Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

Objective 3.0 · 18% of exam

Security Architecture

SY0-701 Practice Questions

Security Architecture is the domain of the SY0-701 exam that focuses on how to design and implement secure networks, systems, and applications. Think of it as the blueprint for an organization's security posture: deciding where to place firewalls, how to segment a network, what encryption to use, and how to manage access controls. In plain English, it's about making sure that the right people have the right access to the right resources, while keeping bad actors out. For example, a security architect might design a multi-tier web application where the database server is isolated in a separate subnet, accessible only from the application server, and all communication is encrypted with TLS. This domain covers both the theory and practical implementation of such designs.

Why is this important for real-world IT and cloud work? Because every company, from startups to global enterprises, relies on secure architectures to protect sensitive data and maintain operations. A misconfigured cloud environment can lead to data breaches costing millions, as seen in incidents like the Capital One breach where a misconfigured web application firewall allowed access to S3 buckets. Understanding Security Architecture helps you prevent such disasters by applying principles like defense in depth, least privilege, and secure segmentation. In cloud environments (AWS, Azure, GCP), you need to know how to set up virtual private clouds, security groups, identity and access management (IAM) roles, and encryption keys. This domain is critical for roles like security analyst, network administrator, cloud engineer, and of course, security architect.

On the SY0-701 exam, Security Architecture tests your ability to apply security principles to design and implement secure systems. You'll be asked about secure network architectures (e.g., DMZ, VLANs, VPNs), secure system design (e.g., trusted computing base, hardware security modules), and secure application development (e.g., secure coding practices, application firewalls). The exam also covers cloud and virtualization security, including shared responsibility models, hypervisor security, and container security. You'll need to know how to select and configure security controls like firewalls, intrusion prevention systems, and data loss prevention solutions. Expect scenario-based questions where you must choose the best architecture to meet security requirements, for instance, which network segmentation strategy prevents lateral movement in case of a breach.

To study effectively, start by understanding the core principles: defense in depth, least privilege, separation of duties, and secure defaults. Then, map these to concrete technologies: VLANs for segmentation, VPNs for remote access, TLS for encryption, and IAM for access control. Use diagrams to visualize network architectures; draw a typical enterprise network with a DMZ, internal network, and management network. Practice with labs: set up a simple AWS VPC with public and private subnets, configure security groups, and test connectivity. Review common exam traps like confusing encryption in transit vs. at rest, or thinking that a firewall alone provides sufficient security. Focus on the CompTIA Security+ objectives for this domain, and use practice questions to identify weak areas. Remember, the exam is about applying concepts, not just memorizing definitions. Good luck!


What this objective tests

SY0-701 Security Architecture — Key Topics

Security Architecture on the SY0-701 exam covers how to design and implement secure networks, systems, and applications using principles like defense in depth, segmentation, and least privilege.

  • Secure network architecture design (e.g., DMZ, VLANs, VPNs)
  • Secure system design (e.g., trusted platform module, secure boot)
  • Cloud and virtualization security (e.g., shared responsibility, hypervisor security)
  • Secure application development (e.g., input validation, secure coding)
  • Selection and configuration of security controls (e.g., firewalls, IDS/IPS, DLP)
  • Identity and access management architecture (e.g., SSO, MFA, federation)

Common exam traps

Where candidates lose marks on Security Architecture

  • ⚠ Confusing encryption in transit (TLS) with encryption at rest (AES-256)
  • ⚠ Thinking a firewall is sufficient to protect a network; forgetting defense in depth
  • ⚠ Assuming cloud security is entirely the provider's responsibility (shared responsibility model)
  • ⚠ Mixing up secure network segmentation (VLANs) with physical separation (air gaps)

SY0-701 Security Architecture — Practice Questions

30 questions from this objective · 18% of your SY0-701 exam

Question 2 · medium · multiple choice

A company is redesigning its network to host a public-facing web application that accesses a confidential database. The security team needs to minimize the risk of a direct attack against the database server while still allowing the web server to retrieve and update data. Which network architecture best achieves this objective?

Question 3 · medium · multiple choice

A security architect is designing a new data center network that will host public-facing web servers and internal application servers handling confidential employee data. The architect places the web servers in a DMZ and the internal application servers on a separate internal network segment. A stateful firewall is configured to allow inbound HTTP/HTTPS traffic from the internet to the web servers only. The firewall also permits only the web servers to initiate outbound connections to the internal application servers on a specific TCP port, and all such traffic is encrypted using TLS. Which security architecture principle is this design primarily intended to enforce?

Question 4 · medium · multiple choice

A company's current remote access solution uses a traditional VPN that grants users full network-layer access to the internal LAN once authenticated. The security architect wants to adopt a zero trust architecture to reduce the risk of lateral movement by compromised endpoints. Which of the following implementations best aligns with zero trust principles?

Question 5 · medium · multiple choice

A security architect is designing a solution to process highly sensitive financial transactions in a shared cloud environment. The architect needs to ensure that the processor and memory used to handle transaction data are isolated from the host operating system and other virtual machines, even if the hypervisor is compromised. Which technology is specifically designed to provide this level of isolation for code and data during runtime?

Question 6 · medium · multiple choice

A security architect is redesigning remote administration for a set of critical Linux servers in a private cloud. Currently, system administrators connect directly from their corporate laptops to the servers over the internet using SSH. The architect's primary goal is to eliminate direct inbound SSH connections from the internet while still allowing authorized administrators to perform maintenance tasks. Which of the following architectural changes would best achieve this objective?

Question 7 · medium · multiple choice

A security architect is designing the network security for a web application hosted in a public cloud environment such as AWS. The application uses an Application Load Balancer (ALB) that distributes traffic to a fleet of web servers. The web servers must only accept traffic from the ALB, and all other inbound traffic must be blocked. The ALB itself needs to accept HTTP/HTTPS traffic from anywhere on the internet. Which of the following cloud security controls should the architect configure on the web servers' network interface to best meet this requirement, assuming the cloud provider offers both stateful and stateless network filtering options?

Question 8 · medium · multiple choice

A security architect at a retail company is deploying a new e-commerce platform that processes credit card payments. The architect needs to minimize the scope of the PCI DSS assessment. The platform consists of a web server, an application server, and a database server. The cardholder data (credit card numbers) will be processed and stored only on the database server. Which of the following network architecture designs would best reduce the PCI DSS scope?

Question 9 · medium · multiple choice

A security architect is designing a solution to securely store sensitive customer data in a cloud object storage service. The architect's primary concern is that if the storage bucket is accidentally configured as publicly accessible, the data should still be protected from unauthorized viewing. Which of the following architectural designs provides the strongest defense in depth to meet this concern?

Question 10 · medium · multiple choice

A security architect is redesigning the network for a payment card processing environment. The goal is to create a cardholder data environment (CDE) that is isolated from the rest of the corporate network to reduce PCI DSS scope. The CDE will contain only the payment application servers and the database storing credit card numbers. The architect must allow authorized administrators in the corporate network to perform updates and monitoring on the CDE servers. Which of the following network architecture designs provides the strongest isolation while still meeting the requirement for authorized administrative access?

Question 11 · medium · multiple choice

A security architect is designing the wireless network for a new branch office. The branch will have two types of users: employees who need access to internal corporate resources, and guests who need internet-only access. The architect plans to use WPA3-Enterprise for the employee SSID and WPA3-SAE for the guest SSID. Which of the following additional configurations is MOST critical to prevent guests from accessing internal corporate resources?

Question 12 · medium · multiple choice

A security operations center (SOC) analyst is overwhelmed by the volume of alerts. The management wants to implement a solution that can automatically respond to common threats, such as blocking an IP address or isolating a compromised endpoint, without requiring human intervention. Which of the following technologies best meets this requirement?

Question 13 · medium · multiple choice

A company is implementing network segmentation to isolate the guest wireless network from the internal corporate network. Which of the following technologies is most appropriate to enforce this separation at Layer 2?

Question 14 · medium · multiple choice

Based on the exhibit, which change best reduces the blast radius if a user workstation is compromised?

Exhibit

VLAN and ACL summary:
- VLAN 10 User PCs: access to file and print services
- VLAN 30 Backup network: access to BackupSrv only
- Current rule added last week: permit ip VLAN10 any -> VLAN30 any
- BackupSrv -> VLAN10 tcp/445 allowed for restore jobs
Concern: ransomware on a user PC could now reach backup repositories.

Question 15 · medium · multiple choice

Based on the exhibit, which change should be made first to secure remote administration of the network device?

Exhibit

Device management config:
line vty 0 4
 transport input telnet ssh
 login local
SNMP community: public RO
Management IP: 198.51.100.14/32 reachable from WAN
Requirement: administrators must manage the device remotely without exposing credentials in transit.

Question 16 · medium · multiple choice

Administrators need to manage internal switches from home. Management traffic must be encrypted, MFA must be used, and no switch management interface should be exposed directly to the internet. Which design is best?

Question 17 · medium · multi select

Field staff use company-owned tablets that also run approved personal apps. Security needs business data isolated from personal data, the ability to wipe only corporate content, and enforcement of screen lock and encryption. Which two controls best fit? Select two.

Question 18 · medium · multiple choice

A manufacturing company is redesigning its plant network. PLCs must communicate with a SCADA server for telemetry, but neither the PLCs nor the SCADA server should be reachable from employee laptops or the internet. Which architecture best meets the requirement?

Question 19 · hard · multiple choice

A supplier portal is browser-based and used by external partner companies. Each partner already has its own identity provider. The portal must trust assertions from those IdPs and avoid creating separate local passwords for each partner. Which integration is best?

Question 20 · medium · multiple choice

A team hosts a confidential document repository on an IaaS virtual machine. The provider secures the datacenter, hardware, and hypervisor. The organization wants to control who can decrypt the files and be able to revoke that access without changing providers. Which control is best?

Question 21 · medium · multiple choice

An online retailer is redesigning its public web application so the web server can receive internet traffic, the application server can only be reached by the web tier, and the database server can only be reached by the application tier. Which placement best supports this design?

Question 22 · medium · multiple choice

A manufacturer wants partner-company users to access a procurement portal using their own company identities. The manufacturer does not want to create local accounts for each partner user, but it still needs to control what those users can do in the portal. Which approach should be used?

Question 23 · medium · multiple choice

A customer portal runs on a single application server behind a database cluster. Leadership wants the portal to keep working if that application server fails, but the budget is tight and the team wants the simplest design that can automatically fail over. What should they add?

Question 24 · easy · multi select

A company is building a public web app with three tiers. Internet users should reach only the web tier, and the app tier should never be reachable from the internet. Which two network design choices support this goal? Select two.

Question 25 · medium · multiple choice

A web application needs to be internet-facing. The web tier must accept public traffic, the application tier should be reachable only from the web tier, and the database must be reachable only from the application tier. Which design best supports this?

Question 26 · easy · multiple choice

A customer portal must continue operating if one application server fails. The business wants a simple, cost-conscious design that improves availability. What is the best approach?

Question 27 · medium · multiple choice

A company uses four cloud applications and wants employees to sign in once with corporate credentials. The applications should trust the company’s identity platform, and disabling a user in the directory should remove access everywhere without separate password resets. Which architecture should the team implement?

Question 28 · easy · multi select

A web application must keep running if one application server fails. Management wants the simplest design that automatically switches traffic to a healthy server. Which two choices support that goal? Select two.

Question 29 · easy · multi select

A company uses a SaaS email platform. The provider manages the servers and application code. Which two tasks remain the company's responsibility? Select two.

Question 30 · medium · multiple choice

Based on the exhibit, what is the best security change to address the exposed management access on the cloud VM?

Exhibit

Cloud deployment summary:
- Public API runs on an IaaS virtual machine
- Database runs on a managed PaaS service
- Object storage holds user uploads
- Provider responsibility: datacenter, hardware, hypervisor, managed DB platform
- Customer responsibility: guest OS, IAM, network rules, application code
Finding: TCP/22 on the API VM is reachable from 0.0.0.0/0.

Question 31 · hard · multiple choice

An order-entry application must survive a single server failure and continue serving users if the primary site becomes unavailable. Management wants automatic failover, but does not want to pay for fully active production capacity in two regions. Which design is best?

More Security Architecture questions available in the full practice test.


All SY0-701 Objectives

  • 1. General Security Concepts (12%)
  • 2. Threats, Vulnerabilities, and Mitigations (22%)
  • 3. Security Architecture (18%)
  • 4. Security Operations (28%)
  • 5. Security Program Management and Oversight