A company is redesigning a three-tier customer portal. Internet users must reach only the web tier, the application tier must never be directly reachable from the internet, database traffic must flow only from the app tier, and administrators need a protected path to manage servers. Which two design choices best meet these requirements? Select two.

Put all three tiers on the same VLAN and depend on host-based firewalls to separate them.

Keeping all tiers on one VLAN increases the attack surface and makes lateral movement easier if one server is compromised. Host firewalls can help, but they do not provide the same architectural boundary as a DMZ and layered network controls. The requirement calls for stronger segmentation than a flat trust zone.

Allow administrators to SSH or RDP from the standard employee VLAN for faster troubleshooting.

Permitting management traffic from the general employee VLAN weakens segmentation and makes it harder to control who can reach privileged services. If an employee workstation is compromised, the attacker gains a direct path to management interfaces. Convenience is not a sufficient reason to relax the required separation.

Expose the database listener to the internet and require strong passwords for application connections.

Database services should almost never be exposed directly to the internet in a three-tier design. Strong passwords do not compensate for unnecessary public exposure, brute-force risk, or protocol misuse. The database should remain internal and reachable only from the application tier through tightly controlled rules.

What does this SY0-701 question test?

Authentication checks who the user is.

What is the correct answer to this question?

The correct answer is: Place the public web tier in a DMZ behind a reverse proxy or WAF so the internet never reaches application or database hosts directly. — The best choices are the DMZ-based web tier and the bastion host on a separate management network. Together, they preserve the required tier separation: the internet reaches only the front end, internal tiers remain hidden, and administrators use a hardened, monitored path for privileged access. This combination reduces attack surface, limits lateral movement, and aligns with secure network architecture principles. Why others are wrong: Placing all tiers on one VLAN depends too much on host controls and removes a key segmentation boundary. Allowing admin access from the employee VLAN expands the management attack path and undermines least privilege. Exposing the database to the internet is far beyond what the scenario requires and creates unacceptable risk, even if strong passwords are used.

What should I do if I get this SY0-701 question wrong?

Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.