A security architect is redesigning remote administration for a set of critical Linux servers in a private cloud. Currently, system administrators connect directly from their corporate laptops to the servers over the internet using SSH. The architect's primary goal is to eliminate direct inbound SSH connections from the internet while still allowing authorized administrators to perform maintenance tasks. Which of the following architectural changes would best achieve this objective?

Deploy a VPN concentrator and require all administrators to connect to the VPN before initiating SSH sessions directly to the servers.

This still allows direct SSH connections from the VPN network to the servers. While the VPN adds an authentication layer, it does not eliminate direct inbound SSH to the server; an attacker who compromises a VPN-connected laptop could reach the servers directly.

Replace SSH with a web-based console proxy that uses HTTPS and multi-factor authentication, and allow direct internet access to the console proxy on port 443.

While the console proxy removes SSH, it still exposes a service directly to the internet on port 443. Unless the proxy is placed behind the VPN, it remains an internet-facing attack surface. Moreover, a console proxy may not provide the same level of isolation as a managed jump server.

Configure each Linux server with a public IP address but restrict inbound SSH to the known public IP addresses of the administrators' corporate laptops.

This still exposes SSH directly to the internet, though restricted by IP. IP-based restrictions can be bypassed via IP spoofing, compromised laptops, or IP address changes. It does not eliminate direct inbound SSH and is considered a weaker security control.

What does this SY0-701 question test?

CIDR notation defines the prefix length.

What is the correct answer to this question?

The correct answer is: Deploy a jump server (bastion host) in a management subnet and require all administrative SSH connections to originate from the jump server, with the jump server accessible only via the corporate VPN. — The goal is to remove direct internet-facing SSH access to critical servers. A jump server (bastion host) placed in a management subnet, accessible only through a corporate VPN, provides a centralized, audited gateway. Administrators must first authenticate to the VPN, then connect to the jump server via SSH, and finally initiate SSH sessions from the jump server to the target servers. This architecture ensures no direct external SSH connection reaches the critical servers, and all administrative activity is logged on the jump server. Option A (VPN + direct SSH) still allows direct SSH from the VPN network to the servers, which does not eliminate direct inbound SSH; it only adds a VPN layer. Option C (web-based console proxy) reduces the attack surface but still exposes a service directly to the internet unless the proxy itself is protected by VPN or other access controls; the description allows public HTTPS access, which is not as secure as a jump server behind VPN. Option D (public IP with IP allow-listing) is a poor practice because it still exposes SSH to the internet and is vulnerable to source IP spoofing or compromised laptops.

What should I do if I get this SY0-701 question wrong?

Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.