A web application needs to be internet-facing. The web tier must accept public traffic, the application tier should be reachable only from the web tier, and the database must be reachable only from the application tier. Which design best supports this?

Put all three tiers on one private subnet and rely on host firewalls.

Host firewalls can help, but a flat design weakens segmentation and makes policy harder to enforce consistently.

Place the database in the DMZ so the web tier has lower latency.

Databases should not be exposed in the DMZ because that would unnecessarily increase exposure to public traffic.

Use NAT for the database server and allow inbound access from the internet.

NAT does not secure the database, and direct inbound internet access violates the stated access boundary.

What does this SY0-701 question test?

Authentication checks who the user is.

What is the correct answer to this question?

The correct answer is: Use a three-tier layout with a DMZ, an application zone, and a database zone separated by firewalls. — A three-tier architecture with a DMZ, application zone, and database zone is the best fit because it enforces layered segmentation. The web tier can face the internet while the application and database tiers remain progressively more restricted behind internal firewalls. This reduces the blast radius if the public web server is compromised and supports least privilege between tiers. It is a classic security architecture pattern for reducing exposure without breaking application flow. Why others are wrong: A flat private subnet makes policy enforcement weaker and easier to bypass. Putting the database in the DMZ exposes sensitive data services where they do not belong. NAT changes addressing but does not create a meaningful security boundary or satisfy the requirement that only specific tiers communicate with each other.

What should I do if I get this SY0-701 question wrong?

Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.