An online retailer is redesigning a network for a public web app. Customers must reach only the web tier from the internet. The web tier must reach the application tier, and the application tier must reach the database tier. Which two design changes best support this zoning model? Select two.

Place all three server tiers on the same flat VLAN and rely on host firewalls.

This reduces administrative effort, but it does not create strong network separation between tiers.

Give the database server a public IP address so the web tier can connect faster.

This directly exposes the database to the internet and defeats the purpose of tier isolation.

Use a single NAT device for all servers and disable interserver filtering.

NAT hides addresses but does not provide the segmentation needed to protect application tiers.

What does this SY0-701 question test?

Authentication checks who the user is.

What is the correct answer to this question?

The correct answer is: Put the internet-facing web tier in a DMZ with tightly filtered inbound rules. — B and D are the best choices because they create layered network zones with explicit filtering between each tier. The DMZ isolates the internet-facing web servers, while separate internal zones prevent the application and database servers from becoming broadly reachable. Together, these controls reduce attack surface, limit lateral movement, and make it easier to enforce least-privilege traffic paths between tiers. Why others are wrong: A and E are too weak because they keep systems effectively flat or rely on address translation instead of true segmentation. C is the most dangerous option because it exposes the database directly to the internet, which is almost never appropriate for a production web application.

What should I do if I get this SY0-701 question wrong?

Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.