1072-2025 Certification Dump
Question 51
QUESTION 1
You have an AI/ML application running on Oracle Cloud Infrastructure. You identified that the
application needs a GPU and at least 20 Gbps network throughput.
The application is currently using a VM.Standard2.1 compute without any block storage
attached to it.
Which two options allow you to get your required performance for your application?
A. Terminate the compute instance preserving the boot volume. Create a new compute instance
using the BM.GPU2.2 shape using the boot volume preserved and attach a new block volume to
host your application.
B. Terminate the compute instance preserving the boot volume. Create a new compute instance
using the BM.HPC2.36 shape using the boot volume preserved and use the NVMe devices to
host your application.
C. Terminate the compute instance preserving the boot volume. Create a new compute instance
using the BM.GPU2.2 shape using the boot volume preserved, but no block volume attached.
D. Terminate the compute instance preserving the boot volume. Create a new compute instance
using the VM.Standard2.2 shape using the boot volume preserved, but no block volume
attached.
E. Terminate the compute instance preserving the boot volume. Create a new compute instance
using the VM.GPU3.4 shape using the boot volume preserved and use the NVMe devices to
host your application.
AE
Terminate the compute instance preserving the boot volume. Create a new compute instance
using the VM.GPU3.4 shape using the boot volume preserved and use the NVMe devices to
host your application.
Terminate the compute instance preserving the boot volume. Create a new compute instance
using the BM.GPU2.2 shape using the boot volume preserved and attach a new block volume
to host your application.
Both options provide the required GPU capability and the necessary network throughput for
your AI/ML application. VM.GPU3.4 offers a higher performance with 8 NVIDIA V100 GPUs and
100 Gbps network bandwidth, while BM.GPU2.2 provides a more cost-effective solution with 2
NVIDIA P100 GPUs and 25 Gbps network bandwidth.
Terminate the compute instance preserving the boot volume. Create a new compute instance
using the VM.GPU3.4 shape using the boot volume preserved and use the NVMe devices to
host your application. This option is highly recommended as it provides the best performance
for your AI/ML application. The VM.GPU3.4 shape offers 8 NVIDIA V100 GPUs for superior GPU
processing power and 100 Gbps network bandwidth to handle the high data transfer demands
of your application. Additionally, the NVMe devices provide fast and reliable storage for your
application data.
Terminate the compute instance preserving the boot volume. Create a new compute instance
using the BM.GPU2.2 shape using the boot volume preserved and attach a new block volume
to host your application. This option is a viable alternative to Option C, providing a balance
between performance and cost-effectiveness. The BM.GPU2.2 shape offers 2 NVIDIA P100 GPUs
for adequate GPU processing power and 25 Gbps network bandwidth, meeting your minimum
requirements. Additionally, attaching a new block volume provides additional storage for your
application data.
In conclusion, these are the two most appropriate choices for providing the required GPU capability
and network throughput for your AI/ML application. Option C offers superior performance with
8 NVIDIA V100 GPUs and 100 Gbps network bandwidth, while Option E provides a more
cost-effective solution with 2 NVIDIA P100 GPUs and 25 Gbps network bandwidth. The choice
between the two options depends on your specific performance and budget requirements.
Question 52
You created a virtual cloud network (VCN) with three private subnets. Two of the subnets
contain application servers and the third subnet contains a DB System. The application requires
a shared file system, therefore you have provisioned one using the file storage service (FSS).
You have also created the corresponding mount target in one of the application subnets. The
VCN security lists are properly configured so that the application servers can access FSS. The
security team changed the settings for the DB System to have read-only access to the file
system. However, when they test it, they are unable to access FSS.
How would you allow access to FSS?
A. Create an NFS export option that allows READ_ONLY access where the source is the
CIDR range of the DB System subnet.
B. Modify the security list associated with the subnet where the mount target resides.
Change the ingress rules corresponding to the DB System subnet to be stateless.
C. Create an instance principal for the DB System. Write an Identity and Access
Management (IAM) policy that allows the instance principal read-only access to the file
storage service.
D. Modify the security list associated with the subnet where the mount target resides.
Change the ingress rules corresponding to the DB System subnet to be stateful.
D
Question 53
You want to create a policy to allow the NetworkAdmins group to manage VCN in Compartment
C. You want to attach this policy to the tenancy. The compartment hierarchy is shown as below:
Question 54
What happens after you successfully run the following command on your Oracle Cloud
Infrastructure Container Engine for Kubernetes (OKE) using the YAML file defined below?
apiVersion: v1
kind: Pod
metadata:
  name: myapp
  labels:
    app: myapp
spec:
  containers:
  - name: nginx-image
    image: nginx
  - name: mysql-image
    image: mysql
Question 55
Which of the below options is true regarding Oracle Cloud Infrastructure's load balancing
service?
The Load Balancing service enables you to create only public load balancer within your VCN.
You can dynamically change load balancer shape to handle more incoming traffic.
When you create a private load balancer, the service requires only one subnet to host both
the primary and standby load balancers.
Overall explanation
When you create a private load balancer, the service requires only one subnet to host both the
primary and standby load balancers. The load balancer can be regional or AD-specific,
depending on the scope of the host subnet. The load balancer is accessible only from within the
VCN that contains the host subnet, or as further restricted by your security rules.
Question 56
Which of the following is NOT a good use case for the volume backup feature of the Oracle
Cloud Infrastructure Block Volume service?
Retain a copy of data in a volume, so that you can duplicate an environment later or preserve
the data for future use.
Meet compliance and regulatory requirements for data to remain unchanged over time, so
that it can be retrieved for audit purpose.
Overall explanation
Retain a backup of the data in a volume, so that you can duplicate an environment later or
preserve the data for future use. Meet compliance and regulatory requirements, because the
data in a backup remains unchanged over time. Support business continuity requirements.
Reduce the risk of outages or data mutation over time.
Question 57
You are an administrator with an application running on OCI. The company has a fleet of OCI
compute virtual instances behind an OCI Load Balancer. The OCI Load Balancer Backend Set
health check API is providing a 'Critical' level warning. You have confirmed that your
application is running healthy on the backend servers. What is the possible reason for this
'Critical' warning?
A user does not have correct IAM credentials on the Backend Servers
The Backend Server VCN's Security List does not include the IP range for the source of the
health check requests
The Backend Server VCN's Route Table does not include the route for OCI LB
B
Question 57
Which advanced feature of Network Path Analyzer should they use to diagnose the issue?
Overall explanation
The correct answer is: B) Multi-hop analysis with latency and packet loss metrics
Explanation:
1. Why B is Correct:
Multi-hop analysis with latency and packet loss metrics is a specific feature of
the Network Path Analyzer that examines the entire route between two
endpoints, such as an OCI instance and an on-premises data center.
It provides detailed insights into each hop in the network path, measuring
latency, packet loss, and other key metrics. This information is essential for
diagnosing inconsistent performance, as it helps pinpoint the segment of the
network causing the issue.
A) Basic path tracing: While basic path tracing might show the route, it lacks
advanced diagnostic metrics like latency and packet loss, making it insufficient for
resolving complex performance issues.
C) Simple ping tests: Ping tests only check connectivity and round-trip time
between two endpoints. They do not provide detailed insights into intermediate
hops, which is crucial for diagnosing issues in a multi-hop network path.
D) Static route configuration: Static routes are used to define fixed paths for
network traffic but are unrelated to diagnosing performance issues. Configuring
static routes won’t help identify or resolve inconsistencies in the existing network
path.
Supporting Information:
The Network Path Analyzer uses tools like traceroute and combines them with advanced
diagnostics for a comprehensive view of the network path.
Detailed metrics like latency and packet loss enable network engineers to identify and
address specific problems, such as congested routers or misconfigured network devices.
Question 58
You deployed a compute instance (VM.Standard2.16) to run a SQL database. After a few
weeks, you need to increase disk performance by using NVMe disks; the number of CPUs will
not change. As a first step you terminate the instance and preserve the boot volume. What is
the next step?
Create a new instance using a VM.Standard1.16 using the preserved boot volume and move
the SQL Database data to NVMe disks.
Create a new instance using a VM.DenseIO2.16 using the preserved boot volume and move
the SQL Database data to block volume.
Create a new instance using a VM.DenseIO2.8 using the preserved boot volume and move the
SQL Database data to NVMe disks.
Create a new instance using a VM.DenseIO2.16 using the preserved boot volume and move
the SQL Database data to NVMe disks.
D
Overall explanation
Start – Restarts a stopped instance. After the instance is restarted, the Stop action is
enabled
Stop – Shuts down the instance. After the instance is powered off, the Start action is
enabled
Reboot – Shuts down the instance, and then restarts it
Instance's public and private IP addresses are released and become available for other
instances
By default, the instance's boot volume is deleted, however you can preserve the boot
volume and attach it to a different instance as a data volume, or use it to launch a new
instance
Question 59
You have an application server running in a public subnet on a compute instance in US West
(us-phoenix-1) region of Oracle Cloud Infrastructure (OCI). The data sitting on this instance
needs to be copied to OCI Object storage bucket available in the same region without
traversing over the internet. To enable the connectivity between the instance and Object
Storage, you created a service gateway with service CIDR of all Object Storage in us-phoenix-1
enabled. You also modified the security rules to allow the desired traffic. However, when you
tried sending the data to the Object Storage bucket, you notice that the data is going over the
internet and not via the service gateway. What could be the possible reason for this behavior?
Identity and Access Management (IAM) policies restrict the access to the object storage bucket.
The service gateway created in the VCN resides in a different availability domain.
The security list associated with the subnet has an egress rule that allows all traffic to be
forwarded to a destination CIDR 0.0.0.0/0.
The route table associated with the subnet has no route rule where the destination is object
storage service.
D
Overall explanation
The route table associated with the subnet has no route rule where the destination is the
Object Storage service.
Explanation:
Even though you've configured the Service Gateway and security rules correctly, the traffic still
goes over the internet because the default route for the subnet is pointing to the internet
gateway. This means that the traffic is not being routed through the Service Gateway as
intended.
To resolve this issue, you need to create a route rule in the route table associated with the
subnet. This route rule should:
Destination: The Service CIDR of the Object Storage service in the us-phoenix-1 region.
By adding this route rule, you ensure that the traffic destined for Object Storage is routed
through the Service Gateway, bypassing the internet and maintaining a private connection.
Remember to ensure that the security lists associated with the subnet allow traffic to the
Service Gateway.
Question 60
You are asked to create a user that will access programmatic endpoints in Oracle Cloud
Infrastructure. The user must not be allowed to authenticate by username and password.
Auth tokens
Windows password
Correct Answer :
1. API Keys
2. Auth Tokens
Both of these methods provide secure and efficient ways to authenticate API requests
without relying on traditional username and password credentials.
API Signing Keys: API Signing Keys are another method for authenticating requests to OCI
services. They involve generating a private key and a public key pair. The private key is used to
sign requests, while the public key is used to verify the signature.
By using API Signing Keys, you can create users that can access programmatic endpoints
without requiring username and password-based authentication, enhancing security and
streamlining access management.
Auth Tokens are a secure and efficient way to authenticate API requests without requiring
traditional username and password credentials. They provide a temporary token that can be
used to access OCI resources.
Reference :
https://docs.oracle.com/en-us/iaas/Content/Identity/access/working-with-auth-tokens.htm
https://docs.oracle.com/apisignining
BC
Question 61
A new employee has just started working for your company. You create an Oracle Cloud
Infrastructure user account for this employee, following which they are able to log in, but still
cannot create any resources. What should you do to resolve this?
Make sure that the employee is logging in to the Oracle Cloud Infrastructure account from
your corporate network only.
Add the employee to a group with policies to grant access to relevant resources.
D
Overall explanation
Correct Ans: Add the employee to a group with policies to grant access to relevant resources.
Question 62
You are designing a two-tier web application in Oracle Cloud Infrastructure (OCI). Your clients
want to access the web servers from anywhere, but want to prevent access to the database
servers from the Internet. Which is the recommended way to design the network
architecture?
Create public subnets for web servers and private subnets for database servers in your virtual
cloud network (VCN), and associate separate internet gateways for each subnet.
Create public subnets for web servers and associate a dynamic routing gateway with that
subnet, and a private subnet for database servers with no association to dynamic gateway.
Create public subnets for web servers and private subnets for database servers in your VCN,
and associate separate security lists and route tables for each subnet.
Create a single public subnet for your web servers and database servers, and associate only
your web servers to internet gateway.
C
Overall explanation
When you create a subnet, by default it's considered public, which means instances in that
subnet are allowed to have public IP addresses. Whoever launches the instance chooses
whether it will have a public IP address. You can override that behavior when creating the
subnet and request that it be private, which means instances launched in the subnet are
prohibited from having public IP addresses. Network administrators can therefore ensure that
instances in the subnet have no internet access, even if the VCN has a working internet
gateway, and security rules and firewall rules allow the traffic.
There are two optional gateways (virtual routers) that you can add to your VCN depending on
the type of internet access you need:
Internet gateway: For resources with public IP addresses that need to be reached from the
internet (example: a web server) or need to initiate connections to the internet.
NAT gateway: For resources without public IP addresses that need to initiate connections to
the internet (example: for software updates) but need to be protected from inbound
connections from the internet.
Just having an internet gateway alone does not expose the instances in the VCN's subnets
directly to the internet. The following requirements must also be met:
The internet gateway must be enabled (by default, the internet gateway is enabled upon
creation).
The subnet must be public.
The subnet must have a route rule that directs traffic to the internet gateway.
The subnet must have security list rules that allow the traffic (and each instance's firewall
must allow the traffic).
The instance must have a public IP address.
Question 63
Which two identity providers can your administrator federate with Oracle Cloud
Infrastructure? (Choose two.)
Overall explanation
Oracle Cloud Infrastructure supports federation with Oracle Identity Cloud Service and
Microsoft Active Directory (via Active Directory Federation Services (AD FS)), and any identity
provider that supports the Security Assertion Markup Language (SAML) 2.0 protocol.
Question 64
An instance is launched with a primary VNIC that is created during instance launch. Which
two operations are true when you add secondary VNICs to an existing instance? (Choose
two.)
You can remove the primary VNIC after the secondary VNIC’s attachment is complete.
The primary and secondary VNIC association should be within the same Availability Domain.
Overall explanation
Reference: https://docs.cloud.oracle.com/iaas/Content/Network/Tasks/managingVNICs.htm
Question 65
Which storage service is used on OCI for a Data Transfer Service job?
An object bucket
Block Volume
B
Overall explanation
Reference: https://docs.cloud.oracle.com/en-us/iaas/Content/DataTransfer/Concepts/overview.htm
Question 65
PFX
PEM
PKCS12
CRT
Overall explanation
Reference: https://docs.cloud.oracle.com/iaas/Content/Balance/Tasks/managingcertificates.htm
Question 66
You are in the process of setting up a highly available student registration website on Oracle
Cloud Infrastructure (OCI). You use a load balancer and a database service on OCI. You launch
two compute instances each in a different subnet and add them to the back end set of a
public load balancer. The load balancer is configured correctly and working. You then deploy
the student registration application on these two compute instances. The application can
communicate with the database service. However, when you type the URL of this student
registration application in your browser, no web page appears. What could be the cause?
The security lists of the subnets on which the two instances are located do not have "allow"
rules for port 80 and 443.
The load balancer performed a health check on the application and found that compute
instances were not in a healthy state and terminated the instances.
The client requested https access to the application and the load balancer service does not
support end-to-end SSL from the client to the listener to the back-end set.
Routing Gateway is preventing the client traffic from your data center network from reaching
the public IP of the load balancer.
A
Question 67
Which DNS resource record type is used to point a host name to an IPv4 address?
ALIAS
CNAME
AAAA
B
Question 68
You are responsible for creating and maintaining an enterprise application that consists of
multiple storage volumes across multiple compute instances in Oracle Cloud Infrastructure
(OCI). The storage volumes include boot volumes and block volumes for your data storage.
You need to create backups of these storage volumes in the most time-efficient manner. How
can you meet this requirement?
Create on-demand full backups of block volumes, and create custom images from the boot
volumes.
Create on-demand full backups of boot volumes, and copy data in block volumes to Object
Storage using OCI CLI.
Create clones of all boot volumes and block volumes one at a time.
Group together multiple storage volumes in a volume group and create volume group
backups.
D
Question 69
You are working as a Solution Architect in an organization. You are deploying a highly
available web application in Oracle Cloud Infrastructure and have decided to use a public load
balancer. The back end web servers will be distributed across all three availability domains
(ADs). How many subnets should you create to deliver a secure, highly available application?
Two subnets in total. One regional private subnet to host your back-end web servers and one
regional public subnet to host your public load balancer.
Three subnets in total. One regional public subnet to host your back-end web servers and two
AD specific private subnets to host your private load balancer.
Two subnets in total. One regional public subnet to host your back-end web servers and one
regional private subnet to host your public load balancer.
One subnet in total. One regional private subnet to host your back-end web servers and your
public load balancer.
A
Overall explanation
A public load balancer is regional in scope. If your region includes multiple availability
domains, a public load balancer requires either a regional subnet (recommended) or two
availability domain-specific (AD-specific) subnets, each in a separate availability domain.
With a regional subnet, the Load Balancing service creates a primary load balancer and a
standby load balancer, each in a different availability domain, to ensure accessibility even
during an availability domain outage.
If you create a load balancer in two AD-specific subnets, one subnet hosts the primary load
balancer and the other hosts a standby load balancer. If the primary load balancer fails, the
public IP address switches to the secondary load balancer. The service treats the two load
balancers as equivalent and you cannot specify which one is "primary". Whether you use
regional or AD-specific subnets, each load balancer requires one private IP address from its
host subnet.
The Load Balancing service supplies a floating public IP address to the primary load balancer.
The floating public IP address does not come from your backend subnets. If your region
includes only one availability domain, the service requires just one subnet, either regional or
AD-specific, to host both the primary and standby load balancers. You cannot specify a private
subnet for your public load balancer. When you create a private load balancer, the service
requires only one subnet to host both the primary and standby load balancers. The load
balancer can be regional or AD-specific, depending on the scope of the host subnet.
Reference: https://docs.cloud.oracle.com/en-us/iaas/Content/Balance/Concepts/balanceoverview.htm
Question 70
You have two line of business operations (LOB1, LOB2) leveraging Oracle Cloud Infrastructure.
LOB1 is deployed in VCN1 in the OCI US East region, while LOB2 is deployed in VCN2 in the US
West region. You need to peer VCN1 and VCN2 for disaster recovery and data backup
purposes. To ensure you can utilize the OCI Virtual Cloud Network remote peering feature,
which CIDR ranges should be used?
Overall explanation
VCN1 (10.0.0.0/16) will use the IP range from 10.0.0.0 to 10.0.255.255 and VCN2
(172.16.0.0/16) will use the IP range from 172.16.0.0 to 172.16.255.255, so there will be no
overlap between the two VCNs.
Question 71
You are a system administrator of your company and you are managing a complex
environment consisting of compute instances running Oracle Linux on Oracle Cloud
Infrastructure (OCI). It's your task to apply all the latest kernel security updates to all
instances.
OCI Registry
OS Management service
Overall explanation
The Oracle Cloud Infrastructure OS Management service allows you to manage and monitor
updates and patches for the operating system environments on your Oracle Cloud instances,
including instances managed by the OS Management Oracle Autonomous Linux service.
Hence it is the correct ANSWER.
OCI Registry makes it easy to store, share, and manage development artifacts like Docker
images. Hence it is INCORRECT.
Cloud Guard is a cloud native service that helps customers monitor, identify, achieve, and
maintain a strong security posture on Oracle Cloud. Use the service to examine your Oracle
Cloud Infrastructure resources for security weakness related to configuration, and your Oracle
Cloud Infrastructure operators and users for risky activities. Upon detection, Cloud Guard can
suggest, assist, or take corrective actions, based on your configuration. Hence it is INCORRECT.
Security Zones enforce security posture on OCI cloud compartments and prevent actions that
could weaken a customers’ security posture. Security Zone policies can be applied to various
cloud infrastructure types (network, compute, storage, database, etc.) to ensure cloud
resources stay secure and prevent security misconfigurations. Hence it is INCORRECT.
Question 73
Which of the following statements is true about the Oracle Cloud Infrastructure (OCI) Object
Storage server-side encryption?
Each object in a bucket is always encrypted with the same data encryption key.
Customer-provided encryption keys are always stored in the OCI Vault service.
Overall explanation
The Oracle Cloud Infrastructure Object Storage service encrypts and decrypts all objects using
256-bit Advanced Encryption Standard (AES-256) to encrypt object data on the server. Each
object is encrypted with its own data encryption key. Data encryption keys are always
encrypted with a master encryption key that is assigned to the bucket (Hence it is not
optional). Encryption is enabled by default and cannot be turned off. Using optional API
headers, you can provide your own 256-bit AES encryption key that is used to encrypt and
decrypt objects uploaded to and downloaded from Object Storage.
Hence, only the statement "Encryption is enabled by default and cannot be turned off." is
true.
Question 74
You are part of a team that manages a set of workload instances running in an on-premises
environment. The Architect team is tasked with designing and configuring Oracle Cloud
Infrastructure (OCI) Logging service to collect logs from these instances. There is a
requirement to archive Info-level logging data of these instances into the OCI Object Storage.
Grouping Function
Service Connectors
Agent Configuration
Overall explanation
Custom logs are logs that contain diagnostic information from custom applications, other
cloud providers, or an on-premise environment.
Custom logs can be ingested in the following ways by configuring the Unified Monitoring
Agent. See Installing the Agent for instructions.
The Unified Monitoring Agent can be installed on many machines, and it pulls logs from local
directories, where your apps or systems emit logs. The agent can also parse your logs for you.
All of this is configured in Agent Configurations.
Additional parsers.
The service connector processes and moves log data from Logging to Object Storage.
You are launching a new project in the US West (Phoenix) region. You would like to reserve
the compute capacity mentioned below so that the capacity is available for your workloads
when you need it.
1. 10 VM.Standard2.2 Instances
2. 6 VM.Standard.E4.Flex Instances
The project also requires you to be mindful about high availability and place the instances in
at least two Availability Domains.
At a bare minimum, how many capacity reservations would you create to meet this
requirement?
Two
Three
One
Four
A
Overall explanation
When you create your capacity reservation, you specify the availability domain in the tenancy
where you want to reserve capacity. Reservations are specific to that availability domain.
Which statement is TRUE about delegating an existing domain to the Oracle Cloud
Infrastructure (OCI) DNS service?
Domains can be self-delegated to OCI DNS from its own service portal.
Domains can be delegated to OCI DNS from the Domain Registrar's self-service portal.
E
Overall explanation
Delegating your domain with your domain's registrar makes your Oracle Cloud Infrastructure
hosted zone accessible through the internet.
To delegate a zone:
1. Open the navigation menu and click Networking. Under DNS Management,
click Overview.
2. Click Zones.
3. Click the Zone Name for the zone you want to delegate. The zone details page appears.
5. Use the Type sort filter to locate the NS records for your zone.
6. Note the name servers in the RDATA field within each NS record.
7. You can use the noted name servers to change your domain's DNS delegation. Refer to
your registrar's documentation for instructions.
Hence Domains can be delegated to OCI DNS from the Domain Registrar’s self-service portal is
the CORRECT answer.
Question 77
Which of the following resources can be attached to a DRG (Dynamic Routing Gateways)?
Overall explanation
Virtual Private Networks (VPNs): Site-to-Site VPN connections using IPSec tunnels can
be attached to a DRG for secure communication between your on-premises network
and Oracle Cloud Infrastructure (OCI) Virtual Cloud Networks (VCNs).
Remote Peering Connections (RPCs): You can establish private network connections
between your VCN and other VCNs in different regions or accounts using RPCs
attached to a DRG.
These resources all leverage the DRG as a virtual router to facilitate communication between
your network and OCI resources.
References: https://docs.oracle.com/en-us/iaas/Content/Network/Tasks/managingDRGs.htm
Question 78
A financial services company needs to comply with stringent regulatory requirements for
network performance and security.
Which specific capability of Network Path Analyzer can help them meet these requirements?
Overall explanation
The correct answer is: B) Detailed path analysis with historical data
Explanation:
1. Why B is Correct:
This capability is crucial for industries like financial services, where compliance
regulations often require proof of consistent network performance and
security.
D) User activity monitoring: Monitoring user activities falls under OCI’s Identity
and Access Management (IAM) or audit services, not the Network Path
Analyzer.
A financial firm is designing an application architecture for its online trading platform that
should have high availability and fault tolerance.
Their solutions architects configured the application to use an Oracle Cloud Infrastructure
(OCI) Object Storage bucket located in the US West (us-phoenix-1) region to store large
amounts of financial data. The stored financial data in the bucket should not be impacted
even if there is an outage in one of the Availability Domains or a complete region.
What should the architect do to avoid any costly service disruptions and ensure data
durability?
Create a lifecycle policy to regularly send data from the Standard to Archive storage.
Create a replication policy to send data to a different bucket in another OCI region.
Create a new Object Storage bucket in another region and configure lifecycle policy to move
data every 5 days.
Overall explanation
Replication provides protection from regional outages, aids in disaster recovery efforts, and
addresses data redundancy compliance requirements. After the replication policy is created,
the destination bucket is read-only and updated only by replication from the source bucket.
Objects uploaded to a source bucket after policy creation are asynchronously replicated to the
destination bucket. Hence "Create a replication policy to send data to a different bucket in
another OCI region." is the CORRECT answer.
The option Create a lifecycle policy to regularly send data from the Standard to Archive
storage is INCORRECT as lifecycle policy rules instruct Object Storage to delete uncommitted
multipart uploads, move objects to a different storage tier, and delete supported resources on
your behalf within a given bucket.
The option Create a new Object Storage bucket in another region and configure lifecycle
policy to move data every 5 days is also INCORRECT, as a lifecycle policy cannot move
data to another region.
The option Copy the Object Storage bucket to a block volume is irrelevant and not necessary,
as Object Storage has a built-in replication policy that can be used. Moreover, the region
information is not specified for the Block Volume. If the Block Volume is in the same region, it
doesn't serve the purpose. Hence this is also INCORRECT.
Question 80
Which statement is NOT true about the Oracle Cloud Infrastructure (OCI) Object Storage
service?
Immutable option for data stored in Object Storage can be set via retention rules.
Overall explanation
Option: Object Versioning is enabled at the namespace level: Object versioning is enabled at
the bucket level and not at the namespace level. Hence this statement is NOT true and the
correct answer to this question.
Option: Object Storage resources can be shared across tenancies: You can write policies that
let your tenancy access Object Storage resources in other tenancies. For more
details: Accessing Object Storage Resources Across Tenancies (oracle.com). Hence this
statement is true.
Option: Immutable option for data stored in Object Storage can be set via retention
rules: Retention rules provide immutable, WORM-compliant storage options for data written
to Object Storage and Archive Storage for data governance, regulatory compliance, and legal
hold requirements. Hence this statement is true.
Option: Object lifecycle rules can be used to either archive or delete objects:
You can define rules that automatically do things like the following:
Move Standard tier objects with a .doc extension to either the Infrequent Access
or Archive tier 60 days after creation or last update.
Move Standard tier objects to the Archive tier 30 days after creation or last update,
and then automatically delete those archived objects after 180 days.
Move Standard tier objects to the Infrequent Access tier 90 days after creation or last
update.
Delete any previous object versions 120 days after the object version transitions from
the latest version to a previous version.
Delete all objects and object versions in a bucket in preparation for bucket deletion.
A developer is concerned about the security of their web application while using acceleration
services.
What security feature does OCI Web Application Acceleration offer to address this concern?
Built-in firewall
DDoS protection
Two-factor authentication
Overall explanation
OCI Web Application Acceleration includes built-in DDoS protection capabilities to mitigate
Distributed Denial of Service attacks. These attacks aim to overwhelm a server or network
with traffic, making it unavailable to legitimate users.
A) Built-in firewall: While Web Application Acceleration might have some basic
security features, it's not primarily a firewall solution.
D) Secure shell (SSH) access: SSH is used for secure remote access to servers, not a
security feature of Web Application Acceleration.
By incorporating DDoS protection, OCI Web Application Acceleration helps safeguard your
application from malicious traffic and ensures its availability even during periods of high
demand.
Question 82
You just got a last minute request to create a set of instances in Oracle Cloud Infrastructure
(OCI). The configuration and installed software are identical for every instance, and you
already have a running instance in your OCI tenancy.
Which image option allows you to achieve this task with the least amount of effort?
Use Oracle-provided images and customize the installation using a third-party tool.
Bring your own image and use it as a template for the new instances.
Create a custom image and use it as a template for the new instances.
Overall explanation
The keywords in the question are "configuration and installed software are identical for every
instance", "already have a running instance" and "least amount of effort".
Option: Use Oracle-provided images and customize the installation using a third-party
tool: This option can be eliminated as using a third-party tool does not satisfy the "least amount
of work" requirement of the question.
Option: Select an image from the OCI Marketplace: This option can be eliminated as it does
not talk about the configuration and software installation that is desired as per the scenario
in the question.
Option: Bring your own image and use it as a template for the new instances: This option
does not satisfy the "least amount of work" requirement. It also does not leverage the
existing instance. Hence it is incorrect. For more information on the process of BYOI,
refer to: Bring Your Own Image (BYOI) (oracle.com)
Option: Create a custom image and use it as a template for the new instances: Oracle Cloud
Infrastructure uses images to create compute instances. You basically specify which image to
use when you create an instance. You may also create a custom image of an instance’s boot
disk and use that image to create other instances. These instances include the customizations,
configuration, and software that was installed when you created the image. As you already
have a running instance, configure and install the software and then create a custom image
and use it as a template for the new instances. This is the correct answer.
Question 83
An e-commerce website is preparing for a major sale event and expects a significant increase
in traffic. How can OCI Web Application Acceleration help in this situation?
Overall explanation
Here's why:
Increased Traffic: During a major sale event, e-commerce websites experience a surge
in traffic, which can overwhelm servers and lead to slow page load times and even
website crashes.
How OCI Web Application Acceleration Helps: This service caches static and dynamic
content closer to end-users at the edge of the network. When users request a
resource, the cached copy is delivered quickly, reducing the load on the origin servers
and minimizing latency.
B) By reducing the number of servers needed: While caching can help reduce the load
on origin servers, it doesn't necessarily reduce the number of servers required.
By caching content closer to users, OCI Web Application Acceleration ensures a faster and
more reliable user experience during peak traffic periods, such as major sale events.
Question 84
A media company is experiencing high latency during peak traffic hours, affecting their
content delivery.
What advanced diagnostic feature of Network Path Analyzer can help identify the root cause?
Explanation:
1. Why C is Correct:
Time-based path analysis in the Network Path Analyzer allows users to analyze
network performance metrics (e.g., latency, packet loss) at specific times or
under varying traffic conditions.
For a media company experiencing high latency during peak hours, this feature
can:
Identify which parts of the network path are affected during peak
traffic.
B) Peak traffic simulation: The tool does not simulate traffic; it analyzes real-
time and historical network performance.
An IT team is tasked with optimizing the network configuration for a distributed application
running in multiple OCI regions.
Which feature of Network Path Analyzer should they use to ensure optimal performance?
Static IP allocation
Overall explanation
Explanation:
1. Why A is Correct:
Cross-region latency analysis is a feature of the OCI Network Path Analyzer that
enables IT teams to measure and compare network performance metrics (e.g.,
latency, packet loss) between different OCI regions.
Ensure high availability and low latency for end users across regions.
B) Single-region path tracing: While useful for diagnosing issues within a single
region, it does not address the challenges of optimizing communication
between multiple regions.
C) Static IP allocation: Static IPs are used to ensure consistent IP addresses but
have no direct role in analyzing or optimizing network performance.
By pinpointing latency issues between regions, the IT team can make informed
decisions, such as:
Which TWO statements are TRUE about Private IP addresses in Oracle Cloud Infrastructure
(OCI)?
By default, the primary VNIC of an instance in a subnet has one primary private IP address.
By default, the primary VNIC of an instance in a subnet has one primary private IP address
and one secondary private IP address.
Overall explanation
A VNIC enables an instance to connect to a VCN and determines how the instance connects
with endpoints inside and outside the VCN. Each VNIC resides in a subnet in a VCN and
includes these items (list not exhaustive, just for explanation of this question). For more
details refer to Virtual Network Interface Cards (VNICs) (oracle.com)
One primary private IPv4 address from the subnet the VNIC is in, chosen by either you
or Oracle.
Up to 31 optional secondary private IPv4 addresses from the same subnet the VNIC is
in, chosen by either you or Oracle.
An optional public IPv4 address for each private IP, chosen by Oracle but assigned by
you at your discretion.
The first two points make it clear that the option "By default, the primary VNIC of an instance
in a subnet has one primary private IP address" is CORRECT. It also implies the option "By
default, the primary VNIC of an instance in a subnet has one primary private IP address and
one secondary private IP address" is INCORRECT (as the secondary private IP address is
Optional).
The third point suggests that the option "A private IP can have an optional public IP
assigned to it if it resides in a public subnet." is CORRECT.
The option "Each VNIC can only have one private IP address" is also INCORRECT as each VNIC
can have more than one private IP address (one primary and up to 31 secondary).
Question 87
A global company wants to ensure consistent application performance for users in different
geographical locations.
Which feature of OCI Web Application Acceleration is most beneficial for this requirement?
B) Data encryption
C) Automated backups
Overall explanation
Explanation: CDN integration helps in delivering content quickly to users regardless of their
geographical location by caching content at various edge locations around the world.
Incorrect Options:
A) Global load balancing: While useful, CDN integration is more directly related to improving
performance for geographically dispersed users.
Which type of attachment allows you to connect your DRG to on-premises networks using
encrypted tunnels?
VCN attachments
RPC attachments
IPSEC_TUNNEL attachments
VIRTUAL_CIRCUIT attachments
C
Overall explanation
VCN attachments connect VCNs within the same tenancy to a DRG, not on-premises
networks.
IPSEC_TUNNEL attachments create secure, encrypted tunnels using the IPSec protocol
to connect your DRG to on-premises networks. This is the most secure option for
connecting your on-premises network to OCI.
Reference: https://docs.oracle.com/en-us/iaas/Content/Network/Tasks/managingDRGs.htm
Question 89
To create a dedicated, private connection between your data center and the internet.
To establish a reliable and consistent networking experience between your data center and
Oracle Cloud Infrastructure.
Overall explanation
The correct answer is: (C) To establish a reliable and consistent networking experience
between your data center and Oracle Cloud Infrastructure.
(A) To create a dedicated, private connection between your data center and the
internet: FastConnect bypasses the public internet altogether, creating a private and
secure connection.
Reference: https://docs.oracle.com/en-us/iaas/Content/Network/Concepts/fastconnectoverview.htm#FastConnect_Overview
Question 90
Which type of peering allows you to extend your existing infrastructure into a virtual cloud
network (VCN) within Oracle Cloud Infrastructure?
Private peering
Public peering
Hybrid peering
Third-party peering
Overall explanation
Here's why:
Private peering connects two VCNs within the same region or different tenancies in
Oracle Cloud Infrastructure (OCI) using private IP addresses. This allows resources in
each VCN to communicate directly without traversing the public internet or requiring
public IP addresses. This is ideal for extending your existing on-premises network or a
separate VCN within your OCI tenancy into a new VCN.
Public peering is not a concept within OCI VCN peering. Public peering typically refers
to peering arrangements between different cloud providers, which isn't applicable
here.
Hybrid peering is not an official term used in OCI VCN peering. It might be a
misunderstanding of private peering in the context of hybrid cloud (combining on-
premises and cloud infrastructure).
Reference: https://docs.oracle.com
Question 91
Which OCI compute image option allows users to import and use their custom virtual
machine images, including those with specific software configurations and licenses?
Oracle-provided images
Custom images
General-purpose instances
Linux images
B
Overall explanation
Custom images in Oracle Cloud Infrastructure (OCI) enable users to import and use their own
virtual machine (VM) images, including those with specific software configurations and
licenses. This feature provides flexibility for users who have existing VM images or need to
tailor their images with specific software and configurations.
Oracle-provided images, on the other hand, are pre-configured images offered by Oracle that
include a variety of operating systems and software stacks. While these images are
convenient and ready-to-use, they may not always meet the specific requirements of users
who have custom software configurations or licensing needs.
General-purpose instances and Linux images are not directly related to the image options.
General-purpose instances refer to a type of compute instance in OCI, while Linux images are
a category of operating system images.
Therefore, the correct option for importing and using custom virtual machine images with
specific software configurations and licenses is Custom images.
Question 92
A company is experiencing high latency and slow load times for their web application. They
decide to use OCI Web Application Acceleration.
Overall explanation
A) Reduced storage costs: While caching can indirectly impact storage costs by
reducing the load on the origin servers, it's not the primary benefit.
An enterprise is planning to deploy a hybrid cloud architecture and needs to ensure secure
and efficient connectivity between OCI and their on-premises network.
By analyzing the network path for potential security vulnerabilities and performance
bottlenecks
Explanation:
1. Why B is Correct:
The Network Path Analyzer in OCI is a tool designed to examine and diagnose
network paths between OCI and external networks, such as on-premises
environments.
This ensures that the connectivity between OCI and the on-premises network is
both secure and efficient, which is critical for hybrid cloud architectures.
C) By managing user access controls: User access controls are managed through
IAM (Identity and Access Management) policies and rules, not by the Network
Path Analyzer.
It enables organizations to proactively detect and resolve network issues during the
setup of a hybrid cloud, ensuring smooth communication between OCI and on-
premises systems.
By analyzing metrics like latency, packet loss, and network configuration, it provides
actionable insights to optimize connectivity.
Question 94
You create a file system and then add a 2 GB file. You then take a snapshot of the file system.
What would be the total meteredBytes shown by the File Storage service after the hourly
update cycle is complete?
A. 2 GB
B. 2.5 GB
C. 3 GB
D. 4 GB
A
Question 95
You are in the process of migrating several legacy applications from on-premises to Oracle Cloud
Infrastructure (OCI). The current servers are already virtualized. However, you notice that the
version of CentOS currently running does not align with any of the Oracle-provided compute
images.
How would you migrate your existing virtual server images to OCI?
A. Export your current image in the VDI format and copy to an Object Storage bucket.
Import it as a custom image. Select native mode to ensure the best possible
performance.
B. Export your current image in the VMDK format and copy to an Object Storage bucket.
Import it as a custom image. Select native mode to ensure the best possible
performance.
C. Export your current image in the QED format and copy to an Object Storage bucket.
Import it as a custom image. Select emulated mode to ensure compatibility with legacy
drivers.
D. Export your current image in the QCOW2 format and copy to an Object Storage
bucket. Import it as a custom image. Select emulated mode to ensure compatibility with
legacy drivers.
D
Question 96
Which THREE protocols are supported by the Oracle Cloud Infrastructure (OCI) private Network
Load Balancers?
A. HTTP
B. UDP
C. ICMP
D. TCP
E. iSCSI
F. BGP
BCD
Question 97
You have an instance running in Oracle Cloud Infrastructure (OCI) that cannot be live-migrated
during an infrastructure maintenance event. OCI schedules a maintenance due date within 14 to
16 days and sends you a notification.
What would happen if you choose not to proactively reboot the instance before the scheduled
maintenance due date?
A. You will receive another notification to reboot within the next 14 days.
D. You will receive another notification to reboot within the next 7 days.
C
Question 98
As a network architect you have been tasked with creating a fully redundant connection from
your on-premises data center to your Virtual Cloud Network (VCN) in the us-ashburn-1 region.
A. Configure two FastConnect virtual circuits to the us-ashburn-1 region and terminate
them in diverse hardware on-premises.
B. Configure one FastConnect virtual circuit to the us-ashburn-1 region and the second
FastConnect virtual circuit to the us-phoenix-1 region.
D. Configure one FastConnect virtual circuit to the us-ashburn-1 region and a Site-to-Site
VPN to the us-ashburn-1 region.
AD
Overall explanation
The question has a key phrase: "fully redundant connection". We can eliminate the
answer Configure a Site-to-Site VPN from a single on-premises CPE, as this option uses
a single on-premises Customer Premises Equipment (CPE). It's not a fully redundant solution.
Option: Configure one FastConnect virtual circuit to the us-ashburn-1 region and the second
FastConnect virtual circuit to the us-phoenix-1 region: The question clearly specifies that
the VCN is in the Ashburn region. This answer proposes a second FastConnect virtual circuit to
the Phoenix region. Hence this is also INCORRECT.
So we are left with the remaining two options which are Correct but let's look at why they are
correct.
Option: Configure one FastConnect virtual circuit to the us-ashburn-1 region and a Site-to-Site
VPN to the us-ashburn-1 region : Oracle recommends using Site-to-Site VPN as a backup for
your FastConnect connection. If you do, ensure that the Site-to-Site VPN IPSec tunnels are
configured to use BGP routing with a route-based VPN. Additional Information: Within your
existing on-premises network, manipulate the routing to prefer routes learned through
FastConnect over routes learned through Site-to-Site VPN. For example, use AS_Path Prepend to
influence egress traffic from Oracle, and use local preference to influence egress traffic from
your network.
Option: Configure two FastConnect virtual circuits to the us-ashburn-1 region and terminate
them in diverse hardware on-premises :
For redundancy, Oracle provides multiple providers for each region and two FastConnect
locations for US East (Ashburn). You should handle redundancy of the physical connection
between your existing network and Oracle.
Question 99
As your company's cloud architect, you have been invited by the CEO to join his staff meeting.
They want your input on interconnecting Oracle Cloud Infrastructure (OCI) to another cloud
provider in London, with some specific requirements:
They want resources in the other cloud provider to leverage OCI Autonomous Data Warehouse
ML capabilities.
The connection between OCI and the other cloud provider should be provisioned as quickly as
possible.
The connection should offer high bandwidth and predictable performance.
Which other cloud provider should you recommend to interconnect with OCI and meet the
above requirements?
A. IBM Cloud
B. Microsoft Azure
C. Digital Ocean
E. Google Cloud
F. OCI
G. Alibaba Cloud
B
Question 100
There are multiple options of migrating Oracle Databases from on-premises to Oracle Cloud
Infrastructure.
Which two characteristics do you need to consider when choosing a migration method?
(Choose two.)
Overall explanation
Some of the characteristics and factors to consider when choosing a migration method are:
On-premises database version
Database service database version
On-premises host operating system and version
On-premises database character set
Quantity of data, including indexes
Data types used in the on-premises database
Storage for data staging
Acceptable length of system outage
Network bandwidth
References: https://docs.cloud.oracle.com/iaas/Content/Database/Tasks/migrating.htm
Question 101
You need to set up instance principals so that an application running on an instance can call
Oracle Cloud Infrastructure (OCI) public services, without the need to configure user
credentials.
A developer in your team has already configured the application built using an OCI SDK to
authenticate using the instance principals provider.
Create a dynamic group with matching rules to specify which instances you want to allow to
make API calls against services.
Generate Auth Tokens to enable instances in the dynamic group to authenticate with APIs.
Create a policy granting permissions to the dynamic group to access services in your
compartment or tenancy.
Deploy the application and the SDK to all the instances that belong to the dynamic group.
B
Overall explanation
Auth Tokens are for use when dynamic groups and instance authentication are not
possible (for example, a third-party application).
The following steps summarize the process flow for setting up and using instances as principals.
The subsequent sections provide more details.
1. Create a dynamic group. In the dynamic group definition, you provide the matching rules
to specify which instances you want to allow to make API calls against services.
2. Create a policy granting permissions to the dynamic group to access services in your
tenancy (or compartment).
3. A developer in your organization configures the application built using the Oracle Cloud
Infrastructure SDK to authenticate using the instance principals provider. The developer
deploys the application and the SDK to all the instances that belong to the dynamic
group.
4. The deployed SDK makes calls to Oracle Cloud Infrastructure APIs as allowed by the
policy (without needing to configure API credentials).
5. For each API call made by an instance, the Audit service logs the event, recording the
OCID of the instance as the value of the principal Id in the event log.
Reference: https://docs.cloud.oracle.com/en-us/iaas/Content/Identity/Tasks/callingservicesfrominstances.htm
Question 102
You are running an online gaming application hosted on a VM.Standard2.1 instance shape in
Oracle Cloud Infrastructure. As the game becomes popular, you identify network throughput
as a bottleneck on your instance when uploading user data.
Though you want to resolve the issue, you want to observe the demand for a week before
adding new application instances.
Delete the instance while preserving boot volume and spin up a new higher network
bandwidth instance with this boot volume.
Overall explanation
Reference: https://docs.oracle.com/en-us/iaas/Content/Compute/Tasks/resizinginstances.htm
Question 103
Which two methods are supported for migrating your on-premises Oracle database to an
Oracle Autonomous Transaction Processing (ATP) database in Oracle Cloud Infrastructure?
(Choose two.)
Overall explanation
Migration Methods Many methods exist to migrate Oracle databases to the Oracle Cloud
Infrastructure Database service. Which of these methods apply to a given migration scenario
depends on several factors, including the version, character set, and platform endian format of
the source and target databases.
Reference: https://docs.oracle.com/en-us/iaas/Content/Database/Tasks/migrating.htm
Question 104
Which two statements are true when Oracle Data Guard is configured (using the Console)
between two Virtual Machine DB Systems deployed in Oracle Cloud Infrastructure? (Choose
two.)
Overall explanation
Reference: https://docs.oracle.com/en-us/iaas/dbcs/doc/use-oracle-data-guard-db-system.html
https://docs.oracle.com/en-us/iaas/dbcs/doc/enable-oracle-data-guard-db-system.html
Question 105
Which two statements are true about Oracle Cloud Infrastructure storage services? (Choose
two.)
You can take incremental snapshots of Block Volumes, File Storage file systems and Object
Storage buckets.
You can move Object Storage buckets, Block Volumes and File Storage mount targets between
compartments.
File Storage uses the network file system (NFS) protocol, whereas Block Volume uses iSCSI.
Block Volume service scales to Exabytes per instance, while File Storage service offers
unlimited scalability.
File storage mount target does not provide a private IP address, while the Object Storage
bucket provides one.
B+C
Overall explanation
Reference:
https://blogs.oracle.com/cloud-infrastructure/oracle-shatters-cloud-storage-limits-with-the-best-performance
https://docs.oracle.com/en-us/iaas/Content/Object/Tasks/managingbuckets.htm
Question 106
With regard to Oracle Cloud Infrastructure Load Balancing service, which two actions will
occur when a backend server that is registered with a backend set is marked to drain
connections? (Choose two.)
All connections to this backend server are forcibly closed after a timeout period.
Connections to this backend server will remain open until all in-flight requests are completed.
D,E
Overall explanation
Reference: https://docs.cloud.oracle.com/en-us/iaas/Content/Balance/Reference/sessionpersistence.htm
Question 107
Which of the following statements is true about the Oracle Cloud Infrastructure (OCI) Object
Storage server-side encryption?
Each object in a bucket is always encrypted with the same data encryption key.
Overall explanation
Encryption is on by default and cannot be turned off. Each object is encrypted with its own
encryption key, and the object encryption keys are encrypted with a master encryption key. A
vault is a logical entity that stores the encryption keys you use to protect your data.
https://docs.oracle.com/en-us/iaas/Content/Security/Reference/objectstorage_security.htm
Question 108
You have a high-demand web application running on Oracle Cloud Infrastructure. Your
tenancy administrator has set up a schedule based autoscaling policy on instance pool with
initial size of 5 instances for the application.
Policy 1:
Execution time: 8:30 a.m. on every Monday through Friday, in every month, in every year
Goal: A recurring monthly schedule. On all days of the month, set the initial pool size to 5
instances. At 8.30 a.m., on every day of the month, scale out to 10 instances.
Goal: A one-time schedule with only one scaling out event. At 8:30 a.m., on December 31,
2021, scale the instance pool to 10 instances from 5.
Goal: A recurring weekly schedule. On all days of the week at 8.30 a.m., scale out the pool to
10 instances from the initial size of 5.
Goal: A recurring daily schedule. On weekday mornings at 8.30 a.m., scale out to 10 instances.
D
Overall explanation
A recurring daily schedule. At 8.30 a.m. on weekday mornings, scale out to 10 instances.
https://docs.oracle.com/en-us/iaas/Content/Compute/Tasks/autoscalinginstancepools.htm
Question 109
You are running a mission-critical database application in Oracle Cloud Infrastructure (OCI).
You take regular backups of your DB system to OCI object storage.
What steps can you take to determine the cause of the backup failure?
Ensure that your database host can connect to the OCI object storage
Make sure that the database is not active and running while the backup is in progress
B
Overall explanation
NOARCHIVELOG is one of the issues that causes the failure. If you set the archive mode to
NOARCHIVELOG, there is nothing to back up, because the only backup option will be an offline
backup.
Ensure that your database host can connect to the OCI object storage is the correct choice.
Reference:
https://docs.cloud.oracle.com/en-us/iaas/Content/Database/Troubleshooting/Backup/backupfail.htm
Question 110
A database name cannot be used concurrently for both an Autonomous Data Warehouse
(ADW) and an ATP database
After terminating a database, the database name is available for immediate reuse
Overall explanation
The database name must be unique among all Autonomous Data Warehouses and Autonomous
Databases in your tenancy in the same region.
The maximum number of CPUs and maximum storage capacity that can be provisioned in Oracle
Autonomous Database: in the current release, up to 128 CPUs and 128TB can be provisioned
from the cloud console. Customers requiring more resources need to call their Oracle account
team.
Question 111
Which service is NOT supported by Oracle Cloud Infrastructure CLI?
load balancer
compute
database
block volumes
D
Overall explanation
Reference: https://docs.cloud.oracle.com/iaas/Content/API/Concepts/cliconcepts.htm#services
Question 112
installing the operating system (OS), Grid Infrastructure, and database software
A
Overall explanation
On Autonomous there is no patching needed, but on the regular DB Cloud services you need to
patch the DB and the OS. During the creation on the OCDB the first DB is created automatically.
Which statement is true about Data Guard implementation in Oracle Cloud Infrastructure
(OCI) bare metal and virtual machine database systems?
Database systems need not be the same shape type (e.g., primary database can be a virtual
machine, and standby database a bare metal shape, and vice versa).
Primary and standby database versions and editions need not be identical.
B
Overall explanation
Reference: https://docs.cloud.oracle.com/en-us/iaas/Content/Database/Tasks/exausingdataguard.htm
Question 114
You are the Solutions Architect of a large company and are tasked with migrating all your
services to Oracle Cloud Infrastructure. As part of this, you first design a Virtual Cloud
Network (VCN) with a public subnet and a private subnet. Then in order to provide Internet
connectivity to the instances in your private subnet, you create an Oracle Linux instance in
your public subnet and configure NAT on it. However, even after adding all related security list
rules and routes in the Route Table, your private subnet instances still cannot connect to the
Internet.
Disable “Source and Destination Check” on the VNIC of your Linux instance.
Create a Dynamic Routing Gateway (DRG) and route your private IP traffic to the DRG.
Overall explanation
By default, every VNIC performs the source/destination check on its network traffic. The VNIC
looks at the source and destination listed in the header of each network packet. If the VNIC is
not the source or destination, then the packet is dropped.
If the VNIC needs to forward traffic (for example, if it needs to perform Network Address
Translation (NAT)), you must disable the source/destination check on the VNIC. For instructions,
see To update an existing VNIC. For information about the general scenario, see Using a Private
IP as a Route Target.
Reference: https://docs.cloud.oracle.com/iaas/Content/Network/Tasks/managingVNICs.htm#Source/D
Question 115
As the Cloud Architect for your company, you have been tasked with designing a high
performance (HPC) cluster in Oracle Cloud Infrastructure (OCI). The following requirements
have been defined:
The cluster must be a minimum of three nodes, but may increase to six nodes when
demand requires.
To minimize latency, all nodes must be deployed within the same availability domain
(AD).
Adding or replacing nodes within the cluster should take no more than 30 minutes.
Which two steps should be performed to satisfy these requirements in OCI? (Choose two.)
Deploy the cluster in a single AD with a shared file system that leverages the file storage
service (FSS). Deploy a standby cluster in another AD and configure it to use the same shared
file system
Deploy the cluster in a single AD. Place each of the nodes in one of the three different fault
domains in that AD.
Create a backup of your HPC node compute instance boot volume. Launch new compute
instances directly from the backup to reduce provisioning time.
Create a custom image of your HPC node compute instance. Launch new compute instances
using this image to reduce provisioning time.
Deploy the cluster in a single AD. Place each of the nodes in a different virtual cloud network
(VCN) subnet.
BD
Overall explanation
A fault domain is a grouping of hardware and infrastructure within an availability domain. Each
availability domain contains three fault domains. Fault domains provide anti-affinity: they let
you distribute your instances so that the instances are not on the same physical hardware
within a single availability domain. A hardware failure or Compute hardware maintenance event
that affects one fault domain does not affect instances in other fault domains. In addition, the
physical hardware in a fault domain has independent and redundant power supplies, which
prevents a failure in the power supply hardware within one fault domain from affecting other
fault domains.
To control the placement of your compute instances, bare metal DB system instances, or virtual
machine DB system instances, you can optionally specify the fault domain for a new instance or
instance pool at launch time. If you don't specify the fault domain, the system selects one for
you. Oracle Cloud Infrastructure makes a best-effort anti-affinity placement across different
fault domains, while optimizing for available capacity in the availability domain. To change the
fault domain for an instance, terminate it and launch a new instance in the preferred fault
domain.
Question 116
A cloned volume is the same as a snapshot that has a dependency on the source volume.
You can change the block volume size when cloning a volume.
Overall explanation
D is correct: you can change the block volume size when cloning a volume.
Reference:
https://docs.cloud.oracle.com/en-us/iaas/Content/Block/Tasks/cloningavolume.htm#UsingtheConsole
Question 117
Which two are Regional resources in Oracle Cloud Infrastructure? (Choose two.)
Compartments
Compute images
Dynamic groups
Regional Resources
・Compute images
・Volume backups: They can be restored as new volumes to any availability domain within the
same region in which they are stored.
Reference: https://docs.oracle.com/en-us/iaas/Content/General/Concepts/regions.htm
Question 118
You have setup your environment as shown below with the Mount Target "MT" successfully
mounted on both compute instances CLIENT-X and CLIENT-Y.
For security reasons you want to control the access to the File System A in such a way that
CLIENT-X has READ/WRITE and CLIENT-Y has READ only permission.
Update the mount target export options to restrict CLIENT-Y access to read-only.
Update the security list ONE to restrict CLIENT-Y access to read only.
C
Overall explanation
You can restrict clients' access to file systems and data by using NFS export options access
controls. If you want clients to consume resources from your file system but not update them,
set access to Read Only. You can also reduce client root access to your file systems and map
specified User IDs (UIDs) and Group IDs (GIDs) to an anonymous UID/GID of your choice. For
more information about how NFS export options work with other security layers, see About
Security.
Reference: https://docs.oracle.com/search/q=mount+target+export+options+&lang=en&product=en%2Fcloud%2Foracle-cloud-infrastructure
Question 119
You are deploying a highly available web application in Oracle Cloud Infrastructure and have
decided to use a public load balancer. The back-end web servers will be distributed across all
three availability domains (ADs).
How many subnets should you create to deliver a secure, highly available application?
two subnets in total; one regional private subnet to host your back-end web servers and one
regional public subnet to host your public load balancer.
one subnet in total; one regional private subnet to host your back-end web servers and your
public load balancer.
three subnets in total; one regional public subnet to host your back-end web servers and two
AD specific private subnets to host your private load balancer.
two subnets in total; one regional public subnet to host your back-end web servers and one
regional private subnet to host your public load balancer.
A
Overall explanation
To secure the backend, put it in a private subnet, and put the LBaaS in a public subnet since it
must be accessible from the internet.
The load balancer is the interface between the internet and the backend web servers, distributing
the load accordingly, so it should be in a public subnet.
Reference: https://docs.oracle.com/en-us/iaas/Content/Balance/Concepts/balanceoverview.htm
You plan to upload a large file (3 TiB) to Oracle Cloud Infrastructure (OCI) Object Storage. You
would like to minimize the impact of network failures while uploading, and therefore you
decide to use the multipart upload capability.
Which TWO statements are true about performing a multipart upload using the Multipart
Upload API? (Select Two)
You do not need to split the object into parts. Object Storage splits the object into parts and
uploads all of the parts automatically.
While a multipart upload is still active, you can keep adding parts as long as the total number
is less than 10,000.
When you split the object into individual parts, each part can be as large as 50 GiB.
You do not have to commit the upload after you have uploaded all the object parts.
B,C
Before you use the multipart upload API, you are responsible for creating the parts to upload.
With multipart upload, you split the object you want to upload into individual parts.
Individual parts can be as large as 50 GiB.
While a multipart upload is still active, you can keep adding parts as long as the total number
is less than 10,000.
When you have uploaded all object parts, commit the upload.
Which statement is NOT correct regarding the Oracle Cloud Infrastructure (OCI) File System
snapshots?
Before you can clone a file system, at least one snapshot must exist for the file system.
Snapshots are accessible under the root directory of the file system at .snapshot/name.
Even if nothing has changed within the file system since the last snapshot was taken, a new
snapshot consumes more storage.
D
Overall explanation
Snapshot data usage is metered against differentiated data only. If nothing has changed
within the file system since the last snapshot was taken, a new snapshot does not consume
more storage.
Your cloud developer is using the Oracle Cloud Infrastructure (OCI) Vault service to encrypt
plaintext. She runs the following command using the OCI Command Line Interface (CLI) and
encounters a service error.
The developer should pass the key version OCID instead of the key OCID.
B
Overall explanation
Each vault has a unique endpoint for create, update, and list operations for keys. This
endpoint is referred to as the control plane URL or management endpoint. Each vault also has
a unique endpoint for cryptographic operations. This endpoint is known as the data plane URL
or the cryptographic endpoint. When using the CLI for key operations, you must provide the
appropriate endpoint for the type of operation.
Notifications
Service Connectors
Audit
Logging
C
Overall explanation
Audit provides records of API operations performed against supported services as a list of log
events. The service logs events at both the tenant and compartment level.
When viewing events logged by Audit, you might be interested in specific activities that
happened in the tenancy or compartment and who was responsible for the activity. You will
need to know that the approximate time and date something happened and the
compartment in which it happened to display a list of log events that includes the activity in
question.
Which is NOT a valid action within the Oracle Cloud Infrastructure (OCI) Block Volume
service?
Overall explanation
The Oracle Cloud Infrastructure Block Volume service lets you expand the size of block
volumes and boot volumes. You have several options to increase the size of your volumes:
Expand an existing volume in place with online resizing. See Online Resizing of Block
Volumes Using the Console for the steps to do this.
Restore from a volume backup to a larger volume. See Restoring a Backup to a New
Volume and Restoring a Boot Volume.
Clone an existing volume to a new, larger volume. See Cloning a Volume and Cloning a
Boot Volume.
Expand an existing volume in place with offline resizing. See Offline Resizing of Block
Volumes Using the Console for the steps to do this.
As you can see from the above discussion, there are 3 valid actions:
So the only one option remaining is Attaching a block volume to an instance in a different
availability domain. This is NOT a valid action as the Block Volume must be in the
same availability domain as the instance. Hence it is the correct answer.
Question 120
Which two statements about Oracle Cloud Infrastructure File Storage Service are accurate?
(Choose two.)
Customer can encrypt the communication to a mount target via export options.
Customer can encrypt data in their file system using their own Vault encryption key.
CD
Overall explanation
“The File Storage service encrypts all file system and snapshot data at rest. By default all file
systems are encrypted using Oracle-managed encryption keys.” “You have the option to
encrypt all of your file systems using the keys that you own and manage using the Vault service.”
Reference: https://docs.oracle.com/en-us/iaas/Content/File/Concepts/filestorageoverview.htm
Question 121
You have created a public subnet and an internet gateway in your virtual cloud network
(VCN). The public subnet has an associated route table and security list.
However, after creating several compute instances in the public subnet, none can reach the
Internet.
Which two are possible reasons for the connectivity issue? (Choose two.)
The route table has no default route for routing traffic to the internet gateway
There is no stateful egress rule in the security list associated with the public subnet
There is no stateful ingress rule in the security list associated with the public subnet
AB
Overall explanation
A DRG is not necessary for internet connectivity. A DRG is for peering, VPN and FastConnect.
The gateway supports connections initiated from within the VCN (egress) and connections
initiated from the internet (ingress).
Reference: https://docs.cloud.oracle.com/en-us/iaas/Content/Network/Tasks/managingIGs.htm
Question 122
You have an Oracle Cloud Infrastructure (OCI) load balancer distributing traffic via an evenly-
weighted round robin policy to your back-end web servers. You notice that one of your web
servers is receiving more traffic than other web servers.
How can you resolve this to make sure traffic is evenly distributed across all back-end
webservers?
Overall explanation
Using session persistence, all requests originating from one logical client are directed to one
backend web server. The session persistence feature is enabled when you create a load balancer
or when you create a backend set. The session persistence configuration can also be changed or
enabled in an existing backend set by editing it.
Reference:
https://docs.oracle.com/en-us/iaas/Content/Balance/Reference/sessionpersistence.htm
Question 123
Your company decided to move a few applications to Oracle Cloud Infrastructure (OCI) in the
US West (us-phoenix-1) region.
You need to design a cloud-based disaster recovery (DR) solution with a requirement to
deploy the DR resources in the US East (us-ashburn-1) region to minimize network latency.
Deploy production and DR applications in two separate virtual cloud networks (VCNs), each in
different regions, and then use VCN local peering gateways for connectivity.
Deploy production and DR applications in two separate VCNs, each in different regions.
Connect them using a VCN remote peering connection.
Deploy production and DR applications in the same VCN. Create production subnets in one
AD, and DR subnets in another AD (assume a multi-AD region).
Deploy production and DR applications in two separate VCNs in different availability domains
(ADs) within the primary region, and then use a VCN remote peering connection for
connectivity.
B
Overall explanation
Correct Answer: Deploy production and DR applications in two separate VCNs, each in different
regions. Connect them using a VCN remote peering connection.
Deploy in 2 regions, one for the application and one for DR, connected by remote peering,
which is used to connect different regions, while 2 ADs in the same region are connected
using local peering.
Reference:
https://docs.oracle.com/en-us/iaas/Content/Network/Tasks/remoteVCNpeering.htm
Question 124
You deployed a database on a Standard Compute instance in Oracle Cloud Infrastructure (OCI)
due to cost concerns. The database requires additional storage with high I/O and you decided
to use OCI Block Volume service for it.
With this requirement in mind, which elastic performance option should you choose for the
Block Volume?
Balanced Performance
Higher performance
Extreme performance
Lower cost
B
Overall explanation
Higher Performance: Recommended for workloads with the highest I/O requirements, requiring
the best possible performance, such as large databases. This option provides the best linear
performance scale with 75 IOPS/GB up to a maximum of 35,000 IOPS per volume. Throughput
also scales at the highest rate at 600 KBPS/GB up to a maximum of 480 MBPS per volume. With
this option you are purchasing 20 VPUs per GB/month.
Reference:
https://docs.oracle.com/en-us/iaas/Content/Block/Concepts/blockvolumeperformance.htm#Block_Volume_Elastic_Performance
Question 125
You have compartments C and D under the root compartment in your Oracle Cloud
Infrastructure (OCI) tenancy; compartment C contains a sub-compartment also named D. You
are trying to move this sub-compartment D to the parent compartment D as shown in the
picture, but the move fails.
You need to move all the compartments in the hierarchy to the new parent compartment.
You cannot move a subcompartment to another parent compartment.
Both parent and child compartments cannot have the same name.
Overall explanation
Reference: https://docs.cloud.oracle.com/en-us/iaas/Content/Identity/Tasks/managingcompartments.htm (restriction on moving compartments)
Question 126
Which three components can you configure in Oracle Infrastructure Identity and Access
Management? (Choose three.)
Groups
Users
Instances
Policies
VCNs
ABD
Overall explanation
References: https://cloud.oracle.com/governance/identity/faq
Question 127
A customer has launched a compute instance in the Virtual Cloud Network (VCN), which has
an internet gateway, a service gateway, a default security list and a default route table.
The customer has opened up port 22 in the security lists attached to the compute instance
subnet, but is still unable to connect to compute instances using ssh.
Modify the route table associated with the VCN subnet in which the instance resides. Add the
following route to the route table.
Modify the security list associated with the VCN subnet in which the instance resides. Add a
stateful egress rule to allow ICMP traffic in addition to the port 22.
Modify the route table associated with the VCN subnet in which the instance resides. Add the
following route to the route table.
Modify the route table associated with the VCN subnet in which the instance resides. Add the
following route to the route table.
Overall explanation
You create an internet gateway in the context of a specific VCN. In other words, the internet
gateway is automatically attached to a VCN. However, you can disable and re-enable the
internet gateway at any time.
For traffic to flow between a subnet and an internet gateway, you must create a route rule
accordingly in the subnet's route table (for example, destination CIDR = 0.0.0.0/0 and target =
internet gateway). If the internet gateway is disabled, that means no traffic will flow to or from
the internet even if there's a route rule that enables that traffic.
For the purposes of access control, you must specify the compartment where you want the
internet gateway to reside. If you're not sure which compartment to use, put the internet
gateway in the same compartment as the cloud network.
Question 128
You work for a health insurance company that stores a large number of patient health records
in an Oracle Cloud Infrastructure (OCI) Object Storage bucket named "HealthRecords".
Each record needs to be securely stored for a period of 5 years for regulatory compliance
purposes and cannot be modified, overwritten or deleted during this time period.
Create an OCI Object Storage Lifecycle Policies rule to archive objects in the HealthRecords
bucket for five years.
Create an OCI Object Storage time-bound Retention Rule on the HealthRecords bucket for five
years. Enable Retention Rule Lock on this bucket.
Enable encryption on the HealthRecords bucket using your own vault master encryption keys.
Overall explanation
Reference: https://docs.cloud.oracle.com/en-us/iaas/Content/Object/Tasks/usingretentionrules.htm
Question 129
An Oracle Cloud Infrastructure tenancy administrator is not able to delete a user in the
tenancy.
User needs to be deleted from federation Identity Provider (IdP) before deleting from IAM.
B
Overall explanation
Reference: https://docs.cloud.oracle.com/en-us/iaas/Content/Identity/Tasks/managingusers.htm
Question 130
Compute instance
Compartment
Overall explanation
Reference: https://oracle-base.com/articles/vm/oracle-cloud-infrastructure-oci-create-a-database-vm#
Question 131
Your company sells a service to photographers where their patrons can preview the photos
that they want to order prints. In order to avoid unauthorized copies, the sample photos have
lower resolution and are watermarked. The photos are processed after they are uploaded.
The process should be fast but not immediate. It creates the samples and sends them to
storage outside of the instances.
Which type of instance is ideal for a process like this: short lived and one that will keep the
cost low?
On-demand instances
Burstable instances
Spot instances
Preemptible instances
D
Overall explanation
Preemptible instances are designed for short-term usage. The capacity is reclaimed when it's
needed elsewhere. The capacity is not guaranteed for a minimum amount of time, so instances
can be reclaimed at any time. The benefit is that preemptible capacity costs less than on-
demand capacity. Therefore, for workloads that can be interrupted, preemptible capacity can
lower your costs.
Reference: https://docs.oracle.com/en-us/iaas/Content/Compute/Concepts/preemptible.htm
Question 132
Which OSI layer traffic is supported by the Oracle Cloud Infrastructure (OCI) Network Load
Balancer?
Layer 4 (Transport)
Layer 5 (Session)
Layer 7 (Application)
Overall explanation
OCI Flexible Load Balancer is a layer 4 (TCP) which supports features such as SSL termination
and advanced HTTP routing policies.
Reference: https://blogs.oracle.com/cloud-infrastructure/post/announcing-oracle-cloud-infrastructure-flexible-network-load-balancer#
Question 133
Which is NOT a valid compute shape option within the Oracle Cloud Infrastructure (OCI)
compute service?
Container Instance.
Bare Metal.
Virtual Machine.
A
Overall explanation
Reference: https://docs.oracle.com/iaas/Content/Compute/References/computeshapes.htm
Question 134
Which database option in Oracle Cloud Infrastructure will provide you Oracle Active Data
Guard?
Standard Edition
Enterprise Edition
B
Overall explanation
Reference: https://docs.oracle.com/en/database/oracle/oracle-database/19/dblic/Licensing-Information.html#GUID-0F9EB85D-4610-4EDF-89C2-4916A0E7AC87
Question 135
What is a valid RFC 1918 CIDR prefix that can be used for creating an Oracle Cloud
Infrastructure Virtual Cloud Network?
8.8.8.8/8
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16
189.215.154.89/32
0.0.0.0/0
D
Overall explanation
For your VCN, Oracle recommends using the private IP address ranges specified in RFC 1918 (the
RFC recommends 10.0/8 or 172.16/12 but Oracle doesn't support those sizes so use 10.0/16,
172.16/16, and 192.168/16). However, you can use a publicly routable range.
Reference: https://docs.oracle.com/en-us/iaas/Content/Network/Concepts/overview.htm#IPv4
Question 136
Your company uses the Oracle Cloud Infrastructure (OCI) Object Storage service to share large
data sets with its data science team. The data science team consists of 20 people who work
from offices in Washington, D.C., and Tokyo. While working in these offices, employees are
assigned an IP address from the public IP range 129.146.31.0/27.
Which two steps should you take to ensure that the Object Storage bucket used in this
scenario was only accessible from these office locations? (Choose two.)
Set the bucket visibility to public and only share the URL with the data science team via email
Create a pre-authenticated request for each data set and only share with the data science
team via email
Write an IAM policy that includes the conditional statement where request.region =
129.146.31.0/27
AD
Overall explanation
A network source is a set of defined IP addresses. The IP addresses can be public IP addresses or
IP addresses from VCNs within your tenancy. After you create the network source, you can
reference it in policy or in your tenancy's authentication settings to control access based on the
originating IP address.
Reference: https://docs.oracle.com/en-us/iaas/Content/Identity/Tasks/managingnetworksources.htm
Question 137
You are about to upload a large log file (5 TiB in size) to Oracle Cloud Infrastructure object
storage and have decided to use multipart upload capability for a more efficient and resilient
upload.
Which two statements are true about multipart upload? (Choose two.)
You do not have to commit the upload after you have uploaded all the object parts.
While a multipart upload is still active, you cannot add parts even if the total number of parts
is less than 10,000.
AC
Overall explanation
With multipart upload, you split the object you want to upload into individual parts. Individual
parts can be as large as 50 GiB. Decide what part number you want to use for each part. Part
numbers can range from 1 to 10,000. While a multipart upload is still active, you can keep
adding parts as long as the total number is less than 10,000.
Reference: https://docs.cloud.oracle.com/en-us/iaas/Content/Object/Tasks/usingmultipartuploads.htm
Question 138
You created a public subnet and an internet gateway in your virtual cloud network (VCN) of
Oracle Cloud Infrastructure. The public subnet has an associated route table and security list.
However, after creating several compute instances in the public subnet, none can reach the
Internet.
Which two are possible reasons for the connectivity issue? (Choose two.)
The route table has no default route for routing traffic to the internet gateway.
There is no stateful egress rule in the security list associated with the public subnet.
There is no stateful ingress rule in the security list associated with the public subnet.
Overall explanation
Reference: https://docs.oracle.com/en-us/iaas/Content/Network/Concepts/securitylists.htm#Default
"Stateful egress: Allow all traffic. This allows instances to initiate traffic of any kind to any
destination. Notice that this means the instances with public IP addresses can talk to any
internet IP address if the VCN has a configured internet gateway. And because stateful security
rules use connection tracking, the response traffic is automatically allowed regardless of any
ingress rules. For more information, see Stateful Versus Stateless Rules." If the instance cannot
reach the internet, it means that its default security list doesn't have a stateful egress rule (even
though default security lists come with a default stateful egress rule allowing all traffic on all ports).
Question 139
In Oracle Cloud Infrastructure Container Engine for Kubernetes (OKE), what does a Replica Set
do?
Overall explanation
Reference: https://kubernetes.io/docs/concepts/workloads/controllers/replicaset/
Question 140
You have an AI/ML application running on Oracle Cloud Infrastructure. You identified that the
application needs GPU and at least 20Gbps Network throughput.
The application is currently using a VM.Standard2.1 compute without any block storage
attached to it.
Which two options allow you to get your required performance for your application? (Choose
two.)
Clone your boot volume. Create a new compute instance with a VM Standard 2.8 shape and
select your cloned volume as the boot volume for your new instance.
Terminate the compute instance preserving the boot volume. Create a new compute instance
using the VM.Standard2.2 shape using the boot volume preserved, but no block volume
attached.
Terminate the compute instance preserving the boot volume. Create a new compute instance
using the VM.GPU3.4 shape using the boot volume preserved and use the NVMe devices to
host your application.
Terminate the compute instance preserving the boot volume. Create a new compute instance
using the BM.HPC2.36 shape using the boot volume preserved and use the NVMe devices to
host your application.
Terminate the compute instance preserving the boot volume. Create a new compute instance
using the BM.GPU2.2 shape using the boot volume preserved and attach a new block volume
to host your application.
CE
Overall explanation
Reference: https://docs.oracle.com/en-us/iaas/Content/Compute/References/computeshapes.htm
Question 141
Which option is NOT a valid action within the Oracle Cloud Infrastructure (OCI) Block Volume
service?
Overall explanation
Reference: https://docs.oracle.com/en-us/iaas/Content/Block/Tasks/resizingavolume.htm
Question 142
Overall explanation
Reference: https://docs.oracle.com/en-us/iaas/Content/Network/Tasks/localVCNpeering.htm
Question 143
You have created a virtual cloud network (VCN) with three private subnets. Two of the
subnets contain application servers and the third subnet contains a DB System. The
application requires a shared file system so you have provisioned one using the file storage
service (FSS). You also created the corresponding mount target in one of the application
subnets. The VCN security lists are properly configured so that both application servers and
the DB System can access the file system. The security team determines that the DB System
should have read-only access to the file system.
Create an NFS export option that allows READ_ONLY access where the source is the CIDR
range of the DB System subnet.
Connect via SSH to one of the application servers where the file system has been mounted.
Use the Unix command chmod to change permissions on the file system directory, allowing
the database user read-only access.
Modify the security list associated with the subnet where the mount target resides. Change
the ingress rules corresponding to the DB System subnet to be stateless.
Create an instance principal for the DB System. Write an Identity and Access Management
(IAM) policy that allows the instance principal read-only access to the file storage service.
A
Question 144
You have hired a new employee to run reports from the Autonomous Data Warehouse (ADW)
and are not confident in their SQL writing ability.
Into which consumer group will you assign this individual to minimize the impact of their
code?
Lowest
Medium
Highest
High
Low
Low
Overall explanation
The HIGH consumer group allocates more resources, so the process will be faster, but in
case of any mistakes the impact will be greater. So to minimize impact, the consumer group
should be LOW.
Reference: https://docs.oracle.com/en/cloud/paas/autonomous-data-warehouse-cloud/user/manage-service.html
Question 145
You have been notified of an application failure indicating that one or more of the Oracle
Cloud Infrastructure (OCI) resources have become unavailable. After scanning the Compute
and Database consoles, you notice that one of the DB Systems is missing.
What should you do to identify the reason for this missing resource?
Navigate to the Audit console and search the previous 24 hours for all DELETE request actions
to get a list of any resource that was deleted in the past 24 hours.
Navigate to the Audit console and search the previous 24 hours for all the GET request actions
to get a list of every event that occurred in the past 24 hours.
View the service limits associated with your account to ensure that you have not exceeded
the allowable number of DB Systems in your tenancy.
Create a serial console connection to the DB System that does not appear in the management
console. Connect to the serial console connection, and then review the system logs under
/var/log/messages.
A
Overall explanation
Reference:
https://docs.cloud.oracle.com/en-us/iaas/Content/GSG/Tasks/usingaudit.htm
Question 146
As a solution architect, you are showcasing the Oracle Cloud Infrastructure (OCI) Object
Storage feature about Object Versioning to a customer.
Object versioning does not provide data protection against accidental or malicious object
update, overwrite, or deletion.
A bucket that is versioning-enabled can have only and always will have a latest version of the
object in the bucket.
Overall explanation
Reference:
https://docs.cloud.oracle.com/en-us/iaas/Content/Object/Tasks/usingversioning.htm
Overall explanation
Option: Object Versioning is disabled on a bucket by default: Each Object Storage bucket has
object versioning status of disabled, enabled, or suspended. By default, object versioning is
disabled on a bucket. Hence this option is CORRECT.
Option: Object Versioning does not provide data protection against accidental or malicious object
update, overwrite, or deletion: Object versioning provides data protection against accidental or
malicious object update, overwrite, or deletion. For more info: Using Object Versioning
(oracle.com). Hence this option is INCORRECT.
Option: Objects are physically deleted from a bucket when versioning is enabled: No object is
physically deleted from a bucket that has versioning enabled until you take explicit action to do
so. Hence this option is INCORRECT.
Option: A bucket that is versioning-enabled can and will always have the latest version of the
object in the bucket: A bucket that is versioning-enabled can have many versions of an object.
There is always one latest version of the object and zero or more previous versions. Hence this
option is INCORRECT.
Question 147
Your customer is using an Oracle Cloud Infrastructure (OCI) compartment named Production
that hosts several resources such as compute instances, DB
Systems and File Systems. Each resource in the Production compartment is tagged.
The customer's security team wants to restrict access to DB Systems to only the authorized
group of DBAs.
Tag Defaults
Cost-Tracking Tags
Overall explanation
Reference:
https://docs.cloud.oracle.com/en-us/iaas/Content/Tagging/Tasks/managingaccesswithtags.htm#about
Question 148
Which statement is true about Data Guard implementation in Oracle Cloud Infrastructure
(OCI) bare metal and virtual machine database systems?
Primary and standby database versions and editions need not be identical.
Database systems need not be the same shape type (e.g., primary database can be a virtual
machine, and standby database a bare metal shape, and vice versa).
A
Overall explanation
Both DB systems must be in the same compartment. The DB systems must be the same shape
type (for example, if the shape of the primary database is a virtual machine, then the shape of
the standby database can be any other virtual machine shape).
Reference: https://docs.cloud.oracle.com/en-us/iaas/Content/Database/Tasks/usingdataguard.htm
Question 149
Which two choices are true for Oracle Autonomous Database with Shared Exadata
Infrastructure? (Choose two.)
Billing stops for both CPU and storage usage when autonomous database is stopped.
Overall explanation
When an Autonomous Database instance is stopped, the following details apply: Tools are no
longer able to connect to a stopped instance. Autonomous Database in-flight transactions and
queries are stopped. Autonomous Database CPU billing is halted. When you stop your
Autonomous Database, billing stops for CPU usage. Billing for storage continues when the
database is stopped.
Reference: https://docs.oracle.com/en-us/iaas/Content/Database/Tasks/adbmanaging.htm
Question 150
You are managing a tier-1 OLTP application on an Autonomous Transaction Processing (ATP)
database. Your business needs to run hourly batch processes on this ATP database that may
consume more CPUs than what is available on the server.
How can you limit these batch processes to not interfere with the OLTP transactions?
Copy OLTP data into new tables in a new table space and run batch processes against these
new tables
ATP is designed for OLTP workload only; you should not run batch processes on ATP
Configure ATP resource management rules to manage runtime and IO consumption for the
consumer group of batch processes
D
Overall explanation
Reference: https://oracle-base.com/articles/misc/articles-misc
Question 151
Which two components cannot be deleted in your Oracle Cloud Infrastructure Virtual Cloud
Network? (Choose two.)
Service gateway
Routing gateway
Default subnet
BD
Overall explanation
Your VCN automatically comes with these default components:
Default route table, with no rules
Default security list, with default rules
Default set of DHCP options, with default values
You can't delete these default components.
Reference: https://www.oracle.com/a/ocom/docs/vcn-deployment-guide.pdf
Question 152
You are working for a financial institution that is currently running two web applications in
Oracle Cloud Infrastructure (OCI). All resources were created in the root compartment.
Your manager asked you to deploy new resources to support a proof-of-concept (PoC) for
Oracle FlexCube. You must ensure that the FlexCube resources are secured and cannot be
affected by the team that manages the two web applications.
Which two tasks should you complete to ensure the required security of your resources?
(Choose two.)
Create a new compartment for the two web applications and move the existing resources into
the compartment. Deploy the FlexCube application into the root compartment. Create a new
policy in the root compartment that gives the FlexCube project team the ability to manage all
resources in the tenancy.
Create a new policy in the root compartment for the FlexCube project team. Assign a policy
statement that grants the FlexCube project team the ability to manage all resources in the
tenancy, where a specific tag key and tag value are present.
Create a Tag Default within the root compartment with a default value of
${iam.principal.name} so that each new resource created is tagged with the name of the
person who created it. Create a new IAM policy that allows users to only modify resources
they created.
Create a new compartment for the two web applications and move the existing resources into
this compartment. Modify the existing policy for the team that manages these applications so
that the scope of access is defined as this new compartment.
Create a new compartment for the FlexCube application deployment. Create a policy in this
compartment for the project team that gives them the ability to manage all resources within
the scope of this compartment.
DE
Overall explanation
To ensure the required security of your resources the following tasks can be performed.
Create a new compartment for the two web applications and move the existing
resources into this compartment. Modify the existing policy for the team that manages
these applications so that the scope of access is defined as this new compartment.
Create a new compartment for the FlexCube application deployment. Create a policy in
this compartment for the project team that gives them the ability to manage all
resources within the scope of this compartment.
Question 152
You developed a microservices based application that runs on Oracle Cloud Infrastructure
(OCI) Container Engine for Kubernetes (OKE). You want to provide access to this cluster to
other team members.
What should you do to provide access to this cluster using the fewest steps possible?
Create a group in OCI Infrastructure Access Management (IAM). Create a policy to grant
access to the OKE cluster. Other team members should use OCI Cloud Shell to generate the
kubeconfig into their own cloud shell environment and access the cluster using kubectl from
cloud shell.
Create a group in OCI Infrastructure Access Management (IAM). Create a policy to grant
access to the OKE cluster. Create individual users and access token for each team member.
Other team members should use OCI Cloud Shell to generate the kubeconfig into their own
cloud shell environment and access the cluster using kubectl from cloud shell.
Create a group in OCI Infrastructure Access Management (IAM). Create a policy to grant
access to the OKE cluster. Create a cluster role and cluster role binding to provide access to
the cluster for each team member. Other team members should install oci cli and kubectl
locally on their laptop. Use the oci cli to generate the kubeconfig and use kubectl to access
the cluster.
Create a group in OCI Infrastructure Access Management (IAM). Create a policy to grant
access to the OKE cluster. Other team members should install oci cli and kubectl locally on
their laptop. Use the oci cli to generate the kubeconfig and use kubectl to access the cluster.
A
Overall explanation
Reference:
https://docs.oracle.com/en-us/iaas/Content/ContEng/Tasks/contengdownloadkubeconfigfile.htm
Question 153
A recently hired network administrator has been given the task of removing SSH permissions
from all compute instances in the company’s tenancy. She finds all Virtual Cloud Networks
(VCNs) in the tenancy using Tenancy Explorer. She removes port 22 from the Security Lists in
all VCNs. After she completes the task, the very first compute instance that she tests SSH
against still allows her to SSH into it. Why is that?
The VNIC of that compute instance is attached to a Network Security Group (NSG) that has a
stateful ingress rule for all protocols on source CIDR 0.0.0.0/0.
The VCN where that compute instance resides still has a route rule that allows port 22.
The VCN where that compute instance resides still has an Internet Gateway.
The VNIC of that compute instance is attached to a Cluster Network that has a stateful ingress
rule for all protocols on source CIDR 0.0.0.0/0.
A
Overall explanation
The Networking service offers two virtual firewall features that both use security rules to control
traffic at the packet level. The two features are:
Security lists: The original virtual firewall feature from the Networking service.
You can use security lists alone, network security groups alone, or both together. It depends on
your particular security needs.
If you choose to use both security lists and network security groups, the set of rules that
applies to a given VNIC is the union of these items:
The security rules in the security lists associated with the VNIC's subnet
A packet in question is allowed if any rule in any of the relevant lists and groups allows the
traffic.
She removed port 22 from the Security Lists in all VCNs. But she forgot to check the Network
Security Group (NSG).
Hence "The VNIC of that compute instance is attached to a Network Security Group (NSG) that
has a stateful ingress rule for all protocols on source CIDR 0.0.0.0/0." is the correct answer.
Question 154
Which tool provides a diagram of the implemented topology of all Virtual Cloud Networks
(VCNs) in a selected region and tenancy?
Network Visualizer
Network Watcher
Traffic Analytics
B
Overall explanation
Your Oracle virtual network is composed of virtual cloud networks (VCNs), subnets, gateways,
and other resources. These entities are related and connected through routing that is often
complex. These resources can also have complex relationships with other Oracle Cloud
Infrastructure (OCI) services. The ability to have a concise picture of these entities and their
relationships is essential for understanding the design and operation of a virtual network.
The Network Visualizer provides a diagram of the implemented topology of all VCNs in a
selected region and tenancy.
Question 155
Which of the following resources can you attach to a Dynamic Routing Gateway
(DRG)? (Select three)
Subnet
VNIC
IPSec Tunnel
Virtual Circuits
BEF
Overall explanation
A DRG acts as a virtual router, providing a path for traffic between your on-premises networks
and VCNs, and can also be used to route traffic between VCNs.
A DRG is a virtual router to which you can attach the following resources:
VCNs
Hence, Local Peering Connection, VNIC and Subnet are incorrect options and the remaining
three options (as discussed above) are the correct answers.
Reference: https://docs.oracle.com/en-u
Question 156
Company XYZ is spending $300,000.00 USD per month in egress fees for 7 Petabytes that they
consume for Outbound Data Transfer in North America with their current cloud provider. The
company is seeking to lower that expense considerably without reducing consumption. You
propose migration to OCI because the Gigabyte Outbound Data Transfer in North America
costs just $0.0085 USD per month. With OCI, how much will they spend per month for 7
Petabytes of Outbound Data Transfer? (1 Petabyte = 1000 Terabytes)
$150,000.00
$59,500.00
$59,415.00
D
Overall explanation
As the first 10 TB is free, the revised number is 7000 - 10 = 6990 TB, which is
(6990 * 1000) GB = 6990000 GB
Question 157
You want to distribute DNS traffic to different endpoints based on the location of the end
user. Which Traffic Management Steering Policy would you use?
Geolocation
Failover
Load Balancer
IP Prefix
A
Overall explanation
GEOLOCATION STEERING
Geolocation steering policies distribute DNS traffic to different endpoints based on the location
of the end user. Customers can define geographic regions composed of originating continent,
countries or states/provinces (North America) and define a separate endpoint or set of
endpoints for each region.
FAILOVER
Failover policies allow you to prioritize the order in which you want answers served in a policy
(for example, Primary and Secondary). Oracle Cloud Infrastructure Health Checks monitors and
on-demand probes are leveraged to determine the health of answers in the policy. If the
Primary Answer is determined to be unhealthy, DNS traffic will automatically be steered to the
Secondary Answer.
LOAD BALANCER
Load Balancer policies allow distribution of traffic across multiple endpoints. Endpoints can be
assigned equal weights to distribute traffic evenly across the endpoints or custom weights may
be assigned for ratio load balancing. Oracle Cloud Infrastructure Health Checks monitors and
on-demand probes are leveraged to determine the health of the endpoint. DNS traffic will be
automatically distributed to the other endpoints, if an endpoint is determined to be unhealthy.
IP PREFIX STEERING
IP Prefix steering policies enable customers to steer DNS traffic based on the IP Prefix of the
originating query.
Question 158
Which are the TWO tools you would use for Logical migration?
RMAN
Data Guard
Data Pump
GoldenGate
CD
Question 158
You are using a custom application with third-party APIs to manage the application and data
hosted in an Oracle Cloud Infrastructure (OCI) tenancy. Although your third-party APIs do not
support OCI’s signature-based authentication, you want them to communicate with OCI
resources. Which authentication option should you use to ensure this?
Auth Tokens
Overall explanation
Auth tokens are Oracle-generated token strings that you can use to authenticate with
third-party APIs that do not support Oracle Cloud Infrastructure's signature-based authentication.
Auth tokens do not expire. Each user can have up to two auth tokens at a time.
Solution Overview
A few Object Storage buckets in your Oracle Cloud Infrastructure (OCI) tenancy should remain
public, and yet you do not want the Cloud Guard service to detect these as problems.
Fix the baseline by configuring Conditional Groups for the detector.
Resolve or remediate those problems and you should not see Cloud Guard triggering on these
resources ever again.
Cloud Guard will keep detecting it because a public bucket is a security risk.
AC
Overall explanation
A conditional group sets parameters that you specify, to limit the scope of situations for which
the violation of a detector rule actually triggers a problem.
Example: You have 10 Compute Instances. Two instances (Instance1 and Instance2) should be
public, so you don't want the "Instance is publicly accessible" rule to trigger problems on these
instances. You can use conditional groups to exclude these two instances, using either custom
lists or managed lists.
When you dismiss a problem, you're telling Cloud Guard to ignore this instance of the problem
for that resource, and simply ignore it if it happens in the future. Only the problem history of
the dismissed problem is updated.
When you mark a problem as resolved, you're telling Cloud Guard that it was in fact a problem,
but you've taken an action that handled it. If another instance of this same problem occurs, it's
detected again.
Question 160
Which statement is true about File System Replication in Oracle Cloud Infrastructure (OCI)?
You can replicate the data in one file system to another file system in the same region or a
different region.
You can replicate the data in one file system to another file system only in the same region.
You cannot specify a replication interval when you create the replication resource.
Only a file system that has been exported can be used as a target file system
A
Overall explanation
Cross-region replication for File Storage provides protection from regional outages, aids in
disaster recovery efforts, and addresses data redundancy compliance requirements.
You can replicate the data in one file system to another file system in the same region or a
different region.
REPLICATION INTERVAL: The frequency that the replication operation is performed. You
specify the interval when you create the replication resource.
Only a file system that has never been exported can be used as a target file system.
Question 161
You have objects stored in an OCI Object Storage bucket that you want to share with a partner
company. You decide to use pre-authenticated requests to grant access to the objects. Which
statement is true about pre-authenticated requests?
Deleting a pre-authenticated request does not revoke user access to the associated bucket or
object.
B
Overall explanation
Pre-authenticated requests provide a way to let users access a bucket or an object without
having their own credentials.
You can't edit a pre-authenticated request. If you want to change user access options or enable
object listing in response to changing requirements, you must create a new pre-authenticated
request.
You want a full-featured Identity-as-a-Service (IDaaS) solution that helps you manage
workforce authentication and access to all of your Oracle and non-Oracle applications,
whether they are SaaS apps, on-premises enterprise apps, or apps that are hosted in the
cloud. Which IAM Identity Domain type should you create?
Premium
Free
External User
A
Overall explanation
Premium identity domains provide the full IAM feature set for employee and workforce use-
cases giving you enterprise-ready access management across hybrid IT environments. It gives
you support for all apps and services, and for unlimited third-party applications. If you are
standardizing on Oracle as your enterprise identity and access manager provider, this is the
identity domain type you want.
Use Case: You want a full-featured Identity-as-a-Service (IDaaS) solution that helps you manage
workforce authentication and access to all of your Oracle and non-Oracle applications whether
they’re SaaS apps, on-premises enterprise apps, or apps that are hosted in the cloud.
Question 163
Which TWO statements are TRUE about restoring a volume from a block volume backup in
the Oracle Cloud Infrastructure (OCI) Block Volume service?
You can restore a volume from any full volume backup but not from an incremental backup.
You can restore a volume to any availability domain within the same region where the backup is
stored.
You can restore only one volume from a manual block volume backup.
You can only restore a volume to the same availability domain in which the original block
volume resides.
BD
Overall explanation
You can restore a block volume backup to a larger volume size. You can only increase the size of
the volume, you cannot decrease the size. Hence the option "You can restore a block volume
backup to a larger volume size." is CORRECT.
You can restore a volume from any of your incremental or full volume backups. Both backup
types enable you to restore the full volume contents to the point-in-time snapshot of the
volume when the backup was taken. Hence the option "You can restore a volume from any full
volume backup but not from an incremental backup." is INCORRECT.
Backups are encrypted and stored in Oracle Cloud Infrastructure Object Storage, and can be
restored as new volumes to any availability domain within the same region they are stored.
Hence the option "You can restore a volume to any availability domain within the same region
where the backup is stored." is CORRECT and the option "You can only restore a volume to the
same availability domain in which the original block volume resides." is INCORRECT.
Manual backups do not expire, they are maintained until you delete them. You can restore
multiple new volumes from the backup later in the future. Hence the statement "You can
restore only one volume from a manual block volume backup." is INCORRECT.
Question 164
In which two ways can Oracle Security Zones assist with the cloud security shared
responsibility model? (Select two)
Deny public access to Oracle Cloud Infrastructure resources, such as databases and object
storage buckets.
Overall explanation
In general, security zone policies align with the following core security principles.
All the required components for a resource in a security zone must also be located in the
same security zone. Resources that are not in a security zone might be vulnerable, and
resources in a different security zone might have a lower security posture.
For example, an instance (Compute) in a security zone can't use a boot volume that is
not in the same security zone.
Resources in a security zone must not be accessible from the public internet.
Data in a security zone is considered privileged and can't be copied outside of the
security zone because it might be less secure.
Resources in a security zone must use only configurations and templates approved by
Oracle.
Question 165
When defining a query for metric data in Monitoring, which field provides the time window
for aggregating metric data points plotted on the metric chart?
Statistic
Dimension
Interval
Namespace
C
Overall explanation
interval: The time window used to convert the set of raw data points.
statistic: The aggregation function applied to the set of raw data points.
metric namespace: Indicator of the resource, service, or application that emits the metric.
Question 166
Which statement accurately describes the key features and benefits of OCI Confidential
Computing?
It provides automatic scalability and load balancing capabilities, which allow seamless
integration with other cloud providers.
It enables users to securely store and retrieve data by using distributed file systems, ensuring
high availability and fault tolerance.
It optimizes network performance and reduces latency through advanced routing algorithms
and caching mechanisms.
It encrypts and isolates in-use data and the applications processing that data, thereby
preventing unauthorized access or modification.
D
Overall explanation
Confidential computing encrypts and isolates in-use data and the applications
processing that data.
Confidential instances are compute virtual machines (VMs) or bare metal instances
where both the data and the application processing the data are encrypted and
isolated while the application processes the data, preventing unauthorized access or
modification of either the data or the application.
Hence "It encrypts and isolates in-use data and the applications processing that data,
thereby preventing unauthorized access or modification." is the CORRECT answer.
Question 167
Which is NOT a valid option for an Oracle Cloud Infrastructure (OCI) compute shape?
Bare Metal
Virtual Machine
B
Overall explanation
A shape is a template that determines the number of OCPUs, amount of memory, and other
resources that are allocated to an instance. Oracle Cloud Infrastructure offers both bare metal
and virtual machine instances:
Bare metal: A bare metal compute instance gives you dedicated physical server access
for highest performance and strong isolation.
Hence the options Bare Metal & Virtual Machine are VALID and hence NOT the correct
answers.
Dedicated virtual machine hosts let you run Oracle Cloud Infrastructure Compute virtual
machine (VM) instances on dedicated servers that are a single tenant and not shared with other
customers. Use dedicated virtual machine hosts to meet compliance and regulatory
requirements for isolation that prevent you from using shared infrastructure. You can also use
dedicated virtual machine hosts to meet node-based or host-based licensing requirements that
require you to license an entire server.
Hence Dedicated virtual machine host is also a valid Compute Shape and hence NOT the
correct answer.
We are left with Exadata Virtual Machine. Oracle Exadata is a pre-configured combination of
hardware and software that provides an infrastructure for running Oracle Database. It consists
of a database layer and a storage layer connected through an InfiniBand network. It is NOT a
valid Compute shape and hence the CORRECT answer.
Question 168
You have a high-demand web application running on Oracle Cloud Infrastructure (OCI). Your
tenancy administrator has set up a schedule-based autoscaling policy on instance pool with
an initial size of 5 instances for the application.
Policy 1:
Execution time: 8:30 a.m. on every Monday through Friday, in every month, in every
year
Goal: A recurring weekly schedule. On all days of the week at 8.30 a.m., scale out the pool to
10 instances from the initial size of 5.
Goal: A one-time schedule with only one scaling out event. At 8:30 a.m., on December 31,
2021, scale the instance pool to 10 instances from 5.
Goal: A recurring daily schedule. On weekday mornings at 8.30 a.m., scale out to 10 instances.
Goal: A recurring monthly schedule. On all days of the month, set the initial pool size to 5
instances. At 8.30 a.m., on every day of the month, scale out to 10 instances.
C
Overall explanation
In this question, we should employ the elimination process to arrive at the correct answer.
It is clearly specified in the question that the Execution time is 8:30 a.m. on every Monday
through Friday, in every month, in every year. Please pay special attention to the words every
month and every year. It clearly means it is NOT a one time schedule and rather a recurring
schedule.
Hence the option "Goal: A one-time schedule with only one scaling out event. At 8:30 a.m., on
December 31, 2021, scale the instance pool to 10 instances from 5." can be eliminated.
Now please pay special attention to the words every Monday through Friday in the statement
"Execution time: 8:30 a.m. on every Monday through Friday, in every month, in every year" -->
It does not mean "all days of the week". Hence the option "Goal: A recurring weekly
schedule. On all days of the week at 8.30 a.m., scale out the pool to 10 instances from the
initial size of 5." can be eliminated.
On similar lines, the option "Goal: A recurring monthly schedule. On all days of the month, set
the initial pool size to 5 instances. At 8.30 a.m., on every day of the month, scale out to 10
instances." can be eliminated as the execution time is not intended to be on all the days of the
month.
Now, we are left with only one option "Goal: A recurring daily schedule. On weekday mornings
at 8.30 a.m., scale out to 10 instances." Let's understand why this is the CORRECT answer.
This option mentions weekday mornings -> This satisfies the execution time in policy (every
Monday through Friday).
Question 169
Which TWO statements are NOT correct regarding the Oracle Cloud Infrastructure (OCI)
burstable instances? (Select two)
Burstable instances are designed for scenarios where an instance is not typically idle and has
high CPU utilization.
If the instance's average CPU utilization over the past 24 hours is below the baseline, the
system allows it to burst above the baseline.
Burstable instances cost less than regular instances with the same total OCPU count.
Overall explanation
Burstable instances are designed for scenarios where an instance is typically idle, or
has low CPU utilization with occasional spikes in usage.
When you create a burstable instance, you specify the total OCPU count (or CPU cores) and the
baseline CPU utilization. The baseline utilization is a fraction of each CPU core, either 12.5% or
50% (and NOT 75% as mentioned in one of the options)
1. Burstable instances are designed for scenarios where an instance is not typically idle and has
high CPU utilization.
Which statement is true regarding the run command feature in the Oracle Cloud
Infrastructure (OCI) Compute service?
The run command feature is not supported on compute instances that use the Windows
Server platform images.
You cannot run commands on an instance if the instance does not have SSH access or open
inbound ports.
The run command feature does not require any Oracle Cloud Agent plugins to be enabled and
running.
The maximum size for a script file that you upload directly to an instance in plain text is 4 KB.
D
Overall explanation
You can run commands on an instance even when the instance does not have SSH access or
open inbound ports.
The run command feature is supported on compute instances that use the following platform
images:
Oracle Linux
CentOS
Windows Server
The run command feature uses the Compute Instance Run Command plugin that is managed
by the Oracle Cloud Agent software.
The maximum size for a script file that you upload directly to an instance in plain text is 4 KB.
Hence the statement "The maximum size for a script file that you upload directly to an instance
in plain text is 4 KB." is Correct.
Question 171
In which TWO ways does Cloud Guard help improve the overall security posture for your
tenancy?
Prevents you from creating misconfigurations on your resources in Oracle Cloud Infrastructure
(OCI).
Masks sensitive data and monitors security controls on your Oracle databases.
Helps detect misconfigured resources, such as publicly accessible Object Storage buckets,
instances, and restricted ports on security lists.
CE
Overall explanation
Oracle Data Safe is a unified control center for your Oracle databases which helps you
understand the sensitivity of your data, evaluate risks to data, mask sensitive data, implement
and monitor security controls, assess user security, monitor user activity, and address data
security compliance requirements.
Hence Masks sensitive data and monitors security controls on your Oracle databases is
INCORRECT.
Oracle Cloud Infrastructure (OCI) Vault lets you centrally manage and control use of keys and
secrets across a wide range of OCI services and applications.
Security Zones enforce security posture on OCI cloud compartments and prevent actions that
could weaken a customer's security posture. Security Zone policies can be applied to various
cloud infrastructure types (network, compute, storage, database, etc.) to ensure cloud
resources stay secure and prevent security misconfigurations.
Hence Prevents you from creating misconfigurations on your resources in Oracle Cloud
Infrastructure (OCI) is incorrect.
Helps detect misconfigured resources, such as publicly accessible Object Storage buckets,
instances, and restricted ports on security lists.
Oracle Cloud Guard is an Oracle Cloud Infrastructure service that helps customers monitor,
identify, achieve, and maintain a strong security posture on Oracle Cloud.
Use the service to examine your Oracle Cloud Infrastructure resources for security weakness
related to configuration, and your operators and users for risky activities. Upon detection,
Cloud Guard can suggest, assist, or take corrective actions, based on your configuration.
Question 172
Which is NOT a valid statement regarding the Oracle Cloud Infrastructure (OCI) Audit service?
Changes within the objects stored in an Object Storage bucket are collected as Audit logs.
Retention period for Audit logs is 365 days and it cannot be changed
Audit service can record REST API calls executed by a custom client.
B
Overall explanation
Changes within the objects stored in an Object Storage bucket are NOT collected as Audit logs.
Audit service automatically records calls to all supported Oracle Cloud Infrastructure public
application programming interface (API) endpoints as log events. Currently, all services support
logging by Audit. Object Storage service supports logging for bucket-related events, but NOT
for object-related events.
Log events recorded by the Audit service include API calls made by the Oracle Cloud
Infrastructure Console, Command Line Interface (CLI), Software Development Kits (SDK), your
own custom clients, or other Oracle Cloud Infrastructure services.
If you’re a regular user (not an administrator) who needs to use the Oracle Cloud Infrastructure
resources that your company owns, contact your administrator to set up a user ID for you. The
administrator can confirm which compartment or compartments you should be using. Audit
provides records of API operations performed against supported services as a list of log events.
The service logs events at both the tenant and compartment level.
By default, Audit logs are retained for 365 days. You can view the log retention period in
the tenancy details page.
Retention period is a tenancy-level setting. The value of the retention period setting affects all
regions and all compartments. The retention period cannot be changed.
Question 173
You need to implement automatic backups for your database system. You can easily check
“Enable Automatic Backup” in the web console. Before you do that though, you need to have
which of the following TWO prerequisites in place?
VCN configured with VPN for secure access to the Oracle Cloud Infrastructure (OCI) Object
Storage service
Overall explanation
The DB system requires access to the Oracle Cloud Infrastructure Object Storage
service, including connectivity to the applicable Swift endpoint for Object Storage.
You plan to launch a VM instance with the VM.Standard2.24 shape and Oracle Linux 8
platform image. You want to protect your VM instance from low-level threats, such as rootkits
and bootkits that can infect the firmware and operating system and are difficult to detect.
Overall explanation
Threats like rootkits and bootkits that have kernel-level privileges can infect the firmware and
operating system and are difficult to detect. Rootkits containing low-level malware allow an
attacker to perform the following tasks:
Bootkits are a type of rootkit that targets the boot code and can cause system instability and
inability to launch the operating system. These tactics are commonly used to perform
ransomware attacks.
Unfortunately, rootkits and bootkits are hard to detect because they activate even before the
operating system boots and can block antivirus and antimalware software, rendering them
ineffective. You can use Shielded instances, which protect virtual machines (VM) and bare
metal instances against these low-level threats.
You are using the Oracle Cloud Infrastructure (OCI) Vault service to create and manage
Secrets. For your database password, you have created a secret and rotated the secret one
time. The secret versions are as follows:
-----------------------------------------
2 (latest) | Current
1 | Previous
You later realize that you have made a mistake in updating the secret content for version 2
and want to rollback to version 1.
From the version 1 menu on the OCI console, select "Promote to Current".
From the version 2 (latest) menu, select "Rollback" and select version 1 when given the
option.
Deprecate version 2 (latest). Create new Secret version 3. Create soft link from version 3 to
version 1.
Create a new secret version 3 and set to Pending. Copy the content of version 1 into version 3.
A
Overall explanation
Open the navigation menu, click Identity & Security, and then click Vault.
Under List Scope, in the Compartment list, click the name of the compartment that contains the
vault that has the secret that you want to update.
From the list of vaults in the compartment, click the vault name.
Click Secrets, and then click the name of the secret that you want to update to use a different
secret version. (If needed, first change the list scope to the compartment that contains the
secret.)
Make a different secret version the current secret version by doing one of the following:
Click Edit, click Current Version, and then click the version number you want to
promote. When you're ready, click Save Changes.
Under Secret Version List, locate the version number that you want to promote, click the
Actions icon (three dots) for that secret version, and then click Promote to Current. Confirm the
promotion by clicking Promote to Current.
Question 175
Backup and restore your TDE wallets from the source to the target database.
Place the database in the restricted mode so that no one accesses it during migration.
Overall explanation
Oracle Cloud databases provide fully automated backups that can be enabled by the click of a
button. However, the backups are stored in an Oracle-managed bucket. Hence, the automatic
backups can only be used to restore on the same database host or create a new database in the
same availability domain.
If you want to restore the database into another availability domain, OCI region, or on-premises,
you need access to the Object Storage bucket where the backup files reside. To do so, you can
create your own RMAN backup into a user-defined Object Storage bucket using:
dbcli utility for Database Cloud Service virtual and bare metal machines, bkup_api utility
for Exadata Cloud Service. Or,
Database Cloud Backup Module for virtual, bare metal, and Exadata machines. And for
on-premises Oracle databases as well.
Reference: Restore a TDE encrypted Cloud Database Backup to another Availability Domain, OCI
Region, or On-Premises – Database Heartbeat (database-heartbeat.com)
Question 176
Your customer would run month-end jobs on their on-premises databases that would take
around 14 hours to complete and sometimes even fail due to overloaded database systems.
After a detailed evaluation, they migrated their database to Oracle Autonomous Data
Warehouse. They realized they could also move their analytics platform to Oracle Analytics
Cloud (OAC) and have their best of breed technology platforms meet their critical business
requirements.
After migrating their analytics platform, they want to use one consumer group for running
month-end jobs and another consumer group that can be used by the analytics team for
performing data analytics tasks every day.
Use consumer group high for month-end jobs and consumer group medium for data analytics.
Use consumer group medium for month-end jobs and consumer group low for data analytics.
Use consumer group high for both month-end jobs and data analytics.
Use consumer group high for data analytics and consumer group low for month-end jobs.
A
Overall explanation
By default, the CPU/IO shares assigned to the consumer groups HIGH, MEDIUM, LOW are 4, 2,
and 1, respectively. With the default settings the consumer group HIGH will be able to use 4
times more CPU/IO resources compared to LOW and 2 times more CPU/IO resources
compared to MEDIUM, when needed.
The consumer group MEDIUM will be able to use 2 times more CPU/IO resources compared to
LOW, when needed.
Question 177
You are a security administrator for your company's Oracle Cloud Infrastructure (OCI) tenancy.
Your storage administrator informs you that she cannot associate an encryption key from an
existing Vault to a new Object Storage bucket.
The Object Storage bucket policy lacks the necessary Access Control List (ACL).
The storage administrator forgot to select "Encrypt using Oracle managed keys" while creating
the bucket.
There is no Identity and Access Management (IAM) policy that allows the Object Storage
service to use the key.
D
Overall explanation
Instead of using an encryption key that Oracle manages, you can assign master encryption
keys that you manage to buckets.
Keys associated with buckets will not work unless you authorize Object Storage to use keys on
your behalf.
Additionally, you must also authorize users to delegate key usage to these services in the first
place.
Object Storage is a regional service with regional endpoints. As such, you must specify the
regional service name for each region where you’re using Object Storage with Vault
encryption.
You want to run compute virtual machine (VM) instances in Oracle Cloud Infrastructure (OCI).
Your business unit has the following requirements that need to be considered before you
launch the VMs:
Requirement 2: Meet node-based licensing requirements that require you to license an entire
server.
Which compute capacity type would you select to meet these requirements?
Dedicated host
Preemptible capacity
Capacity reservation
On-demand capacity
A
Overall explanation
The Oracle Cloud Infrastructure Compute service's dedicated virtual machine host feature gives
you the ability to run compute virtual machine (VM) instances on dedicated servers that are
a single tenant and not shared with other customers.
This feature lets you meet compliance and regulatory requirements for isolation that prevent
you from using shared infrastructure. You can also use this feature to meet node-based or
host-based licensing requirements that require you to license an entire server.
Question 179
You have a block volume created in the US West (Phoenix) region. You enabled Cross Region
Replication for the volume and selected US West (San Jose) as the destination region. Now,
you would like to create a new volume from the volume replica in the US West (San Jose)
region.
Overall explanation
To create a new volume from a volume replica, you need to activate the replica. The
activation process creates a new volume by cloning the replica.
Ensure that you are in the correct destination region that contains the volume replica you want to
activate.
On the Activate Volume Replica, specify the settings for the new volume.
Click Create. The new volume will appear in the block volumes list, in the provisioning state.
Question 180
You are responsible for creating and maintaining an enterprise application that consists of
multiple storage volumes across multiple compute instances in Oracle Cloud Infrastructure
(OCI).
The storage volumes include boot volumes and block volumes for your data storage. You need
to create a backup for the boot volumes that will be done daily and a backup for the block
volumes that will be done every six hours.
Create on-demand full backups of block volumes, and create custom images from the boot
volumes. Use a function to run at a specific time to start the backup process.
Create clones of all boot volumes and block volumes one at a time.
Group the boot volumes into a volume group and create a custom backup policy. Group the
block volumes and create a custom backup policy.
Group multiple storage volumes in a volume group and create volume group backups.
C
Overall explanation
"Group multiple storage volumes in a volume group and create volume group
backups" is incorrect because the two volume types have different custom schedule requirements:
backups for boot volumes are to be done daily and backups of block volumes every six hours. Hence one
Volume Group won't satisfy the requirement mentioned.
Create clones of all boot volumes and block volumes one at a time is incorrect as the question
is about backup and the answer talks about creating clones.
Create on-demand full backups of block volumes, and create custom images from the boot
volumes. Use a function to run at a specific time to start the backup process is incorrect as the
option doesn't talk about volume groups.
Question 181
Overall explanation
If one of the backend servers goes down or gets disconnected, the load balancer stops sending
new connections to that unhealthy instance and sends the new connections to the remaining
healthy backend endpoints.
Question 182
Your DevOps team needs to interconnect the on-premises network to the Oracle Cloud
Infrastructure (OCI) resources, such as a managed database that resides in a private subnet.
They indicate that they have a low budget and their bandwidth requirements are minimal, so
you decide that a site-to-site VPN is the best option. They provide you with their router public
IP address. You need to create an object in OCI that represents this router. Which object
would you create?
Internet Gateway
IPSec Tunnel
Bastion Host
C
Overall explanation
At your end of Site-to-Site VPN is the actual device in your on-premises network (whether
hardware or software). The term customer-premises equipment (CPE) is commonly used in
some industries to refer to this type of on-premises equipment. When setting up the VPN, you
must create a virtual representation of the device. Oracle calls the virtual representation a CPE,
but this documentation typically uses the term CPE object to help distinguish the virtual
representation from the actual CPE device. The CPE object contains basic information about
your device that Oracle needs.
Question 183
Which TWO statements are TRUE about Public IP addresses in Oracle Cloud Infrastructure
(OCI)?
You must use OCI provided public IP addresses. You cannot bring your own IP addresses to
OCI.
You can assign a given instance multiple public IPs across one or more VNICs.
Overall explanation
Oracle Cloud Infrastructure allows you to Bring Your Own IP (BYOIP) address space to use with
resources in Oracle Cloud Infrastructure, in addition to using Oracle owned addresses. See Bring
Your Own IP (oracle.com). Hence the option "You must use OCI provided public IP addresses. You
cannot bring your own IP addresses to OCI" is NOT TRUE.
Ephemeral: Think of it as temporary and existing for the lifetime of the instance.
Reserved: Think of it as persistent and existing beyond the lifetime of the instance it's
assigned to. You can unassign it and then reassign it to another instance whenever you
like. Exception: reserved public IPs on public load balancers
You can assign a public IP address to an instance to enable communication with the internet.
The instance is assigned a public IP address from the Oracle Cloud Infrastructure address pool.
The assignment is actually to a private IP object on the instance. The VNIC that the private IP is
assigned to must be in a public subnet. A given instance can have multiple secondary VNICs, and
a given VNIC can have multiple secondary private IPs. So you can assign a given instance
multiple public IPs across one or more VNICs if you like. Hence option You can assign a given
instance multiple public IPs across one or more VNICs is TRUE.
Option: By default, an instance in a public subnet has one primary public IP address: As
discussed earlier the instance is assigned a public IP address from the Oracle Cloud
Infrastructure address pool. The assignment is actually to a private IP object on the
instance. Therefore the option is NOT TRUE.
Question 184
You are responsible for deploying an application on Oracle Cloud Infrastructure (OCI). The
application is memory intensive and performs poorly if enough memory is not available. You
have created an instance pool of Linux compute instances in OCI to host the application and
defined Autoscaling Configuration for the instance pool. What should you do to ensure that
the instance pool autoscales to prevent poor application performance?
Configure the autoscaling policy to monitor memory usage and scale up the number of
instances when it meets the threshold.
Install OCI SDK on all compute instances and create a script that triggers the autoscaling event
if there is high memory usage.
Install the monitoring agent on all compute instances, which triggers the autoscaling group.
Configure the autoscaling policy to monitor CPU usage and scale up the number of instances
when it meets the threshold.
A
Overall explanation
When you configure an Autoscaling policy, you have the option to select Memory Utilization as
the performance metric (as shown in the screenshot below):
The question mentions that the application is memory intensive and performs poorly if enough
memory is not available.
You can directly eliminate Install OCI SDK on all compute instances and create a script that
triggers the autoscaling event if there is high memory usage and Install the monitoring agent
on all compute instances, which triggers the autoscaling group as these options do not
mention the use of auto scaling policy.
The remaining two options both talk about an autoscaling policy, but the option "Configure the
autoscaling policy to monitor CPU usage and scale up the number of instances when it meets
the threshold." can be eliminated because the question describes a memory-sensitive application
that performs poorly if enough memory is not available.
So the correct answer is Configure the autoscaling policy to monitor memory usage and scale
up the number of instances when it meets the threshold.
Question 185
You have three compartments: ProjectA, ProjectB, and ProjectC. For each compartment, there
is an admin group set up: A-Admins, B-Admins, and C-Admins.
Each admin group has full access over their respective compartments as shown in the graphic
below.
Your organization has set up a tag namespace, EmployeeGroup.Role and all your admin
groups are tagged with a value of 'Admin'.
You want to set up a Test compartment for members of the three projects to share. You also
need to provide admin access to all three of your existing admin groups.
Overall explanation
So the correct answer is Allow any-user to manage all-resources in compartment Test where
request.principal.group.tag.EmployeeGroup.Role='Admin'
Question 186
Which of the following statements is true about cloning a volume in the Oracle Cloud
Infrastructure (OCI) Block Volume service?
You can change the block volume size when cloning a volume.
Overall explanation
You can only create a clone for a volume within the same region, availability domain and tenant.
So the option You can clone a volume to another region is incorrect.
Creating a clone is faster than creating a backup. Reference: see the comparison table of Backup
vs Clone in Cloning a Volume (oracle.com). Hence the option "Creating a clone takes longer
than creating a backup of a volume" is incorrect as well.
The option "You need to detach a volume before cloning it" is also incorrect, as per the following
statement from the Oracle documentation:
"If the source volume is attached when a clone is created, you need to wait for the first clone
operation to complete from the source volume before creating additional clones. If the source
volume is detached, you can create up to ten clones from the same source volume
simultaneously"
This means irrespective of whether the volume is detached or attached, you can create clones.
The option You can change the block volume size when cloning a volume is CORRECT as you
can clone an existing volume to a new, larger volume. Since the clone is a copy of the source
volume it will be the same size as the source volume unless you specify a larger volume size
when you create the clone. (you have the option to specify a larger size).
Question 187
Which is NOT a valid Oracle Cloud Infrastructure (OCI) Virtual Cloud Network (VCN) approach?
Ensure not all IP addresses are allocated at once within a VCN or subnet; instead reserve
some IP addresses for future use.
Ensure VCN CIDR prefix overlaps with other VCNs in your tenancy or with your organization's
private IP network ranges.
Use OCI tags to tag VCN resources so that all resources follow organizational tagging/naming
conventions.
Private subnets should ideally have individual route tables to control the flow of traffic within
and outside of VCN.
B
Overall explanation
Private subnets should ideally have individual route tables to control the flow of traffic within
and outside of VCN: When you have a public subnet and a private subnet in your VCN (for an
example, see Scenario C: Public and Private Subnets with a VPN), you'll need to use different
route tables for the subnets because the route rules for the subnets need to be different. Hence
this is a VALID statement.
Use OCI tags to tag VCN resources so that all resources follow organizational tagging/naming
conventions: Oracle Cloud Infrastructure Tagging allows you to add metadata to resources,
which enables you to define keys and values and associate them with resources. You can use the
tags to organize and list resources based on your business needs. Hence this is a VALID
statement.
Ensure not all IP addresses are allocated at once within a VCN or subnet; instead reserve
some IP addresses for future use: This is one of the best practices to be adopted during the
VCN design/implementation phase. Hence this is a VALID statement.
Ensure VCN CIDR prefix overlaps with other VCNs in your tenancy or with your organization's
private IP network ranges: If you intend to connect a VCN to your on-premises network or
another VCN, Oracle recommends that you ensure that the IP address ranges don’t overlap.
This is NOT a valid approach and hence it is the answer.
Question 188
Your company requires a highly available and low-latency connection between your on-
premises data center and OCI. Which connectivity option should you choose?
Site-to-Site VPN
Internet Gateway
Local Peering
B
Overall explanation
Here's why:
Site-to-Site VPN: While a VPN can provide connectivity, it may have higher latency and
lower bandwidth compared to FastConnect, especially for high-throughput applications.
Internet Gateway: Using the internet for connectivity can introduce latency and security
risks.
Local Peering: Local Peering is used to connect VCNs within the same region, not for
connecting to on-premises networks.
By choosing FastConnect with redundant connections, you can achieve the highest level of
availability, performance, and security for your on-premises to cloud connectivity.
Reference:
https://www.oracle.com/in/cloud/networking/fastconnec
https://docs.oracle.com/en-us/iaas/Content/Netwo
Question 189
You have multiple VCNs that need to communicate with each other and with your on-
premises network. Which component should you use as the central hub for routing traffic?
Internet Gateway
NAT Gateway
Service Gateway
Overall explanation
Here's why:
DRG as a Central Hub: The DRG acts as a central point for routing traffic between your
VCNs and on-premises network. It allows you to establish connections with other VCNs
(using Remote Peering) and on-premises networks (using IPSec VPN or FastConnect).
Role of DRG:
Centralized Routing: Provides a single point for managing and controlling traffic
flow within your entire cloud infrastructure.
Incorrect Options:
Internet Gateway: Primarily used for internet connectivity for subnets with
public IP addresses.
Service Gateway: Used for connecting to specific Oracle services like Object
Storage.
By using a DRG, you create a robust and scalable network architecture that supports efficient
and secure communication between your various network components.
Question 190
Which of the following is NOT a valid way to define a Dynamic Group in OCI?
By user attributes.
By IP address range.
By subscription status.
D
Overall explanation
Explanation:
While tags, user attributes, and IP address ranges can be used to define Dynamic Groups,
"subscription status" is not a valid criterion for defining a Dynamic Group in OCI.
Question 191
Policies only allow access; they cannot deny it. Instead there's an implicit deny, which means
by default, users can do nothing and have to be granted access through policies.
Overall explanation
Explanation:
Policies only allow access; they cannot deny it. Instead, there's an implicit deny, which means
by default, users can do nothing and have to be granted access through policies.
This is correct. OCI IAM policies do not explicitly include a "Deny" statement. Instead,
the default behavior is an implicit deny, meaning that unless access is explicitly granted
through an "Allow" policy, users cannot perform any actions on resources.
B) It is used to deny access to all resources by default. This is not the default behavior.
By default, access is typically restricted, and you need to explicitly grant permissions.
C) It is only applicable to root users. Deny rules can be applied to any user, group, or
service principal within the tenancy.
D) It is used to temporarily block access to a resource. While you can use deny rules to
temporarily block access, they are not specifically designed for temporary blocks.
Reference: https://docs.oracle.com/iaas/Content/Identity/Concepts/policies.htm
https://www.freecram.com/Oracle-certification/1Z0-1072-25-exam-questions.html#
You are backing up your on-premises data to the Oracle Cloud Infrastructure (OCI) Object
Storage Service.
2. Data should be accessible immediately if and when needed after the backup.
Which OCI Object Storage tier is suitable for storing the backup to minimize cost?
Archive tier
Standard tier
Auto-Tiering tier
B
Overall explanation
The Standard tier is the primary, default storage tier used for Object Storage service data. The
Standard storage tier is "hot" storage used for data that you need to access quickly,
immediately, and frequently. Data accessibility and performance justifies a higher price to store
data in the Standard tier. It does not satisfy the "minimum cost" requirement mentioned in the
question and hence is INCORRECT.
The Infrequent Access tier is "cool" storage used for data that you access infrequently, but that
must be available immediately when needed. Storage costs are lower than Standard. The
Infrequent Access tier has a minimum storage retention period and data retrieval fees. The
minimum storage retention period for the Infrequent Access tier is 31 days. This satisfies all
requirements mentioned in the question and hence this is the CORRECT ANSWER.
The Archive tier is the primary, default storage tier used for Archive Storage service data. The
Archive storage tier is "cold" storage used for data seldom or rarely accessed, but that must be
retained and preserved for long periods of time. Objects in the Archive tier must be restored
before they are available for access. It does not satisfy the "Data should be accessible
immediately if and when needed after the backup" requirement of the question and hence it is
INCORRECT.
Auto-Tiering monitors data access patterns and helps you reduce storage costs by automatically
moving objects larger than 1 MiB out of the Standard tier into the more cost-effective
Infrequent Access tier. This is not exactly an Object Storage tier and hence this is also
INCORRECT.
As a network architect you have deployed a public subnet on your Virtual Cloud Network
(VCN) with this security list:
You have also created a network security group (NSG) as shown in the table here, and
assigned it to your bastion host:
You have confirmed that routing is correct but when you SSH to the VM from your home over
the Internet you are unable to connect.
Public subnet does not have a route rule to the Internet Gateway.
User will be able to SSH to the VM from the Internet as SSH is open on the NSG.
SSH traffic is not allowed in the security list nor on the NSG from the Internet.
D
Overall explanation
If you look at the security list rules, port 22 (SSH) is not there on the Destination Port list.
Hence SSH traffic is not allowed from the internet.
If you look at the NSG, port 22 (SSH) does appear in the Destination Port list but the source is
not 0.0.0.0/0 (Internet) - look at CIDR range.
Hence SSH traffic is not allowed in the security list nor on the NSG from the Internet is the
CORRECT answer.
Which OCI networking feature enables customers to establish a private, high-bandwidth, and
low-latency connection between their on-premises data center and the OCI cloud
infrastructure?
Site-to-Site VPN
FastConnect
Remote Peering
C
Overall explanation
The OCI networking feature that enables customers to establish a private, high-bandwidth, and
low-latency connection between their on-premises data center and the OCI cloud infrastructure
is Oracle Cloud Infrastructure FastConnect.
FastConnect provides a dedicated private connection between your on-premises network and
Oracle Cloud Infrastructure (OCI). It offers higher-bandwidth options and a more reliable and
consistent networking experience compared to internet-based connections. With FastConnect,
you can establish a private connection with consistent latency and throughput, ensuring optimal
performance for your critical workloads.
3. Low latency: FastConnect provides a dedicated path between your on-premises network
and OCI, reducing latency and improving performance for latency-sensitive applications.
Overall, Oracle Cloud Infrastructure FastConnect is the preferred choice for establishing a
private, high-bandwidth, and low-latency connection between your on-premises data center
and the OCI cloud infrastructure.
Can a single DRG (Dynamic Routing Gateway) be associated with multiple VCNs?
Overall explanation
The correct answer is: (A) Yes, as long as the VCNs are in the same tenancy.
A single DRG can be associated with multiple VCNs in the same tenancy. This allows you
to connect and route traffic between those VCNs through the DRG.
There are no restrictions on the number of VCNs you can connect to a DRG within the same
tenancy, with a maximum limit of 300.
Reference: https://docs.oracle.com/en-us/iaas/Content/Network/Tasks/managingDRGs.htm
Overall explanation
The OCI Console playground provides a user-friendly interface for interacting with Oracle's pre-
trained AI models and potentially your own custom models. This allows you to test different
models, refine prompts and parameters, and get a feel for their capabilities without needing to
write any code yourself.
Reference: https://docs.oracle.com/en-us/iaas/Content/generative-ai/home.htm
A media streaming service wants to reduce buffering times for its users.
How does OCI Web Application Acceleration help achieve this goal?
Overall explanation
Caching media content at edge locations reduces the distance data has to travel, thereby
reducing buffering times and improving the streaming experience.
Incorrect Options:
A) Compressing video files: This might help, but caching is more directly related to reducing
buffering times.
C) Increasing server processing power: This is not directly related to reducing buffering times.
D) Reducing the resolution of videos: This would degrade the user experience rather than
improve it.
An organization is looking to optimize the delivery of static content such as images and scripts
on their website. Which OCI Web Application Acceleration feature should they utilize?
Database acceleration
API management
Overall explanation
Explanation: Static content caching is specifically designed to optimize the delivery of static
content like images and scripts by storing them closer to the user.
Incorrect Options:
A) Dynamic content caching: This is for dynamic content, not static content.
The correct answer is: B) By identifying and mitigating potential security risks in the network
path
Explanation:
1. Why B is Correct:
These insights are critical for ensuring that the network path is secure and
adheres to strict regulatory requirements like HIPAA.
By addressing these risks, the healthcare provider can create a secure, compliant
network path for transmitting sensitive patient data between OCI and their on-
premises systems.
A) By providing encryption for data at rest: Network Path Analyzer does not
handle encryption for data at rest; this is managed by OCI services like Block
Volumes or Object Storage using encryption keys.
It ensures secure network paths by detecting and mitigating risks that could lead to data
breaches or non-compliance.
By continuously monitoring and analyzing network paths, it helps maintain the security
posture required by HIPAA.
A global logistics company is experiencing packet loss between their OCI instances and
remote offices. Which advanced feature of Network Path Analyzer can help pinpoint the
cause of packet loss?
Bandwidth allocation
Traffic shaping
Overall explanation
The correct answer is: B) Path visualization with packet loss metrics
Explanation:
1. Why B is Correct:
Path visualization with packet loss metrics is a key feature of the OCI Network
Path Analyzer. It provides a detailed view of the network path, showing each hop
from the source to the destination.
Using this information, the logistics company can identify the exact segment of
the network path where packet loss is occurring, whether it’s due to a faulty
network device, misconfigured router, or congestion.
A) Packet capture and analysis: While packet capture tools analyze individual
packets for troubleshooting, this is not a feature of the Network Path Analyzer.
Such analysis typically requires separate tools like Wireshark.
By correlating packet loss metrics with specific network hops, the logistics company can:
A software development company needs to ensure that their development and production
environments in OCI have optimal network connectivity.
Automated deployment
Explanation:
1. Why A is Correct:
B) Code quality checks: Code quality checks focus on application code, not
network connectivity. These are handled by development tools or CI/CD systems.
D) User access controls: User access controls relate to permissions and identity
management, which are outside the scope of Network Path Analyzer's
functionality.
By diagnosing and optimizing the network path, it prevents issues like timeouts, high
latency, or communication failures, which are critical for development and production
workflows.
An educational institution is experiencing slow network performance during online exams
hosted on OCI. How can Network Path Analyzer help improve the performance?
Overall explanation
The correct answer is: B) By analyzing the network path for latency and congestion issues
Explanation:
1. Why B is Correct:
The Network Path Analyzer in OCI helps diagnose network performance issues
by analyzing the network path between users (e.g., students taking online exams)
and the OCI-hosted application.
It specifically identifies:
Packet loss: Loss of data packets during transmission, which affects the
user experience.
A) By increasing server capacity: While adding server resources can help with
processing power, it does not address network path issues like latency or
congestion, which are independent of server capacity.
Which feature of Network Path Analyzer can help achieve this goal?
High availability configuration refers to the setup and configuration of resources in a way that ensures
minimal downtime and maximum uptime. While this is important for achieving high availability and
reliability, it is not a specific feature of Network Path Analyzer that directly contributes to this goal.
Explanation
Path redundancy analysis is a key feature of Network Path Analyzer that helps in ensuring high
availability and reliability of network services. By analyzing multiple paths for network traffic, the tool
can identify redundant paths that can be used as backups in case of failures, thus improving the overall
resilience of the network.
Explanation
Service level agreements (SLAs) are agreements between a service provider and a customer that define
the level of service expected. While SLAs are important for setting expectations and ensuring
accountability, they are not a feature of Network Path Analyzer that directly contributes to achieving
high availability and reliability of network services.
Explanation
User activity logs are records of actions performed by users within a system. While monitoring user
activity is important for security and compliance purposes, it is not a feature of Network Path Analyzer
that directly helps in achieving high availability and reliability of network services.
Overall explanation
Explanation: Path redundancy analysis helps ensure that there are multiple reliable network
paths available, enhancing the availability and reliability of network services.
Incorrect Options:
C) Service level agreements (SLAs): These are contractual terms, not diagnostic tools.
D) User activity logs: This is related to security, not network path analysis.
How can you adjust the routes advertised to your on-premises network when using
FastConnect?
FastConnect allows you to control the routes advertised to your on-premises network through
route filtering settings. This enables you to customize which routes are propagated and ensure
only the desired traffic flows through the connection.
(B) By contacting Oracle support: While Oracle support can assist with troubleshooting
connectivity issues, adjusting route filtering is typically a user-configurable option.
(C) By creating additional virtual circuits: Creating additional virtual circuits won't
directly adjust the routes advertised on existing ones.
(D) By adjusting the VCN configuration: VCN configuration primarily affects routing
within the VCN itself, not the routes advertised to on-premises networks.
Oracle Cloud Agent is a lightweight process that manages plugins running on compute
instances.
Bastion
Overall explanation
OS Management Service Agent Plugin: Manages updates and patches for the operating system
environment on the instance.
Bastion Plugin: Allows secure shell (SSH) connections to an instance without public IP addresses
using the Bastion service.
Compute Instance Run Command Plugin: Runs scripts within the instance to remotely
configure, manage, and troubleshoot the instance.
Live Migration Agent is NOT a valid Oracle Cloud Agent plugin name.
Reference: You can find the list of available plugins here: Managing Plugins with Oracle Cloud
Agent
In an Object Storage bucket you have two objects named ObjectA and ObjectB. ObjectA was
last modified six months ago and ObjectB was modified 14 months ago. You create a retention
rule and specify a duration of 1 year.
It prevents the modification or deletion of ObjectA for the next 12 months and prevents the
modification or deletion of ObjectB for the next 14 months.
It prevents the modification or deletion of ObjectA for the next 6 months and allows the
modification or deletion of ObjectB.
It prevents the modification or deletion of ObjectA and ObjectB for the next 12 months.
It prevents the modification or deletion of ObjectA for the next 6 months and prevents the
modification or deletion of ObjectB for the next 2 months
B
Overall explanation
It's important to understand retention duration for time-bound rules. Even though you are
creating retention rules for a bucket, the duration of a rule is applied to each object in the
bucket individually, and is based on the object's Last Modified timestamp.
In this scenario, you have two objects in the bucket, ObjectA and ObjectB.
ObjectA was last modified 6 months ago and ObjectB was last modified 14 months ago.
This rule prevents the modification or deletion of ObjectA for the next 6 months.
The rule allows the modification or deletion of ObjectB because the retention rule duration (1
year) is less than the time since the object's Last Modified timestamp (14 months).
Which TWO components are optional while creating the Monitoring Query Language (MQL)
expressions in the Oracle Cloud Infrastructure (OCI) Monitoring service? (Select two)
Grouping Function
Metric
Statistic
Dimensions
Interval
AD
Overall explanation
metric
interval
statistic
Internet Gateway
Route Tables
Security Lists
Overall explanation
B) Route Tables
Route Tables are the correct component to configure to ensure proper routing between subnets
within a VCN.
Here's why:
Route Tables: Define the routing rules for traffic within a VCN. By creating specific route
rules, you can control how traffic flows between subnets, directing it through the
appropriate gateways or other network components.
Incorrect Options:
Internet Gateway: Primarily used for internet connectivity for subnets with
public IP addresses.
Security Lists: Control ingress and egress traffic to and from instances within a
subnet. They don't directly control routing between subnets.
Network Security Groups: Similar to Security Lists, they control traffic flow at the
instance level, not between subnets.
By properly configuring Route Tables, you can ensure that network traffic within your VCN flows
efficiently and securely between different subnets according to your specific requirements.
Which TWO predefined service names can you use when connecting to an Oracle Cloud
Infrastructure (OCI) Autonomous Data Warehouse?
TP for a connection service when you do not want to run with parallelism.
High for the highest level of resources to process each SQL statement.
TPUrgent for a connection service when you do want to run with parallelism.
Overall explanation
Which TWO are key benefits of setting up Site-to-Site VPN on Oracle Cloud Infrastructure
(OCI)?
When setting up Site-to-Site VPN, customers can expect bandwidth above 2 Gbps.
When setting up Site-to-Site VPN, it creates a private connection that provides consistent
network experience.
When setting up Site-to-Site VPN, customers can configure it to use static or dynamic routing
(BGP).
Overall explanation
Oracle Cloud Infrastructure supports only the tunnel mode for IPSec VPNs. Each Oracle IPSec
connection consists of multiple redundant IPSec tunnels.
So the option When setting up Site-to-Site VPN, OCI provisions redundant VPN tunnels is
correct.
For a given tunnel, you can use either Border Gateway Protocol (BGP) dynamic routing or
static routing to route that tunnel's traffic.
Hence the option When setting up Site-to-Site VPN, customers can configure it to use static or
dynamic routing (BGP) is also correct.
Oracle Cloud Infrastructure FastConnect provides an easy way to create a dedicated, private
connection between your data center and Oracle Cloud Infrastructure. FastConnect
provides higher-bandwidth options, and a more reliable and consistent networking experience
compared to internet-based connections.
Hence the options When setting up Site-to-Site VPN, it creates a private connection that
provides consistent network experience and When setting up Site-to-Site VPN, customers can
expect bandwidth above 2 Gbps are INCORRECT.
Which Oracle Cloud Infrastructure (OCI) Identity and Access Management (IAM) policy is
invalid?
Overall explanation
inspect
read
use
manage
For more details, see: Policy Reference (without Identity Domains) (oracle.com)
If we look at the option: Allow group A-Developers to create volumes in compartment
Project-A, it has the verb create, which is NOT a valid verb type. Hence it is invalid.
Which THREE capabilities are available with the Oracle Cloud Infrastructure (OCI) DNS
service?
Overall explanation
The Oracle Cloud Infrastructure Domain Name System (DNS) service lets you create and
manage your DNS zones.
You can create zones, add records to zones, and allow Oracle Cloud Infrastructure's edge
network to handle your domain's DNS queries. You can also list zones.
Hence Creating and managing zones, Creating and managing records and Viewing all zones are
the capabilities of DNS service and therefore the CORRECT ANSWERS.
WAF is a security service that helps protect applications from malicious and unwanted internet
traffic. By combining threat intelligence with consistent rule enforcement on Oracle Flexible
Load Balancer, Oracle Cloud Infrastructure Web Application Firewall strengthens defenses and
protects internet-facing application servers and internal applications. It is a security service.
Hence it is NOT the correct answer.
IAM Policy is a document that specifies who can access which Oracle Cloud Infrastructure
resources that your company has, and how. Nothing to do with DNS service. Hence it is NOT the
correct answer.
Security Lists: Act as virtual firewalls for your compute instances and other kinds of resources. A
security list consists of a set of ingress and egress security rules that apply to all the VNICs in any
subnet that the security list is associated with. Hence it is NOT the correct answer.
You have multiple applications running on a compute instance that generate a large amount
of log files. You are required to retain these log files for a total of 60 days; at least 15
days on the boot volume, and an additional 45 days in any location.
Which is the most cost-effective way to meet the 15-day boot volume retention requirement
and the 60-day total retention requirement?
Do not delete any logs but resize the boot volume of the instance every time additional space
is needed.
Create an Object Storage bucket and use a script that runs daily to move log files older than
15 days from the boot volume to the bucket. Create a lifecycle rule for the bucket to delete
any logs over 60 days old.
Terminate the instance while preserving the boot volume. Create a new instance from the
boot volume and select a DenseIO shape to take advantage of the local NVMe storage.
Attach a block volume and use a script that moves log files older than 15 days to the new
volume and deletes them completely after 60 days.
B
Overall explanation
The question mentions "most cost-effective way". Whenever you see this keyword you have to
directly think about Object Storage service.
Option: Attach a block volume and use a script that moves log files older than 15 days to the
new volume and deletes them completely after 60 days. - It is incorrect as the Block Volume
service costs more than Object Storage.
Option: Do not delete any logs but resize the boot volume of the instance every time additional
space is needed. - You can reject this option right away as using this option would increase the
cost. You want the log files to be retained for 60 days and this option doesn't talk about that.
It is incorrect.
Option: Terminate the instance while preserving the boot volume. Create a new instance from
the boot volume and select a DenseIO shape to take advantage of the local NVMe storage. - Not
at all a cost-effective option. This option too doesn't talk about the requirements mentioned
in the question.
Option: Create an Object Storage bucket and use a script that runs daily to move log files older
than 15 days from the boot volume to the bucket. Create a lifecycle rule for the bucket to delete
any logs over 60 days old. - This is the only option which talks about Object Storage service.
You can leverage lifecycle policy rules to delete the logs after 60 days. Object Storage service
is the most effective amongst all storage options in OCI: Object, Block and File Storage.
Which type of OCI compute instance is best suited for applications that require high
computational power and access to dedicated physical servers?
General-purpose instances
Memory-optimized instances
GPU-based instances
C
Overall explanation
Bare metal instances provide direct access to the underlying physical server hardware, offering
the highest levels of performance and isolation. They are ideal for applications that require high
computational power, such as high-performance computing (HPC), database workloads, and
real-time applications.
General-purpose instances: These instances are designed for a wide range of workloads,
but they may not provide the same level of performance as bare metal instances for
applications that require high computational power.
Memory-optimized instances: These instances are designed for workloads that require a
lot of memory, such as in-memory databases and big data processing. While they may
offer some performance benefits for these types of workloads, they are not as well-
suited for applications that require high computational power.
GPU-based instances: These instances are designed for workloads that require GPU
acceleration, such as machine learning and graphics processing. While they can provide
significant performance benefits for these types of workloads, they are not as well-
suited for applications that require high computational power on the CPU.
Therefore, for applications that demand high computational power and dedicated physical
server access, bare metal instances are the most suitable choice.
You have a VCN with both public and private subnets. You need to deploy a bastion host to
allow secure SSH access to instances in the private subnet. Where should you deploy the
bastion host?
In both subnets
Here's why:
Bastion Host Purpose: A bastion host acts as a secure jump server. It resides in a public
subnet and allows you to establish a secure SSH connection from the internet to your
private subnets.
Security: By placing the bastion host in the public subnet, you create a single point of
entry for secure access to your private network. This enhances security by minimizing
the attack surface and allowing for centralized security controls.
Incorrect Options:
A) In the private subnet: Placing the bastion host in the private subnet would make it
inaccessible from the internet, defeating its purpose.
C) In both subnets: While it's possible to deploy the bastion host in both subnets, it's
generally not necessary and can introduce unnecessary complexity.
D) Outside the VCN: Deploying the bastion host outside the VCN would compromise the
security of your network and make it difficult to manage.
By deploying the bastion host in the public subnet, you establish a secure and controlled access
point to your private resources within the VCN.
You need to assign a public IP address to an instance in a private subnet for temporary
internet access. What is the best approach to achieve this?
Here's why:
NAT Gateway: A Network Address Translation (NAT) Gateway allows instances in private
subnets to communicate with the internet without exposing their private IP addresses
directly. This enhances security by hiding the internal IP addresses of your instances.
C) Move the instance to a public subnet: Moving the instance to a public subnet
would expose it directly to the internet, increasing security risks.
D) Use a Service Gateway: Service Gateways are primarily used for connecting to
other Oracle Cloud services like Object Storage, not for providing internet access
to instances in private subnets.
By using a NAT Gateway, you can provide temporary internet access to your instance in the
private subnet while maintaining the security and isolation of your private network.
optional
https://mylearn.oracle.com/ou/learning-path/become-an-oci-architect-associate-2025/147631
https://www.examtopics.com/exams/oracle/1z0-1072-23/view/
ABE
C
B
BD
B
B
C
D
C
D
BC
AB
BD
CD
C
D
D
C
BD
CD
ADEF
D
A
AB
B
A
B
ACD
B
CD
A
BC
CD
B
D
D
D
AB
D
C
C
B
D
C
D
D
B
BC
A
B