20+ practice questions focused on Design security for infrastructure — one of the most tested topics on the Microsoft Cybersecurity Architect exam. Each question includes a detailed explanation so you learn why the right answer is correct.
A company is designing a hybrid network architecture using Azure ExpressRoute. They need to ensure that all traffic between on-premises and Azure is encrypted and authenticated. Which configuration should they implement?
Explanation: Option C (MACsec on ExpressRoute Direct) is correct because MACsec (IEEE 802.1AE) encrypts and authenticates every frame at Layer 2 on the ExpressRoute Direct port pair, so all traffic on the physical link between the customer edge router and the Microsoft edge router is protected without the per-packet overhead and tunnel management of IPsec. Two caveats matter in practice. MACsec is only available on ExpressRoute Direct (customer-owned 10 Gbps or 100 Gbps ports), not on circuits provisioned through a connectivity provider, and it protects only that link, not the path beyond the Microsoft edge. The connectivity association key (CAK) and key name (CKN) are stored as Azure Key Vault secrets that the port reads through a user-assigned managed identity, and the same values must be configured on the on-premises router or the link will not come up. If encryption must be end to end rather than link level, the alternative is IPsec, for example a site-to-site VPN over ExpressRoute private peering.
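The configuration the explanation describes, as an added example in Az PowerShell that is not part of the original page. The resource group, region, port name, identity name and Key Vault name are placeholders; it assumes the ExpressRoute Direct port and the Key Vault already exist and that the vault uses the access-policy permission model (with Azure RBAC on the vault, assign the Key Vault Secrets User role to the identity instead). The CKN and CAK are generated here rather than hand-typed and must be entered on the on-premises router as well.

```powershell
# Added example (not from the original page): enable MACsec on an
# ExpressRoute Direct port pair. Names below are placeholders.
$rg       = "rg-er-direct"
$location = "westus2"
$portName = "erd-port-01"
$kvName   = "kv-erd-macsec"

# 1. Generate the key material locally: a 32-byte CKN and a 32-byte CAK
#    (64 hex characters each, as required for GcmAes256). Never hand-type keys.
function New-HexKey {
    param([int]$Bytes = 32)
    $buf = New-Object byte[] $Bytes
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($buf)
    return ($buf | ForEach-Object { $_.ToString("x2") }) -join ""
}
$ckn = ConvertTo-SecureString (New-HexKey) -AsPlainText -Force
$cak = ConvertTo-SecureString (New-HexKey) -AsPlainText -Force

# 2. Store CKN and CAK as Key Vault secrets. The port reads them through a
#    user-assigned managed identity that gets only 'get' on secrets.
$identity  = New-AzUserAssignedIdentity -ResourceGroupName $rg -Name "id-erd-macsec" -Location $location
$cknSecret = Set-AzKeyVaultSecret -VaultName $kvName -Name "erd-ckn" -SecretValue $ckn
$cakSecret = Set-AzKeyVaultSecret -VaultName $kvName -Name "erd-cak" -SecretValue $cak
Set-AzKeyVaultAccessPolicy -VaultName $kvName -ObjectId $identity.PrincipalId -PermissionsToSecrets get

# 3. Attach the identity to the port and configure MACsec on both links
#    of the pair; each link carries its own SecTAG/ICV.
$port = Get-AzExpressRoutePort -ResourceGroupName $rg -Name $portName
$port = Set-AzExpressRoutePortIdentity -ExpressRoutePort $port -UserAssignedIdentityId $identity.Id
foreach ($link in $port.Links) {
    $link.MacSecConfig.CknSecretIdentifier = $cknSecret.Id
    $link.MacSecConfig.CakSecretIdentifier = $cakSecret.Id
    $link.MacSecConfig.Cipher   = "GcmAes256"   # AES-256-GCM: confidentiality and integrity
    $link.MacSecConfig.SciState = "Enabled"     # send the Secure Channel Identifier in the SecTAG
    $link.AdminState            = "Enabled"
}
Set-AzExpressRoutePort -ExpressRoutePort $port

# 4. Verify: both links should report the cipher and AdminState Enabled.
(Get-AzExpressRoutePort -ResourceGroupName $rg -Name $portName).Links |
    Select-Object Name, AdminState,
        @{ n = "Cipher";   e = { $_.MacSecConfig.Cipher } },
        @{ n = "SciState"; e = { $_.MacSecConfig.SciState } }
```

The identity is the only principal that can read the secrets, which is the property a reviewer should check: if the CAK is readable by operators or pipelines through broader vault permissions, the link-level encryption is only as strong as that access path.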
An organization uses Microsoft Defender for Cloud to secure their multi-cloud environment, including Azure and AWS. They want to ensure that all AWS EC2 instances are automatically onboarded to Defender for Cloud. What should they configure?
Explanation: Option C is correct because the AWS connector, created under Environment settings in Microsoft Defender for Cloud, is the native integration. Creating it deploys a CloudFormation template in the AWS account that creates the IAM roles Defender for Cloud assumes to discover resources, so EC2 instances appear in the inventory automatically and stay in sync as instances are launched and terminated. Protection of the instances themselves comes from the Defender plans selected on the connector: with Defender for Servers enabled, each EC2 instance is connected to Azure Arc automatically through AWS Systems Manager (the instances need the SSM agent and an instance profile that allows Systems Manager to reach them), and the Defender for Endpoint sensor is then auto-provisioned. No one has to install agents by hand, but the instances do receive agents, so outbound connectivity and the SSM prerequisites should be verified before relying on the rollout.
A company plans to deploy Azure Virtual Desktop (AVD) in a secure environment. They require that all user connections be established over a reverse connect protocol to avoid inbound firewall rules. Which component enables this?
Explanation: The AVD Gateway service is the correct component. With reverse connect, the Azure Virtual Desktop agent on the session host maintains outbound connectivity to the service over HTTPS (TCP 443) and, when the broker assigns a user session to it, opens an outbound connection to the gateway; the client also connects outbound to the gateway, which relays the RDP stream between the two. Nothing connects inbound to the session host, so it needs no public IP and no inbound rule for TCP 3389 or any other port. The only firewall work is outbound: session hosts must be able to reach the Azure Virtual Desktop service URLs on 443, and blocking those is the usual cause of hosts showing as unavailable. RDP Shortpath can later add a direct UDP transport for session data, but the reverse connect path is still used to broker and establish the session.
A financial services company is deploying a three-tier application on Azure. They need to ensure that the web tier can only communicate with the application tier, and the application tier can only communicate with the data tier. All tiers should use private IP addresses. What is the most secure way to implement this?
Explanation: Azure Firewall with application rules (FQDN-based) provides the most granular control for east-west traffic between the tiers. Application rules match on the HTTP Host header or the TLS SNI, so the web tier can be allowed to reach only the application tier's FQDN over HTTPS and the application tier only the data tier's FQDN (for example with the mssql protocol), while the firewall's implicit deny drops everything else. All tiers keep private IP addresses; the firewall's own private IP is simply the next hop. Two details decide whether this actually enforces anything. First, subnets in the same virtual network reach each other directly by default, so each tier's subnet needs a user-defined route that sends traffic for the other tiers to the firewall's private IP, or the firewall never sees it. Second, inspecting the content of the encrypted stream (TLS inspection, IDPS) requires the Premium SKU with a firewall policy and an intermediate CA certificate in Key Vault; the Standard SKU still enforces the FQDN allow list from the SNI without decrypting. Network security groups with application security groups can express the same tier-to-tier allow list at Layer 3/4 and are commonly layered underneath; the firewall adds the FQDN and protocol awareness, central logging and the zero-trust default deny between tiers.
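The tier segmentation above, as an added example in Az PowerShell that is not part of the original page: two application rules (web to app over HTTPS, app to data over mssql) and the user-defined routes that force each tier's traffic through the firewall. The resource group, region, firewall, VNet and subnet names, the address ranges and the FQDNs are placeholders; it assumes a deployed Azure Firewall using classic rules (a policy-based firewall uses the New-AzFirewallPolicy* cmdlets instead) and that the FQDNs resolve to the tiers' private IPs through a private DNS zone.

```powershell
# Added example (not from the original page): Azure Firewall application
# rules for a three-tier app plus the UDRs that make the rules effective.
$rg     = "rg-three-tier"
$loc    = "westus2"
$fwName = "azfw-hub"
$webCidr, $appCidr, $dataCidr = "10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"

$fw   = Get-AzFirewall -ResourceGroupName $rg -Name $fwName
$fwIp = $fw.IpConfigurations[0].PrivateIPAddress   # next hop for the UDRs

# Application rules match on FQDN (HTTP Host header / TLS SNI). Anything not
# matched by an allow rule is dropped by the firewall's implicit deny, so
# web -> data and data -> anything are blocked without an explicit rule.
$webToApp  = New-AzFirewallApplicationRule -Name "web-to-app" -SourceAddress $webCidr `
               -TargetFqdn "app.corp.contoso.com" -Protocol "https:443"
$appToData = New-AzFirewallApplicationRule -Name "app-to-data" -SourceAddress $appCidr `
               -TargetFqdn "sql.corp.contoso.com" -Protocol "mssql:1433"
$coll = New-AzFirewallApplicationRuleCollection -Name "tier-segmentation" -Priority 100 `
          -ActionType Allow -Rule $webToApp, $appToData
$fw.ApplicationRuleCollections = $coll   # replaces existing collections (documented pattern)
Set-AzFirewall -AzureFirewall $fw

# Without UDRs the subnets talk to each other directly and the firewall
# never sees the traffic. Give each tier a route table that sends the other
# tiers' prefixes to the firewall's private IP.
$vnet  = Get-AzVirtualNetwork -ResourceGroupName $rg -Name "vnet-app"
$tiers = @{ "snet-web" = $webCidr; "snet-app" = $appCidr; "snet-data" = $dataCidr }
foreach ($name in $tiers.Keys) {
    $rt = New-AzRouteTable -ResourceGroupName $rg -Location $loc -Name "rt-$name" -Force
    foreach ($dest in $tiers.Values) {
        if ($dest -ne $tiers[$name]) {
            $rt = Add-AzRouteConfig -RouteTable $rt -Name ("to-" + $dest.Replace("/", "-")) `
                    -AddressPrefix $dest -NextHopType VirtualAppliance -NextHopIpAddress $fwIp
        }
    }
    $rt | Set-AzRouteTable | Out-Null
    Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $name `
        -AddressPrefix $tiers[$name] -RouteTable $rt | Out-Null
}
$vnet | Set-AzVirtualNetwork | Out-Null
```

A quick functional check after deployment is to query the firewall's AzureFirewallApplicationRule log category: a request from the web subnet to sql.corp.contoso.com should appear with action Deny, and a request to app.corp.contoso.com with action Allow. If neither shows up, the UDRs are not attached and the traffic is bypassing the firewall.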
A company uses Azure Kubernetes Service (AKS) with Azure Active Directory (Azure AD) integration. They want to restrict developers to only be able to create and manage pods and services, but not modify cluster-level resources like nodes or namespaces. What should they configure?
Explanation: Option B is correct because Kubernetes RBAC allows fine-grained authorization. A custom ClusterRole whose rules cover only pods and services in the core ("") API group, bound to the developers' Azure AD group with a ClusterRoleBinding, grants those verbs in every namespace. Nodes and namespaces are cluster-scoped resources that the role never mentions, and Kubernetes RBAC is deny-by-default, so they stay off limits. Two implementation details matter: with Azure AD integration the binding's subject is the group's object ID (kind: Group), not its display name; and because a ClusterRoleBinding spans all namespaces, including kube-system, a RoleBinding per developer namespace that references the same ClusterRole is the tighter choice when developers do not need cluster-wide scope. Confirm the result with kubectl auth can-i while impersonating a group member. If the cluster had been configured with Azure RBAC for Kubernetes authorization instead, the equivalent would be a custom Azure role with Microsoft.ContainerService/managedClusters data actions assigned at cluster scope.
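The role, binding and verification described above, as an added example that is not part of the original page. It is written as PowerShell driving kubectl, with the manifest in a here-string; the group display name "aks-developers" and the user principal "dev@contoso.com" are placeholders, and it assumes an AKS cluster with Azure AD integration and Kubernetes RBAC, applied from a cluster-admin context (for example after az aks get-credentials --admin).

```powershell
# Added example (not from the original page): a ClusterRole limited to pods
# and services, bound to an Azure AD developer group, then verified.
$devGroup   = Get-AzADGroup -DisplayName "aks-developers"   # placeholder group name
$devGroupId = $devGroup.Id   # Kubernetes RBAC subjects use the group object ID

$manifest = @"
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: developer-pods-services
rules:
- apiGroups: [""]                      # core API group: pods and services live here
  resources: ["pods", "services"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
# No rule mentions nodes or namespaces (cluster-scoped), so they remain denied.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: developers-pods-services
subjects:
- kind: Group
  name: $devGroupId
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: developer-pods-services
  apiGroup: rbac.authorization.k8s.io
"@
$manifest | kubectl apply -f -

# Verify effective permissions by impersonating a member of the group.
# Impersonation itself needs the 'impersonate' verb, which cluster-admin has.
$asUser = "dev@contoso.com"   # placeholder UPN
kubectl auth can-i create pods       --as $asUser --as-group $devGroupId
kubectl auth can-i list services     --as $asUser --as-group $devGroupId
kubectl auth can-i delete nodes      --as $asUser --as-group $devGroupId
kubectl auth can-i create namespaces --as $asUser --as-group $devGroupId
```

The first two checks answer yes and the last two answer no; any other result means the developers also hold a broader binding (for example through another group) and that binding, not this role, is what needs fixing. To confine developers to their own namespaces, keep the ClusterRole and replace the ClusterRoleBinding with a RoleBinding in each namespace that references it.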
+15 more Design security for infrastructure questions available
1. Baseline your knowledge
Start with 10 questions to gauge your current understanding of Design security for infrastructure. This tells you whether you need a concept refresher or just practice.
2. Review every explanation
For each question — right or wrong — read the full explanation. Understanding why an answer is correct is more valuable than knowing the answer itself.
3. Focus on exam traps
Design security for infrastructure questions on the SC-100 frequently use trap wording. Look for subtle differences in answers that test your precision, not just general knowledge.
4. Reach 80% consistently
Do repeated sessions until you score 80%+ three times in a row. Then move to mixed-mode practice to test cross-topic recall under realistic conditions.
The exact number varies per candidate. Design security for infrastructure is tested as part of the Microsoft Cybersecurity Architect blueprint. Practicing with targeted Design security for infrastructure questions ensures you can handle any format or difficulty that appears.
Yes. Courseiva provides free SC-100 practice questions across all exam topics and domains. The platform includes topic-based practice, mock exams, missed-question review, bookmarked questions, and readiness tracking — no account required.
Difficulty is subjective, but Design security for infrastructure is a high-priority exam concept tested in multiple ways — direct recall, scenario analysis, and command-output interpretation. Consistent practice is the best way to build confidence.
Launch a full Design security for infrastructure practice session with instant scoring and detailed explanations.
Start Design security for infrastructure Practice →