Quick Answer
The correct placement is the web server in a public zone, the application server in a private zone, and the database server in an isolated internal zone, because this directly implements a classic three-tier architecture with network segmentation. By isolating each tier with firewalls or security groups, the design enforces the principle of least privilege: the web tier accepts internet traffic in a DMZ, the application tier processes logic in a private zone without direct internet exposure, and the database tier stores data in an isolated internal zone accessible only by the application server. On the Security+ SY0-701 exam, this scenario tests your understanding of how network segmentation reduces the attack surface by controlling east-west traffic between tiers. A common trap is placing the database in the same private zone as the application server, which violates isolation. Remember the memory tip: “Web in the DMZ, app in the middle, DB in the vault”—this reinforces that each tier should only talk to its immediate neighbor.
SY0-701 Security Architecture Practice Question
This SY0-701 practice question tests your understanding of security architecture. Read the scenario carefully and evaluate each option against the stated constraints before committing to an answer. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.
An online retailer is redesigning its public web application so the web server can receive internet traffic, the application server can only be reached by the web tier, and the database server can only be reached by the application tier. Which placement best supports this design?
Clue words in this question
Noticing these words before you look at the options changes how you read each choice.
Clue: "best"
Why it matters: Signals that multiple options may be partially correct. Choose the option that most directly solves the exact problem described, not the one that sounds most complete.
Correct answer & explanation
Put the web server in a public zone, the application server in a private zone, and the database server in an isolated internal zone.
Option B is correct because it implements a classic three-tier architecture with network segmentation. The web server in a public zone (DMZ) accepts internet traffic, the application server in a private zone is isolated from direct internet access and only reachable by the web tier, and the database server in an isolated internal zone is only reachable by the application tier. This design enforces the principle of least privilege and minimizes the attack surface by using firewalls or security groups to restrict traffic between tiers.
Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.
Answer analysis
Option-by-option breakdown
For each option: why learners choose it and why it is or isn't the right answer here.
- ✗ A. Place all three servers on the same private subnet and control access only with strong passwords.
  Why it's wrong here: A shared subnet does not enforce tier separation. Strong passwords protect accounts, but they do not prevent a compromised web server from directly reaching the database server on the same network.
- ✓ B. Put the web server in a public zone, the application server in a private zone, and the database server in an isolated internal zone.
  Why this is correct: This tiered placement supports a classic defense-in-depth design. The web server is internet-facing, the application tier is not directly exposed, and the database is placed in the most restricted zone. Network rules then allow only the necessary north-south and east-west traffic between tiers.
  Clue confirmation: The clue word "best" in the question points toward this answer.
  Related concept: Read the scenario before looking for a memorised answer.
- ✗ C. Put the database in the public zone so the web tier can query it directly from the internet.
  Why it's wrong here: Databases should not be internet-facing in this architecture. Exposing the database directly would greatly increase risk and bypass the intended layered protection between the tiers.
- ✗ D. Use a single reverse proxy for all three servers and disable network segmentation to simplify management.
  Why it's wrong here: A reverse proxy can help front-end traffic, but it does not replace network segmentation. Disabling segmentation removes the protective boundaries that prevent unnecessary lateral movement between tiers.
Common exam traps
Common exam trap: answer the scenario, not the keyword
The trap here is that candidates often confuse 'private subnet' with 'security' and fail to recognize that without network segmentation, a single compromised server can lead to full lateral access, or they mistakenly think placing the database in a public zone is acceptable for direct queries.
Detailed technical explanation
How to think about this question
In a three-tier architecture, network segmentation is typically enforced using firewalls with stateful inspection or security groups in cloud environments (e.g., AWS security groups). The web tier often runs on ports 80/443, the application tier on a non-standard port (e.g., 8080), and the database on port 3306 (MySQL) or 1433 (MSSQL). Proper implementation uses Access Control Lists (ACLs) to allow only specific source IPs and ports, preventing lateral movement even if one tier is breached.
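The rule set described above (web tier open on 80/443, application tier reachable only from the web subnet on 8080, database reachable only from the application subnet on 3306, everything else denied) can be checked rather than just drawn. The following is an added example, not code from the original page or from any vendor's product: a small Python model of security-group style rules that evaluates which tier can reach which port, and flags any private-tier port reachable by something other than its designated upstream tier. The subnets (10.0.1.0/24 etc.), the sample host addresses and the external address 203.0.113.5 are constructed for the illustration; the flat rule set models distractor A (one shared subnet, no segmentation) so the difference is visible.

```python
"""Added example: a toy model of three-tier security-group rules.

Not from the page or any real firewall product. Subnets, hosts and the
external address are constructed values for illustration only.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

# Constructed tier subnets (assumption: one subnet per tier).
TIERS = {
    "web": ip_network("10.0.1.0/24"),
    "app": ip_network("10.0.2.0/24"),
    "db": ip_network("10.0.3.0/24"),
}
ANYWHERE = ip_network("0.0.0.0/0")
# Service ports per tier, matching the ports named in the explanation above.
SERVICE_PORTS = {"web": (80, 443), "app": (8080,), "db": (3306,)}
# The only tier permitted to call each private tier (web -> app -> db chain).
UPSTREAM = {"app": "web", "db": "app"}
INTERNET_HOST = "203.0.113.5"  # constructed external address (TEST-NET-3 range)


@dataclass(frozen=True)
class Rule:
    """An allow rule: `source` may open TCP `port` on hosts in `dst_tier`."""
    dst_tier: str
    source: IPv4Network
    port: int


# Default-deny: a flow is permitted only if some rule matches it.
SEGMENTED_RULES = (
    Rule("web", ANYWHERE, 80),
    Rule("web", ANYWHERE, 443),
    Rule("app", TIERS["web"], 8080),   # only the web subnet may call the app tier
    Rule("db", TIERS["app"], 3306),    # only the app subnet may call the database
)

# Distractor A: web is still public, but every internal host may reach every service.
FLAT_RULES = SEGMENTED_RULES[:2] + tuple(
    Rule(tier, ip_network("10.0.0.0/16"), port)
    for tier, ports in SERVICE_PORTS.items()
    for port in ports
)


def is_allowed(rules, src_ip, dst_tier, port):
    """True if any rule lets `src_ip` open `port` on a host in `dst_tier`."""
    src = ip_address(src_ip)
    return any(
        r.dst_tier == dst_tier and r.port == port and src in r.source for r in rules
    )


def private_tier_exposure(rules):
    """Map each private tier's service port to the callers that can reach it.

    Callers are the other tiers (one sample host each) plus 'internet'.
    """
    sample = {tier: str(net[10]) for tier, net in TIERS.items()}
    sample["internet"] = INTERNET_HOST
    exposure = {}
    for tier in UPSTREAM:
        for port in SERVICE_PORTS[tier]:
            exposure[(tier, port)] = {
                caller for caller, ip in sample.items()
                if caller != tier and is_allowed(rules, ip, tier, port)
            }
    return exposure


def segmentation_violations(rules):
    """Private-tier ports reachable by anything other than the designated upstream tier.

    An empty result means the rule set enforces the web -> app -> db chain.
    """
    return {
        key: callers - {UPSTREAM[key[0]]}
        for key, callers in private_tier_exposure(rules).items()
        if callers != {UPSTREAM[key[0]]}
    }


if __name__ == "__main__":
    for name, rules in (("segmented", SEGMENTED_RULES), ("flat", FLAT_RULES)):
        print(name, "exposure:", private_tier_exposure(rules))
        print(name, "violations:", segmentation_violations(rules) or "none")
```

Under the segmented rules the web host cannot open 3306 on the database at all, so a compromised web server has no direct path to the data; under the flat rules the check reports the database reachable from the web tier and the application tier reachable from the database tier, which is exactly the lateral movement the explanation warns about. The same evaluation applies to any rule set that can be expressed as (destination tier, source CIDR, port) allow entries, which is how cloud security groups and most stateful firewall ACLs are written.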
Key Concepts to Remember
- Read the scenario before looking for a memorised answer.
- Find the constraint that changes the correct option.
- Eliminate answers that are true in general but not in this case.
Exam Day Tips
- Watch for words such as best, first, most likely and least administrative effort.
- Review why wrong options are wrong, not only why the correct option is correct.
Key takeaway
Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.
Real-world example
How this comes up in practice
A security analyst at a medium-sized enterprise encounters this scenario during an investigation or architecture review. The correct answer reflects best practice for the specific threat or control described. Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option. Security exam questions test whether you can match controls to threats in context — not just recall definitions.
What to study next
Got this wrong? Here's your next step.
Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.
About these practice questions
Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content.
Same concept, more angles
1 more way this is tested on SY0-701
These questions test the same concept from different angles. Work through them to make sure you can recognise it however the exam phrases it.
Variation 1 (easy). A web application must be reachable from the internet, but its database should be isolated from direct internet access. Which two placements or controls are most appropriate? Select two.
- ✓ A. Place the web server in a DMZ.
- ✓ B. Keep the database on an internal network segment and restrict access to the web server only.
- C. Place both the web server and the database on the same internet-facing subnet.
- D. Expose the database port to the internet so administrators can connect faster.
- E. Use the guest wireless VLAN for both systems.
Why A and B: Placing the web server in a DMZ (Option A) allows it to be reachable from the internet while the internal firewall restricts inbound traffic to only necessary ports (e.g., TCP 80/443). Keeping the database on an internal network segment (Option B) and configuring firewall rules to allow traffic only from the web server's IP address ensures the database is isolated from direct internet access, preventing external attacks on the database service.
Last reviewed: Jun 11, 2026