SY0-701 · topic practice

Security Architecture practice questions

Security Architecture is the domain of the SY0-701 exam that focuses on how to design and implement secure networks, systems, and applications. Think of it as the blueprint for an organization's security posture—deciding where to place firewalls, how to segment a network, what encryption to use, and how to manage access controls. In plain English, it's about making sure that the right people have the right access to the right resources, while keeping bad actors out. For example, a security architect might design a multi-tier web application where the database server is isolated in a separate subnet, accessible only from the application server, and all communication is encrypted with TLS. This domain covers both the theory and practical implementation of such designs. Why is this important for real-world IT and cloud work? Because every company, from startups to global enterprises, relies on secure architectures to protect sensitive data and maintain operations. A misconfigured cloud environment can lead to data breaches costing millions, as seen in incidents like the Capital One breach where a misconfigured web application firewall allowed access to S3 buckets. Understanding Security Architecture helps you prevent such disasters by applying principles like defense in depth, least privilege, and secure segmentation. In cloud environments (AWS, Azure, GCP), you need to know how to set up virtual private clouds, security groups, identity and access management (IAM) roles, and encryption keys. This domain is critical for roles like security analyst, network administrator, cloud engineer, and of course, security architect. On the SY0-701 exam, Security Architecture tests your ability to apply security principles to design and implement secure systems. You'll be asked about secure network architectures (e.g., DMZ, VLANs, VPNs), secure system design (e.g., trusted computing base, hardware security modules), and secure application development (e.g., secure coding practices, application firewalls). The exam also covers cloud and virtualization security, including shared responsibility models, hypervisor security, and container security. You'll need to know how to select and configure security controls like firewalls, intrusion prevention systems, and data loss prevention solutions. Expect scenario-based questions where you must choose the best architecture to meet security requirements—for instance, which network segmentation strategy prevents lateral movement in case of a breach. To study effectively, start by understanding the core principles: defense in depth, least privilege, separation of duties, and secure defaults. Then, map these to concrete technologies: VLANs for segmentation, VPNs for remote access, TLS for encryption, and IAM for access control. Use diagrams to visualize network architectures—draw a typical enterprise network with a DMZ, internal network, and management network. Practice with labs: set up a simple AWS VPC with public and private subnets, configure security groups, and test connectivity. Review common exam traps like confusing encryption in transit vs. at rest, or thinking that a firewall alone provides sufficient security. Focus on the CompTIA Security+ objectives for this domain, and use practice questions to identify weak areas. Remember, the exam is about applying concepts, not just memorizing definitions. Good luck!

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed byJohnson Ajibi· MSc IT Security
20 questionsDomain: Security Architecture

What the exam tests

What to know about Security Architecture

Security Architecture on the SY0-701 exam covers how to design and implement secure networks, systems, and applications using principles like defense in depth, segmentation, and least privilege.

Secure network architecture design (e.g., DMZ, VLANs, VPNs)

Secure system design (e.g., trusted platform module, secure boot)

Cloud and virtualization security (e.g., shared responsibility, hypervisor security)

Secure application development (e.g., input validation, secure coding)

Selection and configuration of security controls (e.g., firewalls, IDS/IPS, DLP)

Identity and access management architecture (e.g., SSO, MFA, federation)

Watch out for

Common Security Architecture exam traps

  • Confusing encryption in transit (TLS) with encryption at rest (AES-256)
  • Thinking a firewall is sufficient to protect a network; forgetting defense in depth
  • Assuming cloud security is entirely the provider's responsibility (shared responsibility model)
  • Mixing up secure network segmentation (VLANs) with physical separation (air gaps)

Practice set

Security Architecture questions

20 questions · select your answer, then reveal the explanation

A company is redesigning its network to host a public-facing web application that accesses a confidential database. The security team needs to minimize the risk of a direct attack against the database server while still allowing the web server to retrieve and update data. Which network architecture best achieves this objective?

A security architect is designing a new data center network that will host public-facing web servers and internal application servers handling confidential employee data. The architect places the web servers in a DMZ and the internal application servers on a separate internal network segment. A stateful firewall is configured to allow inbound HTTP/HTTPS traffic from the internet to the web servers only. The firewall also permits only the web servers to initiate outbound connections to the internal application servers on a specific TCP port, and all such traffic is encrypted using TLS. Which security architecture principle is this design primarily intended to enforce?

Question 3mediummultiple choice
Read the full VPN explanation →

A company's current remote access solution uses a traditional VPN that grants users full network-layer access to the internal LAN once authenticated. The security architect wants to adopt a zero trust architecture to reduce the risk of lateral movement by compromised endpoints. Which of the following implementations best aligns with zero trust principles?

Question 4mediummultiple choice
Study the full virtualization explanation →

A security architect is designing a solution to process highly sensitive financial transactions in a shared cloud environment. The architect needs to ensure that the processor and memory used to handle transaction data are isolated from the host operating system and other virtual machines, even if the hypervisor is compromised. Which technology is specifically designed to provide this level of isolation for code and data during runtime?

Question 5mediummultiple choice
Read the full NAT/PAT explanation →

A security architect is redesigning remote administration for a set of critical Linux servers in a private cloud. Currently, system administrators connect directly from their corporate laptops to the servers over the internet using SSH. The architect's primary goal is to eliminate direct inbound SSH connections from the internet while still allowing authorized administrators to perform maintenance tasks. Which of the following architectural changes would best achieve this objective?

A security architect is designing the network security for a web application hosted in a public cloud environment such as AWS. The application uses an Application Load Balancer (ALB) that distributes traffic to a fleet of web servers. The web servers must only accept traffic from the ALB, and all other inbound traffic must be blocked. The ALB itself needs to accept HTTP/HTTPS traffic from anywhere on the internet. Which of the following cloud security controls should the architect configure on the web servers' network interface to best meet this requirement, assuming the cloud provider offers both stateful and stateless network filtering options?

A security architect at a retail company is deploying a new e-commerce platform that processes credit card payments. The architect needs to minimize the scope of the PCI DSS assessment. The platform consists of a web server, an application server, and a database server. The cardholder data (credit card numbers) will be processed and stored only on the database server. Which of the following network architecture designs would best reduce the PCI DSS scope?

A security architect is designing a solution to securely store sensitive customer data in a cloud object storage service. The architect's primary concern is that if the storage bucket is accidentally configured as publicly accessible, the data should still be protected from unauthorized viewing. Which of the following architectural designs provides the strongest defense in depth to meet this concern?

A security architect is redesigning the network for a payment card processing environment. The goal is to create a cardholder data environment (CDE) that is isolated from the rest of the corporate network to reduce PCI DSS scope. The CDE will contain only the payment application servers and the database storing credit card numbers. The architect must allow authorized administrators in the corporate network to perform updates and monitoring on the CDE servers. Which of the following network architecture designs provides the strongest isolation while still meeting the requirement for authorized administrative access?

Question 10mediummultiple choice
Read the full wireless explanation →

A security architect is designing the wireless network for a new branch office. The branch will have two types of users: employees who need access to internal corporate resources, and guests who need internet-only access. The architect plans to use WPA3-Enterprise for the employee SSID and WPA3-SAE for the guest SSID. Which of the following additional configurations is MOST critical to prevent guests from accessing internal corporate resources?

A security operations center (SOC) analyst is overwhelmed by the volume of alerts. The management wants to implement a solution that can automatically respond to common threats, such as blocking an IP address or isolating a compromised endpoint, without requiring human intervention. Which of the following technologies best meets this requirement?

Question 12mediummultiple choice
Read the full wireless explanation →

A company is implementing network segmentation to isolate the guest wireless network from the internal corporate network. Which of the following technologies is most appropriate to enforce this separation at Layer 2?

Question 13mediummultiple choice
Study the full AAA explanation →

Based on the exhibit, which change best reduces the blast radius if a user workstation is compromised?

Exhibit

VLAN and ACL summary:
- VLAN 10 User PCs: access to file and print services
- VLAN 30 Backup network: access to BackupSrv only
- Current rule added last week: permit ip VLAN10 any -> VLAN30 any
- BackupSrv -> VLAN10 tcp/445 allowed for restore jobs
Concern: ransomware on a user PC could now reach backup repositories.

Based on the exhibit, which change should be made first to secure remote administration of the network device?

Exhibit

Device management config:
line vty 0 4
 transport input telnet ssh
 login local
SNMP community: public RO
Management IP: 198.51.100.14/32 reachable from WAN
Requirement: administrators must manage the device remotely without exposing credentials in transit.

Administrators need to manage internal switches from home. Management traffic must be encrypted, MFA must be used, and no switch management interface should be exposed directly to the internet. Which design is best?

Field staff use company-owned tablets that also run approved personal apps. Security needs business data isolated from personal data, the ability to wipe only corporate content, and enforcement of screen lock and encryption. Which two controls best fit? Select two.

Question 17mediummultiple choice
Read the full network assurance explanation →

A manufacturing company is redesigning its plant network. PLCs must communicate with a SCADA server for telemetry, but neither the PLCs nor the SCADA server should be reachable from employee laptops or the internet. Which architecture best meets the requirement?

A supplier portal is browser-based and used by external partner companies. Each partner already has its own identity provider. The portal must trust assertions from those IdPs and avoid creating separate local passwords for each partner. Which integration is best?

Question 19mediummultiple choice
Study the full virtualization explanation →

A team hosts a confidential document repository on an IaaS virtual machine. The provider secures the datacenter, hardware, and hypervisor. The organization wants to control who can decrypt the files and be able to revoke that access without changing providers. Which control is best?

An online retailer is redesigning its public web application so the web server can receive internet traffic, the application server can only be reached by the web tier, and the database server can only be reached by the application tier. Which placement best supports this design?

Free account

Track your progress over time

Create a free account to save your results and see which topics improve across sessions.

Focused Security Architecture sessions

Start a Security Architecture only practice session

Every question in these sessions is drawn from the Security Architecture domain — nothing else.

Related practice questions

Related SY0-701 topic practice pages

Move into related areas when this topic feels solid.

Frequently asked questions

What does the SY0-701 exam test about Security Architecture?
Security Architecture on the SY0-701 exam covers how to design and implement secure networks, systems, and applications using principles like defense in depth, segmentation, and least privilege.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Security Architecture questions in a focused session?
Yes — the session launcher on this page draws every question from the Security Architecture domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other SY0-701 topics?
Use the topic links above to move to related areas, or go back to the SY0-701 question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the SY0-701 exam covers. They are not copied from any real exam or dump site.