SC-100 · topic practice

Design security for infrastructure practice questions

Practise Microsoft Cybersecurity Architect Design security for infrastructure practice questions — original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
20 questions · Domain: Design security for infrastructure

What the exam tests

What to know about Design security for infrastructure

Design security for infrastructure questions test whether you can apply the concept in context, not just recognise a definition.

  • How the topic appears in realistic exam-style scenarios.
  • Which detail in the question changes the correct answer.
  • How to eliminate plausible but wrong options.
  • How to connect the question back to the wider exam objective.

Watch out for

Common Design security for infrastructure exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

Design security for infrastructure questions

20 questions · select your answer, then reveal the explanation

Question 1 · medium · multiple choice

A company is designing a hybrid network architecture using Azure ExpressRoute. They need to ensure that all traffic between on-premises and Azure is encrypted and authenticated. Which configuration should they implement?

An organization uses Microsoft Defender for Cloud to secure their multi-cloud environment, including Azure and AWS. They want to ensure that all AWS EC2 instances are automatically onboarded to Defender for Cloud. What should they configure?

A company plans to deploy Azure Virtual Desktop (AVD) in a secure environment. They require that all user connections be established over a reverse connect protocol to avoid inbound firewall rules. Which component enables this?

A financial services company is deploying a three-tier application on Azure. They need to ensure that the web tier can only communicate with the application tier, and the application tier can only communicate with the data tier. All tiers should use private IP addresses. What is the most secure way to implement this?

A company uses Azure Kubernetes Service (AKS) with Azure Active Directory (Azure AD) integration. They want to restrict developers to only be able to create and manage pods and services, but not modify cluster-level resources like nodes or namespaces. What should they configure?

A company has a hybrid identity deployment using Azure AD Connect. They want to ensure that if a user's on-premises account is disabled, the corresponding Azure AD account is also disabled within 30 minutes. Which setting should they configure?

A company is deploying Azure SQL Database with Azure Active Directory authentication for their application. They want to ensure that only specific Azure AD users can access the database, and that these users are authenticated at the database level. What should they do?

A company uses Azure Policy to enforce compliance. They want to automatically remediate non-compliant resources by deploying a custom template. Which effect should they use in the policy definition?

Which TWO of the following are true about Azure DDoS Protection?

Which THREE of the following are best practices for securing Azure Kubernetes Service (AKS)?

Which TWO of the following are valid methods to secure traffic between on-premises and Azure?

Refer to the exhibit. An Azure policy is defined as shown. Which resources will be audited?

Exhibit

```json
{
  "properties": {
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Compute/virtualMachines"
          },
          {
            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.managedDisk",
            "exists": "true"
          },
          {
            "anyOf": [
              {
                "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.managedDisk.storageAccountType",
                "notEquals": "Premium_LRS"
              },
              {
                "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.diskSizeGB",
                "greater": 1023
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "audit"
      }
    }
  }
}
```
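To see which resources the exhibit's rule actually flags, here is an added worked example (not from the page or from Courseiva) that evaluates the policy rule over a handful of constructed VM resources. It implements only the operators the exhibit uses (allOf, anyOf, equals, notEquals, exists, greater); the alias-to-property mapping, the sample resources and the helper names are assumptions made for illustration, not Azure Policy's real alias resolution.

```python
"""Evaluate the exhibit's Azure Policy rule against sample VM resources.

Added example, not part of the original page. Aliases are resolved with a
simplified rule: "type" is the resource type, and "<resourceType>/<dotted.path>"
is walked under the resource's "properties". Real alias resolution is richer.
"""
import json

# The policy rule from the exhibit, unchanged.
POLICY_RULE = json.loads("""
{
  "if": {
    "allOf": [
      {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
      {"field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.managedDisk",
       "exists": "true"},
      {"anyOf": [
        {"field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.managedDisk.storageAccountType",
         "notEquals": "Premium_LRS"},
        {"field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.diskSizeGB",
         "greater": 1023}
      ]}
    ]
  },
  "then": {"effect": "audit"}
}
""")


def resolve_field(resource, field):
    """Return the value an alias points at, or None when the property is absent."""
    if field == "type":
        return resource.get("type")
    prefix = resource.get("type", "") + "/"
    if not field.startswith(prefix):
        return None                      # alias belongs to another resource type
    node = resource.get("properties", {})
    for part in field[len(prefix):].split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def _same(a, b):
    # Azure Policy compares strings case-insensitively.
    if isinstance(a, str) and isinstance(b, str):
        return a.lower() == b.lower()
    return a == b


def evaluate(condition, resource):
    """Recursively evaluate a policy condition against one resource."""
    if "allOf" in condition:
        return all(evaluate(c, resource) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(evaluate(c, resource) for c in condition["anyOf"])
    if "not" in condition:
        return not evaluate(condition["not"], resource)
    value = resolve_field(resource, condition["field"])
    if "exists" in condition:
        wanted = str(condition["exists"]).lower() == "true"
        return (value is not None) == wanted
    if "equals" in condition:
        return _same(value, condition["equals"])
    if "notEquals" in condition:
        return not _same(value, condition["notEquals"])
    if "greater" in condition:
        return isinstance(value, (int, float)) and value > condition["greater"]
    raise ValueError(f"unsupported condition: {condition}")


def audited_resources(rule, resources):
    """Names of the resources the rule's 'if' block matches (and so would audit)."""
    return [r["name"] for r in resources if evaluate(rule["if"], r)]


def vm(name, storage_account_type=None, disk_size_gb=None, managed=True):
    """Build a constructed, minimal VM resource (not real ARM output)."""
    os_disk = {}
    if managed:
        os_disk["managedDisk"] = {"storageAccountType": storage_account_type}
    else:  # unmanaged disk: VHD in a placeholder storage account, no managedDisk block
        os_disk["vhd"] = {"uri": "https://placeholder.blob.core.windows.net/vhds/os.vhd"}
    if disk_size_gb is not None:
        os_disk["diskSizeGB"] = disk_size_gb
    return {"name": name, "type": "Microsoft.Compute/virtualMachines",
            "properties": {"storageProfile": {"osDisk": os_disk}}}


SAMPLE_RESOURCES = [
    vm("vm-premium-small", "Premium_LRS", 128),            # neither anyOf branch matches
    vm("vm-standard", "Standard_LRS", 128),                # non-premium OS disk
    vm("vm-premium-large", "Premium_LRS", 2048),           # OS disk larger than 1023 GB
    vm("vm-unmanaged", managed=False, disk_size_gb=2048),  # no managedDisk: 'exists' fails
    {"name": "stg-logs", "type": "Microsoft.Storage/storageAccounts", "properties": {}},
]

if __name__ == "__main__":
    print("audited:", audited_resources(POLICY_RULE, SAMPLE_RESOURCES))
```

The point the evaluator makes visible is that the `exists` check gates the rest: a VM with an unmanaged disk never reaches the `anyOf`, however large its disk, and a non-VM resource is filtered out by the `type` check before any alias is read.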

Refer to the exhibit. A network policy is applied in the production namespace. What is the effect on the webapp pod's ability to reach external services?

Exhibit

```console
$ kubectl get pods -n production
NAME                     READY   STATUS    RESTARTS   AGE
webapp-7d5b6c8b9-abc     1/1     Running   0          2d
webapp-7d5b6c8b9-def     1/1     Running   0          2d
$ kubectl get networkpolicy -n production
NAME                     POD-SELECTOR   AGE
allow-egress-dns         {}             1d
$ kubectl describe networkpolicy allow-egress-dns -n production
...
Spec:
  PodSelector: <none>
  Egress:
    To:
      - NamespaceSelector: {}
        PodSelector:
          MatchLabels:
            k8s-app: kube-dns
    Ports:
      - Port: 53
        Protocol: UDP
  PolicyTypes:
    - Egress
```
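The exhibit's policy is small enough to work through by hand, but the decision logic (who is isolated, which peers and ports a rule allows) is where candidates slip. The following added example, not from the page or from Courseiva, models that subset of NetworkPolicy semantics and runs the webapp pod's likely connections through it. The dict form of the policy, the namespace labels, the pod and destination objects, and the function names are constructed for illustration; matchExpressions and ipBlock peers are deliberately not modelled.

```python
"""Work through the egress effect of the exhibit's NetworkPolicy.

Added example, not part of the original page. Semantics modelled: a pod
selected by any policy whose policyTypes includes "Egress" is egress-isolated,
and only connections matching some egress rule's "to" peers and "ports" are
allowed. Only matchLabels selectors and namespaceSelector/podSelector peers
are handled (assumption for illustration).
"""
from dataclasses import dataclass


@dataclass
class Pod:
    name: str
    namespace: str
    labels: dict


@dataclass
class External:
    """A destination outside the cluster: no namespace, no labels."""
    host: str


# Constructed namespace labels; kube-dns normally runs in kube-system.
NAMESPACE_LABELS = {"production": {"kubernetes.io/metadata.name": "production"},
                    "kube-system": {"kubernetes.io/metadata.name": "kube-system"}}

# Constructed dict form of the exhibit's allow-egress-dns policy.
ALLOW_EGRESS_DNS = {
    "metadata": {"name": "allow-egress-dns", "namespace": "production"},
    "spec": {
        "podSelector": {},                      # <none> in describe output = every pod
        "policyTypes": ["Egress"],
        "egress": [{
            "to": [{"namespaceSelector": {},
                    "podSelector": {"matchLabels": {"k8s-app": "kube-dns"}}}],
            "ports": [{"port": 53, "protocol": "UDP"}],
        }],
    },
}


def selector_matches(selector, labels):
    """An empty selector selects everything; every matchLabels pair must match."""
    if not selector:
        return True
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def peer_matches(peer, dst, policy_namespace):
    """Does one 'to' entry select the destination?"""
    if isinstance(dst, External):
        return False  # only an ipBlock peer (not modelled) can match a non-pod destination
    ns_ok = pod_ok = True
    if "namespaceSelector" in peer:
        ns_ok = selector_matches(peer["namespaceSelector"], NAMESPACE_LABELS.get(dst.namespace, {}))
    elif "podSelector" in peer:
        ns_ok = dst.namespace == policy_namespace  # podSelector alone is namespace-local
    if "podSelector" in peer:
        pod_ok = selector_matches(peer["podSelector"], dst.labels)
    return ns_ok and pod_ok


def port_matches(ports, port, protocol):
    if not ports:
        return True  # no ports listed means every port
    return any(p.get("port") == port and p.get("protocol", "TCP") == protocol for p in ports)


def policy_types(spec):
    # Default: Ingress always, Egress only when an egress section is present.
    return spec.get("policyTypes") or ["Ingress"] + (["Egress"] if "egress" in spec else [])


def egress_allowed(policies, src, dst, port, protocol):
    """True if src may open a connection to dst:port/protocol under these policies."""
    applicable = [p for p in policies
                  if p["metadata"]["namespace"] == src.namespace
                  and "Egress" in policy_types(p["spec"])
                  and selector_matches(p["spec"].get("podSelector"), src.labels)]
    if not applicable:
        return True  # not egress-isolated: all egress permitted
    for pol in applicable:
        for rule in pol["spec"].get("egress", []):
            peers = rule.get("to", [])
            to_ok = not peers or any(peer_matches(peer, dst, pol["metadata"]["namespace"]) for peer in peers)
            if to_ok and port_matches(rule.get("ports", []), port, protocol):
                return True
    return False


WEBAPP = Pod("webapp-7d5b6c8b9-abc", "production", {"app": "webapp"})
KUBE_DNS = Pod("coredns-placeholder", "kube-system", {"k8s-app": "kube-dns"})
SAAS_API = External("api.example.com")


def webapp_egress_summary(policies=(ALLOW_EGRESS_DNS,)):
    """Which of the webapp pod's connections survive the policy."""
    return {"dns_udp_53": egress_allowed(policies, WEBAPP, KUBE_DNS, 53, "UDP"),
            "dns_tcp_53": egress_allowed(policies, WEBAPP, KUBE_DNS, 53, "TCP"),
            "external_https": egress_allowed(policies, WEBAPP, SAAS_API, 443, "TCP")}


if __name__ == "__main__":
    for flow, ok in webapp_egress_summary().items():
        print(f"{flow:15} {'allowed' if ok else 'denied'}")
```

Two details the model makes explicit: the empty `podSelector` isolates every pod in the namespace, not none of them, and a `to` entry with both a `namespaceSelector` and a `podSelector` is an AND, so a pod-based peer can never match a destination outside the cluster.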
Question 14 · hard · multiple choice

You are a cybersecurity architect for a multinational corporation that is migrating its on-premises workloads to Azure. The environment includes 500 virtual machines across multiple subscriptions, managed through Azure Policy and Azure Blueprints. The security team has reported that some VMs are not receiving the latest security updates despite being configured for automatic updates via the Azure Update Management solution. Additionally, you have noticed that some VMs are missing the Azure Monitor agent, which is required for security monitoring. The company uses Azure Security Center (now Defender for Cloud) with the standard tier enabled. You need to ensure that all VMs are compliant with the company's security baseline, which requires: (1) all VMs must have the Azure Monitor agent installed, (2) all VMs must be enrolled in the Update Management solution, and (3) all VMs must be protected by Microsoft Defender for Cloud. What should you do to enforce compliance and remediate non-compliant VMs?

You are a security architect for a healthcare organization that is deploying a new application on Azure. The application consists of a web frontend (Azure App Service), an API layer (Azure Functions), and a database (Azure SQL Database). The organization requires that all data be encrypted at rest and in transit. Additionally, they need to ensure that only authenticated and authorized users can access the API, and that the database is accessible only from the API layer. The organization also wants to use managed identities to avoid storing credentials. You have deployed the resources. Now you need to configure the security settings. What should you do to meet the requirements?

A company uses Azure Firewall to inspect outbound traffic from a hub virtual network. They need to ensure that traffic from a spoke virtual network to a specific SaaS application (api.contoso.com) bypasses the firewall for performance reasons. What is the most efficient way to achieve this?

A company deploys Azure Bastion in a VNet. They want to allow a security engineer to connect to a Windows VM in a peered VNet using Azure Bastion. The engineer can see the VM in the portal but cannot connect. Which configuration is most likely missing?

A company uses Azure Front Door to load balance traffic across two origin servers in different Azure regions. They notice that failover is not working when one origin becomes unhealthy. What is the most likely cause?

Question 19 · hard · multiple choice

A company is designing a secure hybrid network architecture. They have an on-premises network connected to Azure via ExpressRoute and a site-to-site VPN as backup. They want to ensure that traffic from Azure to on-premises always uses ExpressRoute when available, but automatically fails over to VPN if ExpressRoute goes down. Which configuration should they implement?

A company deploys a three-tier application with web servers, application servers, and database servers in a VNet. They need to ensure that web servers can only communicate with application servers on port 443, and application servers can only communicate with database servers on port 1433. Web servers should not be able to communicate with database servers. What is the most secure and efficient way to implement this?


Frequently asked questions

What does the SC-100 exam test about Design security for infrastructure?
Design security for infrastructure questions test whether you can apply the concept in context, not just recognise a definition.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Design security for infrastructure questions in a focused session?
Yes — the session launcher on this page draws every question from the Design security for infrastructure domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the SC-100 exam covers. They are not copied from any real exam or dump site.