
Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


SY0-701 Security Architecture Practice Questions

20+ practice questions focused on Security Architecture — one of the most tested topics on the Security+ SY0-701 exam. Each question includes a detailed explanation so you learn why the right answer is correct.


Sample Security Architecture Questions

1.

A company is redesigning its network to host a public-facing web application that accesses a confidential database. The security team needs to minimize the risk of a direct attack against the database server while still allowing the web server to retrieve and update data. Which network architecture best achieves this objective?

A. Place both the web server and the database server in the same DMZ segment and rely on host-based firewalls for protection.
B. Place the web server in the DMZ and the database server on the internal network. Configure the firewall to allow inbound traffic from the web server to the database server on the required port only.
C. Connect both servers to a single internal VLAN and use a reverse proxy to forward external traffic to the web server.
D. Use a site-to-site VPN to connect the web server and database server, and place both behind a single NAT gateway.

Explanation: Option B is correct because it implements a tiered network architecture where the web server resides in the DMZ (a semi-trusted zone) and the database server is placed on the internal network, isolated from direct internet access. The firewall is configured with a stateful rule that permits only the web server's IP and the specific database port (e.g., TCP 3306 for MySQL or 1433 for MSSQL), preventing any direct inbound connections from the internet to the database. This minimizes the attack surface by ensuring that even if the web server is compromised, the database is not directly reachable from external hosts.

2.

A security architect is designing a new data center network that will host public-facing web servers and internal application servers handling confidential employee data. The architect places the web servers in a DMZ and the internal application servers on a separate internal network segment. A stateful firewall is configured to allow inbound HTTP/HTTPS traffic from the internet to the web servers only. The firewall also permits only the web servers to initiate outbound connections to the internal application servers on a specific TCP port, and all such traffic is encrypted using TLS. Which security architecture principle is this design primarily intended to enforce?

A. Least privilege
B. Defense in depth
C. Separation of duties
D. Zero trust

Explanation: The design enforces defense in depth by layering multiple security controls: a DMZ isolates public-facing web servers from internal networks, a stateful firewall restricts inbound traffic to HTTP/HTTPS only, and outbound connections from web servers to internal application servers are limited to a specific TCP port with TLS encryption. This layered approach ensures that even if one control fails (e.g., a web server is compromised), the attacker still faces additional barriers to reach sensitive internal systems.

3.

A company's current remote access solution uses a traditional VPN that grants users full network-layer access to the internal LAN once authenticated. The security architect wants to adopt a zero trust architecture to reduce the risk of lateral movement by compromised endpoints. Which of the following implementations best aligns with zero trust principles?

A. Implement a next-generation firewall and require all remote traffic to pass through it with strict rules.
B. Deploy a secure web gateway and require all remote users to browse through a proxy.
C. Use a software-defined perimeter that authenticates each user and device before granting access only to specific applications.
D. Enable multi-factor authentication for VPN and implement a VPN concentrator with split tunneling.

Explanation: Option C is correct because a software-defined perimeter (SDP) implements zero trust by authenticating both the user and device before granting access to specific applications, not the entire network. This prevents lateral movement by ensuring that even after authentication, the endpoint can only reach the allowed application, not the full LAN. This aligns with the zero trust principle of 'never trust, always verify' and micro-segmentation.

4.

A security architect is designing a solution to process highly sensitive financial transactions in a shared cloud environment. The architect needs to ensure that the processor and memory used to handle transaction data are isolated from the host operating system and other virtual machines, even if the hypervisor is compromised. Which technology is specifically designed to provide this level of isolation for code and data during runtime?

A. Trusted Platform Module (TPM)
B. Hardware Security Module (HSM)
C. Secure enclave (e.g., Intel SGX)
D. UEFI Secure Boot

Explanation: Secure enclave technology, such as Intel SGX, provides hardware-enforced isolation by creating trusted execution environments (TEEs) within the CPU. Code and data inside an enclave are encrypted in memory and decrypted only within the processor, ensuring that even a compromised hypervisor or host OS cannot access the transaction data during runtime. This meets the requirement for processor and memory isolation in a shared cloud environment.

5.

A security architect is redesigning remote administration for a set of critical Linux servers in a private cloud. Currently, system administrators connect directly from their corporate laptops to the servers over the internet using SSH. The architect's primary goal is to eliminate direct inbound SSH connections from the internet while still allowing authorized administrators to perform maintenance tasks. Which of the following architectural changes would best achieve this objective?

A. Deploy a VPN concentrator and require all administrators to connect to the VPN before initiating SSH sessions directly to the servers.
B. Deploy a jump server (bastion host) in a management subnet and require all administrative SSH connections to originate from the jump server, with the jump server accessible only via the corporate VPN.
C. Replace SSH with a web-based console proxy that uses HTTPS and multi-factor authentication, and allow direct internet access to the console proxy on port 443.
D. Configure each Linux server with a public IP address but restrict inbound SSH to the known public IP addresses of the administrators' corporate laptops.

Explanation: Option B is correct because it eliminates direct inbound SSH from the internet by placing a jump server (bastion host) in a management subnet that is only accessible via the corporate VPN. Administrators must first connect to the VPN, then SSH to the jump server, and from there initiate SSH sessions to the target Linux servers. This architecture ensures no SSH port is exposed to the public internet, meeting the primary security goal.
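The tiered design that questions 1, 2 and 5 describe can be written down as a single stateful firewall policy. The nftables ruleset below is an added example for illustration, not code from Courseiva or from any vendor's exam material; the interface names, subnets and host addresses are assumptions chosen for the example. It puts the web server in a DMZ, the database on the internal LAN, and the bastion in a management subnet reachable only from the VPN client pool, with a default-deny forward chain so that any path the questions say must not exist (internet to database, internet to SSH, web server to SSH) simply has no matching rule.

```nft
# Added example (not from the page): nftables ruleset for a firewall that
# routes between five zones. Interface names and addresses are assumptions:
#   wan  - internet-facing
#   dmz  - 192.0.2.0/24, public web server at 192.0.2.10
#   lan  - 10.0.10.0/24, database at 10.0.10.20, plus the managed Linux servers
#   mgmt - 10.0.20.0/24, jump server (bastion) at 10.0.20.5
#   vpn  - 10.8.0.0/24, corporate VPN client address pool
flush ruleset

table inet tiered {
    chain forward {
        # Default deny between zones: traffic is forwarded only if a rule below accepts it.
        type filter hook forward priority 0; policy drop;

        # Stateful handling: replies to connections accepted below are allowed back,
        # so the database and the servers never need an inbound rule of their own.
        ct state established,related accept
        ct state invalid drop

        # Question 2: the internet may reach only the web server, and only on HTTP/HTTPS.
        iifname "wan" oifname "dmz" ip daddr 192.0.2.10 tcp dport { 80, 443 } ct state new accept

        # Question 1: only the web server's IP may open connections to the database,
        # and only on the database port. Nothing matches wan -> 10.0.10.20, so the
        # database is unreachable from the internet even if the web server is compromised.
        iifname "dmz" oifname "lan" ip saddr 192.0.2.10 ip daddr 10.0.10.20 tcp dport 3306 ct state new accept

        # Question 5: administrators reach the bastion only from the VPN pool, and the
        # bastion alone may open SSH to the servers. No rule accepts SSH from "wan",
        # and the DMZ web server has no SSH path into the LAN either.
        iifname "vpn" oifname "mgmt" ip saddr 10.8.0.0/24 ip daddr 10.0.20.5 tcp dport 22 ct state new accept
        iifname "mgmt" oifname "lan" ip saddr 10.0.20.5 ip daddr 10.0.10.0/24 tcp dport 22 ct state new accept

        # Everything else is logged and dropped; attempts such as wan -> 10.0.10.20:3306
        # or dmz -> 10.0.10.0/24:22 show up here as "tiered-drop:" log lines.
        log prefix "tiered-drop: " drop
    }
}
```

Load it with `nft -f` and confirm the active policy with `nft list ruleset`. The point to take from the ruleset is that each "allow" is narrowed on three dimensions at once (source zone and address, destination address, destination port), and the return traffic is handled by connection tracking rather than by a second permissive rule; that is what makes the database "not directly reachable" in question 1 and what removes every public SSH listener in question 5.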


How to master Security Architecture for SY0-701

1. Baseline your knowledge

Start with 10 questions to gauge your current understanding of Security Architecture. This tells you whether you need a concept refresher or just practice.

2. Review every explanation

For each question — right or wrong — read the full explanation. Understanding why an answer is correct is more valuable than knowing the answer itself.

3. Focus on exam traps

Security Architecture questions on the SY0-701 frequently use trap wording. Look for subtle differences in answers that test your precision, not just general knowledge.

4. Reach 80% consistently

Do repeated sessions until you score 80%+ three times in a row. Then move to mixed-mode practice to test cross-topic recall under realistic conditions.

Frequently asked questions

How many SY0-701 Security Architecture questions are on the real exam?

The exact number varies per candidate. Security Architecture is tested as part of the Security+ SY0-701 blueprint. Practicing with targeted Security Architecture questions ensures you can handle any format or difficulty that appears.

Are these SY0-701 Security Architecture practice questions free?

Yes. Courseiva provides free SY0-701 practice questions across all exam topics and domains. The platform includes topic-based practice, mock exams, missed-question review, bookmarked questions, and readiness tracking — no account required.

Is Security Architecture one of the harder SY0-701 topics?

Difficulty is subjective, but Security Architecture is a high-priority exam concept tested in multiple ways — direct recall, scenario analysis, and command-output interpretation. Consistent practice is the best way to build confidence.


Topic Info

Topic: Security Architecture
Exam: SY0-701
Questions available: 20+