQL Database). The organization requires that all data be encrypted at rest and in transit. Additionally, they need to ensure that only authenticated and authorized users can access the API, and that the database is accessible only from the API layer. The organization also wants to use managed identities to avoid storing credentials. You have deployed the resources. Now you need to configure the security settings. What should you do to meet the requirements?

Question 16 (medium, multiple choice)

A company uses Azure Firewall to inspect outbound traffic from a hub virtual network. They need to ensure that traffic from a spoke virtual network to a specific SaaS application (api.contoso.com) bypasses the firewall for performance reasons. What is the most efficient way to achieve this?

Question 17 (hard, multiple choice)

A company deploys Azure Bastion in a VNet. They want to allow a security engineer to connect to a Windows VM in a peered VNet using Azure Bastion. The engineer can see the VM in the portal but cannot connect. Which configuration is most likely missing?

Question 18 (easy, multiple choice)

A company uses Azure Front Door to load balance traffic across two origin servers in different Azure regions. They notice that failover is not working when one origin becomes unhealthy. What is the most likely cause?

Question 19 (hard, multiple choice)

A company is designing a secure hybrid network architecture. They have an on-premises network connected to Azure via ExpressRoute and a site-to-site VPN as backup. They want to ensure that traffic from Azure to on-premises always uses ExpressRoute when available, but automatically fails over to VPN if ExpressRoute goes down. Which configuration should they implement?

Question 20 (medium, multiple choice)

A company deploys a three-tier application with web servers, application servers, and database servers in a VNet. They need to ensure that web servers can only communicate with application servers on port 443, and application servers can only communicate with database servers on port 1433. Web servers should not be able to communicate with database servers. What is the most secure and efficient way to implement this?

Question 21 (easy, multiple choice)

A company uses Azure Policy to enforce that all storage accounts must have HTTPS traffic only. They assign a built-in policy to audit this setting. A developer creates a new storage account with HTTP enabled, and the policy reports it as non-compliant. What should the company do to automatically remediate this violation?

Question 22 (medium, multi select)

Which TWO actions should you take to secure an Azure Kubernetes Service (AKS) cluster?

Question 23 (hard, multi select)

Which THREE components are required to implement a secure hybrid network with Azure using a site-to-site VPN?

Question 24 (hard, multiple choice)

A large enterprise is designing a secure infrastructure for a multi-region application deployment. They have a hub-spoke topology in two Azure regions (East US and West US) with VNet peering between the hubs. Each region has a shared services spoke containing Azure AD Domain Services (AAD DS) and management jump boxes. Application spokes in each region host VMs that need to authenticate to the local AAD DS. The company mandates that all traffic between regions must traverse a network virtual appliance (NVA) for inspection, except for Azure management traffic. They also require that all outbound internet traffic from application VMs goes through a single Azure Firewall in the East US hub. They have deployed ExpressRoute to on-premises. Currently, application VMs in West US cannot authenticate to the local AAD DS. What is the most likely cause?

Question 25 (medium, multiple choice)

You are designing a security strategy for a hybrid identity infrastructure that uses Microsoft Entra ID. The company requires that all administrative access to on-premises servers be secured using least-privilege principles and just-in-time (JIT) access. You plan to implement Microsoft Entra Privileged Identity Management (PIM) for Azure resources, but on-premises servers are not Azure resources. Which solution should you use to provide JIT access to on-premises servers?

Question 26 (hard, multi select)

You are designing a network security strategy for a multicloud environment that includes Azure and Amazon Web Services (AWS). The company requires that all traffic between the two clouds be encrypted and inspected for threats. You need to recommend a solution that meets the following requirements:

- Minimize latency.
- Use Microsoft-provided security services where possible.
- Ensure traffic is inspected at Layers 3-7.

Which TWO options should you include in your design?

Question 27 (easy, multiple choice)

Refer to the exhibit. You are reviewing an Azure Policy definition that will be assigned to a subscription containing production virtual machines. The policy is intended to enforce security best practices for disk encryption. What is the effect of this policy?

Exhibit:

```json
{
  "properties": {
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Compute/virtualMachines"
          },
          {
            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.managedDisk.storageAccountType",
            "in": [
              "Standard_LRS",
              "StandardSSD_LRS"
            ]
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }
  }
}
```
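
Both policy exhibits on this page (Question 12's audit rule and Question 27's deny rule) are answered by the same exercise: walk the `if` block's conditions against a concrete resource and see whether the `then` effect fires. The following Python is an added illustration, not Azure's policy engine and not code from Courseiva: it reimplements the documented semantics of allOf/anyOf and of the equals, notEquals, in, exists and greater conditions (string comparison is case-insensitive, as in Azure Policy) and runs both rules over constructed VM resources flattened to the alias names the rules reference. The resource names and disk values are made up; treating an alias that is absent from a resource as null (so that notEquals is true for it) is an assumption made for the example, and it is also the reason the Question 12 rule guards with an `exists` condition, which the helper `without_exists_guard` demonstrates by removing it.

```python
"""
Evaluator for the Azure Policy rules in the Question 12 and Question 27 exhibits.

Added illustration, not Azure's policy engine: it reimplements the documented
semantics of allOf/anyOf and of the equals, notEquals, in, exists and greater
conditions (string comparison is case-insensitive, as in Azure Policy) and
runs both rules over a handful of constructed VM resources. Resource names
and disk values are made up; an alias that is absent from a resource is
treated as null, which is an assumption made for the example.
"""
import copy

VM = "Microsoft.Compute/virtualMachines"
DISK = VM + "/storageProfile.osDisk.managedDisk"
SKU = DISK + ".storageAccountType"
SIZE = VM + "/storageProfile.osDisk.diskSizeGB"

AUDIT_RULE = {"properties": {"policyRule": {            # Question 12 exhibit
    "if": {"allOf": [
        {"field": "type", "equals": VM},
        {"field": DISK, "exists": "true"},
        {"anyOf": [{"field": SKU, "notEquals": "Premium_LRS"},
                   {"field": SIZE, "greater": 1023}]},
    ]},
    "then": {"effect": "audit"}}}}

DENY_RULE = {"properties": {"policyRule": {             # Question 27 exhibit
    "if": {"allOf": [
        {"field": "type", "equals": VM},
        {"field": SKU, "in": ["Standard_LRS", "StandardSSD_LRS"]},
    ]},
    "then": {"effect": "deny"}}}}

# Constructed resources, flattened to the alias names the rules reference.
SAMPLE_RESOURCES = [
    {"name": "vm-prem-128",  "type": VM, DISK: {"id": "d1"}, SKU: "Premium_LRS",     SIZE: 128},
    {"name": "vm-std-128",   "type": VM, DISK: {"id": "d2"}, SKU: "Standard_LRS",    SIZE: 128},
    {"name": "vm-prem-2048", "type": VM, DISK: {"id": "d3"}, SKU: "Premium_LRS",     SIZE: 2048},
    {"name": "vm-ssd-lower", "type": VM, DISK: {"id": "d4"}, SKU: "standardssd_lrs", SIZE: 256},
    {"name": "vm-unmanaged", "type": VM, SIZE: 64},     # unmanaged OS disk: managedDisk alias absent
    {"name": "stg-logs", "type": "Microsoft.Storage/storageAccounts"},
]


def _norm(value):
    return value.lower() if isinstance(value, str) else value


def eval_condition(cond, resource):
    if "allOf" in cond:
        return all(eval_condition(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(eval_condition(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not eval_condition(cond["not"], resource)
    actual = resource.get(cond["field"])                # None when the alias is absent (assumed null)
    if "exists" in cond:
        return (actual is not None) == (str(cond["exists"]).lower() == "true")
    if "equals" in cond:
        return _norm(actual) == _norm(cond["equals"])
    if "notEquals" in cond:                             # null != "Premium_LRS": true for a missing alias
        return _norm(actual) != _norm(cond["notEquals"])
    if "in" in cond:
        return _norm(actual) in {_norm(v) for v in cond["in"]}
    if "greater" in cond:
        return actual is not None and actual > cond["greater"]
    raise ValueError(f"unsupported condition: {cond}")


def effect_for(rule, resource):
    """The 'then' effect if the rule's 'if' block matches, else None."""
    policy_rule = rule["properties"]["policyRule"]
    return policy_rule["then"]["effect"] if eval_condition(policy_rule["if"], resource) else None


def matched_names(rule, resources=SAMPLE_RESOURCES):
    return [r["name"] for r in resources if effect_for(rule, r)]


def without_exists_guard(rule):
    """Same audit rule minus its 'exists' condition, to show what the guard prevents."""
    stripped = copy.deepcopy(rule)
    cond = stripped["properties"]["policyRule"]["if"]
    cond["allOf"] = [c for c in cond["allOf"] if "exists" not in c]
    return stripped


if __name__ == "__main__":
    print("audit (Q12):", matched_names(AUDIT_RULE))
    print("audit without exists guard:", matched_names(without_exists_guard(AUDIT_RULE)))
    print("deny  (Q27):", matched_names(DENY_RULE))
```

Two things the run makes visible that the JSON alone hides: the `in` comparison matches `standardssd_lrs` regardless of case, and dropping the `exists` guard makes the unmanaged-disk VM non-compliant purely because a missing alias satisfies notEquals. Remember also that audit only writes a compliance record, whereas deny rejects the create or update request, so the Question 27 rule blocks deployments rather than reporting on them.
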
Question 28 (hard, multiple choice)

Your organization, Contoso Ltd., is migrating its on-premises workloads to Azure. The environment includes 200 virtual machines (VMs) running Windows Server and 50 VMs running Linux. You are responsible for designing the security infrastructure. The company has the following requirements:

1) All VMs must be protected against malware.
2) Security updates must be applied automatically to Windows VMs within 24 hours of release.
3) Linux VMs must receive critical security patches within 48 hours.
4) A central dashboard must provide visibility into the security posture of all VMs.
5) All VMs must be onboarded to Microsoft Defender for Cloud to enable advanced threat protection.
6) The solution must minimize administrative overhead.

You have implemented the following:

- All VMs are enrolled in Microsoft Defender for Cloud with the enhanced security features enabled.
- Azure Update Manager is configured to schedule updates.
- Microsoft Defender for Endpoint is installed on all Windows VMs.

However, after a month, the security team reports that:

- 50 Windows VMs did not receive security updates within 24 hours.
- 10 Linux VMs have not received any patches.
- The central dashboard shows that 30 VMs are not reporting their security status.
- A malware outbreak occurred on 5 Windows VMs that were not protected by Defender for Endpoint.

You need to identify the most likely root cause and recommend a corrective action.

Question 29 (medium, drag order)

Order the steps to deploy Azure Firewall with forced tunneling in a hub virtual network.

Question 30 (medium, drag order)

Order the steps to configure Azure Key Vault firewall and virtual network service endpoints.

Question 31 (medium, matching)

Match each Azure network security feature to its description.

Descriptions:

Stateful packet filtering at subnet or NIC

Managed, cloud-native firewall with threat intelligence

Protects web apps from common exploits

Always-on traffic monitoring and mitigation

Access PaaS services over private endpoint

Question 32 (medium, matching)

Match each security operations tool to its primary function.

Descriptions:

Security information and event management

Extended detection and response (XDR)

Cloud security posture management

Identity risk detection and remediation

Data governance and compliance
