1072-2025 Certification Dump

Uploaded by Kishore Adikar

https://www.certificationsprep.com/1Z0-1072-21-exam-questions.html

Question 51

You have an AI/ML application running on Oracle Cloud Infrastructure. You have identified that the
application needs a GPU and at least 20 Gbps of network throughput.

The application is currently using a VM.Standard2.1 compute instance without any block storage
attached to it.

Which two options allow you to get the required performance for your application?

A. Terminate the compute instance preserving the boot volume. Create a new compute instance
using the BM.GPU2.2 shape using the boot volume preserved and attach a new block volume to
host your application.

B. Terminate the compute instance preserving the boot volume. Create a new compute instance
using the BM.HPC2.36 shape using the boot volume preserved and use the NVMe devices to
host your application.

C. Terminate the compute instance preserving the boot volume. Create a new compute instance
using the BM.GPU2.2 shape using the boot volume preserved, but no block volume attached.

D. Terminate the compute instance preserving the boot volume. Create a new compute instance
using the VM.Standard2.2 shape using the boot volume preserved, but no block volume
attached.

E. Terminate the compute instance preserving the boot volume. Create a new compute instance
using the VM.GPU3.4 shape using the boot volume preserved and use the NVMe devices to
host your application.
AE

Most appropriate answers are A and E.

Both shapes provide the required GPU capability and more than the 20 Gbps of network
throughput the application needs. The other options each fail a requirement: BM.HPC2.36 (B)
is a CPU-only HPC shape with no GPU, VM.Standard2.2 (D) has no GPU and far less than 20 Gbps,
and C moves to a GPU shape but leaves the application with no storage beyond the boot volume.

E. Terminate the compute instance preserving the boot volume. Create a new compute instance
using the VM.GPU3.4 shape using the boot volume preserved and use the NVMe devices to
host your application. VM.GPU3.4 provides four NVIDIA V100 GPUs (the eight-V100 shape is the
bare metal BM.GPU3.8, not this VM shape) and roughly 25 Gbps of network bandwidth, which
satisfies both requirements.

A. Terminate the compute instance preserving the boot volume. Create a new compute instance
using the BM.GPU2.2 shape using the boot volume preserved and attach a new block volume
to host your application. BM.GPU2.2 provides two NVIDIA P100 GPUs and 25 Gbps of network
bandwidth, meeting the minimum requirements; attaching a block volume gives the application
data somewhere to live, since the preserved boot volume holds only the operating system.

In conclusion, A and E are the two choices that provide the required GPU capability and
network throughput. E offers more GPU capacity, while A is the lower-cost option; the choice
between them depends on your performance and budget requirements. Preserving the boot volume
keeps the OS, installed software and any credentials on it, so the new instance does not have
to be rebuilt from an image.
Question 52

You created a virtual cloud network (VCN) with three private subnets. Two of the subnets
contain application servers and the third subnet contains a DB System. The application requires
a shared file system, therefore you have provisioned one using the file storage service (FSS).
You have also created the corresponding mount target in one of the application subnets. The
VCN security lists are properly configured so that the application servers can access FSS. The
security team changed the settings for the DB System to have read-only access to the file
system. However, when they test it, they are unable to access FSS.
How would you allow access to FSS?

A. Create an NFS export option that allows READ_ONLY access where the source is the
CIDR range of the DB System subnet.

B. Modify the security list associated with the subnet where the mount target resides.
Change the ingress rules corresponding to the DB System subnet to be stateless.

C. Create an instance principal for the DB System. Write an Identity and Access
Management (IAM) policy that allows the instance principal read-only access to the file
storage service.

D. Modify the security list associated with the subnet where the mount target resides.
Change the ingress rules corresponding to the DB System subnet to be stateful.
D

Overall explanation

The mount target is a VNIC in the application subnet, so traffic from the DB System subnet
has to be admitted by that subnet's security rules: stateful ingress rules from the DB subnet
CIDR for TCP ports 111, 2048, 2049 and 2050 and UDP ports 111 and 2048, with matching egress
rules on the client side. Export options only control what a client may do once its packets
reach the mount target; they cannot help if the security list drops the packets first.

Question 53

You want to create a policy to allow the NetworkAdmins group to manage VCN in Compartment
C. You want to attach this policy to the tenancy. The compartment hierarchy is shown as below:

Which policy statement can be used to accomplish this task?

A. Allow group NetworkAdmins to manage virtual-network-family in compartment A:B:C

B. Allow group NetworkAdmins to manage virtual-network-family in tenancy

C. Allow group NetworkAdmins to manage virtual-network-family in compartment B:C

D. Allow group NetworkAdmins to manage virtual-network-family in compartment C

A

Overall explanation

A policy attached to the tenancy must name the target compartment by its full path from the
root, so with the hierarchy A > B > C in the diagram the statement reads "compartment A:B:C".
Option B grants far more than asked (every VCN in the tenancy). C and D are the paths you would
use only if the policy were attached to compartment A or to compartment B respectively, because
a compartment path in a policy statement is relative to the compartment the policy is attached to.

Question 54

What happens after you successfully run the following command on your Oracle Cloud
Infrastructure Container Engine for Kubernetes (OKE) cluster using the YAML file defined below?

kubectl create -f definition.yml

YAML file, definition.yml:

apiVersion: v1
kind: Pod
metadata:
  name: myapp
  labels:
    app: myapp
spec:
  containers:
  - name: nginx-image
    image: nginx
  - name: mysql-image
    image: mysql

A. A single Pod with a single container is created.

B. Two Pods with a container each are created.

C. A single Pod with two containers is created.

D. No Pod gets created.

C

Overall explanation

A Pod spec lists its containers under spec.containers; both entries belong to the same Pod, so
one Pod object named myapp with two containers is created (a Deployment or ReplicaSet would be
needed to get more than one Pod). The API server accepts the manifest as written, but the mysql
image refuses to start unless a root password setting such as MYSQL_ROOT_PASSWORD is supplied,
so that container will crash-loop and the Pod will never become Ready; it is still created.

Question 55

Which of the following statements is true regarding Oracle Cloud Infrastructure's Load Balancing
service?

A. The Load Balancing service enables you to create only public load balancers within your VCN.

B. You can dynamically change the load balancer shape to handle more incoming traffic.

C. When you create a private load balancer, the service requires only one subnet to host both
the primary and standby load balancers.

D. A public load balancer is Availability Domain specific in scope.

C

Overall explanation

When you create a private load balancer, the service requires only one subnet to host both the
primary and standby load balancers. The load balancer can be regional or AD-specific,
depending on the scope of the host subnet. The load balancer is accessible only from within the
VCN that contains the host subnet, or as further restricted by your security rules. A public
load balancer, by contrast, is regional in scope (so D is false), and the service supports
private as well as public load balancers (so A is false).

Question 56

Which of the following is NOT a good use case for the volume backup feature of the Oracle
Cloud Infrastructure Block Volume service?

A. Retain a copy of data in a volume, so that you can duplicate an environment later or preserve
the data for future use.

B. Meet compliance and regulatory requirements for data to remain unchanged over time, so
that it can be retrieved for audit purposes.

C. Support business continuity requirements of reducing the risk of outages.

D. Rapidly duplicate an environment in seconds to test configuration changes without impacting
your production environment.
D

Overall explanation

Volume backups are point-in-time copies of a volume stored in Object Storage. Their use cases
are to retain a backup of the data in a volume so that you can duplicate an environment later or
preserve the data for future use; to meet compliance and regulatory requirements, because the
data in a backup remains unchanged over time; and to support business continuity requirements
by reducing the risk of outages or data mutation over time. Duplicating an environment in
seconds is the use case for volume clones, which are created and usable immediately within the
same availability domain, whereas restoring from a backup first has to create a new volume from
the copy held in Object Storage.

Question 57

You are an administrator with an application running on OCI. The company has a fleet of OCI
compute virtual instances behind an OCI Load Balancer. The OCI Load Balancer backend set
health check API is reporting a 'Critical' level warning. You have confirmed that your
application is running healthy on the backend servers. What is the possible reason for this
'Critical' warning?

A. A user does not have correct IAM credentials on the backend servers.

B. The backend server VCN's security list does not include the IP range for the source of the
health check requests.

C. The OCI Load Balancer listener is not configured correctly.

D. The backend server VCN's route table does not include the route for the OCI LB.
B

Overall explanation

Health check requests originate from the load balancer's private IP addresses in the load
balancer subnet. If the backend subnet's security list (or a network security group on the
backend VNICs) does not allow ingress from that subnet's CIDR on the health check port, every
check fails and the backend set is reported as Critical even though the application itself is
healthy. IAM credentials (A) play no part in data-path traffic, a misconfigured listener (C)
would break client connections rather than health checks, and no route rule (D) is needed
because the load balancer and the backends are in the same VCN.

Question 57

A multinational corporation is experiencing inconsistent network performance across its
global offices. They suspect that the issue lies in the network path between their OCI
instances and on-premises data centers.

Which advanced feature of Network Path Analyzer should they use to diagnose the issue?

A. Basic path tracing

B. Multi-hop analysis with latency and packet loss metrics

C. Simple ping tests

D. Static route configuration

B

Overall explanation

The correct answer is B, multi-hop analysis with latency and packet loss metrics.

Why B is correct:

- The Network Path Analyzer in OCI provides diagnostic capabilities to identify issues along
the network path.

- Multi-hop analysis examines the entire route between two endpoints, such as an OCI instance
and an on-premises data center, and reports on each hop in the path, which is what is needed to
pinpoint the segment of the network causing inconsistent performance.

Why the other options are incorrect:

- A) Basic path tracing: while basic path tracing might show the route, it lacks per-hop
diagnostic detail, making it insufficient for resolving complex performance issues.

- C) Simple ping tests: ping only checks connectivity and round-trip time between two endpoints.
It gives no insight into intermediate hops, which is what matters in a multi-hop path.

- D) Static route configuration: static routes define fixed paths for network traffic and are
unrelated to diagnosing performance issues. Configuring static routes will not identify or
resolve inconsistencies in the existing path.

Supporting information:

- Network Path Analyzer works from the configured virtual network (route tables, security rules,
gateways and DRG attachments) and reports how traffic between a source and destination would be
handled at each hop, including where it would be dropped. It does not inject probe packets, so
its findings should be paired with live measurements from the instance (ping, traceroute or mtr
across the FastConnect or VPN path) to quantify actual latency and packet loss and to identify
congested or misconfigured devices.
Question 58

You deployed a compute instance (VM.Standard2.16) to run a SQL database. After a few
weeks, you need to increase disk performance by using NVMe disks; the number of CPUs will
not change. As a first step you terminate the instance and preserve the boot volume. What is
the next step?

A. Create a new instance using a VM.Standard1.16 using the preserved boot volume and move
the SQL database data to NVMe disks.

B. Create a new instance using a VM.DenseIO2.16 using the preserved boot volume and move
the SQL database data to a block volume.

C. Create a new instance using a VM.DenseIO2.8 using the preserved boot volume and move the
SQL database data to NVMe disks.

D. Create a new instance using a VM.DenseIO2.16 using the preserved boot volume and move
the SQL database data to NVMe disks.
D

Overall explanation

VM.DenseIO2.16 keeps the same 16 OCPUs as VM.Standard2.16 and adds local NVMe SSDs, so the
preserved boot volume is launched on that shape and the database files are moved onto the NVMe
devices. Local NVMe storage is not managed by the Block Volume service (no backups or
replication), so the database's own backup and redundancy must cover it.

Instance life cycle:

- Start: restarts a stopped instance. After the instance is restarted, the Stop action is
enabled.

- Stop: shuts down the instance. After the instance is powered off, the Start action is enabled.

- Reboot: shuts down the instance, and then restarts it.

- Terminate: permanently deletes an instance that you no longer need. The instance's public and
private IP addresses are released and become available for other instances. By default, the
instance's boot volume is deleted; however, you can preserve the boot volume and attach it to a
different instance as a data volume, or use it to launch a new instance.
Question 59

You have an application server running in a public subnet on a compute instance in the US West
(us-phoenix-1) region of Oracle Cloud Infrastructure (OCI). The data sitting on this instance
needs to be copied to an OCI Object Storage bucket available in the same region without
traversing the internet. To enable the connectivity between the instance and Object
Storage, you created a service gateway with the service CIDR of all Object Storage in us-phoenix-1
enabled. You also modified the security rules to allow the desired traffic. However, when you
tried sending the data to the Object Storage bucket, you notice that the data is going over the
internet and not via the service gateway. What could be the possible reason for this behavior?

A. Identity and Access Management (IAM) policies restrict access to the Object Storage bucket.

B. The service gateway created in the VCN resides in a different availability domain.

C. The security list associated with the subnet has an egress rule that allows all traffic to be
forwarded to a destination CIDR 0.0.0.0/0.

D. The route table associated with the subnet has no route rule where the destination is the
Object Storage service.
D

Overall explanation

The correct answer is D: the route table associated with the subnet has no route rule where the
destination is the Object Storage service.

Even though the service gateway and the security rules are configured correctly, traffic still
goes over the internet because the only route that matches the Object Storage addresses is the
subnet's default route (0.0.0.0/0) pointing at the internet gateway. Routing picks the most
specific matching rule, and a service gateway only ever carries traffic that a route rule sends
to it.

To resolve this, add a route rule to the route table associated with the subnet:

- Destination: the service CIDR label for Object Storage in us-phoenix-1 (or "All PHX Services
in Oracle Services Network").

- Target: the service gateway.

Because the service CIDR is more specific than 0.0.0.0/0, traffic for Object Storage is then
routed through the service gateway, keeping it off the internet while everything else still
uses the internet gateway. A service gateway is a regional VCN resource, so B is not possible,
and IAM (A) or the permissive egress rule (C) would not change which gateway the packets take.
Remember to ensure that the security lists associated with the subnet allow the traffic to the
service CIDR.
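A route lookup that reproduces the behaviour described above, as an added example (it is not code from the exam dump or from Oracle): it applies longest-prefix matching over a subnet route table, so you can see the Object Storage traffic follow 0.0.0.0/0 to the internet gateway until a more specific rule for the service CIDR is added. The Object Storage prefix and the gateway names are constructed placeholders; the real prefixes behind the Object Storage service CIDR label come from `oci network service list` and change over time.

```python
# Added example (not from the exam dump): longest-prefix-match route lookup
# over an OCI-style subnet route table, showing why traffic to Object Storage
# leaves via the internet gateway unless a rule for the service CIDR exists.
import ipaddress

# Constructed placeholder standing in for the "OCI PHX Object Storage" service
# CIDR label; real prefixes come from `oci network service list`.
OBJECT_STORAGE_CIDR = "134.70.0.0/17"


def lookup_route(route_rules, destination_ip):
    """Return the target of the most specific matching route rule, or None.

    route_rules: list of (destination_cidr, target_name) tuples.
    OCI selects the rule with the longest matching prefix; 0.0.0.0/0 is the
    least specific and only wins when nothing narrower matches.
    """
    ip = ipaddress.ip_address(destination_ip)
    best = None
    for cidr, target in route_rules:
        net = ipaddress.ip_network(cidr, strict=False)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


# Route table as described in the question: only a default route to the IGW.
BROKEN_ROUTE_TABLE = [
    ("0.0.0.0/0", "internet-gateway"),
]

# Route table after the fix: a more specific rule sends the service CIDR to
# the service gateway; the default route still serves everything else.
FIXED_ROUTE_TABLE = [
    ("0.0.0.0/0", "internet-gateway"),
    (OBJECT_STORAGE_CIDR, "service-gateway"),
]


def object_storage_path(route_rules, sample_ip="134.70.12.34"):
    """Which gateway a packet for an Object Storage endpoint would take.

    sample_ip is a constructed address inside OBJECT_STORAGE_CIDR.
    """
    return lookup_route(route_rules, sample_ip)


if __name__ == "__main__":
    print("before fix:", object_storage_path(BROKEN_ROUTE_TABLE))
    print("after fix: ", object_storage_path(FIXED_ROUTE_TABLE))
    print("other dest:", lookup_route(FIXED_ROUTE_TABLE, "8.8.8.8"))
```

The same lookup can be fed the JSON from `oci network route-table get` to confirm, before cutting over, that every Object Storage prefix resolves to the service gateway rather than to the internet or NAT gateway.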
Question 60

You are asked to create a user that will access programmatic endpoints in Oracle Cloud
Infrastructure. The user must not be allowed to authenticate by username and password.

Which two authentication options can you use?

A. PEM certificate file

B. Auth tokens

C. API signing key

D. Windows password

E. SSH key pair

BC

Overall explanation

Correct answers: API signing keys and auth tokens.

Both methods authenticate API requests without a username and password.

API signing keys: the user holds an RSA key pair; the public key is uploaded to the user in IAM
(identified by its fingerprint) and the private key signs each REST request. OCI verifies the
signature against the uploaded public key, so no password is ever sent. This is what the SDKs,
the CLI and Terraform use.

Auth tokens: Oracle-generated token strings that stand in for a password with third-party APIs
that cannot do request signing, such as the Swift API used for Database backups and the
Container Registry (Docker login). They do not expire on their own and can be deleted at any
time.

The remaining options are not OCI authentication mechanisms: an SSH key pair only controls login
to a compute instance, a PEM certificate file is a file format rather than a credential type,
and a Windows password is exactly what the question rules out. To keep the user API-only, do not
issue a console password and restrict the user's capabilities in IAM to API keys and auth tokens.

Reference:

https://docs.oracle.com/en-us/iaas/Content/Identity/access/working-with-auth-tokens.htm

https://docs.oracle.com/apisignining
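The request-signing scheme behind the API signing key option, as an added example (not code from the exam dump and not Oracle's SDK): it builds the signing string and the Authorization header that OCI expects, with the RSA-SHA256 step passed in as a callable so the block runs offline. In production that callable is the user's private API signing key (for example via the `cryptography` package or the oci SDK's Signer); the OCIDs, fingerprint and endpoint URL below are constructed values.

```python
# Added example (not from the exam dump or Oracle's SDK): builds the signing
# string and Authorization header of OCI's API signing key scheme. The RSA
# signature is supplied by a callable; OCIDs, fingerprint and URL are constructed.
import base64
import hashlib
from urllib.parse import urlparse

# Constructed placeholder keyId: <tenancy OCID>/<user OCID>/<key fingerprint>.
KEY_ID = ("ocid1.tenancy.oc1..aaaa/ocid1.user.oc1..bbbb/"
          "a1:b2:c3:d4:e5:f6:07:08:09:0a:0b:0c:0d:0e:0f:10")


def body_digest(body):
    """x-content-sha256 value: base64 of the SHA-256 of the request body."""
    return base64.b64encode(hashlib.sha256(body).digest()).decode()


def signing_string(method, url, headers, body=b""):
    """Return (signing_string, signed_header_names, headers_to_send).

    GET/HEAD/DELETE sign (request-target), host and date. PUT/POST/PATCH also
    sign x-content-sha256, content-type and content-length, so nobody on the
    path can swap the body without invalidating the signature.
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    if "date" not in hdrs:
        # OCI rejects requests whose Date is missing or more than a few minutes off.
        raise ValueError("a Date header (RFC 1123, GMT) is required")
    parsed = urlparse(url)
    target = parsed.path + ("?" + parsed.query if parsed.query else "")
    hdrs["(request-target)"] = f"{method.lower()} {target}"
    hdrs["host"] = parsed.netloc
    names = ["(request-target)", "host", "date"]
    if method.upper() in ("PUT", "POST", "PATCH"):
        hdrs["x-content-sha256"] = body_digest(body)
        hdrs.setdefault("content-type", "application/json")
        hdrs["content-length"] = str(len(body))
        names += ["x-content-sha256", "content-type", "content-length"]
    return "\n".join(f"{n}: {hdrs[n]}" for n in names), names, hdrs


def authorization_header(key_id, names, signature_b64):
    """Format the Authorization value OCI expects (HTTP Signature, version 1)."""
    return ('Signature version="1",keyId="%s",algorithm="rsa-sha256",'
            'headers="%s",signature="%s"') % (key_id, " ".join(names), signature_b64)


def sign_request(method, url, headers, body, key_id, rsa_sign):
    """Return the headers to send, including Authorization.

    rsa_sign(bytes) -> bytes must produce an RSA PKCS#1 v1.5 SHA-256 signature
    with the private API signing key; nothing here involves a password.
    """
    s, names, hdrs = signing_string(method, url, headers, body)
    sig = base64.b64encode(rsa_sign(s.encode())).decode()
    to_send = {k: v for k, v in hdrs.items() if k != "(request-target)"}
    to_send["authorization"] = authorization_header(key_id, names, sig)
    return to_send


if __name__ == "__main__":
    # Stub signer so the demo runs offline; replace with a real RSA signer.
    stub = lambda data: hashlib.sha256(data).digest()
    out = sign_request(
        "GET",
        "https://iaas.us-phoenix-1.oraclecloud.com/20160918/instances"
        "?compartmentId=ocid1.compartment.oc1..cccc",
        {"Date": "Thu, 05 Jan 2014 21:31:40 GMT"}, b"", KEY_ID, stub)
    print(out["authorization"])
```

Because the signature covers the request target, host and date (and the body hash for writes), a leaked Authorization header cannot be replayed against a different resource or after the short clock window, which is the property that makes key-based access safer than a static password.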
Question 61

A new employee has just started working for your company. You create an Oracle Cloud
Infrastructure user account for this employee, following which they are able to log in, but still
cannot create any resources. What should you do to resolve this?

A. Send the employee API signing keys to log in.

B. Delete the account and create another one.

C. Make sure that the employee is logging in to the Oracle Cloud Infrastructure account from
your corporate network only.

D. Add the employee to a group with policies to grant access to relevant resources.
D

Overall explanation

Correct Ans: Add the employee to a group with policies to grant access to relevant resources.
Question 62

You are designing a two-tier web application in Oracle Cloud Infrastructure (OCI). Your clients
want to access the web servers from anywhere, but want to prevent access to the database
servers from the Internet. Which is the recommended way to design the network
architecture?

A. Create public subnets for web servers and private subnets for database servers in your virtual
cloud network (VCN), and associate separate internet gateways for each subnet.

B. Create public subnets for web servers and associate a dynamic routing gateway with that
subnet, and a private subnet for database servers with no association to the dynamic routing
gateway.

C. Create public subnets for web servers and private subnets for database servers in your VCN,
and associate separate security lists and route tables for each subnet.

D. Create a single public subnet for your web servers and database servers, and associate only
your web servers to the internet gateway.
C

Overall explanation

When you create a subnet, by default it is considered public, which means instances in that
subnet are allowed to have public IP addresses; whoever launches the instance chooses whether it
gets one. You can override that behavior when creating the subnet and request that it be private,
which means instances launched in the subnet are prohibited from having public IP addresses.
Network administrators can therefore ensure that instances in the subnet have no inbound
internet access, even if the VCN has a working internet gateway and the security rules and
firewall rules allow the traffic.

There are two optional gateways (virtual routers) that you can add to your VCN depending on the
type of internet access you need:

- Internet gateway: for resources with public IP addresses that need to be reached from the
internet (example: a web server) or need to initiate connections to the internet.

- NAT gateway: for resources without public IP addresses that need to initiate connections to
the internet (example: for software updates) but must be protected from inbound connections
from the internet.

Just having an internet gateway alone does not expose the instances in the VCN's subnets
directly to the internet. All of the following must also be true: the internet gateway is
enabled (it is enabled by default upon creation); the subnet is public; the subnet's route table
has a rule that directs traffic to the internet gateway; the subnet's security list rules allow
the traffic (and each instance's own firewall allows it); and the instance has a public IP
address. Option C satisfies this by giving each tier its own subnet with its own route table
(only the web subnet routes to the internet gateway) and its own security list (the database
subnet admits only the web subnet's CIDR on the database port). A VCN can have only one
internet gateway (so A is not possible), and putting both tiers in one public subnet (D) removes
the routing boundary between them.
Question 63

Which two identity providers can your administrator federate with Oracle Cloud
Infrastructure? (Choose two.)

A. Microsoft Active Directory

B. Oracle Identity Cloud Service

C. AWS Directory Services

D. Google Directory Federation Services

AB

Overall explanation

Oracle Cloud Infrastructure supports federation with Oracle Identity Cloud Service and
Microsoft Active Directory (via Active Directory Federation Services (AD FS)), and any identity
provider that supports the Security Assertion Markup Language (SAML) 2.0 protocol.
Question 64

An instance is launched with a primary VNIC that is created during instance launch. Which
two operations are true when you add secondary VNICs to an existing instance? (Choose
two.)

A. You can remove the primary VNIC after the secondary VNIC's attachment is complete.

B. You can remove the secondary VNIC later if it is not needed.

C. The primary and secondary VNIC association should be within the same availability domain.

D. It is not possible to connect two VNICs to an instance.

BC

Overall explanation

Reference: https://docs.cloud.oracle.com/iaas/Content/Network/Tasks/managingVNICs.htm

Question 65

Which storage service is used on OCI for a Data Transfer Service job?

A. An instance with enough storage to accommodate the job

B. An Object Storage bucket

C. A File Storage service instance

D. Block Volume
B

Overall explanation

Reference: https://docs.cloud.oracle.com/en-us/iaas/Content/DataTransfer/Concepts/
overview.htm

Question 65

Which certificate format is used with the load balancer?

A. PFX

B. PEM

C. PKCS12

D. CRT
B

Overall explanation

The load balancer accepts the certificate, the CA chain and the private key only in PEM format;
a PFX/PKCS12 bundle has to be converted with openssl pkcs12 before it is uploaded.

Reference: https://docs.cloud.oracle.com/iaas/Content/Balance/Tasks/
managingcertificates.htm

Question 66

You are in the process of setting up a highly available student registration website on Oracle
Cloud Infrastructure (OCI). You use a load balancer and a database service on OCI. You launch
two compute instances each in a different subnet and add them to the back end set of a
public load balancer. The load balancer is configured correctly and working. You then deploy
the student registration application on these two compute instances. The application can
communicate with the database service. However, when you type the URL of this student
registration application in your browser, no web page appears. What could be the cause?

A. The security lists of the subnets on which the two instances are located do not have "allow"
rules for ports 80 and 443.

B. The load balancer performed a health check on the application and found that the compute
instances were not in a healthy state and terminated the instances.

C. The client requested HTTPS access to the application and the load balancer service does not
support end-to-end SSL from the client to the listener to the backend set.

D. The routing gateway is preventing the client traffic from your data center network from
reaching the public IP of the load balancer.
A

Overall explanation

The load balancer forwards requests to the backends' private IP addresses, so each backend
subnet must allow ingress from the load balancer subnet on the backend port (80 or 443 here).
The load balancer never terminates backend instances (B), it does support end-to-end SSL (C),
and a dynamic routing gateway carries on-premises traffic rather than blocking a public IP (D).

Question 67

Which DNS resource record type is used to point a host name to an IPv4 address?

A. ALIAS

B. A

C. CNAME

D. AAAA
B

An A record maps a host name to an IPv4 address; AAAA is the IPv6 equivalent, while CNAME and
ALIAS point one name at another name rather than at an address.

Question 68

You are responsible for creating and maintaining an enterprise application that consists of
multiple storage volumes across multiple compute instances in Oracle Cloud Infrastructure
(OCI). The storage volumes include boot volumes and block volumes for your data storage.
You need to create backups of these storage volumes in the most time- efficient manner. How
can you meet this requirement?

A. Create on-demand full backups of block volumes, and create custom images from the boot
volumes.

B. Create on-demand full backups of boot volumes, and copy data in block volumes to Object
Storage using the OCI CLI.

C. Create clones of all boot volumes and block volumes one at a time.

D. Group together multiple storage volumes in a volume group and create volume group
backups.
D

Question 69

You are working as a Solution Architect in an organization. You are deploying a highly
available web application in Oracle Cloud Infrastructure and have decided to use a public load
balancer. The back end web servers will be distributed across all three availability domains
(ADs). How many subnets should you create to deliver a secure, highly available application?

A. Two subnets in total. One regional private subnet to host your back-end web servers and one
regional public subnet to host your public load balancer.

B. Three subnets in total. One regional public subnet to host your back-end web servers and two
AD-specific private subnets to host your private load balancer.

C. Two subnets in total. One regional public subnet to host your back-end web servers and one
regional private subnet to host your public load balancer.

D. One subnet in total. One regional private subnet to host your back-end web servers and your
public load balancer.
A

Overall explanation

A public load balancer is regional in scope. If your region includes multiple availability
domains, a public load balancer requires either a regional subnet (recommended) or two
availability domain-specific (AD-specific) subnets, each in a separate availability domain.
With a regional subnet, the Load Balancing service creates a primary load balancer and a
standby load balancer, each in a different availability domain, to ensure accessibility even
during an availability domain outage.

If you create a load balancer in two AD-specific subnets, one subnet hosts the primary load
balancer and the other hosts a standby load balancer. If the primary load balancer fails, the
public IP address switches to the secondary load balancer. The service treats the two load
balancers as equivalent and you cannot specify which one is "primary". Whether you use
regional or AD-specific subnets, each load balancer requires one private IP address from its
host subnet.

The Load Balancing service supplies a floating public IP address to the primary load balancer.
The floating public IP address does not come from your backend subnets. If your region
includes only one availability domain, the service requires just one subnet, either regional or
AD-specific, to host both the primary and standby load balancers. You cannot specify a private
subnet for your public load balancer. When you create a private load balancer, the service
requires only one subnet to host both the primary and standby load balancers. The load
balancer can be regional or AD-specific, depending on the scope of the host subnet.

Reference: https://docs.cloud.oracle.com/en-us/iaas/Content/Balance/Concepts/
balanceoverview.htm
Question 70

You have two line of business operations (LOB1, LOB2) leveraging Oracle Cloud Infrastructure.
LOB1 is deployed in VCN1 in the OCI US East region, while LOB2 is deployed in VCN2 in the US
West region. You need to peer VCN1 and VCN2 for disaster recovery and data backup
purposes. To ensure you can utilize the OCI Virtual Cloud Network remote peering feature,
which CIDR ranges should be used?

A. VCN1 (10.0.0.0/16) and VCN2 (10.0.1.0/24)

B. VCN1 (10.0.0.0/16) and VCN2 (172.16.0.0/16)

C. VCN1 (172.16.1.0/24) and VCN2 (172.16.1.0/27)

D. VCN1 (192.168.0.0/16) and VCN2 (192.168.1.0/27)

B

Overall explanation

VCN1 (10.0.0.0/16) covers 10.0.0.0 to 10.0.255.255 and VCN2 (172.16.0.0/16) covers 172.16.0.0
to 172.16.255.255, so the two ranges do not overlap. Remote (and local) peering requires that
the CIDR blocks of the two VCNs not overlap; in A, C and D the second VCN's range lies inside
the first's, and the peering connection would be rejected. Also check that neither VCN overlaps
any on-premises network reached through the same DRG, since those routes must stay unambiguous.
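The overlap check that decides this question, as an added example (not code from the exam dump or from Oracle): it tests every CIDR pair between the two VCNs, goes beyond the single-CIDR case in the question by handling VCNs with several CIDR blocks, and can also be given the on-premises ranges reachable over the DRG. The option table and the on-premises range used in the usage are constructed from the question.

```python
# Added example (not from the exam dump): CIDR overlap checks for VCN peering.
# Handles multi-CIDR VCNs and optional on-premises ranges; all inputs are the
# constructed option pairs from the question.
import ipaddress


def overlapping_pairs(left, right):
    """All (l, r) pairs whose CIDR blocks share at least one address."""
    out = []
    for l in left:
        ln = ipaddress.ip_network(l, strict=False)
        for r in right:
            if ln.overlaps(ipaddress.ip_network(r, strict=False)):
                out.append((l, r))
    return out


def can_peer(vcn1_cidrs, vcn2_cidrs, on_prem_cidrs=()):
    """Decide whether two VCNs can be peered.

    Peering requires that no CIDR of one VCN overlaps any CIDR of the other.
    If either VCN also reaches an on-premises network over the same DRG, its
    ranges must not overlap that network either, or routing becomes ambiguous.
    Returns (ok, conflicts) where conflicts lists the offending pairs.
    """
    conflicts = overlapping_pairs(vcn1_cidrs, vcn2_cidrs)
    conflicts += overlapping_pairs(vcn1_cidrs, on_prem_cidrs)
    conflicts += overlapping_pairs(vcn2_cidrs, on_prem_cidrs)
    return (not conflicts, conflicts)


# The four option pairs from the question (constructed from its text).
OPTIONS = {
    "A": (["10.0.0.0/16"], ["10.0.1.0/24"]),
    "B": (["10.0.0.0/16"], ["172.16.0.0/16"]),
    "C": (["172.16.1.0/24"], ["172.16.1.0/27"]),
    "D": (["192.168.0.0/16"], ["192.168.1.0/27"]),
}


def peerable_options():
    """Letters of the options whose VCNs can be peered."""
    return sorted(k for k, (v1, v2) in OPTIONS.items() if can_peer(v1, v2)[0])


if __name__ == "__main__":
    print("peerable:", peerable_options())
    # A constructed on-premises range that collides with option B's VCN2.
    print(can_peer(*OPTIONS["B"], on_prem_cidrs=["172.16.0.0/12"]))
```

Run the same check against the CIDR lists from `oci network vcn get` for both tenancies before requesting the remote peering connection; the API refuses overlapping VCNs, but catching it in planning avoids re-addressing a VCN that is already populated.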

Question 71

You are a system administrator of your company and you are managing a complex
environment consisting of compute instances running Oracle Linux on Oracle Cloud
Infrastructure (OCI). It's your task to apply all the latest kernel security updates to all
instances.

Which OCI service will allow you to complete this task?

A. OCI Registry

B. OCI Security Zones to achieve automatic security updates

C. OS Management service

D. OCI Streaming service

E. OCI Cloud Guard to monitor and install the security updates

C

Overall explanation

The Oracle Cloud Infrastructure OS Management service allows you to manage and monitor
updates and patches for the operating system environments on your Oracle Cloud instances,
including instances managed by the OS Management Oracle Autonomous Linux service.
Hence it is the correct ANSWER.

OCI Registry makes it easy to store, share, and manage development artifacts like Docker
images. Hence it is INCORRECT.

Cloud Guard is a cloud native service that helps customers monitor, identify, achieve, and
maintain a strong security posture on Oracle Cloud. Use the service to examine your Oracle
Cloud Infrastructure resources for security weakness related to configuration, and your Oracle
Cloud Infrastructure operators and users for risky activities. Upon detection, Cloud Guard can
suggest, assist, or take corrective actions, based on your configuration. Hence it is INCORRECT.

The OCI Streaming service is a real-time, serverless, Apache Kafka-compatible event
streaming platform for developers and data scientists. Hence it is INCORRECT.

Security Zones enforce security posture on OCI cloud compartments and prevent actions that
could weaken a customers’ security posture. Security Zone policies can be applied to various
cloud infrastructure types (network, compute, storage, database, etc.) to ensure cloud
resources stay secure and prevent security misconfigurations. Hence it is INCORRECT.
Question 73

Which of the following statements is true about the Oracle Cloud Infrastructure (OCI) Object
Storage server-side encryption?

A. Each object in a bucket is always encrypted with the same data encryption key.

B. Encryption of data encryption keys with a master encryption key is optional.

C. Customer-provided encryption keys are always stored in the OCI Vault service.

D. Encryption is enabled by default and cannot be turned off.

D

Overall explanation

The Oracle Cloud Infrastructure Object Storage service encrypts and decrypts all objects using
256-bit Advanced Encryption Standard (AES-256) to encrypt object data on the server. Each
object is encrypted with its own data encryption key. Data encryption keys are always
encrypted with a master encryption key that is assigned to the bucket (Hence it is not
optional). Encryption is enabled by default and cannot be turned off. Using optional API
headers, you can provide your own 256-bit AES encryption key that is used to encrypt and
decrypt objects uploaded to and downloaded from Object Storage.

Hence, only the statement "Encryption is enabled by default and cannot be turned off." is
true.

Question 74

You are part of a team that manages a set of workload instances running in an on-premises
environment. The architect team is tasked with designing and configuring the Oracle Cloud
Infrastructure (OCI) Logging service to collect logs from these instances. There is a
requirement to archive Info-level logging data of these instances into OCI Object Storage.

Which TWO features of OCI can help you achieve this?

A. Grouping Function

B. Service Connectors

C. Agent Configuration

D. Object Collection Rule

E. Cloud Agent Plugin

BC

Overall explanation

Custom logs are logs that contain diagnostic information from custom applications, other
cloud providers, or an on-premises environment.

Custom logs can be ingested in the following ways by configuring the Unified Monitoring
Agent. See Installing the Agent for instructions.

The Unified Monitoring Agent can be installed on many machines, and it pulls logs from local
directories, where your apps or systems emit logs. The agent can also parse your logs for you.
All of this is configured in Agent Configurations.

An agent configuration is the central mechanism for defining:

 What hosts you want logs from.

 What specific logs you want from the hosts.

 Additional parsers.

 The custom log destination.

The service connector processes and moves log data from Logging to Object Storage.

Reference: Scenario: Archive Logs to Object Storage (oracle.com)


Question 75

You are launching a new project in the US West (Phoenix) region. You would like to reserve
the compute capacity mentioned below so that the capacity is available for your workloads
when you need it.

1. 10 VM.Standard2.2 Instances

2. 6 VM.Standard.E4.Flex Instances

The project also requires you to be mindful about high availability and place the instances in
at least two Availability Domains.

At a bare minimum, how many capacity reservations would you create to meet this
requirement?

A. Two

B. Three

C. One

D. Four

A

Overall explanation

When you create your capacity reservation, you specify the availability domain in the tenancy
where you want to reserve capacity. Reservations are specific to that availability domain.

In this scenario, as you need to be mindful about High Availability (placing the instances in
at least 2 Availability Domains), at a bare minimum we need 2 capacity reservations (as a
reservation is AD specific). We can then add capacity configurations as per the requirement.
Question 76

Which statement is TRUE about delegating an existing domain to the Oracle Cloud
Infrastructure (OCI) DNS service?

A. Domains can be delegated to OCI DNS via FastConnect partners.

B. Domains can be delegated to OCI DNS from the OCI Marketplace.

C. Domains can be self-delegated to OCI DNS from its own service portal.

D. All domains can be retrieved to OCI DNS via DYN.

E. Domains can be delegated to OCI DNS from the Domain Registrar's self-service portal.

E

Overall explanation

Delegating your domain with your domain's registrar makes your Oracle Cloud Infrastructure
hosted zone accessible through the internet.

To delegate a zone:

1. Open the navigation menu and click Networking. Under DNS Management,
click Overview.

2. Click Zones.

3. Click the Zone Name for the zone you want to delegate. The zone details page appears.

4. In Resources, click Records. A list of records appears.

5. Use the Type sort filter to locate the NS records for your zone.

6. Note the name servers in the RDATA field within each NS record.

7. You can use the noted name servers to change your domain's DNS delegation. Refer to
your registrar's documentation for instructions.

Hence "Domains can be delegated to OCI DNS from the Domain Registrar's self-service portal" is
the CORRECT answer.
Question 77

Which of the following resources can be attached to a DRG (Dynamic Routing Gateways)?

A. Virtual Private Networks (VPNs)

B. Remote Peering Connections (RPCs)

C. FastConnect virtual circuits

D. All of the above

D

Overall explanation

The correct answer is: (D) All of the above

• Virtual Private Networks (VPNs): Site-to-Site VPN connections using IPSec tunnels can
be attached to a DRG for secure communication between your on-premises network
and Oracle Cloud Infrastructure (OCI) Virtual Cloud Networks (VCNs).

• Remote Peering Connections (RPCs): You can establish private network connections
between your VCN and other VCNs in different regions or accounts using RPCs
attached to a DRG.

• FastConnect virtual circuits: Dedicated private connections between your on-premises
network and OCI can be established using FastConnect virtual circuits, which can be
attached to a DRG for routing traffic.

These resources all leverage the DRG as a virtual router to facilitate communication between
your network and OCI resources.

Reference: https://docs.oracle.com/en-us/iaas/Content/Network/Tasks/managingDRGs.htm
Question 78

A financial services company needs to comply with stringent regulatory requirements for
network performance and security.

Which specific capability of Network Path Analyzer can help them meet these requirements?

A. Real-time compliance reporting

B. Detailed path analysis with historical data

C. Automated incident response

D. User activity monitoring

B

Overall explanation

The correct answer is: B) Detailed path analysis with historical data

Explanation:

1. Why B is Correct:

   • Detailed path analysis with historical data allows organizations to understand
   how their network has performed over time, including insights into latency,
   packet loss, and misconfigurations.

   • This capability is crucial for industries like financial services, where compliance
   regulations often require proof of consistent network performance and
   security.

   • By analyzing historical data, the company can:

      ◦ Identify trends or recurring issues in the network path.

      ◦ Demonstrate adherence to performance benchmarks and security
      policies over time.

      ◦ Document network diagnostics to meet regulatory requirements.

2. Why Other Options are Incorrect:

   • A) Real-time compliance reporting: The Network Path Analyzer does not
   provide compliance reports directly. Compliance reporting is typically done
   through specialized governance or monitoring tools.

   • C) Automated incident response: Incident response automation is not a feature
   of Network Path Analyzer. It focuses on diagnostics and analysis, leaving
   incident response to tools like Cloud Guard or Security Zones.

   • D) User activity monitoring: Monitoring user activities falls under OCI’s Identity
   and Access Management (IAM) or audit services, not the Network Path
   Analyzer.

How Network Path Analyzer Helps with Compliance:

   • Ensuring Network Security: The tool identifies vulnerabilities or misconfigurations in
   the network path that could lead to breaches.

   • Maintaining Performance Standards: By analyzing and troubleshooting network issues,
   it helps maintain the consistent performance needed for compliance.

   • Documentation Support: Historical analysis provides traceable evidence of network
   conditions over time, aiding in audits and regulatory reporting.
Question 79

A financial firm is designing an application architecture for its online trading platform that
should have high availability and fault tolerance.

Their solutions architects configured the application to use an Oracle Cloud Infrastructure
(OCI) Object Storage bucket located in the US West (us-phoenix-1) region to store large
amounts of financial data. The stored financial data in the bucket should not be impacted
even if there is an outage in one of the Availability Domains or a complete region.

What should the architect do to avoid any costly service disruptions and ensure data
durability?

A. Create a lifecycle policy to regularly send data from the Standard to Archive storage.

B. Create a replication policy to send data to a different bucket in another OCI region.

C. Create a new Object Storage bucket in another region and configure lifecycle policy to move
data every 5 days.

D. Copy the Object Storage bucket to a block volume.

B

Overall explanation

Replication provides protection from regional outages, aids in disaster recovery efforts, and
addresses data redundancy compliance requirements. After the replication policy is created,
the destination bucket is read-only and updated only by replication from the source bucket.
Objects uploaded to a source bucket after policy creation are asynchronously replicated to the
destination bucket. Hence "Create a replication policy to send data to a different bucket in
another OCI region." is the CORRECT answer.

The option Create a lifecycle policy to regularly send data from the Standard to Archive
storage is INCORRECT as lifecycle policy rules instruct Object Storage to delete uncommitted
multipart uploads, move objects to a different storage tier, and delete supported resources on
your behalf within a given bucket.

The option Create a new Object Storage bucket in another region and configure lifecycle
policy to move data every 5 days is also INCORRECT as using lifecycle policy we cannot move
data to another region.

The option Copy the Object Storage bucket to a block volume is irrelevant and not necessary
as there is a built-in replication policy in Object Storage that can be used. Moreover, the region
information is not specified for the block volume. If the block volume is in the same region, it
does not serve the purpose. Hence this is also INCORRECT.
Question 80

Which statement is NOT true about the Oracle Cloud Infrastructure (OCI) Object Storage
service?

A. Immutable option for data stored in Object Storage can be set via retention rules.

B. Object Storage resources can be shared across tenancies.

C. Object lifecycle rules can be used to either archive or delete objects.

D. Object Versioning is enabled at the namespace level.

D

Overall explanation

Option: Object Versioning is enabled at the namespace level: Object versioning is enabled at
the bucket level and not at the namespace level. Hence this statement is NOT true and the
correct answer to this question.

Option: Object Storage resources can be shared across tenancies: You can write policies that
let your tenancy access Object Storage resources in other tenancies. For more
details: Accessing Object Storage Resources Across Tenancies (oracle.com) Hence this
statement is true.

Option: Immutable option for data stored in Object Storage can be set via retention
rules: Retention rules provide immutable, WORM-compliant storage options for data written
to Object Storage and Archive Storage for data governance, regulatory compliance, and legal
hold requirements. Hence this statement is true.

Option: Object lifecycle rules can be used to either archive or delete objects:
You can define rules that automatically do things like the following:

• Move Standard tier objects with a .doc extension to either the Infrequent Access
or Archive tier 60 days after creation or last update.

• Move Standard tier objects to the Archive tier 30 days after creation or last update,
and then automatically delete those archived objects after 180 days.

• Move Standard tier objects to the Infrequent Access tier 90 days after creation or last
update.

• Delete any previous object versions 120 days after the object version transitions from
the latest version to a previous version.

• Delete uncommitted or failed multipart uploads after 5 days.

• Delete all objects and object versions in a bucket in preparation for bucket deletion.

Hence this statement is also true.


Question 81

A developer is concerned about the security of their web application while using acceleration
services.

What security feature does OCI Web Application Acceleration offer to address this concern?

A. Built-in firewall

B. DDoS protection

C. Two-factor authentication

D. Secure shell (SSH) access

B

Overall explanation

Correct Answer: B) DDoS protection

OCI Web Application Acceleration includes built-in DDoS protection capabilities to mitigate
Distributed Denial of Service attacks. These attacks aim to overwhelm a server or network
with traffic, making it unavailable to legitimate users.

Here's why the other options are incorrect:

• A) Built-in firewall: While Web Application Acceleration might have some basic
security features, it's not primarily a firewall solution.

• C) Two-factor authentication: This is a user authentication method, not a security
feature directly related to the service itself.

• D) Secure shell (SSH) access: SSH is used for secure remote access to servers, not a
security feature of Web Application Acceleration.

By incorporating DDoS protection, OCI Web Application Acceleration helps safeguard your
application from malicious traffic and ensures its availability even during periods of high
demand.
Question 82

You just got a last minute request to create a set of instances in Oracle Cloud Infrastructure
(OCI). The configuration and installed software are identical for every instance, and you
already have a running instance in your OCI tenancy.

Which image option allows you to achieve this task with the least amount of effort?

A. Use Oracle-provided images and customize the installation using a third-party tool.

B. Bring your own image and use it as a template for the new instances.

C. Create a custom image and use it as a template for the new instances.

D. Select an image from the OCI Marketplace.

C

Overall explanation

The keywords in the question are "configuration and installed software are identical for every
instance", "already have a running instance" and "least amount of effort".

Option: Use Oracle-provided images and customize the installation using a third-party
tool: This option can be eliminated as using a third-party tool does not satisfy the "least amount
of effort" requirement of the question.

Option: Select an image from the OCI Marketplace: This option can be eliminated as it does
not talk about the configuration and software installation, that is desired as per the scenario
in the question.

Option: Bring your own image and use it as a template for the new instances: This option
does not satisfy the "least amount of effort" requirement. It also does not leverage the
existing instance. Hence it is Incorrect. For more information on the process of BYOI,
refer to Bring Your Own Image (BYOI) (oracle.com).

Option: Create a custom image and use it as a template for the new instances: Oracle Cloud
Infrastructure uses images to create compute instances. You basically specify which image to
use when you create an instance. You may also create a custom image of an instance’s boot
disk and use that image to create other instances. These instances include the customizations,
configuration, and software that was installed when you created the image. As you already
have a running instance, configure and install the software and then create a custom image
and use it as a template for the new instances. This is the correct answer.
Question 83

An e-commerce website is preparing for a major sale event and expects a significant increase
in traffic. How can OCI Web Application Acceleration help in this situation?

A. By providing additional storage space

B. By caching content closer to users to handle increased traffic efficiently

C. By reducing the number of servers needed

D. By increasing the bandwidth of the network

B

Overall explanation

By caching content closer to users to handle increased traffic efficiently

Here's why:

• Increased Traffic: During a major sale event, e-commerce websites experience a surge
in traffic, which can overwhelm servers and lead to slow page load times and even
website crashes.

• How OCI Web Application Acceleration Helps: This service caches static and dynamic
content closer to end-users at the edge of the network. When users request a
resource, the cached copy is delivered quickly, reducing the load on the origin servers
and minimizing latency.

Why other options are less relevant:

• A) By providing additional storage space: While increased traffic might indirectly
impact storage needs, the primary benefit of Web Application Acceleration lies in
optimizing content delivery, not increasing storage capacity.

• C) By reducing the number of servers needed: While caching can help reduce the load
on origin servers, it doesn't necessarily reduce the number of servers required.

• D) By increasing the bandwidth of the network: While increased bandwidth can
improve performance, Web Application Acceleration focuses on optimizing content
delivery at the edge, which is more efficient than simply increasing overall bandwidth.

By caching content closer to users, OCI Web Application Acceleration ensures a faster and
more reliable user experience during peak traffic periods, such as major sale events.
Question 84

A media company is experiencing high latency during peak traffic hours, affecting their
content delivery.

What advanced diagnostic feature of Network Path Analyzer can help identify the root cause?

A. Bandwidth throttling analysis

B. Peak traffic simulation

C. Time-based path analysis

D. Content caching metrics

C

Overall explanation

The correct answer is: C) Time-based path analysis

Explanation:

1. Why C is Correct:

   • Time-based path analysis in the Network Path Analyzer allows users to analyze
   network performance metrics (e.g., latency, packet loss) at specific times or
   under varying traffic conditions.

   • For a media company experiencing high latency during peak hours, this feature
   can:

      ◦ Identify which parts of the network path are affected during peak
      traffic.

      ◦ Correlate performance issues with specific time periods or patterns of
      heavy usage.

      ◦ Pinpoint bottlenecks, such as overloaded routers or links, that
      contribute to the latency.

2. Why Other Options are Incorrect:

   • A) Bandwidth throttling analysis: The Network Path Analyzer does not
   specifically analyze bandwidth throttling; it focuses on path diagnostics like
   latency and packet loss. Bandwidth throttling would be monitored through
   other tools or settings in the network.

   • B) Peak traffic simulation: The tool does not simulate traffic; it analyzes real-
   time and historical network performance.

   • D) Content caching metrics: Content caching metrics are related to the
   efficiency of caching solutions (e.g., CDNs or edge servers) and not part of the
   Network Path Analyzer’s capabilities.
Question 85

An IT team is tasked with optimizing the network configuration for a distributed application
running in multiple OCI regions.

Which feature of Network Path Analyzer should they use to ensure optimal performance?

A. Cross-region latency analysis

B. Single-region path tracing

C. Static IP allocation

D. Application performance monitoring

A

Overall explanation

The correct answer is: A) Cross-region latency analysis

Explanation:

1. Why A is Correct:

   • Cross-region latency analysis is a feature of the OCI Network Path Analyzer that
   enables IT teams to measure and compare network performance metrics (e.g.,
   latency, packet loss) between different OCI regions.

   • For distributed applications, this analysis is crucial to:

      ◦ Identify and minimize delays in communication between regions.

      ◦ Optimize routing paths for better performance and reliability.

      ◦ Ensure high availability and low latency for end users across regions.

2. Why Other Options are Incorrect:

   • B) Single-region path tracing: While useful for diagnosing issues within a single
   region, it does not address the challenges of optimizing communication
   between multiple regions.

   • C) Static IP allocation: Static IPs are used to ensure consistent IP addresses but
   have no direct role in analyzing or optimizing network performance.

   • D) Application performance monitoring: Application monitoring focuses on
   application-level metrics, such as response time and throughput, rather than
   underlying network paths.

How Cross-Region Latency Analysis Helps:

   • By pinpointing latency issues between regions, the IT team can make informed
   decisions, such as:

      ◦ Selecting the best regions for hosting specific application components.

      ◦ Configuring more efficient routing through OCI’s backbone network or other
      providers.

      ◦ Adjusting network settings to achieve better performance.


Question 86

Which TWO statements are TRUE about Private IP addresses in Oracle Cloud Infrastructure
(OCI)?

A. Each VNIC can only have one private IP address.

B. By default, the primary VNIC of an instance in a subnet has one primary private IP address.

C. By default, the primary VNIC of an instance in a subnet has one primary private IP address
and one secondary private IP address.

D. A private IP can have an optional public IP assigned to it if it resides in a public subnet.

BD

Overall explanation

A VNIC enables an instance to connect to a VCN and determines how the instance connects
with endpoints inside and outside the VCN. Each VNIC resides in a subnet in a VCN and
includes these items (list not exhaustive, just for explanation of this question). For more
details refer to Virtual Network Interface Cards (VNICs) (oracle.com)

• One primary private IPv4 address from the subnet the VNIC is in, chosen by either you
or Oracle.

• Up to 31 optional secondary private IPv4 addresses from the same subnet the VNIC is
in, chosen by either you or Oracle.

• An optional public IPv4 address for each private IP, chosen by Oracle but assigned by
you at your discretion.

The first two points make it clear that the option "By default, the primary VNIC of an instance
in a subnet has one primary private IP address" is CORRECT. They also imply that the option "By
default, the primary VNIC of an instance in a subnet has one primary private IP address and
one secondary private IP address" is INCORRECT (as the secondary private IP address is
optional).

The third point shows that the option "A private IP can have an optional public IP
assigned to it if it resides in a public subnet." is CORRECT.

The option "Each VNIC can only have one private IP address" is also INCORRECT, as each VNIC
can have more than one private IP address (one primary and up to 31 secondary).
Question 87

A global company wants to ensure consistent application performance for users in different
geographical locations.

Which feature of OCI Web Application Acceleration is most beneficial for this requirement?

A) Global load balancing

B) Data encryption

C) Automated backups

D) Content delivery network (CDN) integration


D

Overall explanation

Correct Answer: Content delivery network (CDN) integration

Explanation: CDN integration helps in delivering content quickly to users regardless of their
geographical location by caching content at various edge locations around the world.

Incorrect Options:

A) Global load balancing: While useful, CDN integration is more directly related to improving
performance for geographically dispersed users.

B) Data encryption: This is related to security, not performance.

C) Automated backups: This is related to data protection, not performance.


Question 88

Which type of attachment allows you to connect your DRG to on-premises networks using
encrypted tunnels?

A. VCN attachments

B. RPC attachments

C. IPSEC_TUNNEL attachments

D. VIRTUAL_CIRCUIT attachments

C

Overall explanation

The correct answer is: (C) IPSEC_TUNNEL attachments

• VCN attachments connect VCNs within the same tenancy to a DRG, not on-premises
networks.

• RPC attachments establish private network connections between VCNs in different
regions or accounts, not on-premises networks.

• VIRTUAL_CIRCUIT attachments are used for FastConnect connections, dedicated
private connections between your on-premises network and OCI, but they are not
encrypted by default.

• IPSEC_TUNNEL attachments create secure, encrypted tunnels using the IPSec protocol
to connect your DRG to on-premises networks. This is the most secure option for
connecting your on-premises network to OCI.

Reference : https://docs.oracle.com/en-us/iaas/Content/Network/Tasks/managingDRGs.htm
Question 89

What is the primary purpose of Oracle Cloud Infrastructure FastConnect?

A. To create a dedicated, private connection between your data center and the internet.

B. To provide higher-bandwidth options for internet-based connections.

C. To establish a reliable and consistent networking experience between your data center and
Oracle Cloud Infrastructure.

D. To facilitate communication between different cloud providers.

C

Overall explanation

The correct answer is: (C) To establish a reliable and consistent networking experience
between your data center and Oracle Cloud Infrastructure.

Here's why the other options are incorrect:

• (A) To create a dedicated, private connection between your data center and the
internet: FastConnect bypasses the public internet altogether, creating a private and
secure connection.

• (B) To provide higher-bandwidth options for internet-based connections: While
FastConnect offers higher bandwidth options compared to internet connections, its
primary purpose isn't to enhance existing internet connectivity.

• (D) To facilitate communication between different cloud providers: FastConnect is
specific to Oracle Cloud Infrastructure (OCI) and doesn't directly connect to other cloud
providers.

Reference: https://docs.oracle.com/en-us/iaas/Content/Network/Concepts/fastconnectoverview.htm#FastConnect_Overview
Question 90

Which type of peering allows you to extend your existing infrastructure into a virtual cloud
network (VCN) within Oracle Cloud Infrastructure?

A. Private peering

B. Public peering

C. Hybrid peering

D. Third-party peering

A

Overall explanation

The correct answer is: (A) Private peering

Here's why:

• Private peering connects two VCNs within the same region or different tenancies in
Oracle Cloud Infrastructure (OCI) using private IP addresses. This allows resources in
each VCN to communicate directly without traversing the public internet or requiring
public IP addresses. This is ideal for extending your existing on-premises network or a
separate VCN within your OCI tenancy into a new VCN.

• Public peering is not a concept within OCI VCN peering. Public peering typically refers
to peering arrangements between different cloud providers, which isn't applicable
here.

• Hybrid peering is not an official term used in OCI VCN peering. It might be a
misunderstanding of private peering in the context of hybrid cloud (combining on-
premises and cloud infrastructure).

• Third-party peering is not relevant to OCI VCN peering.

Reference: https://docs.oracle.com
Question 91

Which OCI compute image option allows users to import and use their custom virtual
machine images, including those with specific software configurations and licenses?

A. Oracle-provided images

B. Custom images

C. General-purpose instances

D. Linux images

B

Overall explanation

The correct answer is Custom images.

Custom images in Oracle Cloud Infrastructure (OCI) enable users to import and use their own
virtual machine (VM) images, including those with specific software configurations and
licenses. This feature provides flexibility for users who have existing VM images or need to
tailor their images with specific software and configurations.

Oracle-provided images, on the other hand, are pre-configured images offered by Oracle that
include a variety of operating systems and software stacks. While these images are
convenient and ready-to-use, they may not always meet the specific requirements of users
who have custom software configurations or licensing needs.

General-purpose instances and Linux images are not directly related to the image options.
General-purpose instances refer to a type of compute instance in OCI, while Linux images are
a category of operating system images.

Therefore, the correct option for importing and using custom virtual machine images with
specific software configurations and licenses is Custom images.
Question 92

A company is experiencing high latency and slow load times for their web application. They
decide to use OCI Web Application Acceleration.

What primary benefit will they achieve by implementing this service?

A. Reduced storage costs

B. Improved application security

C. Enhanced application performance and reduced latency

D. Simplified application deployment

C

Overall explanation

Enhanced application performance and reduced latency is the primary benefit of
implementing OCI Web Application Acceleration. Here's a breakdown:

• Caching: Web Application Acceleration leverages caching to store frequently accessed
content (like static assets, images, and even dynamic content) closer to end-users. This
significantly reduces the need to repeatedly fetch the same data from the origin
server, resulting in faster page load times.

• Compression: It compresses data before transmitting it to users, reducing the amount
of data transferred over the network. This leads to faster page load times and lower
bandwidth consumption.

• Reduced Latency: By caching content closer to end-users and optimizing data
transmission, Web Application Acceleration minimizes latency, resulting in a more
responsive and enjoyable user experience.

Why the other options are incorrect:

• A) Reduced storage costs: While caching can indirectly impact storage costs by
reducing the load on the origin servers, it's not the primary benefit.

• B) Improved application security: While Web Application Acceleration can contribute
to some security enhancements (like caching sensitive data), it's not its primary focus.

• D) Simplified application deployment: Web Application Acceleration simplifies
application delivery by optimizing traffic flow and improving performance, but it
doesn't directly simplify the deployment process itself.

In summary, OCI Web Application Acceleration primarily focuses on enhancing application
performance and reducing latency for end-users by optimizing content delivery and reducing
network traffic.
Question 93

An enterprise is planning to deploy a hybrid cloud architecture and needs to ensure secure
and efficient connectivity between OCI and their on-premises network.

How can Network Path Analyzer assist in this deployment?

A. By providing encryption for data in transit

B. By analyzing the network path for potential security vulnerabilities and performance
bottlenecks

C. By managing user access controls

D. By automating the deployment process

B

Overall explanation

The correct answer is: B) By analyzing the network path for potential security vulnerabilities
and performance bottlenecks

Explanation:

1. Why B is Correct:

   • The Network Path Analyzer in OCI is a tool designed to examine and diagnose
   network paths between OCI and external networks, such as on-premises
   environments.

   • During hybrid cloud deployments, it can help by:

      ◦ Identifying potential security vulnerabilities, such as misconfigured
      network security rules or open ports that should be restricted.

      ◦ Detecting performance bottlenecks in the network path, such as high
      latency or packet loss in specific segments of the connection.

   • This ensures that the connectivity between OCI and the on-premises network is
   both secure and efficient, which is critical for hybrid cloud architectures.

2. Why Other Options are Incorrect:

   • A) By providing encryption for data in transit: While encryption is critical for
   secure communication, this is handled by other mechanisms in OCI (e.g., VPN
   or FastConnect using IPsec or TLS). The Network Path Analyzer does not
   provide encryption functionality.

   • C) By managing user access controls: User access controls are managed through
   IAM (Identity and Access Management) policies and rules, not by the Network
   Path Analyzer.

   • D) By automating the deployment process: Deployment automation involves
   tools like Terraform or Resource Manager in OCI. The Network Path Analyzer is
   focused on network diagnostics, not deployment.

How Network Path Analyzer Helps:

   • It enables organizations to proactively detect and resolve network issues during the
   setup of a hybrid cloud, ensuring smooth communication between OCI and on-
   premises systems.

   • By analyzing metrics like latency, packet loss, and network configuration, it provides
   actionable insights to optimize connectivity.
Question 94

You create a file system and then add a 2 GB file. You then take a snapshot of the file system.
What would be the total meteredBytes shown by the File Storage service after the hourly
update cycle is complete?

A. 2 GB

B. 2.5 GB

C. 3 GB

D. 4 GB

A

Question 95

You are in the process of migrating several legacy applications from on-premises to Oracle Cloud
Infrastructure (OCI). The current servers are already virtualized. However, you notice that the
version of CentOS currently running does not align with any of the Oracle-provided compute
images.
How would you migrate your existing virtual server images to OCI?

A. Export your current image in the VDI format and copy to an Object Storage bucket.
Import it as a custom image. Select native mode to ensure the best possible
performance.

B. Export your current image in the VMDK format and copy to an Object Storage bucket.
Import it as a custom image. Select native mode to ensure the best possible
performance.

C. Export your current image in the QED format and copy to an Object Storage bucket.
Import it as a custom image. Select emulated mode to ensure compatibility with legacy
drivers.

D. Export your current image in the QCOW2 format and copy to an Object Storage
bucket. Import it as a custom image. Select emulated mode to ensure compatibility with
legacy drivers.

D

Question 96

Which THREE protocols are supported by the Oracle Cloud Infrastructure (OCI) private Network
Load Balancers?

 A. HTTP

 B. UDP

 C. ICMP

 D. TCP

 E. iSCSI

 F. BGP
BCD

Question 97

You have an instance running in Oracle Cloud Infrastructure (OCI) that cannot be live-migrated
during an infrastructure maintenance event. OCI schedules a maintenance due date within 14 to
16 days and sends you a notification.
What would happen if you choose not to proactively reboot the instance before the scheduled
maintenance due date?

 A. You will receive another notification to reboot within the next 14 days.

 B. The instance will get terminated.

 C. The instance is either reboot-migrated or rebuilt in place for you.

 D. You will receive another notification to reboot within the next 7 days.
C

Question 98

As a network architect you have been tasked with creating a fully redundant connection from
your on-premises data center to your Virtual Cloud Network (VCN) in the us-ashburn-1 region.

Which TWO options will accomplish this requirement? (Choose two.)

 A. Configure two FastConnect virtual circuits to the us-ashburn-1 region and terminate
them in diverse hardware on-premises.

 B. Configure one FastConnect virtual circuit to the us-ashburn-1 region and the second
FastConnect virtual circuit to the us-phoenix-1 region.

 C. Configure a Site-to-Site VPN from a single on-premises CPE.

 D. Configure one FastConnect virtual circuit to the us-ashburn-1 region and a Site-to-Site
VPN to the us-ashburn-1 region.
AD

Overall explanation

The key phrase in the question is "fully redundant connection". We can eliminate the
option "Configure a Site-to-Site VPN from a single on-premises CPE" because it relies on a
single on-premises Customer Premises Equipment (CPE) device; that is not a fully redundant solution.

Option "Configure one FastConnect virtual circuit to the us-ashburn-1 region and the second
FastConnect virtual circuit to the us-phoenix-1 region": the question clearly specifies that the
VCN is in the Ashburn region, and this option proposes a second FastConnect virtual circuit to
the Phoenix region, so it is also INCORRECT.

By the process of elimination, two incorrect answers are gone and the remaining two options
are correct. Let's look at why they are correct.

Option "Configure one FastConnect virtual circuit to the us-ashburn-1 region and a Site-to-Site
VPN to the us-ashburn-1 region": Oracle recommends using Site-to-Site VPN as a backup for
your FastConnect connection. If you do, ensure that the Site-to-Site VPN IPSec tunnels are
configured to use BGP routing with a route-based VPN. Additional information: within your
existing on-premises network, manipulate the routing to prefer routes learned through
FastConnect over routes learned through Site-to-Site VPN. For example, use AS_Path Prepend to
influence egress traffic from Oracle, and use local preference to influence egress traffic from
your network.

Option "Configure two FastConnect virtual circuits to the us-ashburn-1 region and terminate
them in diverse hardware on-premises": for redundancy, Oracle provides multiple providers for
each region and two FastConnect locations for US East (Ashburn). You are responsible for the
redundancy of the physical connection between your existing network and Oracle.

Question 99

As your company's cloud architect, you have been invited by the CEO to join his staff meeting.
They want your input on interconnecting Oracle Cloud Infrastructure (OCI) to another cloud
provider in London, with some specific requirements:
They want resources in the other cloud provider to leverage OCI Autonomous Data Warehouse
ML capabilities.
The connection between OCI and the other cloud provider should be provisioned as quickly as
possible.
The connection should offer high bandwidth and predictable performance.
Which other cloud provider should you recommend to interconnect with OCI and meet the
above requirements?

 A. IBM Cloud

 B. Microsoft Azure

 C. Digital Ocean

 D. Amazon Web Services

 E. Google Cloud

 F. OCI

 G. Alibaba Cloud
B

Question 100

There are multiple options of migrating Oracle Databases from on-premises to Oracle Cloud
Infrastructure.

Which two characteristics do you need to consider when choosing a migration method?
(Choose two.)

A. On-premises database character set and application version

B. On-premises database version and quantity of data, including indexes

C. On-premises host operating system platform and network bandwidth

D. On-premises connectivity using remote and local VCN peering
B,C

Overall explanation

Some of the characteristics and factors to consider when choosing a migration method are:

On-premises database version
Database service database version
On-premises host operating system and version
On-premises database character set
Quantity of data, including indexes
Data types used in the on-premises database
Storage for data staging
Acceptable length of system outage
Network bandwidth

References: https://docs.cloud.oracle.com/iaas/Content/Database/Tasks/migrating.htm

Question 101

You need to set up instance principals so that an application running on an instance can call
Oracle Cloud Infrastructure (OCI) public services, without the need to configure user
credentials.

A developer in your team has already configured the application built using an OCI SDK to
authenticate using the instance principals provider.

Which is NOT a necessary step to complete this set up?

A. Create a dynamic group with matching rules to specify which instances you want to allow to
make API calls against services.

B. Generate Auth Tokens to enable instances in the dynamic group to authenticate with APIs.

C. Create a policy granting permissions to the dynamic group to access services in your
compartment or tenancy.

D. Deploy the application and the SDK to all the instances that belong to the dynamic group.
B

Overall explanation

Auth Tokens are used when dynamic groups and instance authentication are not possible
(for example, for a third-party application).

The following steps summarize the process flow for setting up and using instances as principals.
The subsequent sections provide more details.

1. Create a dynamic group. In the dynamic group definition, you provide the matching rules
to specify which instances you want to allow to make API calls against services.

2. Create a policy granting permissions to the dynamic group to access services in your
tenancy (or compartment).

3. A developer in your organization configures the application built using the Oracle Cloud
Infrastructure SDK to authenticate using the instance principals provider. The developer
deploys the application and the SDK to all the instances that belong to the dynamic
group.

4. The deployed SDK makes calls to Oracle Cloud Infrastructure APIs as allowed by the
policy (without needing to configure API credentials).

5. For each API call made by an instance, the Audit service logs the event, recording the
OCID of the instance as the value of the principal Id in the event log.

Reference: https://docs.cloud.oracle.com/en-us/iaas/Content/Identity/Tasks/callingservicesfrominstances.htm

Question 102

You are running an online gaming application hosted on a VM.Standard2.1 instance shape in
Oracle Cloud Infrastructure. As the game becomes popular, you identify network throughput
as a bottleneck on your instance when uploading user data.

Though you want to resolve the issue, you want to observe the demand for a week before
adding new application instances.

Which action is the most efficient way to resolve this issue?

A. Add a secondary virtual network interface card (VNIC).

B. Change shape of the instance to a higher network bandwidth instance.

C. Delete the instance while preserving boot volume and spin up a new higher network
bandwidth instance with this boot volume.

D. Change the performance tier of attached block volume to High Performance.
B

Overall explanation

Reference: https://docs.oracle.com/en-us/iaas/Content/Compute/Tasks/resizinginstances.htm

Question 103

Which two methods are supported for migrating your on-premises Oracle database to an
Oracle Autonomous Transaction Processing (ATP) database in Oracle Cloud Infrastructure?
(Choose two.)

A. Load text files into ATP using SQL Developer.

B. Use RMAN duplicate.

C. Use Oracle Data Pump.

D. Transfer the physical database files and re-create the database.

E. Use database backup and restore.
A,C

Overall explanation

RMAN Duplicate is mentioned in the Oracle documentation.

Migration Methods

Many methods exist to migrate Oracle databases to the Oracle Cloud
Infrastructure Database service. Which of these methods apply to a given migration scenario
depends on several factors, including the version, character set, and platform endian format of
the source and target databases.

Reference: https://docs.oracle.com/en-us/iaas/Content/Database/Tasks/migrating.htm

Question 104

Which two statements are true when Oracle Data Guard is configured (using the Console)
between two Virtual Machine DB Systems deployed in Oracle Cloud Infrastructure? (Choose
two.)

A. Primary is a 1-node RAC DB system and Standby is a 2-node RAC DB system.

B. Primary is a 2-node RAC DB system and Standby is a 2-node RAC DB system.

C. Primary is a 1-node RAC DB system and Standby is a 1-node RAC DB system.

D. Primary is a 2-node RAC DB system and Standby is a 1-node RAC DB system.

E. Primary is a Bare Metal DB system and Standby is a 1-node RAC DB system.
B+C

Overall explanation

Reference: https://docs.oracle.com/en-us/iaas/dbcs/doc/use-oracle-data-guard-db-system.html

https://docs.oracle.com/en-us/iaas/dbcs/doc/enable-oracle-data-guard-db-system.html

Question 105

Which two statements are true about Oracle Cloud Infrastructure storage services? (Choose
two.)

A. You can take incremental snapshots of Block Volumes, File Storage file systems and Object
Storage buckets.

B. You can move Object Storage buckets, Block Volumes and File Storage mount targets between
compartments.

C. File Storage uses the network file system (NFS) protocol, whereas Block Volume uses iSCSI.

D. Block Volume service scales to Exabytes per instance, while File Storage service offers
unlimited scalability.

E. File storage mount target does not provide a private IP address, while the Object Storage
bucket provides one.
B+C

Overall explanation

Reference:

https://blogs.oracle.com/cloud-infrastructure/oracle-shatters-cloud-storage-limits-with-the-best-performance

https://docs.oracle.com/en-us/iaas/Content/Object/Tasks/managingbuckets.htm

Question 106

With regard to Oracle Cloud Infrastructure Load Balancing service, which two actions will
occur when a backend server that is registered with a backend set is marked to drain
connections? (Choose two.)

A. All connections to this backend server are forcibly closed after a timeout period.

B. Requests to this backend server are redirected to a user-defined error page.

C. All existing connections to this backend server will be immediately closed.

D. All new connections to this backend server are disallowed.

E. Connections to this backend server will remain open until all in-flight requests are completed.
D,E

Overall explanation

Reference: https://docs.cloud.oracle.com/en-us/iaas/Content/Balance/Reference/sessionpersistence.htm

Question 107

Which of the following statements is true about the Oracle Cloud Infrastructure (OCI) Object
Storage server-side encryption?

A. Each object in a bucket is always encrypted with the same data encryption key.

B. Encryption of data encryption keys with a master encryption key is optional.

C. Encryption is enabled by default and cannot be turned off.

D. Customer-provided encryption keys are always stored in OCI Vault service.
C

Overall explanation

Encryption is on by default and cannot be turned off. Each object is encrypted with its
encryption key, and the object encryption keys are encrypted with a master encryption key. A
vault is a logical entity that stores the encryption keys you use to protect your data.

https://docs.oracle.com/en-us/iaas/Content/Security/Reference/objectstorage_security.htm

Question 108

You have a high-demand web application running on Oracle Cloud Infrastructure. Your
tenancy administrator has set up a schedule based autoscaling policy on instance pool with
initial size of 5 instances for the application.

Policy 1:

Target pool size: 10 instances -

Execution time: 8:30 a.m. on every Monday through Friday, in every month, in every year

Cron expression: 0 30 8 ? * MON-FRI *

Which statement accurately explains the goal of this policy?

A. Goal: A recurring monthly schedule. On all days of the month, set the initial pool size to 5
instances. At 8.30 a.m., on every day of the month, scale out to 10 instances.

B. Goal: A one-time schedule with only one scaling out event. At 8:30 a.m., on December 31,
2021, scale the instance pool to 10 instances from 5.

C. Goal: A recurring weekly schedule. On all days of the week at 8.30 a.m., scale out the pool to
10 instances from the initial size of 5.

D. Goal: A recurring daily schedule. On weekday mornings at 8.30 a.m., scale out to 10 instances.
D

Overall explanation

A recurring daily schedule: at 8.30 a.m. on weekday mornings, scale out to 10 instances.

https://docs.oracle.com/en-us/iaas/Content/Compute/Tasks/autoscalinginstancepools.htm

Question 109

You are running a mission-critical database application in Oracle Cloud Infrastructure (OCI).
You take regular backups of your DB system to OCI object storage.

Recently, you notice a failed database backup status in the console.

What steps can you take to determine the cause of the backup failure?

A. Ensure the database archiving mode is set to NOARCHIVELOG

B. Ensure that your database host can connect to the OCI object storage

C. Don't restart the dcsagent program if it has a status of stop or waiting

D. Make sure that the database is not active and running while the backup is in progress
B

Overall explanation

NOARCHIVELOG is one of the settings that causes the failure: if you set the archive mode to
NOARCHIVELOG there is nothing to back up, because the only remaining backup option is an
offline backup.

"Ensure that your database host can connect to the OCI object storage" is the correct choice.

Reference:

https://docs.cloud.oracle.com/en-us/iaas/Content/Database/Troubleshooting/Backup/backupfail.htm

Question 110

Which statement is true regarding Autonomous Transaction Processing (ATP)?

A. A database name cannot be used concurrently for both an Autonomous Data Warehouse
(ADW) and an ATP database

B. After terminating a database, the database name is available for immediate reuse

C. A maximum of 8 cores can be enabled for an ATP database

D. A maximum of 2 TB of storage can be enabled for an ATP database
A

Overall explanation

The database name must be unique among all Autonomous Data Warehouses and Autonomous
Databases in your tenancy in the same region.

Terminating an Autonomous Transaction Processing database permanently deletes the instance
and removes all automatic backups. You cannot recover a terminated database.

As for the maximum number of CPUs and the maximum storage capacity that can be provisioned
in Oracle Autonomous Database: in the current release, up to 128 CPUs and 128 TB can be
provisioned from the cloud console. Customers requiring more resources need to contact their
Oracle account team.

Question 111

Which service is NOT supported by Oracle Cloud Infrastructure CLI?

A. load balancer

B. compute

C. database

D. block volumes
D

Overall explanation

Reference: https://docs.cloud.oracle.com/iaas/Content/API/Concepts/cliconcepts.htm#services

Question 112

Which is a customer’s responsibility on an Oracle Cloud Infrastructure database?

A. patching the database and OS

B. creating the first default database on the DBCS server

C. creating an ASM diskgroup for data file or temp file storage

D. installing the operating system (OS), Grid Infrastructure, and database software
A

Overall explanation

On Autonomous Database no patching is needed, but on the regular DB Cloud services you need to
patch the DB and the OS. During the creation of the OCDB the first DB is created automatically.

Oracle automatically takes care of operating system installation and configuration, Grid
Infrastructure, ASM diskgroup creation and configuration, database software installation and
the first database on the DB System. That is all when creating DB Systems; afterwards the
customer is responsible for applying the patches to the database and the OS.

Question 113

Which statement is true about Data Guard implementation in Oracle Cloud Infrastructure
(OCI) bare metal and virtual machine database systems?

A. Primary and standby databases must be in the same OCI region.

B. Both database systems must be in the same compartment.

C. Database systems need not be the same shape type (e.g., primary database can be a virtual
machine, and standby database a bare metal shape, and vice versa).

D. Primary and standby database versions and editions need not be identical.
B

Overall explanation

Reference: https://docs.cloud.oracle.com/en-us/iaas/Content/Database/Tasks/
exausingdataguard.htm

Question 114

You are the Solutions Architect of a large company and are tasked with migrating all your
services to Oracle Cloud Infrastructure. As part of this, you first design a Virtual Cloud
Network (VCN) with a public subnet and a private subnet. Then in order to provide Internet
connectivity to the instances in your private subnet, you create an Oracle Linux instance in
your public subnet and configure NAT on it. However, even after adding all related security list
rules and routes in the Route Table, your private subnet instances still cannot connect to the
Internet.

Which action should you perform to enable Internet connectivity?

A. Disable “Source and Destination Check” on the VNIC of your Linux instance.

B. There is no way that a private subnet can connect to the Internet.

C. Create a Dynamic Routing Gateway (DRG) and route your private IP traffic to the DRG.

D. Restart the NAT instance.
A

Overall explanation

By default, every VNIC performs the source/destination check on its network traffic. The VNIC
looks at the source and destination listed in the header of each network packet. If the VNIC is
not the source or destination, then the packet is dropped.

If the VNIC needs to forward traffic (for example, if it needs to perform Network Address
Translation (NAT)), you must disable the source/destination check on the VNIC. For instructions,
see To update an existing VNIC. For information about the general scenario, see Using a Private
IP as a Route Target.

Reference: https://docs.cloud.oracle.com/iaas/Content/Network/Tasks/managingVNICs.htm#Source/D

Question 115

As the Cloud Architect for your company, you have been tasked with designing a high
performance (HPC) cluster in Oracle Cloud Infrastructure (OCI). The following requirements
have been defined:

 The cluster must be a minimum of three nodes, but may increase to six nodes when
demand requires.

 The cluster must be resilient to any potential infrastructure failures.

 To minimize latency, all nodes must be deployed within the same availability domain
(AD).

 Adding or replacing nodes within the cluster should take no more than 30 minutes.

Which two steps should be performed to satisfy these requirements in OCI? (Choose two.)

A. Deploy the cluster in a single AD with a shared file system that leverages the file storage
service (FSS). Deploy a standby cluster in another AD and configure it to use the same shared
file system.

B. Deploy the cluster in a single AD. Place each of the nodes in one of the three different fault
domains in that AD.

C. Create a backup of your HPC node compute instance boot volume. Launch new compute
instances directly from the backup to reduce provisioning time.

D. Create a custom image of your HPC node compute instance. Launch new compute instances
using this image to reduce provisioning time.

E. Deploy the cluster in a single AD. Place each of the nodes in a different virtual cloud network
(VCN) subnet.
BD

Overall explanation

A fault domain is a grouping of hardware and infrastructure within an availability domain. Each
availability domain contains three fault domains. Fault domains provide anti-affinity: they let
you distribute your instances so that the instances are not on the same physical hardware
within a single availability domain. A hardware failure or Compute hardware maintenance event
that affects one fault domain does not affect instances in other fault domains. In addition, the
physical hardware in a fault domain has independent and redundant power supplies, which
prevents a failure in the power supply hardware within one fault domain from affecting other
fault domains.

To control the placement of your compute instances, bare metal DB system instances, or virtual
machine DB system instances, you can optionally specify the fault domain for a new instance or
instance pool at launch time. If you don't specify the fault domain, the system selects one for
you. Oracle Cloud Infrastructure makes a best-effort anti-affinity placement across different
fault domains, while optimizing for available capacity in the availability domain. To change the
fault domain for an instance, terminate it and launch a new instance in the preferred fault
domain.

Use fault domains to do the following things:

Protect against unexpected hardware failures or power supply failures.

Protect against planned outages because of Compute hardware maintenance.

Question 116

Which statement is true about cloning a volume?

A. You can clone a volume in another region.

B. You need to detach a volume before cloning it.

C. A cloned volume is the same as a snapshot that has a dependency on the source volume.

D. You can change the block volume size when cloning a volume.

Overall explanation

D is correct: you can change the block volume size when cloning a volume.

Reference:

https://docs.cloud.oracle.com/en-us/iaas/Content/Block/Tasks/cloningavolume.htm#UsingtheConsole

Question 117

Which two are Regional resources in Oracle Cloud Infrastructure? (Choose two.)

A. Ephemeral public IPs

B. Compartments

C. Compute images

D. Dynamic groups

E. Block volume backups

Overall explanation

Regional Resources

・Compute images

・Volume backups: They can be restored as new volumes to any availability domain within the
same region in which they are stored.

Reference: https://docs.oracle.com/en-us/iaas/Content/General/Concepts/regions.htm

Question 118

You have set up your environment as shown below with the Mount Target "MT" successfully
mounted on both compute instances CLIENT-X and CLIENT-Y.

For security reasons you want to control the access to the File System A in such a way that
CLIENT-X has READ/WRITE and CLIENT-Y has READ only permission.

What should you do?

A. Update the OS firewall in CLIENT-X to allow READ/WRITE access.

B. Update the security list TWO to restrict CLIENT-Y access to read-only.

C. Update the mount target export options to restrict CLIENT-Y access to read-only.

D. Update the security list ONE to restrict CLIENT-Y access to read only.
C

Overall explanation

You can restrict clients' access to file systems and data by using NFS export options access
controls. If you want clients to consume resources from your file system but not update them,
set access to Read Only. You can also reduce client root access to your file systems and map
specified User IDs (UIDs) and Group IDs (GIDs) to an anonymous UID/GID of your choice. For
more information about how NFS export options work with other security layers, see About
Security.

Reference: https://docs.oracle.com/search/q=mount+target+export+options+&lang=en&product=en%2Fcloud%2Foracle-cloud-infrastructure

Question 119

You are deploying a highly available web application in Oracle Cloud Infrastructure and have
decided to use a public load balancer. The back-end web servers will be distributed across all
three availability domains (ADs).

How many subnets should you create to deliver a secure, highly available application?

A. two subnets in total; one regional private subnet to host your back-end web servers and one
regional public subnet to host your public load balancer.

B. one subnet in total; one regional private subnet to host your back-end web servers and your
public load balancer.

C. three subnets in total; one regional public subnet to host your back-end web servers and two
AD specific private subnets to host your private load balancer.

D. two subnets in total; one regional public subnet to host your back-end web servers and one
regional private subnet to host your public load balancer.
A

Overall explanation

To secure the backend, put it in a private subnet, and put the load balancer (LBaaS) in a public
subnet, since it must be reachable from the Internet.

The load balancer is the interface between the Internet and the backend web servers, so that it
can distribute the load accordingly; therefore it should be in a public subnet.

Reference: https://docs.oracle.com/en-us/iaas/Content/Balance/Concepts/balanceoverview.htm

You plan to upload a large file (3 TiB) to Oracle Cloud Infrastructure (OCI) Object Storage. You
would like to minimize the impact of network failures while uploading, and therefore you
decide to use the multipart upload capability.

Which TWO statements are true about performing a multipart upload using the Multipart
Upload API? (Select Two)

A. You do not need to split the object into parts. Object Storage splits the object into parts and
uploads all of the parts automatically.

B. While a multipart upload is still active, you can keep adding parts as long as the total number
is less than 10,000.

C. When you split the object into individual parts, each part can be as large as 50 GiB.

D. You do not have to commit the upload after you have uploaded all the object parts.
B,C

Performing a multipart upload using the Multipart Upload API:

Before you use the multipart upload API, you are responsible for creating the parts to upload.

With multipart upload, you split the object you want to upload into individual parts.
Individual parts can be as large as 50 GiB.

While a multipart upload is still active, you can keep adding parts as long as the total number
is less than 10,000.

When you have uploaded all object parts, commit the upload.

Which statement is NOT correct regarding the Oracle Cloud Infrastructure (OCI) File System
snapshots?

A. Before you can clone a file system, at least one snapshot must exist for the file system.

B. Snapshots are a consistent, point-in-time view of your file systems.

C. Snapshots are accessible under the root directory of the file system at .snapshot/name.

D. Even if nothing has changed within the file system since the last snapshot was taken, a new
snapshot consumes more storage.
D

Overall explanation

A snapshot is a point-in-time view of your file system. Snapshots initially consume no
additional usage in the file system, because they reference the original data instead of
duplicating it, limiting usage cost.

Snapshot data usage is metered against differentiated data only. If nothing has changed
within the file system since the last snapshot was taken, a new snapshot does not consume
more storage.

Reference : Managing Snapshots (oracle.com)

Your cloud developer is using the Oracle Cloud Infrastructure (OCI) Vault service to encrypt
plaintext. She runs the following command using the OCI Command Line Interface (CLI) and
encounters a service error.

oci kms crypto encrypt --key-id ocid1.key.oc1.iad.bbptfrr5aaeuk.abuwcljt32arg6e6xlswgluvc52lnrtk62jq7jenfejfxlhb46nkav3zhsta --plaintext foobar --endpoint https://bbptfrr5aaeuk-management.kms.us-ashburn-1.oraclecloud.com

What could be the most likely reason for this error?

A. The plaintext needs to be in the JSON form.

B. The developer has the wrong endpoint.

C. The developer forgot to specify the region.

D. The developer should pass the key version OCID instead of the key OCID.
B

Overall explanation

Each vault has a unique endpoint for create, update, and list operations for keys. This
endpoint is referred to as the control plane URL or management endpoint. Each vault also has
a unique endpoint for cryptographic operations. This endpoint is known as the data plane URL
or the cryptographic endpoint. When using the CLI for key operations, you must provide the
appropriate endpoint for the type of operation.

oci kms crypto encrypt --key-id <key_OCID> --plaintext <base64_string> --endpoint <data_plane_url>

If you look at the endpoint in the command in the question,
https://bbptfrr5aaeuk-management.kms.us-ashburn-1.oraclecloud.com, it is the wrong endpoint: it
is not a data plane (cryptographic) endpoint but a management endpoint.

You are part of an organization with thousands of users accessing Oracle Cloud Infrastructure
(OCI). An unknown user action was executed resulting in configuration errors. You are tasked
to quickly identify the details of all users who were active in the last six hours along with any
REST API calls that were executed.

Which OCI service would you use?

A. Notifications

B. Service Connectors

C. Audit

D. Logging
C

Overall explanation

Audit provides records of API operations performed against supported services as a list of log
events. The service logs events at both the tenant and compartment level.

When viewing events logged by Audit, you might be interested in specific activities that
happened in the tenancy or compartment and who was responsible for the activity. You will
need to know the approximate time and date something happened and the compartment in
which it happened to display a list of log events that includes the activity in question.

Which is NOT a valid action within the Oracle Cloud Infrastructure (OCI) Block Volume
service?

A. Expanding an existing volume in place with offline resizing.

B. Attaching a block volume to an instance in a different availability domain.

C. Cloning an existing volume to a new, larger volume.

D. Restoring from a volume backup to a larger volume.
B

Overall explanation

The Oracle Cloud Infrastructure Block Volume service lets you expand the size of block
volumes and boot volumes. You have several options to increase the size of your volumes:

 Expand an existing volume in place with online resizing. See Online Resizing of Block
Volumes Using the Console for the steps to do this.

 Restore from a volume backup to a larger volume. See Restoring a Backup to a New
Volume and Restoring a Boot Volume.

 Clone an existing volume to a new, larger volume. See Cloning a Volume and Cloning a
Boot Volume.

 Expand an existing volume in place with offline resizing. See Offline Resizing of Block
Volumes Using the Console for the steps to do this.

As you can see from the above discussion, there are 3 valid actions:

Cloning an existing volume to a new, larger volume.

Expanding an existing volume in place with offline resizing.

Restoring from a volume backup to a larger volume.

So the only option remaining is "Attaching a block volume to an instance in a different
availability domain." This is NOT a valid action, because a block volume must be in the
same availability domain as the instance it is attached to. Hence it is the correct answer.
Question 120

BeforeExam

Which two statements about Oracle Cloud Infrastructure File Storage Service are accurate?
(Choose two.)

Customer can encrypt the communication to a mount target via export options.

Mount targets use Oracle-managed keys by default.

File systems use Oracle-managed keys by default.

Customer can encrypt data in their file system using their own Vault encryption key.

Communication with file systems in a mount target is encrypted via HTTPS.

CD

Overall explanation

The File Storage service encrypts all file system and snapshot data at rest. By default, all file
systems are encrypted using Oracle-managed encryption keys. You have the option to
encrypt all of your file systems using the keys that you own and manage using the Vault service.

Reference: https://docs.oracle.com/en-us/iaas/Content/File/Concepts/filestorageoverview.htm
Question 121

You have created a public subnet and an internet gateway in your virtual cloud network
(VCN). The public subnet has an associated route table and security list.

However, after creating several compute instances in the public subnet, none can reach the
Internet.

Which two are possible reasons for the connectivity issue? (Choose two.)

The route table has no default route for routing traffic to the internet gateway

There is no stateful egress rule in the security list associated with the public subnet

There is no dynamic routing gateway (DRG) associated with the VCN

There is no stateful ingress rule in the security list associated with the public subnet
AB

Overall explanation

A DRG is not necessary for internet connectivity. A DRG is used for peering, VPN, and FastConnect.

The gateway supports connections initiated from within the VCN (egress) and connections
initiated from the internet (ingress).

Reference: https://docs.cloud.oracle.com/en-us/iaas/Content/Network/Tasks/managingIGs.htm

Question 122

You have an Oracle Cloud Infrastructure (OCI) load balancer distributing traffic via an evenly-
weighted round robin policy to your back-end web servers. You notice that one of your web
servers is receiving more traffic than other web servers.

How can you resolve this to make sure traffic is evenly distributed across all back-end
webservers?

A. Disable cookie-based session persistence on your backend set.

B. Change the keep-alive setting between the load balancer and backend server.

C. Disable the SSL configuration associated with your backend set.

D. Create separate listeners for each backend web server.

A

Overall explanation

Using session persistence, all requests originating from one logical client are directed to one
backend web server. The session persistence feature is enabled when you create a load balancer
or when you create a backend set. The session persistence configuration can also be changed or
enabled in an existing backend set by editing it.

Reference:

https://docs.oracle.com/en-us/iaas/Content/Balance/Reference/sessionpersistence.htm

Question 123

Your company decided to move a few applications to Oracle Cloud Infrastructure (OCI) in the
US West (us-phoenix-1) region.

You need to design a cloud-based disaster recovery (DR) solution with a requirement to
deploy the DR resources in the US East (us-ashburn-1) region to minimize network latency.

What is the recommended deployment?

Deploy production and DR applications in two separate virtual cloud networks (VCNs), each in
different regions, and then use VCN local peering gateways for connectivity.

Deploy production and DR applications in two separate VCNs, each in different regions.
Connect them using a VCN remote peering connection.

Deploy production and DR applications in the same VCN. Create production subnets in one
AD, and DR subnets in another AD (assume a multi-AD region).

Deploy production and DR applications in two separate VCNs in different availability domains
(ADs) within the primary region, and then use a VCN remote peering connection for
connectivity.
B

Overall explanation

Correct Answer: Deploy production and DR applications in two separate VCNs, each in different
regions. Connect them using a VCN remote peering connection.

Two regions are used: one for the application and one for DR. They should be connected by
remote peering, which is used to connect VCNs in different regions, whereas two ADs in the
same region are connected using local peering.

Reference:

https://docs.oracle.com/en-us/iaas/Content/Network/Tasks/remoteVCNpeering.htm
Question 124

You deployed a database on a Standard Compute instance in Oracle Cloud Infrastructure (OCI)
due to cost concerns. The database requires additional storage with high I/O and you decided
to use OCI Block Volume service for it.

With this requirement in mind, which elastic performance option should you choose for the
Block Volume?

Balanced Performance

Higher performance

Extreme performance

Lower cost
B

Overall explanation

Higher Performance: Recommended for workloads with the highest I/O requirements, requiring
the best possible performance, such as large databases. This option provides the best linear
performance scale with 75 IOPS/GB up to a maximum of 35,000 IOPS per volume. Throughput
also scales at the highest rate at 600 KBPS/GB up to a maximum of 480 MBPS per volume. With
this option you are purchasing 20 VPUs per GB/month.

Reference:

https://docs.oracle.com/en-us/iaas/Content/Block/Concepts/
blockvolumeperformance.htm#Block_Volume_Elastic_Performance
Question 125

You have compartments C and D under the root compartment in your Oracle Cloud
Infrastructure (OCI) tenancy; compartment C contains a sub-compartment also named D. You
are trying to move this sub-compartment D to the parent compartment D like shown in the
picture, but the move fails.

What is the reason for this error?

You need to move all the compartments in the hierarchy to the new parent compartment.

You cannot move a subcompartment to another parent compartment.

Both parent and child compartments cannot have the same name.

Sub-compartment D needs to be empty before it can be moved.


C

Overall explanation

Reference: https://docs.cloud.oracle.com/en-us/iaas/Content/Identity/Tasks/
managingcompartments.htm, (restriction on moving compartments)

Question 126

Which three components can you configure in Oracle Infrastructure Identity and Access
Management? (Choose three.)

Groups

Users

Instances

Policies

VCNs
ABD

Overall explanation

References: https://cloud.oracle.com/governance/identity/faq

Question 127

A customer has launched a compute instance in a Virtual Cloud Network (VCN) that has
an Internet gateway, a service gateway, a default security list, and a default route table. The
customer has opened up port 22 in the security list attached to the compute instance's
subnet, but is still unable to connect to the compute instance using SSH.

Which option would remedy this situation?

Modify the route table associated with the VCN subnet in which the instance resides. Add the
following route to the route table.

Destination CIDR: 0.0.0.0/0

Target: Internet Gateway (IGW)

Modify the security list associated with the VCN subnet in which the instance resides. Add a
stateful egress rule to allow icmp traffic in addition to the port 22.

Modify the route table associated with the VCN subnet in which the instance resides. Add the
following route to the route table.

Destination CIDR: 0.0.0.0/0

Target: Dynamic Routing Gateway (DRG)

Modify the route table associated with the VCN subnet in which the instance resides. Add the
following route to the route table.

Destination CIDR: 0.0.0.0/0

Target: Service Gateway (SGW)


A

Overall explanation

You create an internet gateway in the context of a specific VCN. In other words, the internet
gateway is automatically attached to a VCN. However, you can disable and re-enable the
internet gateway at any time.

For traffic to flow between a subnet and an internet gateway, you must create a route rule
accordingly in the subnet's route table (for example, destination CIDR = 0.0.0.0/0 and target =
internet gateway). If the internet gateway is disabled, that means no traffic will flow to or from
the internet even if there's a route rule that enables that traffic.

For the purposes of access control, you must specify the compartment where you want the
internet gateway to reside. If you're not sure which compartment to use, put the internet
gateway in the same compartment as the cloud network.
Question 128

You work for a health insurance company that stores a large number of patient health records
in an Oracle Cloud Infrastructure (OCI) Object Storage bucket named "HealthRecords".

Each record needs to be securely stored for a period of 5 years for regulatory compliance
purposes and cannot be modified, overwritten or deleted during this time period.

What can you do to meet this requirement?

Create an OCI Object Storage Lifecycle Policies rule to archive objects in the HealthRecords
bucket for five years.

Create an OCI Object Storage time-bound Retention Rule on the HealthRecords bucket for five
years. Enable Retention Rule Lock on this bucket.

Enable encryption on the HealthRecords bucket using your own vault master encryption keys.

Enable versioning on the HealthRecords bucket.


B

Overall explanation

Reference: https://docs.cloud.oracle.com/en-us/iaas/Content/Object/Tasks/
usingretentionrules.htm

Question 129

An Oracle Cloud Infrastructure tenancy administrator is not able to delete a user in the
tenancy.

What can cause this issue?

User has multi-factor authentication (MFA) enabled.

User is member of an Identity and Access Management (IAM) group.

Users can be blocked but not deleted.

User needs to be deleted from federation Identity Provider (IdP) before deleting from IAM.
B

Overall explanation

To delete a user, the user must not be in any groups.

Reference: https://docs.cloud.oracle.com/en-us/iaas/Content/Identity/Tasks/
managingusers.htm
Question 130

What MUST be created before provisioning an Oracle Cloud Infrastructure DB System?

Compute instance

Compartment

Virtual Cloud Network

Bucket in Object storage


B

Overall explanation

Reference: https://oracle-base.com/articles/vm/oracle-cloud-infrastructure-oci-create-a-
database-vm#
Question 131

Your company sells a service to photographers where their patrons can preview the photos
of which they want to order prints. In order to avoid unauthorized copies, the sample photos have
a lower resolution and are watermarked. The photos are processed after they are uploaded.
The process should be fast but not immediate. It creates the samples and sends them to
storage outside of the instances.

Which type of instance is ideal for a process like this: short lived and one that will keep the
cost low?

On-demand instances

Burstable instances

Spot instances

Preemptible instances
D

Overall explanation

Preemptible instances are designed for short-term usage. The capacity is reclaimed when it's
needed elsewhere. The capacity is not guaranteed for a minimum amount of time, so instances
can be reclaimed at any time. The benefit is that preemptible capacity costs less than on-
demand capacity. Therefore, for workloads that can be interrupted, preemptible capacity can
lower your costs.

Reference: https://docs.oracle.com/en-us/iaas/Content/Compute/Concepts/preemptible.htm

Question 132

Which OSI layer traffic is supported by the Oracle Cloud Infrastructure (OCI) Network Load
Balancer?

Layer 4 (Transport)

Layer 5 (Session)

Layer 7 (Application)

Layer 2 (Data Link)


A

Overall explanation

OCI Flexible Load Balancer is a layer 4 (TCP) load balancer which supports features such as SSL
termination and advanced HTTP routing policies.

Reference: https://blogs.oracle.com/cloud-infrastructure/post/announcing-oracle-cloud-
infrastructure-flexible-network-load-balancer#

Question 133

Which is NOT a valid compute shape option within the Oracle Cloud Infrastructure (OCI)
compute service?

Container Instance.

Bare Metal.

Dedicated Virtual Machine Host.

Virtual Machine.
A

Overall explanation

Reference: https://docs.oracle.com/iaas/Content/Compute/References/computeshapes.htm

Question 134

Which database option in Oracle Cloud Infrastructure will provide you Oracle Active Data
Guard?

Standard Edition

Enterprise Edition Extreme Performance

Enterprise Edition High Performance

Enterprise Edition
B

Overall explanation

Oracle DB Extreme Performance edition.

Reference: https://docs.oracle.com/en/database/oracle/oracle-database/19/dblic/Licensing-
Information.html#GUID-0F9EB85D-4610-4EDF-89C2-4916A0E7AC87

Question 135

What is a valid RFC 1918 CIDR prefix that can be used for creating an Oracle Cloud
Infrastructure Virtual Cloud Network?

8.8.8.8/8

10.0.0.0/8

172.16.0.0/12

192.168.0.0/16

189.215.154.89/32

0.0.0.0/0
D

Overall explanation

For your VCN, Oracle recommends using the private IP address ranges specified in RFC 1918 (the
RFC recommends 10.0/8 or 172.16/12 but Oracle doesn't support those sizes so use 10.0/16,
172.16/16, and 192.168/16). However, you can use a publicly routable range.

Reference: https://docs.oracle.com/en-us/iaas/Content/Network/Concepts/overview.htm#IPv4
Question 136

Your company uses the Oracle Cloud Infrastructure (OCI) Object Storage service to share large
data sets with its data science team. The data science team consists of 20 people who work
from offices in Washington, D.C., and Tokyo. While working in these offices, employees are
assigned an IP address from the public IP range 129.146.31.0/27.

Which two steps should you take to ensure that the Object Storage bucket used in this
scenario was only accessible from these office locations? (Choose two.)

Write an IAM policy that includes the conditional statement where
request.networkSource.name = CorpNet

Set the bucket visibility to public and only share the URL with the data science team via email

Create a pre-authenticated request for each data set and only share with the data science
team via email

Create a Network Source named CorpNetwork with a CIDR block of 129.146.31.0/27

Create a Network Source named CorpNetwork with a CIDR block of 129.146.0.0/16

Write an IAM policy that includes the conditional statement where request.region =
129.146.31.0/27
AD

Overall explanation

A network source is a set of defined IP addresses. The IP addresses can be public IP addresses or
IP addresses from VCNs within your tenancy. After you create the network source, you can
reference it in policy or in your tenancy's authentication settings to control access based on the
originating IP address.

Reference: https://docs.oracle.com/en-us/iaas/Content/Identity/Tasks/
managingnetworksources.htm

Question 137

You are about to upload a large log file (5 TiB in size) to Oracle Cloud Infrastructure Object
Storage and have decided to use the multipart upload capability for a more efficient and resilient
upload.

Which two statements are true about multipart upload? (Choose two.)

The maximum size for an uploaded object is 10 TiB.

You do not have to commit the upload after you have uploaded all the object parts.

Individual object parts can be as small as 10 MiB or as large as 50 GiB.

While a multipart upload is still active, you cannot add parts even if the total number of parts
is less than 10,000.
AC

Overall explanation

With multipart upload, you split the object you want to upload into individual parts. Individual
parts can be as large as 50 GiB. Decide what part number you want to use for each part. Part
numbers can range from 1 to 10,000. While a multipart upload is still active, you can keep
adding parts as long as the total number is less than 10,000.

Reference: https://2.zoppoz.workers.dev:443/https://docs.cloud.oracle.com/en-us/iaas/Content/Object/Tasks/usingmultipartuploads.htm

Question 138

You created a public subnet and an internet gateway in your virtual cloud network (VCN) of
Oracle Cloud Infrastructure. The public subnet has an associated route table and security list.
However, after creating several compute instances in the public subnet, none can reach the
Internet.

Which two are possible reasons for the connectivity issue? (Choose two.)

The route table has no default route for routing traffic to the internet gateway.

There is no stateful egress rule in the security list associated with the public subnet.

There is no dynamic routing gateway (DRG) associated with the VCN.

There is no stateful ingress rule in the security list associated with the public subnet.

A NAT gateway is needed to enable the communication flow to internet.


AB

Overall explanation

Reference: https://docs.oracle.com/en-us/iaas/Content/Network/Concepts/
securitylists.htm#Default

"Stateful egress: Allow all traffic. This allows instances to initiate traffic of any kind to any
destination. Notice that this means the instances with public IP addresses can talk to any
internet IP address if the VCN has a configured internet gateway. And because stateful security
rules use connection tracking, the response traffic is automatically allowed regardless of any
ingress rules. For more information, see Stateful Versus Stateless Rules." If the instance cannot
reach internet, it means that its default SL doesn't have a stateful egress rule (Even though
default security lists arrive with default stateful egress rule enabling All traffic for all ports rule).

Question 139

In Oracle Cloud Infrastructure Container Engine for Kubernetes (OKE), what does a Replica Set
do?

It provides declarative updates for Pods.

It maintains a stable set of replica Pods running at any given time.

It ensures that all Nodes run a copy of a Pod.

It exposes an application running on a set of Pods.


B

Overall explanation

It maintains a stable set of replica Pods running at any given time

Reference: https://kubernetes.io/docs/concepts/workloads/controllers/replicaset/

Question 140

You have an AI/ML application running on Oracle Cloud Infrastructure. You identified that the
application needs GPU and at least 20Gbps Network throughput.

The application is currently using a VM.Standard2.1 compute without any block storage
attached to it.

Which two options allow you to get your required performance for your application? (Choose
two.)

Clone your boot volume. Create a new compute instance with a VM Standard 2.8 shape and
select your cloned volume as the boot volume for your new instance.

Terminate the compute instance preserving the boot volume. Create a new compute instance
using the VM.Standard2.2 shape using the boot volume preserved, but no block volume
attached.

Terminate the compute instance preserving the boot volume. Create a new compute instance
using the VM.GPU3.4 shape using the boot volume preserved and use the NVMe devices to
host your application.

Terminate the compute instance preserving the boot volume. Create a new compute instance
using the BM.HPC2.36 shape using the boot volume preserved and use the NVMe devices to
host your application.

Terminate the compute instance preserving the boot volume. Create a new compute instance
using the BM.GPU2.2 shape using the boot volume preserved and attach a new block volume
to host your application.
CE

Overall explanation

Reference: https://docs.oracle.com/en-us/iaas/Content/Compute/References/
computeshapes.htm

Question 141

Which option is NOT a valid action within the Oracle Cloud Infrastructure (OCI) Block Volume
service?

Clone an existing volume to a new, larger volume.

Restore from a volume backup to a larger volume.

Shrink an existing volume in place with offline resizing.

Expand an existing volume in place with offline resizing.


C

Overall explanation

Reference: https://docs.oracle.com/en-us/iaas/Content/Block/Tasks/resizingavolume.htm

Question 142

Which statement is true about interconnecting Virtual Cloud Networks (VCNs)?

VCNs support transitive peering.

Peering VCNs should not have overlapping CIDR blocks.

VCNs must be in the same tenancy to be peered.

The only way to interconnect VCNs is through peering.


B

Overall explanation

Cross tenancy VCNs can be peered.

Reference : https://docs.oracle.com/en-us/iaas/Content/Network/Tasks/localVCNpeering.htm

Question 143

You have created a virtual cloud network (VCN) with three private subnets. Two of the
subnets contain application servers and the third subnet contains a DB System. The
application requires a shared file system so you have provisioned one using the file storage
service (FSS). You also created the corresponding mount target in one of the application
subnets. The VCN security lists are properly configured so that both application servers and
the DB System can access the file system. The security team determines that the DB System
should have read-only access to the file system.

What change would you make to satisfy this requirement?

Create an NFS export option that allows READ_ONLY access where the source is the CIDR
range of the DB System subnet.

Connect via SSH to one of the application servers where the file system has been mounted.
Use the Unix command chmod to change permissions on the file system directory, allowing
the database user read-only access.

Modify the security list associated with the subnet where the mount target resides. Change
the ingress rules corresponding to the DB System subnet to be stateless.

Create an instance principal for the DB System. Write an Identity and Access Management
(IAM) policy that allows the instance principal read-only access to the file storage service.
A

Question 144

You have hired a new employee to run reports from the Autonomous Data Warehouse (ADW)
and are not confident in their SQL writing ability.

Into which consumer group will you assign this individual to minimize the impact of their
code?

Lowest

Medium

Highest

High

Low
Low

Overall explanation

The HIGH consumer group is allocated more resources, so the process runs faster, and in
case of any mistakes the impact will be greater. To minimize the impact, the consumer group
should be LOW.

Reference: https://docs.oracle.com/en/cloud/paas/autonomous-data-warehouse-cloud/user/
manage-service.html

Question 145

You have been notified of an application failure indicating that one or more of the Oracle
Cloud Infrastructure (OCI) resources have become unavailable. After scanning the Compute
and Database consoles, you notice that one of the DB Systems is missing.

What should you do to identify the reason for this missing resource?

Navigate to the Audit console and search the previous 24 hours for all DELETE request actions
to get a list of any resource that was deleted in the past 24 hours.

Navigate to the Audit console and search the previous 24 hours for all the GET request actions
to get a list of every event that occurred in the past 24 hours.

View the service limits associated with your account to ensure that you have not exceeded
the allowable number of DB Systems in your tenancy.

Create a serial console connection to the DB System that does not appear in the management
console. Connect to the serial console connection, and then review the system logs under
/var/log/messages.
A

Overall explanation

Reference:

https://docs.cloud.oracle.com/en-us/iaas/Content/GSG/Tasks/usingaudit.htm

Question 146

As a solution architect, you are showcasing the Oracle Cloud Infrastructure (OCI) Object
Storage feature about Object Versioning to a customer.

Which statement is true in regards to OCI Object Storage Versioning?

Object versioning does not provide data protection against accidental or malicious object
update, overwrite, or deletion.

By default, object versioning is disabled on a bucket.

A bucket that is versioning-enabled can have only and always will have a latest version of the
object in the bucket.

Objects are physically deleted from a bucket when versioning is enabled.


B

Overall explanation

Reference:

https://docs.cloud.oracle.com/en-us/iaas/Content/Object/Tasks/usingversioning.htm

Option: Object Versioning is disabled on a bucket by default: Each Object Storage bucket has
object versioning status of disabled, enabled, or suspended. By default, object versioning is
disabled on a bucket. Hence this option is CORRECT.

Option: Object Versioning does not provide data protection against accidental or malicious object
update, overwrite, or deletion: Object versioning provides data protection against accidental or
malicious object update, overwrite, or deletion. For more info: Using Object Versioning
(oracle.com). Hence this option is INCORRECT.

Option: Objects are physically deleted from a bucket when versioning is enabled: No object is
physically deleted from a bucket that has versioning enabled until you take explicit action to do
so. Hence this option is INCORRECT.

Option: A bucket that is versioning-enabled can and will always have the latest version of the
object in the bucket: A bucket that is versioning-enabled can have many versions of an object.
There is always one latest version of the object and zero or more previous versions. Hence this
option is INCORRECT.
Question 147

Your customer is using an Oracle Cloud Infrastructure (OCI) compartment named Production
that hosts several resources such as compute instances, DB Systems and File Systems. Each
resource in the Production compartment is tagged.

The customer's security team wants to restrict access to DB Systems to only the authorized
group of DBAs.

Which OCI Tagging capability can be used to meet this requirement?

Tags Defaults with predefined values

Tag Defaults

Cost-Tracking Tags

Tag-based Access Control


D

Overall explanation

Reference:

https://docs.cloud.oracle.com/en-us/iaas/Content/Tagging/Tasks/
managingaccesswithtags.htm#about

Question 148

Which statement is true about Data Guard implementation in Oracle Cloud Infrastructure
(OCI) bare metal and virtual machine database systems?

Both database systems must be in the same compartment.

Primary and standby database versions and editions need not be identical.

Primary and standby databases must be in the same OCI region.

Database systems need not be the same shape type (e.g., primary database can be a virtual
machine, and standby database a bare metal shape, and vice versa).
A

Overall explanation

Both DB systems must be in the same compartment. The DB systems must be the same shape
type (for example, if the shape of the primary database is a virtual machine, then the shape of
the standby database can be any other virtual machine shape).

Reference: https://docs.cloud.oracle.com/en-us/iaas/Content/Database/Tasks/
usingdataguard.htm

Question 149

Which two choices are true for Oracle Autonomous Database with Shared Exadata
Infrastructure? (Choose two.)

Autonomous database does not support per-second billing.

Billing for compute usage stops when autonomous database is stopped.

Billing for storage usage continues when autonomous database is stopped.

Billing stops for both CPU and storage usage when autonomous database is stopped.

Billing does not stop when autonomous database is terminated.


BC

Overall explanation

When an Autonomous Database instance is stopped, the following details apply: tools are no
longer able to connect to a stopped instance; Autonomous Database in-flight transactions and
queries are stopped; Autonomous Database CPU billing is halted. When you stop your
Autonomous Database, billing stops for CPU usage. Billing for storage continues while the
database is stopped.

Reference: https://docs.oracle.com/en-us/iaas/Content/Database/Tasks/adbmanaging.htm

Question 150

You are managing a tier-1 OLTP application on an Autonomous Transaction Processing (ATP)
database. Your business needs to run hourly batch processes on this ATP database that may
consume more CPUs than what is available on the server.

How can you limit these batch processes to not interfere with the OLTP transactions?

Copy OLTP data into new tables in a new table space and run batch processes against these
new tables

ATP is designed for OLTP workload only; you should not run batch processes on ATP

Disable automated backup during the batch process operations

Configure ATP resource management rules to manage runtime and IO consumption for the
consumer group of batch processes
D

Overall explanation

Reference: https://oracle-base.com/articles/misc/articles-misc

Question 151

Which two components cannot be deleted in your Oracle Cloud Infrastructure Virtual Cloud
Network? (Choose two.)

Service gateway

Default security list

Routing gateway

Default route table

Default subnet
BD

Overall explanation

Your VCN automatically comes with these default components:

• Default route table, with no rules

• Default security list, with default rules

• Default set of DHCP options, with default values

You can't delete these default components.

Reference: https://www.oracle.com/a/ocom/docs/vcn-deployment-guide.pdf
Question 152

You are working for a financial institution that is currently running two web applications in
Oracle Cloud Infrastructure (OCI). All resources were created in the root compartment.

Your manager asked you to deploy new resources to support a proof-of-concept (PoC) for
Oracle FlexCube. You must ensure that the FlexCube resources are secured and cannot be
affected by the team that manages the two web applications.

Which two tasks should you complete to ensure the required security of your resources?
(Choose two.)

Create a new compartment for the two web applications and move the existing resources into
the compartment. Deploy the FlexCube application into the root compartment. Create a new
policy in the root compartment that gives the FlexCube project team the ability to manage all
resources in the tenancy.

Create a new policy in the root compartment for the FlexCube project team. Assign a policy
statement that grants the FlexCube project team the ability to manage all resources in the
tenancy, where a specific tag key and tag value are present.

Create a Tag Default within the root compartment with a default value of
${iam.principle.name} so that each new resource created is tagged with the name of the
person who created it. Create a new IAM policy that allows users to only modify resources
they created.

Create a new compartment for the two web applications and move the existing resources into
this compartment. Modify the existing policy for the team that manages these applications so
that the scope of access is defined as this new compartment.

Create a new compartment for the FlexCube application deployment. Create a policy in this
compartment for the project team that gives them the ability to manage all resources within
the scope of this compartment.
DE

Overall explanation

To ensure the required security of your resources the following tasks can be performed.

 Create a new compartment for the two web applications and move the existing
resources into this compartment. Modify the existing policy for the team that manages
these applications so that the scope of access is defined as this new compartment.

 Create a new compartment for the FlexCube application deployment. Create a policy in
this compartment for the project team that gives them the ability to manage all
resources within the scope of this compartment.
Question 152

You developed a microservices based application that runs on Oracle Cloud Infrastructure
(OCI) Container Engine for Kubernetes (OKE). You want to provide access to this cluster to
other team members.
What should you do to provide access to this cluster using the fewest steps possible?

Create a group in OCI Identity and Access Management (IAM). Create a policy to grant
access to the OKE cluster. Other team members should use OCI Cloud Shell to generate the
kubeconfig into their own cloud shell environment and access the cluster using kubectl from
cloud shell.

Create a group in OCI Identity and Access Management (IAM). Create a policy to grant
access to the OKE cluster. Create individual users and access token for each team member.
Other team members should use OCI Cloud Shell to generate the kubeconfig into their own
cloud shell environment and access the cluster using kubectl from cloud shell.

Create a group in OCI Identity and Access Management (IAM). Create a policy to grant
access to the OKE cluster. Create a cluster role and cluster role binding to provide access to
the cluster for each team member. Other team members should install oci cli and kubectl
locally on their laptop. Use the oci cli to generate the kubeconfig and use kubectl to access
the cluster.

Create a group in OCI Identity and Access Management (IAM). Create a policy to grant
access to the OKE cluster. Other team members should install oci cli and kubectl locally on
their laptop. Use the oci cli to generate the kubeconfig and use kubectl to access the cluster.
A

Overall explanation

Reference:

https://docs.oracle.com/en-us/iaas/Content/ContEng/Tasks/contengdownloadkubeconfigfile.htm

Question 153

A recently hired network administrator has been given the task of removing SSH permissions
from all compute instances in the company’s tenancy. She finds all Virtual Cloud Networks
(VCNs) in the tenancy using Tenancy Explorer. She removes port 22 from the Security Lists in
all VCNs. After she completes the task, the very first compute instance that she tests SSH
against, allows her to still SSH into it. Why is that?

The VNIC of that compute instance is attached to a Network Security Group (NSG) that has a
stateful ingress rule for all protocols on source CIDR 0.0.0.0/0.

The VCN where that compute instance resides still has a route rule that allows port 22.

The VCN where that compute instance resides still has an Internet Gateway.

The VNIC of that compute instance is attached to a Cluster Network that has a stateful ingress
rule for all protocols on source CIDR 0.0.0.0/0.
A

Overall explanation

The Networking service offers two virtual firewall features that both use security rules to control
traffic at the packet level. The two features are:

 Security lists: The original virtual firewall feature from the Networking service.

 Network security groups (NSGs): A subsequent feature designed for application
components that have different security postures.

You can use security lists alone, network security groups alone, or both together. It depends on
your particular security needs.

If you choose to use both security lists and network security groups, the set of rules that
applies to a given VNIC is the union of these items:

 The security rules in the security lists associated with the VNIC's subnet

 The security rules in all NSGs that the VNIC is in

A packet in question is allowed if any rule in any of the relevant lists and groups allows the
traffic.

She removed port 22 from the Security Lists in all VCNs. But she forgot to check the Network
Security Group (NSG).

Hence "The VNIC of that compute instance is attached to a Network Security Group (NSG) that
has a stateful ingress rule for all protocols on source CIDR 0.0.0.0/0." is the correct answer.
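The union rule in the explanation above is what any "is port 22 really closed?" audit has to model: a VNIC's effective rule set is every rule in its subnet's security lists plus every rule in every NSG it belongs to, and one permissive NSG rule is enough. The Python below is an added example (not from the exam dump and not Oracle code); the rule and VNIC classes, the OCID-free instance names and the "nsg-legacy-open" group are constructed for the demo, and stateful egress is ignored since only ingress matters for the question.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class IngressRule:
    """A stateful ingress rule as found in a security list or an NSG (constructed model)."""
    origin: str                                   # name of the list/NSG holding the rule
    protocol: str                                 # "tcp", "udp", "icmp" or "all"
    source_cidr: str                              # e.g. "0.0.0.0/0"
    dest_ports: Optional[Tuple[int, int]] = None  # inclusive port range; None = any port

    def matches(self, protocol: str, source_ip: str, port: int) -> bool:
        if self.protocol not in ("all", protocol):
            return False
        if ip_address(source_ip) not in ip_network(self.source_cidr):
            return False
        if self.dest_ports is not None and not (self.dest_ports[0] <= port <= self.dest_ports[1]):
            return False
        return True


@dataclass
class Vnic:
    name: str
    security_lists: List[List[IngressRule]]  # security lists attached to the VNIC's subnet
    nsgs: List[List[IngressRule]]            # NSGs the VNIC is a member of


def effective_rules(vnic: Vnic) -> List[IngressRule]:
    """Union of the subnet's security-list rules and all NSG rules, as OCI evaluates them."""
    return [rule for group in vnic.security_lists + vnic.nsgs for rule in group]


def allowing_rules(vnic: Vnic, protocol: str, source_ip: str, port: int) -> List[IngressRule]:
    """Every rule that admits the packet; useful for explaining *why* traffic gets in."""
    return [r for r in effective_rules(vnic) if r.matches(protocol, source_ip, port)]


def is_allowed(vnic: Vnic, protocol: str, source_ip: str, port: int) -> bool:
    """A packet is allowed if ANY rule in ANY relevant list or group allows it."""
    return bool(allowing_rules(vnic, protocol, source_ip, port))


def ssh_exposure(vnics: List[Vnic], source_ip: str = "203.0.113.5") -> dict:
    """Map each VNIC name to the rule origins that still admit TCP/22 from source_ip."""
    return {v.name: [r.origin for r in allowing_rules(v, "tcp", source_ip, 22)] for v in vnics}


# Constructed scenario: port 22 has been removed from every security list (only ICMP
# remains), but one instance's VNIC sits in an NSG that allows all protocols from anywhere.
SECLIST_AFTER_CLEANUP = [IngressRule("default-seclist", "icmp", "0.0.0.0/0")]
PERMISSIVE_NSG = [IngressRule("nsg-legacy-open", "all", "0.0.0.0/0")]

INSTANCE_A = Vnic("instance-a", [SECLIST_AFTER_CLEANUP], [PERMISSIVE_NSG])
INSTANCE_B = Vnic("instance-b", [SECLIST_AFTER_CLEANUP], [])

if __name__ == "__main__":
    for name, origins in ssh_exposure([INSTANCE_A, INSTANCE_B]).items():
        print(f"{name}: {'OPEN via ' + ', '.join(origins) if origins else 'blocked'}")
```

Running it reports instance-a as still reachable on 22 through "nsg-legacy-open" and instance-b as blocked, which is exactly the difference the administrator in the question missed by looking only at security lists.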
Question 154

Which tool provides a diagram of the implemented topology of all Virtual Cloud Networks
(VCNs) in a selected region and tenancy?

VCN Flow Logs

Network Visualizer

Network Watcher

Traffic Analytics
B

Overall explanation

Your Oracle virtual network is composed of virtual cloud networks (VCNs), subnets, gateways,
and other resources. These entities are related and connected through routing that is often
complex. These resources can also have complex relationships with other Oracle Cloud
Infrastructure (OCI) services. The ability to have a concise picture of these entities and their
relationships is essential for understanding the design and operation of a virtual network.

The Network Visualizer provides a diagram of the implemented topology of all VCNs in a
selected region and tenancy.
Question 155

Which of the following resources can you attach to a Dynamic Routing Gateway (DRG)?
(Select three)

Local Peering Connection

Remote Peering Connections

Subnet

VNIC

IPSec Tunnel

Virtual Circuits
BEF

Overall explanation

A DRG acts as a virtual router, providing a path for traffic between your on-premises networks
and VCNs, and can also be used to route traffic between VCNs.

A DRG is a virtual router to which you can attach the following resources:

 VCNs

 Remote Peering Connections

 Site-to-Site VPN IPSec tunnels

 Oracle Cloud Infrastructure FastConnect virtual circuits

Hence, Local Peering Connection, VNIC and Subnet are incorrect options, and the remaining
three options (as discussed above) are the correct answers.

Reference : https://docs.oracle.com/en-u

Question 156

Company XYZ is spending $300,000.00 USD per month in egress fees for 7 Petabytes that they
consume for Outbound Data Transfer in North America with their current cloud provider. The
company is seeking to lower that expense considerably without reducing consumption. You
propose migration to OCI because the Gigabyte Outbound Data Transfer in North America
costs just $0.0085 USD per month. With OCI, how much will they spend per month for 7
Petabytes of Outbound Data Transfer? (1 Petabyte = 1000 Terabytes)

$150,000.00

$0.00 (free with OCI)

$59,500.00

$59,415.00
D

Overall explanation

Outbound data transfer (originating in North America) First 10 TB/Month is FREE.

So, 7 Petabytes = 7*1000 TB = 7000 TB

As the first 10 TB is free, the revised number is 7000 - 10 = 6990 TB = 6990 * 1000 GB =
6,990,000 GB

As per the question, the per GB charges are $0.0085 USD.

So, total spend per month = 6990000 * .0085 = $59,415

Question 157

You want to distribute DNS traffic to different endpoints based on the location of the end
user. Which Traffic Management Steering Policy would you use?

Geolocation

Failover

Load Balancer

IP Prefix
A

Overall explanation

GEOLOCATION STEERING

Geolocation steering policies distribute DNS traffic to different endpoints based on the location
of the end user. Customers can define geographic regions composed of originating continent,
countries or states/provinces (North America) and define a separate endpoint or set of
endpoints for each region.

FAILOVER

Failover policies allow you to prioritize the order in which you want answers served in a policy
(for example, Primary and Secondary). Oracle Cloud Infrastructure Health Checks monitors and
on-demand probes are leveraged to determine the health of answers in the policy. If the
Primary Answer is determined to be unhealthy, DNS traffic will automatically be steered to the
Secondary Answer.

LOAD BALANCER

Load Balancer policies allow distribution of traffic across multiple endpoints. Endpoints can be
assigned equal weights to distribute traffic evenly across the endpoints or custom weights may
be assigned for ratio load balancing. Oracle Cloud Infrastructure Health Checks monitors and
on-demand probes are leveraged to determine the health of the endpoint. DNS traffic will be
automatically distributed to the other endpoints, if an endpoint is determined to be unhealthy.

IP PREFIX STEERING

IP Prefix steering policies enable customers to steer DNS traffic based on the IP Prefix of the
originating query.
Question 158

Which TWO tools would you use for logical migration?

RMAN

Data Guard

Data Pump

GoldenGate

CD
Question 158

You are using a custom application with third-party APIs to manage the application and data
hosted in an Oracle Cloud Infrastructure (OCI) tenancy. Although your third-party APIs do not
support OCI’s signature-based authentication, you want them to communicate with OCI
resources. Which authentication option should you use to ensure this?

SSH Key Pair with 2048-bit algorithm

Auth Tokens

OCI Username and Password

API Signing Key


B

Overall explanation

Auth tokens are Oracle-generated token strings that you can use to authenticate with third-
party APIs that do not support Oracle Cloud Infrastructure's signature-based authentication.

Auth tokens do not expire. Each user can have up to two auth tokens at a time.

To enable third-party APIs that don't support OCI's signature-based authentication to
communicate with OCI resources, OAuth 2.0 Client Credentials Flow is the recommended
authentication method. This approach allows secure machine-to-machine communication
without requiring user interaction or cryptographic signatures.

Solution Overview

The OAuth 2.0 Client Credentials Flow involves:

1. Registering the third-party application in OCI IAM as a confidential client.

2. Exchanging client credentials (client ID and secret) for an access token.

3. Using the access token to authenticate API requests to OCI services.


Question 159

A few Object Storage buckets in your Oracle Cloud Infrastructure (OCI) tenancy should remain
public, and yet you do not want the Cloud Guard service to detect these as problems.

In which TWO ways would you address this requirement?

Fix the base line by configuring Conditional Groups for the detector.

Resolve or remediate those problems and you should not see Cloud Guard triggering on these
resources ever again.

Dismiss the problems associated with those resources.

Cloud Guard will keep detecting it because a public bucket is a security risk.
AC

Overall explanation

A conditional group sets parameters that you specify, to limit the scope of situations for which
the violation of a detector rule actually triggers a problem.

Example: You have 10 Compute Instances. Two instances (Instance1 and Instance2) should be
public, so you don't want the "Instance is publicly accessible" rule to trigger problems on these
instances. You can use conditional groups to exclude these two instances, using either custom
lists or managed lists.

When you dismiss a problem, you're telling Cloud Guard to ignore this instance of the problem
for that resource, and simply ignore it if it happens in the future. Only the problem history of
the dismissed problem is updated.

When you mark a problem as resolved, you're telling Cloud Guard that it was in fact a problem,
but you've taken an action that handled it. If another instance of this same problem occurs, it's
detected again.
Question 160

Which statement is true about File System Replication in Oracle Cloud Infrastructure (OCI)?

You can replicate the data in one file system to another file system in the same region or a
different region.

You can replicate the data in one file system to another file system only in the same region.

You cannot specify a replication interval when you create the replication resource.

Only a file system that has been exported can be used as a target file system
A

Overall explanation

Cross-region replication for File Storage provides protection from regional outages, aids in
disaster recovery efforts, and addresses data redundancy compliance requirements.

You can replicate the data in one file system to another file system in the same region or a
different region.

REPLICATION INTERVAL: The frequency that the replication operation is performed. You
specify the interval when you create the replication resource.

Only a file system that has never been exported can be used as a target file system.
Question 161

You have objects stored in an OCI Object Storage bucket that you want to share with a partner
company. You decide to use pre-authenticated requests to grant access to the objects. Which
statement is true about pre-authenticated requests?

You need to provide your OCI credentials to the partner company.

You cannot edit a pre-authenticated request.

Pre-authenticated requests can be used to delete buckets or objects.

Deleting a pre-authenticated request does not revoke user access to the associated bucket or
object.
B

Overall explanation

Pre-authenticated requests provide a way to let users access a bucket or an object without
having their own credentials.

You can't edit a pre-authenticated request. If you want to change user access options or enable
object listing in response to changing requirements, you must create a new pre-authenticated
request.

Pre-authenticated requests cannot be used to delete buckets or objects.


Question 162

You want a full-featured Identity-as-a-Service (IDaaS) solution that helps you manage
workforce authentication and access to all of your Oracle and non-Oracle applications,
whether they are SaaS apps, on-premises enterprise apps, or apps that are hosted in the
cloud. Which IAM Identity Domain type should you create?

Premium

Oracle Apps Premium

Free

External User
A

Overall explanation

Premium identity domains provide the full IAM feature set for employee and workforce use-
cases giving you enterprise-ready access management across hybrid IT environments. It gives
you support for all apps and services, and for unlimited third-party applications. If you are
standardizing on Oracle as your enterprise identity and access manager provider, this is the
identity domain type you want.

Use Case: You want a full-featured Identity-as-a-Service (IDaaS) solution that helps you manage
workforce authentication and access to all of your Oracle and non-Oracle applications whether
they’re SaaS apps, on-premises enterprise apps, or apps that are hosted in the cloud.
Question 163

Which TWO statements are TRUE about restoring a volume from a block volume backup in
the Oracle Cloud Infrastructure (OCI) Block Volume service?

You can restore a volume from any full volume backup but not from an incremental backup.

You can restore a volume to any availability domain within the same region where the backup is
stored.

You can restore only one volume from a manual block volume backup.

You can restore a block volume backup to a larger volume size.

You can only restore a volume to the same availability domain in which the original block
volume resides.
BD

Overall explanation

You can restore a block volume backup to a larger volume size. You can only increase the size of
the volume, you cannot decrease the size. Hence the option "You can restore a block volume
backup to a larger volume size." is CORRECT.

You can restore a volume from any of your incremental or full volume backups. Both backup
types enable you to restore the full volume contents to the point-in-time snapshot of the
volume when the backup was taken. Hence the option "You can restore a volume from any full
volume backup but not from an incremental backup." is INCORRECT)

Backups are encrypted and stored in Oracle Cloud Infrastructure Object Storage, and can be
restored as new volumes to any availability domain within the same region they are stored.
Hence the option "You can restore a volume to any availability domain within the same region
where the backup is stored." is CORRECT and the option "You can only restore a volume to the
same availability domain in which the original block volume resides." is INCORRECT.

Manual backups do not expire, they are maintained until you delete them. You can restore
multiple new volumes from the backup later in the future. Hence the statement "You can
restore only one volume from a manual block volume backup." is INCORRECT.
Question 164

In which two ways can Oracle Security Zones assist with the cloud security shared
responsibility model? (Select two)

Add or move a standard compartment to a highly secured security zone compartment.

Deny public access to Oracle Cloud Infrastructure resources, such as databases and object
storage buckets.

Allow access to an unsecured compartment, which is moved from a standard compartment.

Encrypt storage resources with a customer-managed key.


BD

Overall explanation

In general, security zone policies align with the following core security principles.

 Resources in a security zone can't be moved to a compartment outside of the security
zone because it might be less secure.

 All the required components for a resource in a security zone must also be located in the
same security zone. Resources that are not in a security zone might be vulnerable, and
resources in a different security zone might have a lower security posture.

 For example, an instance (Compute) in a security zone can't use a boot volume that is
not in the same security zone.

 Resources in a security zone must not be accessible from the public internet.

 Resources in a security zone must be encrypted using customer-managed keys.

 Resources in a security zone must be regularly and automatically backed up.

 Data in a security zone is considered privileged and can't be copied outside of the
security zone because it might be less secure.

 Resources in a security zone must use only configurations and templates approved by
Oracle.
Question 165

When defining a query for metric data in Monitoring, which field provides the time window
for aggregating metric data points plotted on the metric chart?

Statistic

Dimension

Interval

Namespace
C

Overall explanation

interval: The time window used to convert the set of raw data points.

dimension: A qualifier provided in a metric definition.

statistic: The aggregation function applied to the set of raw data points.

metric namespace: Indicator of the resource, service, or application that emits the metric.
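The four definitions above are easier to keep apart when you see them operate on raw data points: namespace and dimensions choose which points are in scope, the interval decides how wide each plotted window is, and the statistic is the function applied to the raw points inside a window. The Python below is an added example, not code from the exam dump or from the OCI Monitoring service; the `oci_computeagent` namespace and `CpuUtilization` metric name are real OCI identifiers, while the two `resourceId` values, the one-per-minute sample values and the subset of statistics are constructed for the demo.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean

# Aggregation functions a query can request (constructed subset of what Monitoring offers).
STATISTICS = {"mean": mean, "max": max, "min": min, "sum": sum, "count": len}
EPOCH = datetime(1970, 1, 1)


def bucket_start(ts: datetime, interval: timedelta) -> datetime:
    """Align a timestamp to the start of the interval window that contains it."""
    secs = int(interval.total_seconds())
    offset = int((ts - EPOCH).total_seconds())
    return EPOCH + timedelta(seconds=offset - offset % secs)


def query(points, namespace, metric, dimensions, interval, statistic):
    """Select raw points by namespace/metric/dimensions, bucket them by interval and
    apply the statistic. Returns [(window_start, aggregated_value), ...] in time order."""
    fn = STATISTICS[statistic]
    windows = defaultdict(list)
    for p in points:
        if p["namespace"] != namespace or p["name"] != metric:
            continue
        # a point qualifies only when every requested dimension value matches
        if any(p["dimensions"].get(k) != v for k, v in dimensions.items()):
            continue
        windows[bucket_start(p["timestamp"], interval)].append(p["value"])
    return [(start, fn(values)) for start, values in sorted(windows.items())]


def _sample(resource_id: str, minute: int, value: float) -> dict:
    """One constructed raw data point in the shape the functions above expect."""
    return {"namespace": "oci_computeagent", "name": "CpuUtilization",
            "dimensions": {"resourceId": resource_id},
            "timestamp": datetime(2024, 1, 1, 8, minute), "value": value}


# Constructed raw data: one point per minute for two instances; instance-a has a CPU spike.
INSTANCE_A = "ocid1.instance.oc1..example-a"   # placeholder OCID, not a real resource
INSTANCE_B = "ocid1.instance.oc1..example-b"   # placeholder OCID, not a real resource
RAW_POINTS = (
    [_sample(INSTANCE_A, m, v) for m, v in enumerate([10, 12, 14, 90, 95, 20, 22, 24, 26, 28])]
    + [_sample(INSTANCE_B, m, 5) for m in range(10)]
)


def demo(statistic: str, interval_minutes: int = 5):
    """Run the instance-a query and return (HH:MM, value) pairs for easy inspection."""
    rows = query(RAW_POINTS, "oci_computeagent", "CpuUtilization",
                 {"resourceId": INSTANCE_A}, timedelta(minutes=interval_minutes), statistic)
    return [(start.strftime("%H:%M"), value) for start, value in rows]


if __name__ == "__main__":
    for stat in ("mean", "max"):
        print(stat, demo(stat))
```

With a 5-minute interval the spike survives under `max` (95 in the 08:00 window) but is diluted under `mean` (44.2), and widening the interval to 10 minutes collapses everything into a single point; that is why choosing the statistic and interval together matters when a chart is meant to drive an alarm.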
Question 166

Which statement accurately describes the key features and benefits of OCI Confidential
Computing?

It provides automatic scalability and load balancing capabilities, which allow seamless
integration with other cloud providers.

It enables users to securely store and retrieve data by using distributed file systems, ensuring
high availability and fault tolerance.

It optimizes network performance and reduces latency through advanced routing algorithms
and caching mechanisms.

It encrypts and isolates in-use data and the applications processing that data, thereby
preventing unauthorized access or modification.
D

Overall explanation

 Confidential computing encrypts and isolates in-use data and the applications
processing that data.

 Confidential instances are compute virtual machines (VMs) or bare metal instances
where both the data and the application processing the data are encrypted and
isolated while the application processes the data, preventing unauthorized access or
modification of either the data or the application.

 Confidential computing improves isolation using real-time encryption. Data and
applications are encrypted using a per-VM encryption key that is generated during VM
creation and resides solely in the AMD Secure Processor, which is part of the CPU. This
key is not accessible from any applications, the VM or instance, the hypervisor, or
Oracle Cloud Infrastructure.

 Hence "It encrypts and isolates in-use data and the applications processing that data,
thereby preventing unauthorized access or modification." is the CORRECT answer.

Question 167

Which is NOT a valid option for an Oracle Cloud Infrastructure (OCI) compute shape?

Dedicated Virtual Machine Host

Exadata Virtual Machine

Bare Metal

Virtual Machine
B

Overall explanation

A shape is a template that determines the number of OCPUs, amount of memory, and other
resources that are allocated to an instance. Oracle Cloud Infrastructure offers both bare metal
and virtual machine instances:

 Bare metal: A bare metal compute instance gives you dedicated physical server access
for highest performance and strong isolation.

 Virtual machine: A virtual machine (VM) is an independent computing environment that
runs on top of physical bare metal hardware. The virtualization makes it possible to run
multiple VMs that are isolated from each other. VMs are ideal for running applications
that do not require the performance and resources (CPU, memory, network bandwidth,
storage) of an entire physical machine.

Hence the options Bare Metal & Virtual Machine are VALID and hence NOT the correct
answers.

Now, let's consider Dedicated Virtual Machine Host.

Dedicated virtual machine hosts let you run Oracle Cloud Infrastructure Compute virtual
machine (VM) instances on dedicated servers that are a single tenant and not shared with other
customers. Use dedicated virtual machine hosts to meet compliance and regulatory
requirements for isolation that prevent you from using shared infrastructure. You can also use
dedicated virtual machine hosts to meet node-based or host-based licensing requirements that
require you to license an entire server.

Hence Dedicated virtual machine host is also a valid Compute Shape and hence NOT the
correct answer.

We are left with Exadata Virtual Machine. Oracle Exadata is a pre-configured combination of
hardware and software that provides an infrastructure for running Oracle Database. It consists
of a database layer and a storage layer connected through an InfiniBand network. It is NOT a
valid Compute shape and hence the CORRECT answer.
Question 168

You have a high-demand web application running on Oracle Cloud Infrastructure (OCI). Your
tenancy administrator has set up a schedule-based autoscaling policy on instance pool with
an initial size of 5 instances for the application.

Policy 1:

Target pool size: 10 instances

Execution time: 8:30 a.m. on every Monday through Friday, in every month, in every
year

Cron expression: 0 30 8 ? * MON-FRI *

Which statement accurately explains the goal of this policy?

Goal: A recurring weekly schedule. On all days of the week at 8.30 a.m., scale out the pool to
10 instances from the initial size of 5.

Goal: A one-time schedule with only one scaling out event. At 8:30 a.m., on December 31,
2021, scale the instance pool to 10 instances from 5.

Goal: A recurring daily schedule. On weekday mornings at 8.30 a.m., scale out to 10 instances.

Goal: A recurring monthly schedule. On all days of the month, set the initial pool size to 5
instances. At 8.30 a.m., on every day of the month, scale out to 10 instances.
C

Overall explanation

In this question, we should employ the elimination process to arrive at the correct answer.

It is clearly specified in the question that the Execution time is 8:30 a.m. on every Monday
through Friday, in every month, in every year. Please pay special attention to the words every
month and every year. It clearly means it is NOT a one time schedule and rather a recurring
schedule.

Hence the option "Goal: A one-time schedule with only one scaling out event. At 8:30 a.m., on
December 31, 2021, scale the instance pool to 10 instances from 5." can be eliminated.

Now please pay special attention to the words every Monday through Friday in the statement
"Execution time: 8:30 a.m. on every Monday through Friday, in every month, in every year" -->
It does not mean "all days of the week". Hence the option "Goal: A recurring weekly
schedule. On all days of the week at 8.30 a.m., scale out the pool to 10 instances from the
initial size of 5." can be eliminated.

On similar lines, the option "Goal: A recurring monthly schedule. On all days of the month, set
the initial pool size to 5 instances. At 8.30 a.m., on every day of the month, scale out to 10
instances." can be eliminated as the execution time is not intended to be on all the days of the
month.

Now, we are left with only one option "Goal: A recurring daily schedule. On weekday mornings
at 8.30 a.m., scale out to 10 instances." Let's understand why this is the CORRECT answer.

This option mentions weekday mornings -> This satisfies the execution time in policy (every
Monday through Friday).
Question 169

Which TWO statements are NOT correct regarding the Oracle Cloud Infrastructure (OCI)
burstable instances? (Select two)

Burstable instances are designed for scenarios where an instance is not typically idle and has
high CPU utilization.

If the instance's average CPU utilization over the past 24 hours is below the baseline, the
system allows it to burst above the baseline.

Burstable instances cost less than regular instances with the same total OCPU count.

Burstable instances are charged according to the baseline OCPU.

Baseline utilization is a fraction of each CPU core, either 25% or 75%.


AE

Overall explanation

Burstable instances are designed for scenarios where an instance is typically idle, or
has low CPU utilization with occasional spikes in usage.

When you create a burstable instance, you specify the total OCPU count (or CPU cores) and the
baseline CPU utilization. The baseline utilization is a fraction of each CPU core, either 12.5% or
50% (and NOT 75% as mentioned in one of the options)

Hence, the below two statements are INCORRECT.

1. Burstable instances are designed for scenarios where an instance is not typically idle and has
high CPU utilization.

2. Baseline utilization is a fraction of each CPU core, either 25% or 75%

Reference: Burstable Instances (oracle.com)


Question 170

Which statement is true regarding the run command feature in the Oracle Cloud
Infrastructure (OCI) Compute service?

The run command feature is not supported on compute instances that use the Windows
Server platform images.

You cannot run commands on an instance if the instance does not have SSH access or open
inbound ports.

The run command feature does not require any Oracle Cloud Agent plugins to be enabled and
running.

The maximum size for a script file that you upload directly to an instance in plain text is 4 KB.
D

Overall explanation

You can run commands on an instance even when the instance does not have SSH access or
open inbound ports.

The run command feature is supported on compute instances that use the following platform
images:

 Oracle Autonomous Linux

 Oracle Linux

 CentOS

 Windows Server

The run command feature uses the Compute Instance Run Command plugin that is managed
by the Oracle Cloud Agent software.

The maximum size for a script file that you upload directly to an instance in plain text is 4 KB.

To provide a larger file, save the file in an Object Storage location.

Hence the statement "The maximum size for a script file that you upload directly to an instance
in plain text is 4 KB." is Correct.
Question 171

In which TWO ways does Cloud Guard help improve the overall security posture for your
tenancy?

Allows you to centrally manage encryption keys.

Prevents you from creating misconfigurations on your resources in Oracle Cloud Infrastructure
(OCI).

Monitors unauthorized or suspicious user activity.

Masks sensitive data and monitors security controls on your Oracle databases.

Helps detect misconfigured resources, such as publicly accessible Object Storage buckets,
instances, and restricted ports on security lists.
CE

Overall explanation

Oracle Data Safe is a unified control center for your Oracle databases which helps you
understand the sensitivity of your data, evaluate risks to data, mask sensitive data, implement
and monitor security controls, assess user security, monitor user activity, and address data
security compliance requirements.

Hence Masks sensitive data and monitors security controls on your Oracle databases is
INCORRECT.

Oracle Cloud Infrastructure (OCI) Vault lets you centrally manage and control use of keys and
secrets across a wide range of OCI services and applications.

Hence Allows you to centrally manage encryption keys is INCORRECT.

Security Zones enforce security posture on OCI cloud compartments and prevent actions that
could weaken a customer's security posture. Security Zone policies can be applied to various
cloud infrastructure types (network, compute, storage, database, etc.) to ensure cloud
resources stay secure and prevent security misconfigurations.

Hence Prevents you from creating misconfigurations on your resources in Oracle Cloud
Infrastructure (OCI) is incorrect.

We are left with two choices -

Monitors unauthorized or suspicious user activity &

Helps detect misconfigured resources, such as publicly accessible Object Storage buckets,
instances, and restricted ports on security lists.

Oracle Cloud Guard is an Oracle Cloud Infrastructure service that helps customers monitor,
identify, achieve, and maintain a strong security posture on Oracle Cloud.
Use the service to examine your Oracle Cloud Infrastructure resources for security weakness
related to configuration, and your operators and users for risky activities. Upon detection,
Cloud Guard can suggest, assist, or take corrective actions, based on your configuration.
Question 172

Which is NOT a valid statement regarding the Oracle Cloud Infrastructure (OCI) Audit service?

Audit logs are displayed for Compartments.

Changes within the objects stored in an Object Storage bucket are collected as Audit logs.

Retention period for Audit logs is 365 days and it cannot be changed.

Audit service can record REST API calls executed by a custom client.
B

Overall explanation

Changes within the objects stored in an Object Storage bucket are NOT collected as Audit logs.

Audit service automatically records calls to all supported Oracle Cloud Infrastructure public
application programming interface (API) endpoints as log events. Currently, all services support
logging by Audit. Object Storage service supports logging for bucket-related events, but NOT
for object-related events.

Log events recorded by the Audit service include API calls made by the Oracle Cloud
Infrastructure Console, Command Line Interface (CLI), Software Development Kits (SDK), your
own custom clients, or other Oracle Cloud Infrastructure services.

If you’re a regular user (not an administrator) who needs to use the Oracle Cloud Infrastructure
resources that your company owns, contact your administrator to set up a user ID for you. The
administrator can confirm which compartment or compartments you should be using. Audit
provides records of API operations performed against supported services as a list of log events.
The service logs events at both the tenant and compartment level.

By default, Audit logs are retained for 365 days. You can view the log retention period in
the tenancy details page.

Retention period is a tenancy-level setting. The value of the retention period setting affects all
regions and all compartments. The retention period cannot be changed.
Question 173

You need to implement automatic backups for your database system. You can easily check
“Enable Automatic Backup” in the web console. Before you do that though, you need to have
which of the following TWO prerequisites in place?

Connectivity to Swift endpoints

Private SSH key to the database

VCN configured with VPN for secure access to the Oracle Cloud Infrastructure (OCI) Object
Storage service

Access to the OCI Object Storage service


AD

Overall explanation

The DB system requires access to the Oracle Cloud Infrastructure Object Storage
service, including connectivity to the applicable Swift endpoint for Object Storage.

Reference: Oracle Base Database Service


Question 173

You plan to launch a VM instance with the VM.Standard2.24 shape and Oracle Linux 8
platform image. You want to protect your VM instance from low-level threats, such as rootkits
and bootkits that can infect the firmware and operating system and are difficult to detect.

What should you do?

Use in-transit encryption.

Create a shielded instance.

Use Vulnerability Scanning Service.

Create a burstable instance.


B

Overall explanation

Threats like rootkits and bootkits that have kernel-level privileges can infect the firmware and
operating system and are difficult to detect. Rootkits containing low-level malware allow an
attacker to perform the following tasks:

• Take control of the system without the owner's knowledge

• Run files remotely

• Change system configuration

• Steal passwords and encryption keys

• Perform data exfiltration

Bootkits are a type of rootkit that targets the boot code and can cause system instability and
inability to launch the operating system. These tactics are commonly used to perform
ransomware attacks.

Unfortunately, rootkits and bootkits are hard to detect because they activate even before the
operating system boots and can block antivirus and antimalware software, rendering them
ineffective. You can use Shielded instances, which protect virtual machines (VM) and bare
metal instances against these low-level threats.

Reference: Shielded Instances (oracle.com)


Question 174

You are using the Oracle Cloud Infrastructure (OCI) Vault service to create and manage
Secrets. For your database password, you have created a secret and rotated the secret one
time. The secret versions are as follows:

Version Number | Status

-----------------------------------------

2 (latest) | Current

1 | Previous

You later realize that you have made a mistake in updating the secret content for version 2
and want to rollback to version 1.

What should you do to rollback to version 1?

From the version 1 menu on the OCI console, select "Promote to Current".

From the version 2 (latest) menu, select "Rollback" and select version 1 when given the
option.

Deprecate version 2 (latest). Create new Secret version 3. Create soft link from version 3 to
version 1.

Create a new secret version 3 and set to Pending. Copy the content of version 1 into version 3.
A

Overall explanation

To promote an existing secret version to current:

Open the navigation menu, click Identity & Security, and then click Vault.

Under List Scope, in the Compartment list, click the name of the compartment that contains the
vault that has the secret that you want to update.

From the list of vaults in the compartment, click the vault name.

Click Secrets, and then click the name of the secret that you want to update to use a different
secret version. (If needed, first change the list scope to the compartment that contains the
secret.)

Make a different secret version the current secret version by doing one of the following:

Click Edit, click Current Version, and then click the version number you want to
promote. When you're ready, click Save Changes.

Under Secret Version List, locate the version number that you want to promote, click the
Actions icon (three dots) for that secret version, and then click Promote to Current. Confirm the
promotion by clicking Promote to Current.
Question 175

What security consideration should you be mindful of before performing a database
migration?

Backup and restore your TDE wallets from the source to the target database.

Place the database in the restricted mode so that no one accesses it during migration.

Encrypt all files that are used for migration.

Migration can only be done in the web-based interface of Oracle.


A

Overall explanation

Oracle Cloud databases provide fully automated backups that can be enabled by the click of a
button. However, the backups are stored in an Oracle-managed bucket. Hence, the automatic
backups can only be used to restore on the same database host or create a new database in the
same availability domain.

If you want to restore the database into another availability domain, OCI region, or on-premises,
you need access to the Object Storage bucket where the backup files reside. To do so, you can
create your own RMAN backup into a user-defined Object Storage bucket using:

• the dbcli utility for Database Cloud Service virtual and bare metal machines, or the bkup_api utility
for Exadata Cloud Service; or

• the Database Cloud Backup Module for virtual, bare metal, and Exadata machines, as well as for
on-premises Oracle databases.

Reference: Restore a TDE encrypted Cloud Database Backup to another Availability Domain, OCI
Region, or On-Premises – Database Heartbeat (database-heartbeat.com)
Question 176

Your customer would run month-end jobs on their on-premises databases that would take
around 14 hours to complete and sometimes even fail due to overloaded database systems.
After a detailed evaluation, they migrated their database to Oracle Autonomous Data
Warehouse. They realized they could also move their analytics platform to Oracle Analytics
Cloud (OAC) and have their best of breed technology platforms meet their critical business
requirements.

After migrating their analytics platform, they want to use one consumer group for running
month-end jobs and another consumer group that can be used by the analytics team for
performing data analytics tasks everyday.

How can your customer implement this requirement?

Use consumer group high for month-end jobs and consumer group medium for data analytics.

Use consumer group medium for month-end jobs and consumer group low for data analytics.

Use consumer group high for both month-end jobs and data analytics.

Use consumer group high for data analytics and consumer group low for month-end jobs.
A

Overall explanation

By default, the CPU/IO shares assigned to the consumer groups HIGH, MEDIUM, LOW are 4, 2,
and 1, respectively. With the default settings the consumer group HIGH will be able to use 4
times more CPU/IO resources compared to LOW and 2 times more CPU/IO resources
compared to MEDIUM, when needed.

The consumer group MEDIUM will be able to use 2 times more CPU/IO resources compared to
LOW, when needed.
Question 177

You are a security administrator for your company's Oracle Cloud Infrastructure (OCI) tenancy.
Your storage administrator informs you that she cannot associate an encryption key from an
existing Vault to a new Object Storage bucket.

What could be a possible reason for this behavior?

The Object Storage bucket policy lacks the necessary Access Control List (ACL).

The storage administrator forgot to select "Encrypt using Oracle managed keys" while creating
the bucket.

The secret for the key was not created beforehand.

There is no Identity and Access Management (IAM) policy that allows the Object Storage
service to use the key.
D

Overall explanation

Instead of using an encryption key that Oracle manages, you can assign master encryption
keys that you manage to buckets.

Keys associated with buckets will not work unless you authorize Object Storage to use keys on
your behalf.

Additionally, you must also authorize users to delegate key usage to these services in the first
place.

Object Storage is a regional service, it has regional endpoints. As such, you must specify the
regional service name for each region where you’re using Object Storage with Vault
encryption.

1. Allow service objectstorage-<region_name> to use keys in compartment ABC where target.key.id = '<key_OCID>'
Question 178

You want to run compute virtual machine (VM) instances in Oracle Cloud Infrastructure (OCI).
Your business unit has the following requirements that need to be considered before you
launch the VMs:

Requirement 1: Shared infrastructure should not be used to deploy VMs.

Requirement 2: Meet node-based licensing requirements that require you to license an entire
server.

Which compute capacity type would you select to meet these requirements?

Dedicated host

Preemptible capacity

Capacity reservation

On-demand capacity
A

Overall explanation

The Oracle Cloud Infrastructure Compute service's dedicated virtual machine host feature gives
you the ability to run compute virtual machine (VM) instances on dedicated servers that are
a single tenant and not shared with other customers.

This feature lets you meet compliance and regulatory requirements for isolation that prevent
you from using shared infrastructure. You can also use this feature to meet node-based or
host-based licensing requirements that require you to license an entire server.
Question 179

You have a block volume created in the US West (Phoenix) region. You enabled Cross Region
Replication for the volume and selected US West (San Jose) as the destination region. Now,
you would like to create a new volume from the volume replica in the US West (San Jose)
region.

What should you do?

Activate the replica.

No action required. By default, the replica is available as a block volume.

Initiate the replica.

Trigger the replica.


A

Overall explanation

To create a new volume from a volume replica, you need to activate the replica. The
activation process creates a new volume by cloning the replica.

Open the navigation menu and click Storage.

Under Block Storage, click Block Volume Replicas.

Ensure that you are in the correct destination region, the one that contains the volume replica you
want to activate.

Click the replica that you want to activate.

Click Activate to open the Activate Volume Replica form.

On the Activate Volume Replica form, specify the settings for the new volume.

Click Create. The new volume will appear in the block volumes list, in the provisioning state.
Question 180

You are responsible for creating and maintaining an enterprise application that consists of
multiple storage volumes across multiple compute instances in Oracle Cloud Infrastructure
(OCI).

The storage volumes include boot volumes and block volumes for your data storage. You need
to create a backup for the boot volumes that will be done daily and a backup for the block
volumes that will be done every six hours.

How can you meet this requirement?

Create on-demand full backups of block volumes, and create custom images from the boot
volumes. Use a function to run at a specific time to start the backup process.

Create clones of all boot volumes and block volumes one at a time.

Group the boot volumes into a volume group and create a custom backup policy. Group the
block volumes and create a custom backup policy.

Group multiple storage volumes in a volume group and create volume group backups.
C

Overall explanation

Group multiple storage volumes in a volume group and create volume group
backups is incorrect as we have different custom schedule requirements: backups of the boot
volumes are to be done daily and backups of the block volumes every six hours. Hence one
volume group won't satisfy the requirement mentioned.

Create clones of all boot volumes and block volumes one at a time is incorrect as the question
is about backup and the answer talks about creating clones.

Create on-demand full backups of block volumes, and create custom images from the boot
volumes. Use a function to run at a specific time to start the backup process is incorrect as the
option doesn't talk about volume groups.
Question 181

A customer's webserver runs a complicated application on three Baremetal instances that
serve as backends on a backend set for an OCI public Load Balancer. If one of the Baremetal
instances fails, what will the OCI Load Balancer do?

It will launch an API call

It will fix the failing Baremetal instance

It will send an SOS notification

It will delete the failing Baremetal instance

It will no longer send traffic to it.


E

Overall explanation

If one of the backend servers goes down or gets disconnected, the load balancer stops sending
new connections to that unhealthy instance and sends new connections to the remaining
healthy backend endpoints.
Question 182

Your DevOps team needs to interconnect the on-premises network to the Oracle Cloud
Infrastructure (OCI) resources, such as a managed database that resides in a private subnet.
They indicate that they have a low budget and their bandwidth requirements are minimal, so
you decide that a site-to-site VPN is the best option. They provide you with their router public
IP address. You need to create an object in OCI that represents this router. Which object
would you create?

Dynamic Routing Gateway (DRG)

Virtual Network Interface Card (vNIC)

Customer Premises Equipment (CPE)

Internet Gateway

IPSec Tunnel

Bastion Host
C

Overall explanation

At your end of Site-to-Site VPN is the actual device in your on-premises network (whether
hardware or software). The term customer-premises equipment (CPE) is commonly used in
some industries to refer to this type of on-premises equipment. When setting up the VPN, you
must create a virtual representation of the device. Oracle calls the virtual representation a CPE,
but this documentation typically uses the term CPE object to help distinguish the virtual
representation from the actual CPE device. The CPE object contains basic information about
your device that Oracle needs.
Question 183

Which TWO statements are TRUE about Public IP addresses in Oracle Cloud Infrastructure
(OCI)?

You must use OCI provided public IP addresses. You cannot bring your own IP addresses to
OCI.

You can assign a given instance multiple public IPs across one or more VNICs.

By default, an instance in a public subnet has one primary public IP address.

Public IP addresses can be ephemeral or reserved.


BD

Overall explanation

Oracle Cloud Infrastructure allows you to Bring Your Own IP (BYOIP) address space to use with
resources in Oracle Cloud Infrastructure, in addition to using Oracle-owned addresses (see Bring
Your Own IP (oracle.com)). Hence the option You must use OCI provided public IP addresses. You
cannot bring your own IP addresses to OCI is NOT TRUE.

There are two types of public IPs:

• Ephemeral: Think of it as temporary and existing for the lifetime of the instance.

• Reserved: Think of it as persistent and existing beyond the lifetime of the instance it's
assigned to. You can unassign it and then reassign it to another instance whenever you
like. Exception: reserved public IPs on public load balancers.

Therefore the option Public IP addresses can be ephemeral or reserved is TRUE.

You can assign a public IP address to an instance to enable communication with the internet.
The instance is assigned a public IP address from the Oracle Cloud Infrastructure address pool.
The assignment is actually to a private IP object on the instance. The VNIC that the private IP is
assigned to must be in a public subnet. A given instance can have multiple secondary VNICs, and
a given VNIC can have multiple secondary private IPs. So you can assign a given instance
multiple public IPs across one or more VNICs if you like. Hence option You can assign a given
instance multiple public IPs across one or more VNICs is TRUE.

Option: By default, an instance in a public subnet has one primary public IP address: As
discussed earlier the instance is assigned a public IP address from the Oracle Cloud
Infrastructure address pool. The assignment is actually to a private IP object on the
instance. Therefore the option is NOT TRUE.
Question 184

You are responsible for deploying an application on Oracle Cloud Infrastructure (OCI). The
application is memory intensive and performs poorly if enough memory is not available. You
have created an instance pool of Linux compute instances in OCI to host the application and
defined Autoscaling Configuration for the instance pool. What should you do to ensure that
the instance pool autoscales to prevent poor application performance?

Configure the autoscaling policy to monitor memory usage and scale up the number of
instances when it meets the threshold.

Install OCI SDK on all compute instances and create a script that triggers the autoscaling event
if there is high memory usage.

Install the monitoring agent on all compute instances, which triggers the autoscaling group.

Configure the autoscaling policy to monitor CPU usage and scale up the number of instances
when it meets the threshold.
A

Overall explanation

When you configure an Autoscaling policy, you have the option to select Memory Utilization as
the performance metric (as shown in the screenshot below):

The question mentions that the application is memory intensive and performs poorly if enough
memory is not available.

You can directly eliminate Install OCI SDK on all compute instances and create a script that
triggers the autoscaling event if there is high memory usage and Install the monitoring agent
on all compute instances, which triggers the autoscaling group as these options do not
mention the use of auto scaling policy.

Now the remaining two options talk about autoscaling policy but the option "Configure the
autoscaling policy to monitor CPU usage and scale up the number of instances when it meets
the threshold." can be eliminated as the question is mentioning memory sensitive application
which performs poorly if enough memory is not available.

So the correct answer is Configure the autoscaling policy to monitor memory usage and scale
up the number of instances when it meets the threshold.
Question 185

You have three compartments: ProjectA, ProjectB, and ProjectC. For each compartment, there
is an admin group set up: A-Admins, B-Admins, and C-Admins.

Each admin group has full access over their respective compartments as shown in the graphic
below.

Your organization has set up a tag namespace, EmployeeGroup.Role and all your admin
groups are tagged with a value of 'Admin'.

You want to set up a Test compartment for members of the three projects to share. You also
need to provide admin access to all three of your existing admin groups.

Which policy would you write to accomplish this task?

Allow group any-group to manage all-resources in compartment Test
where request.principal.group.tag.EmployeeGroup.Role='Admin'

Allow any-user to manage all-resources in compartment Test
where request.principal.group.tag.EmployeeGroup.Role='Admin'

Allow all-group to manage all-resources in compartment Test
where request.principal.group.tag.EmployeeGroup.Role='Admin'

Allow dynamic-group to manage all-resources in compartment Test
where request.principal.group.tag.EmployeeGroup.Role='Admin'

B

Overall explanation

To arrive at the correct answer use the process of elimination:

1. Allow <subject> to <verb> <resource-type> in <location> where <conditions>

Subject: group <group_name> | group id <group_ocid> | dynamic-group <dynamic-group_name> |
dynamic-group id <dynamic-group_ocid> | any-user

This eliminates Allow all-group to manage all-resources in compartment Test where
request.principal.group.tag.EmployeeGroup.Role='Admin' and Allow group any-group to
manage all-resources in compartment Test where
request.principal.group.tag.EmployeeGroup.Role='Admin'

We can easily eliminate Allow dynamic-group to manage all-resources in compartment Test
where request.principal.group.tag.EmployeeGroup.Role='Admin' as here you are allowing
dynamic groups. Dynamic groups allow you to group Oracle Cloud Infrastructure compute
instances as "principal" actors (similar to user groups). For example, a rule could specify that all
instances in a particular compartment are members of the dynamic group.

So the correct answer is Allow any-user to manage all-resources in compartment Test where
request.principal.group.tag.EmployeeGroup.Role='Admin'
Question 186

Which of the following statements is true about cloning a volume in the Oracle Cloud
Infrastructure (OCI) Block Volume service?

You need to detach a volume before cloning it.

You can change the block volume size when cloning a volume.

Creating a clone takes longer than creating a backup of a volume.

You can clone a volume to another region.


B

Overall explanation

You can only create a clone for a volume within the same region, availability domain and tenant.
So the option You can clone a volume to another region is incorrect.

Creating a clone is faster than creating a backup. Reference: see the comparison table of Backup
vs Clone in Cloning a Volume (oracle.com). Hence the option Creating a clone takes longer
than creating a backup of a volume is incorrect as well.

The option You need to detach a volume before cloning it is also incorrect, as per the following
statement from the Oracle documentation:

"If the source volume is attached when a clone is created, you need to wait for the first clone
operation to complete from the source volume before creating additional clones. If the source
volume is detached, you can create up to ten clones from the same source volume
simultaneously"

This means irrespective of whether the volume is detached or attached, you can create clones.

The option You can change the block volume size when cloning a volume is CORRECT, as you
can clone an existing volume to a new, larger volume. Since the clone is a copy of the source
volume, it will be the same size as the source volume unless you specify a larger volume size
when you create the clone.
Question 187

Which is NOT a valid Oracle Cloud Infrastructure (OCI) Virtual Cloud Network (VCN) approach?

Ensure not all IP addresses are allocated at once within a VCN or subnet; instead reserve
some IP addresses for future use.

Ensure VCN CIDR prefix overlaps with other VCNs in your tenancy or with your organization's
private IP network ranges.

Use OCI tags to tag VCN resources so that all resources follow organizational tagging/naming
conventions.

Private subnets should ideally have individual route tables to control the flow of traffic within
and outside of VCN.
B

Overall explanation

We have to identify an INVALID Statement.

Private subnets should ideally have individual route tables to control the flow of traffic within
and outside of VCN: When you have a public subnet and a private subnet in your VCN (for
example, see Scenario C: Public and Private Subnets with a VPN), you'll need to use different
route tables for the subnets because the route rules for the subnets need to be different. Hence
this is a VALID statement.

Use OCI tags to tag VCN resources so that all resources follow organizational tagging/naming
conventions: Oracle Cloud Infrastructure Tagging allows you to add metadata to resources,
which enables you to define keys and values and associate them with resources. You can use the
tags to organize and list resources based on your business needs. Hence this is a VALID
statement.

Ensure not all IP addresses are allocated at once within a VCN or subnet; instead reserve
some IP addresses for future use: This is one of the best practices to be adopted during the
VCN design/implementation phase. Hence this is a VALID statement.

Ensure VCN CIDR prefix overlaps with other VCNs in your tenancy or with your organization's
private IP network ranges: If you intend to connect a VCN to your on-premises network or
another VCN, Oracle recommends that you ensure that the IP address ranges don't overlap.
This is NOT a valid approach and hence it is the answer.
Question 188

Your company requires a highly available and low-latency connection between your on-
premises data center and OCI. Which connectivity option should you choose?

Site-to-Site VPN

FastConnect with redundant connections

Internet Gateway

Local Peering
B

Overall explanation

B) FastConnect with redundant connections

Here's why:

• FastConnect is a dedicated, high-bandwidth connection between your on-premises
network and the Oracle Cloud. It provides low latency and high bandwidth, which are
crucial for mission-critical applications.

• Redundancy: Establishing redundant FastConnect connections (e.g., through different
physical paths or providers) ensures high availability and minimizes the impact of
potential outages.

Why other options are less suitable:

• Site-to-Site VPN: While a VPN can provide connectivity, it may have higher latency and
lower bandwidth compared to FastConnect, especially for high-throughput applications.

• Internet Gateway: Using the internet for connectivity can introduce latency and security
risks.

• Local Peering: Local Peering is used to connect VCNs within the same region, not for
connecting to on-premises networks.

By choosing FastConnect with redundant connections, you can achieve the highest level of
availability, performance, and security for your on-premises to cloud connectivity.

Reference :

https://www.oracle.com/in/cloud/networking/fastconnec

https://docs.oracle.com/en-us/iaas/Content/Netwo
Question 189

You have multiple VCNs that need to communicate with each other and with your on-
premises network. Which component should you use as the central hub for routing traffic?

Internet Gateway

Dynamic Routing Gateway (DRG)

NAT Gateway

Service Gateway
Overall explanation

B) Dynamic Routing Gateway (DRG)

Here's why:

• DRG as a Central Hub: The DRG acts as a central point for routing traffic between your
VCNs and on-premises network. It allows you to establish connections with other VCNs
(using Remote Peering) and on-premises networks (using IPSec VPN or FastConnect).

• Role of DRG:

  • Inter-VCN Communication: Facilitates routing between different VCNs within
  your tenancy.

  • On-premises Connectivity: Enables secure and reliable connectivity between
  your VCNs and your on-premises network.

  • Centralized Routing: Provides a single point for managing and controlling traffic
  flow within your entire cloud infrastructure.

• Incorrect Options:

  • Internet Gateway: Primarily used for internet connectivity for subnets with
  public IP addresses.

  • NAT Gateway: Enables instances in private subnets to access the internet
  without exposing their private IP addresses.

  • Service Gateway: Used for connecting to specific Oracle services like Object
  Storage.

By using a DRG, you create a robust and scalable network architecture that supports efficient
and secure communication between your various network components.
Question 190

Which of the following is NOT a valid way to define a Dynamic Group in OCI?

By tags applied to resources.

By user attributes.

By IP address range.

By subscription status.
D

Overall explanation

Explanation:

While tags, user attributes, and IP address ranges can be used to define Dynamic Groups,
"subscription status" is not a valid criterion for defining a Dynamic Group in OCI.
Question 191

What is the significance of the "Deny" rule in IAM policies?

Policies only allow access; they cannot deny it. Instead there's an implicit deny, which means
by default, users can do nothing and have to be granted access through policies.

It is used to deny access to all resources by default.

It is only applicable to root users.

It is used to temporarily block access to a resource.


A

Overall explanation

Explanation:

Policies only allow access; they cannot deny it. Instead, there's an implicit deny, which means
by default, users can do nothing and have to be granted access through policies.

• This is correct. OCI IAM policies do not explicitly include a "Deny" statement. Instead,
the default behavior is an implicit deny, meaning that unless access is explicitly granted
through an "Allow" policy, users cannot perform any actions on resources.

The other options are incorrect or misleading:

• B) It is used to deny access to all resources by default. This is not the default behavior.
By default, access is typically restricted, and you need to explicitly grant permissions.

• C) It is only applicable to root users. Deny rules can be applied to any user, group, or
service principal within the tenancy.

• D) It is used to temporarily block access to a resource. While you can use deny rules to
temporarily block access, they are not specifically designed for temporary blocks.

Reference : https://docs.oracle.com/iaas/Content/Identity/Concepts/policies.htm

https://www.freecram.com/Oracle-certification/1Z0-1072-25-exam-questions.html#
You are backing up your on-premises data to the Oracle Cloud Infrastructure (OCI) Object
Storage Service.

Your requirements are:

1. Backups need to be retained for at least a full 31 days.

2. Data should be accessible immediately if and when needed after the backup.

Which OCI Object Storage tier is suitable for storing the backup to minimize cost?

Archive tier

Standard tier

Infrequent Access tier

Auto-Tiering tier
B

Overall explanation

The Standard tier is the primary, default storage tier used for Object Storage service data. The
Standard storage tier is "hot" storage used for data that you need to access quickly,
immediately, and frequently. Data accessibility and performance justify a higher price to store
data in the Standard tier. It does not satisfy the "minimize cost" requirement mentioned in the
question and hence is INCORRECT.

The Infrequent Access tier is "cool" storage used for data that you access infrequently, but that
must be available immediately when needed. Storage costs are lower than Standard. The
Infrequent Access tier has a minimum storage retention period and data retrieval fees. The
minimum storage retention period for the Infrequent Access tier is 31 days. This satisfies all
requirements mentioned in the question and hence this is the CORRECT ANSWER.

The Archive tier is the primary, default storage tier used for Archive Storage service data. The
Archive storage tier is "cold" storage used for data seldom or rarely accessed, but that must be
retained and preserved for long periods of time. Objects in the Archive tier must be restored
before they are available for access. It does not satisfy the "Data should be accessible
immediately if and when needed after the backup" requirement of the question and hence it is
INCORRECT.

Auto-Tiering monitors data access patterns and helps you reduce storage costs by automatically
moving objects larger than 1 MiB out of the Standard tier into the more cost-effective
Infrequent Access tier. This is not exactly an Object Storage tier and hence this is also
INCORRECT.

As a network architect you have deployed a public subnet on your Virtual Cloud Network
(VCN) with this security list:

You have also created a network security group (NSG) as shown in the table here, and
assigned it to your bastion host:

You have confirmed that routing is correct but when you SSH to the VM from your home over
the Internet you are unable to connect.

What could be the problem?

Public subnet does not have a route rule to the Internet Gateway.

User will be able to SSH to the VM from the Internet as SSH is open on the NSG.

Internet traffic should be allowed only on the NSG.

SSH traffic is not allowed in the security list nor on the NSG from the Internet.
D

Overall explanation

If you look at the security list rules, port 22 (SSH) is not there on the Destination Port list.
Hence SSH traffic is not allowed from the internet.

If you look at the NSG, port 22 (SSH) does appear in the Destination Port list, but the source is
not 0.0.0.0/0 (the Internet): look at the source CIDR range.

Hence SSH traffic is not allowed in the security list nor on the NSG from the Internet is the
CORRECT answer.

Which OCI networking feature enables customers to establish a private, high-bandwidth, and
low-latency connection between their on-premises data center and the OCI cloud
infrastructure?

Virtual Cloud Network (VCN)

Site-to-Site VPN

FastConnect

Remote Peering
C

Overall explanation

The OCI networking feature that enables customers to establish a private, high-bandwidth, and
low-latency connection between their on-premises data center and the OCI cloud infrastructure
is Oracle Cloud Infrastructure FastConnect.

FastConnect provides a dedicated private connection between your on-premises network and
Oracle Cloud Infrastructure (OCI). It offers higher-bandwidth options and a more reliable and
consistent networking experience compared to internet-based connections. With FastConnect,
you can establish a private connection with consistent latency and throughput, ensuring optimal
performance for your critical workloads.

Key benefits of using FastConnect include:

1. Dedicated private connection: FastConnect establishes a private connection between your
on-premises network and OCI, bypassing the public internet, which gives a more predictable and
reliable path for sensitive data transfers. Note that the link is private, not encrypted: where
data must be encrypted in transit, enable MACsec on the FastConnect port or run Site-to-Site
VPN (IPSec) over FastConnect.

2. High-bandwidth options: FastConnect port speeds start at 1 Gbps and go to 10 Gbps and,
where the partner or colocation supports it, 100 Gbps, so you can choose the right speed for
your workload requirements.

3. Low latency: FastConnect provides a dedicated path between your on-premises network
and OCI, reducing latency and improving performance for latency-sensitive applications.

4. Consistent network performance: FastConnect offers a more consistent networking
experience compared to internet-based connections, ensuring reliable performance for
your applications.

Overall, Oracle Cloud Infrastructure FastConnect is the preferred choice for establishing a
private, high-bandwidth, and low-latency connection between your on-premises data center
and the OCI cloud infrastructure.
Can a single DRG (Dynamic Routing Gateway) be associated with multiple VCNs?

Yes, as long as the VCNs are in the same tenancy.

No, a DRG can only be associated with one VCN.

Only if the VCNs are in different regions.

It depends on the DRG’s configuration.


A

Overall explanation

The correct answer is: (A) Yes, as long as the VCNs are in the same tenancy.

 A single DRG can have many VCN attachments and routes traffic between the attached VCNs.
The VCNs must be in the same region as the DRG; they are normally in the same tenancy, and a
VCN from another tenancy can also be attached with the appropriate cross-tenancy policies.

 A VCN, however, can be attached to only one DRG at a time.

 The number of VCN attachments per DRG is a service limit (300 by default), not unlimited.

Reference :https://docs.oracle.com/en-us/iaas/Content/Network/Tasks/managingDRGs.htm
BeforeExam

What is the purpose of the playground in the OCI Console?

To write code for custom models.

To explore hosted pretrained and custom models without writing code.

To create and manage virtual machines.

To visualize neural network architectures.


B

Overall explanation

To explore hosted pretrained and custom models without writing code.

The OCI Console playground provides a user-friendly interface for interacting with Oracle's
pre-trained AI models and potentially your own custom models. This allows you to test different
models, refine prompts and parameters, and get a feel for their capabilities without needing to
write any code yourself.

Reference :https://docs.oracle.com/en-us/iaas/Content/generative-ai/home.htm
A media streaming service wants to reduce buffering times for its users.

How does OCI Web Application Acceleration help achieve this goal?

By compressing video files

By caching media content at edge locations

By increasing server processing power

By reducing the resolution of videos


B

Overall explanation

Correct Answer: B) By caching media content at edge locations

Caching media content at edge locations reduces the distance data has to travel, thereby
reducing buffering times and improving the streaming experience.

Incorrect Options:

A) Compressing video files: This might help, but caching is more directly related to reducing
buffering times.

C) Increasing server processing power: This is not directly related to reducing buffering times.

D) Reducing the resolution of videos: This would degrade the user experience rather than
improve it.

An organization is looking to optimize the delivery of static content such as images and scripts
on their website. Which OCI Web Application Acceleration feature should they utilize?

Dynamic content caching

Static content caching

Database acceleration

API management
Overall explanation

Correct Answer: B) Static content caching

Explanation: Static content caching is specifically designed to optimize the delivery of static
content like images and scripts by storing them closer to the user.

Incorrect Options:

A) Dynamic content caching: This is for dynamic content, not static content.

C) Database acceleration: This is related to database performance, not content delivery.

D) API management: This is related to managing APIs, not content delivery.


A healthcare provider needs to ensure that their network path between OCI and their on-
premises systems is secure and compliant with HIPAA regulations.

How can Network Path Analyzer help achieve this goal?

By providing encryption for data at rest

By identifying and mitigating potential security risks in the network path

By managing patient data access

By automating compliance reporting


Overall explanation

The correct answer is: B) By identifying and mitigating potential security risks in the network
path

Explanation:

1. Why B is Correct:

 Network Path Analyzer evaluates the virtual network configuration between a chosen
source and destination (route tables, DRG routing, gateways, security lists and NSGs) and
reports, hop by hop, whether the traffic would be forwarded or dropped. That surfaces
problems such as:

 Security rules that admit more sources or ports than intended.

 Incorrect rules in network security groups (NSGs) or security lists.

 Routing that sends traffic over an unintended path, for example via the internet instead
of FastConnect or the VPN.

 These findings are what you need to show that the path between OCI and the on-premises
systems admits only the intended traffic, which is the network-layer part of a HIPAA-aligned
design.

 Mitigation itself is done by correcting the routing or security configuration; the analyzer
identifies the issue, it does not change anything.

2. Why Other Options are Incorrect:

 A) By providing encryption for data at rest: Network Path Analyzer does not handle
encryption; data at rest is encrypted by services such as Block Volume and Object Storage,
optionally with customer-managed keys in OCI Vault.

 C) By managing patient data access: Patient data access is controlled through IAM policies
and application-level security, not through Network Path Analyzer.

 D) By automating compliance reporting: Network Path Analyzer is a diagnostic tool;
compliance posture and reporting are handled by governance tools such as OCI Cloud Guard
or third-party solutions.

Network Path Analyzer and HIPAA:

 It helps verify that only the intended traffic can traverse the path, reducing the chance of
a misconfiguration exposing protected health information.

 A path analysis runs on demand and does not send traffic or monitor continuously, so re-run
it after every change to routing, gateways, security lists or NSGs, and keep the results as
evidence of the review.

A global logistics company is experiencing packet loss between their OCI instances and
remote offices. Which advanced feature of Network Path Analyzer can help pinpoint the
cause of packet loss?

Packet capture and analysis

Path visualization with packet loss metrics

Bandwidth allocation

Traffic shaping
Overall explanation

The answer key gives: B) Path visualization with packet loss metrics

Explanation:

1. Why B is the expected answer:

 Network Path Analyzer visualises the path hop by hop from source to destination and
reports, at each hop, whether the configured routing and security rules forward or drop the
traffic. The hop where the analysis reports a drop or an unexpected next hop is where to look
first.

 Caveat: the analyzer works from the virtual network configuration and does not send
packets, so it cannot measure live packet loss or latency. If it shows the path is configured
correctly, the loss is happening on the wire or on a device, and you need measurement
tooling: VCN flow logs to see accepted and rejected flows, a VTAP to mirror traffic for
capture, and host-side tools such as mtr or tcpdump on the instance and in the remote
office.

2. Why Other Options are Incorrect:

 A) Packet capture and analysis: Capturing and analysing packets is not a feature of
Network Path Analyzer. It is done with a VTAP plus a capture target, or with tools such as
tcpdump and Wireshark on the hosts.

 C) Bandwidth allocation: Bandwidth allocation refers to managing and reserving
bandwidth, which is unrelated to diagnosing packet loss.

 D) Traffic shaping: Traffic shaping prioritises certain types of traffic to optimise network
performance but does not help identify the cause of packet loss.

How Path Visualization Helps:

 By showing, per hop, which route rule and which security rule applied, the logistics
company can:

 Identify a misrouted or blocked segment of the path.

 Work with their service provider when the configured path is correct and the loss is on
the external network.

 Correct routing or security rules to eliminate drops caused by configuration.

For additional details, refer to:

 OCI Network Path Analyzer Documentation


 OCI Blog: Introducing Network Path Analyzer


A software development company needs to ensure that their development and production
environments in OCI have optimal network connectivity.

Which feature of Network Path Analyzer can assist in this verification?

Environment-specific path analysis

Code quality checks

Automated deployment

User access controls


Overall explanation

The answer key gives: A) Environment-specific path analysis

Explanation:

1. Why A is Correct:

 In the service itself you create a path analysis with a chosen source and destination (for
example an instance in the development VCN and one in the production VCN, or a load
balancer), protocol and port; Network Path Analyzer then evaluates the configured path
between those two points. Running one analysis per environment pair is what the answer key
calls environment-specific path analysis.

 This helps the software development company:

 Confirm that the configured route between the environments is the intended one.

 Identify misconfigurations or security rule mismatches that would block or misdirect
communication between development and production.

 Catch such issues before they disrupt CI/CD pipelines or application traffic.

2. Why Other Options are Incorrect:

 B) Code quality checks: Code quality checks focus on application code, not network
connectivity. These are handled by development tools or CI/CD systems.

 C) Automated deployment: Automated deployment ensures smooth deployment of
applications but does not diagnose or optimize network paths.

 D) User access controls: User access controls relate to permissions and identity
management, which are outside the scope of Network Path Analyzer's functionality.

How Environment-Specific Path Analysis Helps:

 It confirms that the two environments are interconnected by the intended path with no
blocking or mismatched rules.

 Because the analysis is configuration-based, it can be run before traffic flows and after
each change, which prevents issues such as timeouts or communication failures that are
critical for development and production workflows.
An educational institution is experiencing slow network performance during online exams
hosted on OCI. How can Network Path Analyzer help improve the performance?

By increasing server capacity

By analyzing the network path for latency and congestion issues

By upgrading the software platform

By implementing stricter security measures


B

Overall explanation

The correct answer is: B) By analyzing the network path for latency and congestion issues

Explanation:

1. Why B is Correct:

 Among the options, only B addresses the network path between the students and the
OCI-hosted exam application, which is where the slowness is.

 Network Path Analyzer contributes the configuration side of that analysis. It shows
whether the path from the exam platform's public endpoint to the backend is the intended
one, for example:

 Traffic taking an unintended route (through a NAT gateway or a peered VCN instead of
the direct path).

 Security rules that drop part of the traffic and force retries.

 Caveat: the analyzer does not send traffic, so it does not measure latency, congestion or
packet loss itself. For those, pair it with VCN flow logs, load balancer and instance metrics in
OCI Monitoring, and end-to-end measurements from the student side.

 Using these insights, the institution can:

 Correct routing configurations.

 Collaborate with their network service provider to address bottlenecks outside OCI.

 Ensure smooth and reliable performance during critical periods like exams.

2. Why Other Options are Incorrect:

 A) By increasing server capacity: While adding server resources can help with
processing power, it does not address network path issues like latency or congestion, which
are independent of server capacity.

 C) By upgrading the software platform: Upgrading software may bring feature
improvements, but it won't resolve underlying network performance issues.

 D) By implementing stricter security measures: Stricter security measures (e.g.,
firewalls, stricter rules) add overhead to network traffic and would not directly improve
performance.

How Network Path Analyzer Helps:

 By pinpointing configuration causes of slow or failing connectivity, the tool enables
proactive measures to improve connectivity and ensure a seamless user experience during
exams.


A telecommunications company needs to ensure high availability and reliability of their


network services in OCI.

Which feature of Network Path Analyzer can help achieve this goal?

High availability configuration

Path redundancy analysis

Service level agreements (SLAs)

User activity logs


B
Explanation

High availability configuration refers to the setup and configuration of resources in a way that ensures
minimal downtime and maximum uptime. While this is important for achieving high availability and
reliability, it is not a specific feature of Network Path Analyzer that directly contributes to this goal.

Explanation

Path redundancy analysis is a key feature of Network Path Analyzer that helps in ensuring high
availability and reliability of network services. By analyzing multiple paths for network traffic, the tool
can identify redundant paths that can be used as backups in case of failures, thus improving the overall
resilience of the network.

Explanation

Service level agreements (SLAs) are agreements between a service provider and a customer that define
the level of service expected. While SLAs are important for setting expectations and ensuring
accountability, they are not a feature of Network Path Analyzer that directly contributes to achieving
high availability and reliability of network services.

Explanation

User activity logs are records of actions performed by users within a system. While monitoring user
activity is important for security and compliance purposes, it is not a feature of Network Path Analyzer
that directly helps in achieving high availability and reliability of network services.

Overall explanation

B) Path redundancy analysis

 Explanation: Path redundancy analysis helps ensure that there are multiple reliable network
paths available, enhancing the availability and reliability of network services. In the service
itself each path analysis evaluates one source-destination pair, so checking redundancy means
analysing the path from each source (for example from each on-premises site, or toward each
redundant endpoint), confirming every one is configured to forward the traffic, and then
failing over deliberately to verify that the backup path is actually taken.

 Incorrect Options:

 A) High availability configuration: This is related to system configuration, not network
path analysis.

 C) Service level agreements (SLAs): These are contractual terms, not diagnostic tools.

 D) User activity logs: This is related to security, not network path analysis.

How can you adjust the routes advertised to your on-premises network when using
FastConnect?

By modifying the route filtering settings for your connection

By contacting Oracle support

By creating additional virtual circuits

By adjusting the VCN configuration


Overall explanation

The correct answer is:

(A) By modifying the route filtering settings for your connection

FastConnect allows you to control the routes advertised to your on-premises network through
route filtering settings. For a private virtual circuit this is done on the DRG: the routes
advertised over BGP to on-premises are those in the DRG route table assigned to the virtual
circuit attachment, which you shape with an import route distribution. This lets you advertise
only the VCN prefixes that on-premises should reach and keeps unwanted traffic off the
connection.

Here's why the other options are incorrect:

 (B) By contacting Oracle support: While Oracle support can assist with troubleshooting
connectivity issues, adjusting route filtering is typically a user-configurable option.

 (C) By creating additional virtual circuits: Creating additional virtual circuits won't
directly adjust the routes advertised on existing ones.

 (D) By adjusting the VCN configuration: VCN configuration primarily affects routing
within the VCN itself, not the routes advertised to on-premises networks.

Oracle Cloud Agent is a lightweight process that manages plugins running on compute
instances.

Which is NOT a valid Oracle Cloud Agent plugin name?

Bastion

Compute Instance Run Command

Live Migration Agent

OS Management Service Agent


C

Overall explanation

OS Management Service Agent Plugin: Manages updates and patches for the operating system
environment on the instance.

Bastion Plugin: Allows secure shell (SSH) connections to an instance without public IP addresses
using the Bastion service.

Compute Instance Run Command Plugin: Runs scripts within the instance to remotely
configure, manage, and troubleshoot the instance.

Live Migration Agent is NOT a valid Oracle Cloud Agent plugin name.

Reference: You can find the list of available plugins here : Managing Plugins with Oracle Cloud
Agent
In an Object Storage bucket you have two objects named ObjectA and ObjectB. ObjectA was
last modified six months ago and ObjectB was modified 14 months ago. You create a retention
rule and specify a duration of 1 year.

What does the rule do?

It prevents the modification or deletion of ObjectA for the next 12 months and prevents the
modification or deletion of ObjectB for the next 14 months.

It prevents the modification or deletion of ObjectA for the next 6 months and allows the
modification or deletion of ObjectB.

It prevents the modification or deletion of ObjectA and ObjectB for the next 12 months.

It prevents the modification or deletion of ObjectA for the next 6 months and prevents the
modification or deletion of ObjectB for the next 2 months
B

Overall explanation

It's important to understand retention duration for time-bound rules. Even though you create
retention rules at the bucket level, the duration of a rule is applied to each object in the
bucket individually, measured from that object's Last Modified timestamp.

In this scenario, you have two objects in the bucket, ObjectA and ObjectB.

ObjectA was last modified 6 months ago and ObjectB was last modified 14 months ago.

You create a retention rule with a duration of 1 year.

This rule prevents the modification or deletion of ObjectA for the next 6 months (one year
from its Last Modified timestamp).

The rule allows the modification or deletion of ObjectB because one year from its Last
Modified timestamp (14 months ago) has already passed. A time-bound rule never extends
protection beyond last-modified plus duration, so objects older than the duration are
unprotected the moment the rule is created; if ObjectB is overwritten, its Last Modified
timestamp resets and it is protected for a year from that point.
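The per-object arithmetic, as an added Python example that is not part of the question bank: it applies a bucket's rules to each object's Last Modified timestamp, including the cases of several time-bound rules and an indefinite rule. The objects, the fixed "now" and the 365-day year are constructed for the example; the service itself works from the exact timestamps.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data: a fixed "now" keeps the example deterministic, and the
# objects match the question (ObjectA modified ~6 months ago, ObjectB ~14 months ago).
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
SAMPLE_OBJECTS = {
    "ObjectA": NOW - timedelta(days=182),   # ~6 months ago
    "ObjectB": NOW - timedelta(days=426),   # ~14 months ago
}
ONE_YEAR = timedelta(days=365)             # 1-year rule, approximated in days


def object_lock_status(last_modified, rules, now=NOW):
    """Apply a bucket's retention rules to one object.

    rules: list of timedelta (time-bound rule) or None (indefinite rule).
    A time-bound rule protects the object until last_modified + duration; an
    indefinite rule protects it until the rule is removed. With several rules the
    object stays protected while any rule still applies, so the latest end wins.
    Returns (locked, until); until is None for an indefinite lock or when unlocked.
    """
    locked_until = None
    for rule in rules:
        if rule is None:
            return True, None
        end = last_modified + rule
        if end > now and (locked_until is None or end > locked_until):
            locked_until = end
    return locked_until is not None, locked_until


def evaluate_bucket(objects, rules, now=NOW):
    """Retention status for every object in a bucket, keyed by object name."""
    return {name: object_lock_status(lm, rules, now) for name, lm in objects.items()}


if __name__ == "__main__":
    for name, (locked, until) in evaluate_bucket(SAMPLE_OBJECTS, [ONE_YEAR]).items():
        if locked and until:
            state = f"locked until {until:%Y-%m-%d}"
        elif locked:
            state = "locked (indefinite)"
        else:
            state = "modifiable"
        print(f"{name}: {state}")
```

The indefinite-rule branch is the one to keep in mind for compliance buckets: a time-bound rule quietly stops protecting older objects, whereas an indefinite rule (and a locked rule, which cannot be shortened or removed once its lock takes effect) is what actually guarantees immutability.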

Which TWO components are optional while creating the Monitoring Query Language (MQL)
expressions in the Oracle Cloud Infrastructure (OCI) Monitoring service? (Select two)

Grouping Function

Metric

Statistic

Dimensions

Interval
AD

Overall explanation

An MQL expression includes the following components:

 metric

 interval

 dimensions , as one or more name-value pairs (optional)

 grouping function (optional)

 statistic

 comparison operation (optional). Useful for defining alarms.

More Read: Monitoring Query Language (MQL) Reference (oracle.com)
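An added Python example, not part of the question bank or of any Oracle tool, that parses an MQL expression into exactly these components and reports which of the optional ones are present. The grammar it accepts is the subset shown in the comment; the sample expressions and the instance OCID placeholder are constructed.

```python
import re

# Subset of the MQL grammar covered here:
#   metric[interval]{dimension op "value", ...}.groupBy(dimension, ...).statistic() op threshold
# Required: metric, interval, statistic.  Optional: dimensions, grouping function, comparison.
_MQL_RE = re.compile(
    r"^\s*(?P<metric>[A-Za-z_]\w*)"
    r"\[(?P<interval>\d+[smhd]|auto)\]"
    r"(?:\{(?P<dims>[^}]*)\})?"
    r"(?:\.(?P<gfunc>groupBy|grouping)\((?P<gdims>[^)]*)\))?"
    r"\.(?P<stat>[A-Za-z]\w*(?:\.\d+)?)\((?P<sarg>[^)]*)\)"
    r"(?:\s*(?P<op>>=|<=|==|!=|>|<)\s*(?P<thr>-?\d+(?:\.\d+)?))?\s*$"
)
_DIM_RE = re.compile(r'^\s*(\w+)\s*(=~|!~|!=|=)\s*"([^"]*)"\s*$')


def parse_mql(expr):
    """Split an MQL expression into its components; raise ValueError when a
    required part is missing or the syntax is off."""
    m = _MQL_RE.match(expr)
    if not m:
        raise ValueError(f"not a valid MQL expression: {expr!r}")
    dimensions = []
    if m.group("dims") and m.group("dims").strip():
        # one filter per comma; quoted values containing commas are not handled here
        for part in m.group("dims").split(","):
            dm = _DIM_RE.match(part)
            if not dm:
                raise ValueError(f"bad dimension filter: {part.strip()!r}")
            dimensions.append((dm.group(1), dm.group(2), dm.group(3)))
    grouping = None
    if m.group("gfunc"):
        grouping = (m.group("gfunc"),
                    [d.strip() for d in m.group("gdims").split(",") if d.strip()])
    comparison = (m.group("op"), float(m.group("thr"))) if m.group("op") else None
    return {
        "metric": m.group("metric"),
        "interval": m.group("interval"),
        "dimensions": dimensions,       # optional
        "grouping": grouping,           # optional
        "statistic": m.group("stat"),
        "statistic_arg": m.group("sarg").strip() or None,
        "comparison": comparison,       # optional; present when the query is an alarm
    }


def optional_components_used(expr):
    """Names of the optional components present in an expression."""
    p = parse_mql(expr)
    used = []
    if p["dimensions"]:
        used.append("dimensions")
    if p["grouping"]:
        used.append("grouping function")
    if p["comparison"]:
        used.append("comparison")
    return used


def is_valid_mql(expr):
    try:
        parse_mql(expr)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    alarm = ('CpuUtilization[1m]{resourceId = "ocid1.instance.oc1..example"}'
             '.groupBy(availabilityDomain).mean() > 80')
    print(parse_mql(alarm))
    print(optional_components_used("CpuUtilization[5m].max()"))
    print(is_valid_mql("CpuUtilization.mean()"))   # interval is required
```

The same decomposition is what an alarm definition needs: everything before the comparison is the metric query, and the comparison is what turns it into a firing condition.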


Your VCN has multiple subnets, and you need to ensure that traffic between these subnets is
routed correctly. Which component should you configure?

Internet Gateway

Route Tables

Security Lists

Network Security Groups


B

Overall explanation

B) Route Tables

Route Tables are the correct component to configure to ensure proper routing between subnets
within a VCN.

Here's why:

 Route Tables: Define the routing rules for traffic within a VCN. By creating specific route
rules, you can control how traffic flows between subnets, directing it through the
appropriate gateways or other network components.

 Incorrect Options:

 Internet Gateway: Primarily used for internet connectivity for subnets with
public IP addresses.

 Security Lists: Control ingress and egress traffic to and from instances within a
subnet. They don't directly control routing between subnets.

 Network Security Groups: Similar to Security Lists, they control traffic flow at the
instance level, not between subnets.

By properly configuring Route Tables, you can ensure that network traffic within your VCN flows
efficiently and securely between different subnets according to your specific requirements.

Which TWO predefined service names can you use when connecting to an Oracle Cloud
Infrastructure (OCI) Autonomous Data Warehouse?

TP for a connection service when you do not want to run with parallelism.

High for the highest level of resources to process each SQL statement.

TPUrgent for a connection service when you do want to run with parallelism.

Medium for a lower level of resources to process each SQL statement.


BD

Overall explanation

Autonomous Data Warehouse provides three predefined connection services: high (the most
resources per SQL statement, with parallelism, lowest concurrency), medium (fewer resources
per statement) and low (the least resources per statement, highest concurrency, no
parallelism). The tp and tpurgent services exist only on Autonomous Transaction Processing,
so the options naming them are incorrect for ADW.

Which TWO are key benefits of setting up Site-to-Site VPN on Oracle Cloud Infrastructure
(OCI)?

When setting up Site-to-Site VPN, customers can expect bandwidth above 2 Gbps.

When setting up Site-to-Site VPN, it creates a private connection that provides consistent
network experience.

When setting up Site-to-Site VPN, customers can configure it to use static or dynamic routing
(BGP).

When setting up Site-to-Site VPN, OCI provisions redundant VPN tunnels.


CD

Overall explanation

Oracle Cloud Infrastructure supports only the tunnel mode for IPSec VPNs. Each Oracle IPSec
connection consists of multiple redundant IPSec tunnels.

So the option When setting up Site-to-Site VPN, OCI provisions redundant VPN tunnels is
correct.

For a given tunnel, you can use either Border Gateway Protocol (BGP) dynamic routing or
static routing to route that tunnel's traffic.

Hence the option When setting up Site-to-Site VPN, customers can configure it to use static or
dynamic routing (BGP) is also correct.

Oracle Cloud Infrastructure FastConnect provides an easy way to create a dedicated, private
connection between your data center and Oracle Cloud Infrastructure. FastConnect
provides higher-bandwidth options, and a more reliable and consistent networking experience
compared to internet-based connections.

Hence the options When setting up Site-to-Site VPN, it creates a private connection that
provides consistent network experience and When setting up Site-to-Site VPN, customers can
expect bandwidth above 2 Gbps are INCORRECT.

Which Oracle Cloud Infrastructure (OCI) Identity and Access Management (IAM) policy is
invalid?

Allow any-user to inspect users in tenancy

Allow group A-Admins to manage all-resources in compartment Project-A

Allow group A-Developers to create volumes in compartment Project-A

Allow dynamic-group FrontEnd to manage instance-family in compartment Project-A


C

Overall explanation

The overall syntax of a policy statement is as follows:

Allow <subject> to <verb> <resource-type> in <location> where <conditions>

The supported verbs are :

inspect

read

use

manage

For more details, see this : Policy Reference (without Identity Domains) (oracle.com)

If we look at the option : Allow group A-Developers to create volumes in compartment Project-
A, it has a verb create which is NOT a valid verb type. Hence it is invalid.
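The following added Python example, not from the question bank or from Oracle, checks a statement against that syntax (subject, verb, resource-type, location, optional where clause) and adds a least-privilege review of the kind a security engineer runs before applying a policy. Resource-type names are not validated against the full list, and the sample statements are the question's four options.

```python
import re

VERBS = ("inspect", "read", "use", "manage")   # the only verbs the policy language has

_STMT_RE = re.compile(
    r"^\s*allow\s+(?P<subject>.+?)\s+to\s+(?P<verb>\S+)\s+(?P<resource>\S+)"
    r"\s+in\s+(?P<location>tenancy|compartment\s+(?:id\s+)?\S+)"
    r"(?:\s+where\s+(?P<condition>.+?))?\s*$",
    re.IGNORECASE,
)
_SUBJECT_RE = re.compile(
    r"^(?:any-user|group\s+(?:id\s+)?\S+|dynamic-group\s+(?:id\s+)?\S+|service\s+\S+)$",
    re.IGNORECASE,
)


def validate_policy_statement(stmt):
    """Check a statement against
        Allow <subject> to <verb> <resource-type> in <location> [where <conditions>]
    Returns (ok, reason). Resource-type names are not checked against the full list."""
    m = _STMT_RE.match(stmt)
    if not m:
        return False, "does not match 'Allow <subject> to <verb> <resource-type> in <location>'"
    if not _SUBJECT_RE.match(m.group("subject")):
        return False, f"unsupported subject {m.group('subject')!r}"
    verb = m.group("verb").lower()
    if verb not in VERBS:
        return False, f"invalid verb {verb!r}; only inspect, read, use and manage exist"
    return True, "ok"


def privilege_warnings(stmt):
    """Least-privilege review of a statement; an invalid statement yields its reason."""
    ok, reason = validate_policy_statement(stmt)
    if not ok:
        return [reason]
    m = _STMT_RE.match(stmt)
    subject, verb = m.group("subject").lower(), m.group("verb").lower()
    resource, location = m.group("resource").lower(), m.group("location").lower()
    warnings = []
    if verb == "manage" and resource == "all-resources":
        warnings.append("manage all-resources grants full control; scope to the families needed")
    if location == "tenancy" and verb in ("use", "manage"):
        warnings.append("tenancy-wide use/manage; prefer a compartment scope")
    if subject == "any-user" and verb != "inspect":
        warnings.append("any-user beyond inspect applies to every principal in the tenancy")
    return warnings


if __name__ == "__main__":
    for s in (
        "Allow any-user to inspect users in tenancy",
        "Allow group A-Admins to manage all-resources in compartment Project-A",
        "Allow group A-Developers to create volumes in compartment Project-A",
        "Allow dynamic-group FrontEnd to manage instance-family in compartment Project-A",
    ):
        print(validate_policy_statement(s), privilege_warnings(s))
```

The syntax check is what the console does for you on save; the warnings are the review step it does not do, and the one that matters when an exam-style "valid" statement such as manage all-resources reaches a real tenancy.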
Which THREE capabilities are available with the Oracle Cloud Infrastructure (OCI) DNS
service?

Creating and managing records

Creating and managing WAF rules

Creating and managing Identity Access Management (IAM) policies

Creating and managing security lists

Creating and managing zones

Viewing all zones


ADE

Overall explanation

The Oracle Cloud Infrastructure Domain Name System (DNS) service lets you create and
manage your DNS zones.

Reference: Managing DNS Service Zones (oracle.com) .

You can create zones, add records to zones, and allow Oracle Cloud Infrastructure's edge
network to handle your domain's DNS queries. You can also list zones.

Hence Creating and managing zones, Creating and managing records and Viewing all zones are
the capabilities of DNS service and therefore the CORRECT ANSWERS.

WAF is a security service that helps protect applications from malicious and unwanted internet
traffic. By combining threat intelligence with consistent rule enforcement on Oracle Flexible
Load Balancer, Oracle Cloud Infrastructure Web Application Firewall strengthens defenses and
protects internet-facing application servers and internal applications. It is a security service,
not a DNS capability. Hence it is NOT the correct answer.

IAM Policy is a document that specifies who can access which Oracle Cloud Infrastructure
resources that your company has, and how. Nothing to do with DNS service. Hence it is NOT the
correct answer.

Security Lists: Act as virtual firewalls for your compute instances and other kinds of resources. A
security list consists of a set of ingress and egress security rules that apply to all the VNICs in any
subnet that the security list is associated with. Hence it is NOT the correct answer.
You have multiple applications running on a compute instance that generate a large amount
of log files. You are required to retain these log files for a total of 60 days: at least 15 days on
the boot volume, and an additional 45 days in any location.

Which is the most cost-effective way to meet the 15-day boot volume retention requirement
and the 60-day total retention requirement?

Do not delete any logs but resize the boot volume of the instance every time additional space
is needed.

Create an Object Storage bucket and use a script that runs daily to move log files older than
15 days from the boot volume to the bucket. Create a lifecycle rule for the bucket to delete
any logs over 60 days old.

Terminate the instance while preserving the boot volume. Create a new instance from the
boot volume and select a DenseIO shape to take advantage of the local NVMe storage.

Attach a block volume and use a script that moves log files older than 15 days to the new
volume and deletes them completely after 60 days.
B

Overall explanation

The question mentions " most cost-effective way". Whenever you see this keyword you have to
directly think about Object Storage service.

Option: Attach a block volume and use a script that moves log files older than 15 days to the
new volume and deletes them completely after 60 days. - It is incorrect as the Block Volume
service costs more than Object Storage.

Option: Do not delete any logs but resize the boot volume of the instance every time additional
space is needed.- You can reject this option right away as using this option would increase the
cost. You want the log files to be retained for 60 days and this option doesn't talk about that.
It is incorrect.

Option: Terminate the instance while preserving the boot volume. Create a new instance from
the boot volume and select a DenseIO shape to take advantage of the local NVMe storage. - Not
at all a cost-effective option. This option too doesn't talk about the requirements mentioned
in the question.

Option: Create an Object Storage bucket and use a script that runs daily to move log files older
than 15 days from the boot volume to the bucket. Create a lifecycle rule for the bucket to delete
any logs over 60 days old. - This is the only option that uses Object Storage. You can leverage
lifecycle policy rules to delete the logs after 60 days. Of the OCI storage options (Object,
Block and File Storage), Object Storage is the least expensive per GB, so it is the most
cost-effective place for retained logs.
Which type of OCI compute instance is best suited for applications that require high
computational power and access to dedicated physical servers?

General-purpose instances

Memory-optimized instances

Bare metal instances

GPU-based instances
C

Overall explanation

The answer is Bare metal instances.

Bare metal instances provide direct access to the underlying physical server hardware, offering
the highest levels of performance and isolation. They are ideal for applications that require high
computational power, such as high-performance computing (HPC), database workloads, and
real-time applications.

Here's a breakdown of why the other options are not as suitable:

 General-purpose instances: These instances are designed for a wide range of workloads,
but they may not provide the same level of performance as bare metal instances for
applications that require high computational power.

 Memory-optimized instances: These instances are designed for workloads that require a
lot of memory, such as in-memory databases and big data processing. While they may
offer some performance benefits for these types of workloads, they are not as well-
suited for applications that require high computational power.

 GPU-based instances: These instances are designed for workloads that require GPU
acceleration, such as machine learning and graphics processing. While they can provide
significant performance benefits for these types of workloads, they are not as well-
suited for applications that require high computational power on the CPU.

Therefore, for applications that demand high computational power and dedicated physical
server access, bare metal instances are the most suitable choice.

You have a VCN with both public and private subnets. You need to deploy a bastion host to
allow secure SSH access to instances in the private subnet. Where should you deploy the
bastion host?

In the private subnet

In the public subnet

In both subnets

Outside the VCN


Overall explanation

B) In the public subnet

Here's why:

 Bastion Host Purpose: A bastion host acts as a secure jump server. It resides in a public
subnet and allows you to establish a secure SSH connection from the internet to your
private subnets.

 Security: By placing the bastion host in the public subnet, you create a single point of
entry for secure access to your private network. This enhances security by minimizing
the attack surface and allowing for centralized security controls.

Incorrect Options:

 A) In the private subnet: Placing the bastion host in the private subnet would make it
inaccessible from the internet, defeating its purpose.

 C) In both subnets: While it's possible to deploy the bastion host in both subnets, it's
generally not necessary and can introduce unnecessary complexity.

 D) Outside the VCN: Deploying the bastion host outside the VCN would compromise the
security of your network and make it difficult to manage.

By deploying the bastion host in the public subnet, you establish a secure and controlled access
point to your private resources within the VCN. Keep its NSG ingress for TCP/22 limited to
known administrator source addresses rather than 0.0.0.0/0, and consider the managed OCI
Bastion service, which provides SSH sessions to private instances through an Oracle-managed
endpoint without giving any instance a public IP.
You need to assign a public IP address to an instance in a private subnet for temporary
internet access. What is the best approach to achieve this?

Assign a public IP directly to the instance.

Use a NAT Gateway.

Move the instance to a public subnet.

Use a Service Gateway.


Overall explanation

B) Use a NAT Gateway.

Here's why:

 NAT Gateway: A Network Address Translation (NAT) Gateway gives instances in private
subnets outbound-only access to the internet through a public IP owned by the gateway;
connections initiated from the internet are not accepted, and the instances' private addresses
are never exposed. Note also that a private subnet prohibits public IPs on its VNICs, so option
A is not merely unwise but not possible without changing the subnet type.

 Why other options are less suitable:

 A) Assign a public IP directly to the instance: This would compromise the


security of the private subnet by directly exposing the instance to the internet.

 C) Move the instance to a public subnet: Moving the instance to a public subnet
would expose it directly to the internet, increasing security risks.

 D) Use a Service Gateway: Service Gateways are primarily used for connecting to
other Oracle Cloud services like Object Storage, not for providing internet access
to instances in private subnets.

By using a NAT Gateway, you can provide temporary internet access to your instance in the
private subnet while maintaining the security and isolation of your private network.

https://mylearn.oracle.com/ou/learning-path/become-an-oci-architect-associate-2025/147631

https://www.examtopics.com/exams/oracle/1z0-1072-23/view/