Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


SC-100 Design security for infrastructure Practice Questions

20+ practice questions focused on Design security for infrastructure — one of the most tested topics on the Microsoft Cybersecurity Architect exam. Each question includes a detailed explanation so you learn why the right answer is correct.


Sample Design security for infrastructure Questions

1. A company is designing a hybrid network architecture using Azure ExpressRoute. They need to ensure that all traffic between on-premises and Azure is encrypted and authenticated. Which configuration should they implement?

A. Use VPN Gateway over ExpressRoute
B. Use ExpressRoute Direct with BGP
C. Use ExpressRoute with MACsec
D. Use Azure Firewall to inspect ExpressRoute traffic

Explanation: Option C is correct because MACsec (IEEE 802.1AE) provides Layer 2 encryption and authentication for traffic traversing ExpressRoute Direct ports, ensuring that all data between on-premises and Azure is encrypted at the physical link level. This meets the requirement for both encryption and authentication without relying on higher-layer protocols like IPsec, which would add overhead and complexity.

2. An organization uses Microsoft Defender for Cloud to secure their multi-cloud environment, including Azure and AWS. They want to ensure that all AWS EC2 instances are automatically onboarded to Defender for Cloud. What should they configure?

A. Deploy Azure Arc on each EC2 instance
B. Use AWS Systems Manager to push Defender workload
C. Set up the AWS connector in Defender for Cloud
D. Configure AWS Config rules to report to Defender

Explanation: Option C is correct because the AWS connector in Microsoft Defender for Cloud is the native integration that enables automatic discovery and onboarding of AWS resources, including EC2 instances, into Defender for Cloud. Once configured, the connector uses AWS IAM roles and APIs to continuously sync EC2 inventory and apply Defender plans (e.g., Defender for Servers) without requiring manual agent installation on each instance.

3. A company plans to deploy Azure Virtual Desktop (AVD) in a secure environment. They require that all user connections be established over a reverse connect protocol to avoid inbound firewall rules. Which component enables this?

A. Azure Bastion
B. Azure AD Application Proxy
C. AVD Gateway service
D. Session host configuration

Explanation: The AVD Gateway service is the correct component because it establishes a reverse connect transport, where the session host initiates an outbound connection to the gateway over HTTPS (port 443). This eliminates the need for any inbound firewall rules to the session hosts, as user connections are relayed through the gateway without directly exposing the session hosts to the internet.

4. A financial services company is deploying a three-tier application on Azure. They need to ensure that the web tier can only communicate with the application tier, and the application tier can only communicate with the data tier. All tiers should use private IP addresses. What is the most secure way to implement this?

A. Deploy Azure Firewall and use application rules
B. Use Network Security Groups (NSGs) on each subnet
C. Use VNet peering with route tables
D. Use Azure Web Application Firewall (WAF)

Explanation: Azure Firewall with application rules (FQDN-based) provides the most secure and granular control for east-west traffic between tiers. It can inspect and filter traffic at Layer 7 (application layer) using TLS inspection, ensuring only allowed application protocols (e.g., HTTPS) and specific FQDNs are permitted, while blocking all other traffic. This meets the requirement for private IP communication and enforces a zero-trust model between tiers.

5. A company uses Azure Kubernetes Service (AKS) with Azure Active Directory (Azure AD) integration. They want to restrict developers to only be able to create and manage pods and services, but not modify cluster-level resources like nodes or namespaces. What should they configure?

A. Assign the cluster-admin ClusterRole to the developers
B. Create a custom ClusterRole with rules for pods and services, then bind it to the developer group with a ClusterRoleBinding
C. Create a RoleBinding in each namespace for developers
D. Use Azure RBAC to grant Contributor role on the AKS cluster

Explanation: Option B is correct because Kubernetes RBAC allows fine-grained authorization. A custom ClusterRole can define rules for pods and services (core API group resources), and a ClusterRoleBinding binds it to the developer group across all namespaces. This grants the required permissions without allowing modifications to cluster-level resources like nodes or namespaces, which are not included in the custom role's rules.


How to master Design security for infrastructure for SC-100

1. Baseline your knowledge

Start with 10 questions to gauge your current understanding of Design security for infrastructure. This tells you whether you need a concept refresher or just practice.

2. Review every explanation

For each question — right or wrong — read the full explanation. Understanding why an answer is correct is more valuable than knowing the answer itself.

3. Focus on exam traps

Design security for infrastructure questions on the SC-100 frequently use trap wording. Look for subtle differences in answers that test your precision, not just general knowledge.

4. Reach 80% consistently

Do repeated sessions until you score 80%+ three times in a row. Then move to mixed-mode practice to test cross-topic recall under realistic conditions.

Frequently asked questions

How many SC-100 Design security for infrastructure questions are on the real exam?

The exact number varies per candidate. Design security for infrastructure is tested as part of the Microsoft Cybersecurity Architect blueprint. Practicing with targeted Design security for infrastructure questions ensures you can handle any format or difficulty that appears.

Are these SC-100 Design security for infrastructure practice questions free?

Yes. Courseiva provides free SC-100 practice questions across all exam topics and domains. The platform includes topic-based practice, mock exams, missed-question review, bookmarked questions, and readiness tracking — no account required.

Is Design security for infrastructure one of the harder SC-100 topics?

Difficulty is subjective, but Design security for infrastructure is a high-priority exam concept tested in multiple ways — direct recall, scenario analysis, and command-output interpretation. Consistent practice is the best way to build confidence.
