Confidential - Oracle Restricted
Certification Exams
Oracle Cloud Infrastructure 2025 Architect Associate
Exam Number: 1Z0-1072-25
Question 1 Correct
Which THREE capabilities are available with the Oracle Cloud
Infrastructure (OCI) DNS service?
Creating and managing Web Application Firewall (WAF) rules
Explanation
Creating and managing Web Application Firewall (WAF) rules is not a
capability of the Oracle Cloud Infrastructure (OCI) DNS service. WAF rules
are used for protecting web applications from common security threats,
while DNS service focuses on domain name resolution.
Creating and managing Identity Access Management (IAM)
policies
Explanation
Creating and managing Identity Access Management (IAM) policies is not
a capability of the Oracle Cloud Infrastructure (OCI) DNS service. IAM
policies are used to manage access to OCI resources, while DNS service
focuses on managing domain names and their associated IP addresses.
Creating and managing security lists
Explanation
Creating and managing security lists is not a capability of the Oracle Cloud
Infrastructure (OCI) DNS service. Security lists are used for defining
network security rules in OCI, while DNS service is specifically for
managing domain names and IP addresses.
Your selection is correct
Creating and managing zones
Explanation
Creating and managing zones is a capability of the Oracle Cloud
Infrastructure (OCI) DNS service. Zones are used to define the scope of
DNS resolution for a domain and manage the records within that zone.
Your selection is correct
Creating and managing records
Explanation
Creating and managing records is a capability of the Oracle Cloud
Infrastructure (OCI) DNS service. Records are used to map domain names
to IP addresses and define various DNS settings for a domain.
Your selection is correct
Viewing all zones
Explanation
Viewing all zones is a capability of the Oracle Cloud Infrastructure (OCI)
DNS service. This allows users to see all the zones that have been created
and manage them accordingly.
Question 2 Incorrect
You plan to upload a large file (3 TiB) to Oracle Cloud Infrastructure (OCI)
Object Storage. You would like to minimize the impact of network failures
while uploading, and therefore you decide to use the multipart upload
capability.
Which TWO statements are true about performing a multipart upload
using the Multipart Upload API?
Your selection is incorrect
You do not need to split the object into parts. Object Storage
splits the object into parts and uploads all of the parts
automatically.
Explanation
This statement is incorrect. When performing a multipart upload using the
Multipart Upload API, you are responsible for splitting the object into parts
before uploading them. Object Storage does not automatically split the
object into parts for you.
Correct selection
While a multipart upload is still active, you can keep adding parts
as long as the total number is less than 10,000.
Explanation
This statement is correct because the Multipart Upload API allows you to
keep adding parts to an active multipart upload until the total number of
parts reaches 10,000. This flexibility is useful when dealing with large files
like the 3 TiB file in this scenario.
Your selection is correct
When you split the object into individual parts, each part can be
as large as 50 GiB.
Explanation
This statement is correct. When splitting the object into individual parts
for a multipart upload, each part can be as large as 50 GiB. This allows for
efficient handling of large files and helps optimize the upload process.
You do not have to commit the upload after you have uploaded all
the object parts.
Explanation
This statement is incorrect. After uploading all the object parts in a
multipart upload, you must commit the upload to finalize the process.
Failing to commit the upload will result in the parts not being assembled
into the complete object.
Question 3 Skipped
A client has reported they cannot access a file system even though their
IP address is allowed in the export options. Upon investigation, you realize
that a security list rule is blocking access to the mount target.
Which layer needs adjustment?
Correct answer
Network Security
Explanation
Network Security rules, such as security lists, control traffic flow in and out
of VCNs and subnets. In this case, adjusting the network security rules to
allow access to the mount target will resolve the issue.
Interface Export Options
Explanation
Interface Export Options are related to configuring file system exports, not
controlling network security rules. They determine which clients can
access the file system, but in this scenario, the issue lies with a security
list rule blocking access.
UNIX Security Layer
Explanation
The UNIX Security Layer is specific to the operating system level security
measures and does not directly impact network security rules within
Oracle Cloud Infrastructure. Adjusting the UNIX security layer would not
resolve the issue of a security list rule blocking access to the mount
target.
IAM Service
Explanation
IAM Service is responsible for managing user access to Oracle Cloud
Infrastructure resources and services. It does not directly control network
security rules or access to file systems.
Question 4 Skipped
Which THREE protocols are supported by the Oracle Cloud Infrastructure
(OCI) private Network Load Balancers?
BGP
Explanation
BGP (Border Gateway Protocol) is not supported by Oracle Cloud
Infrastructure (OCI) private Network Load Balancers. BGP is a routing
protocol used for exchanging routing information between different
networks, not for load balancing within a single network.
Correct selection
UDP
Explanation
UDP (User Datagram Protocol) is supported by Oracle Cloud Infrastructure
(OCI) private Network Load Balancers. It is a connectionless protocol that
is commonly used for streaming media, VoIP, and online gaming.
Correct selection
ICMP
Explanation
ICMP (Internet Control Message Protocol) is supported by Oracle Cloud
Infrastructure (OCI) private Network Load Balancers. ICMP is used for
network diagnostics and error reporting, making it essential for network
communication.
HTTP
Explanation
HTTP (Hypertext Transfer Protocol) is not supported by Oracle Cloud
Infrastructure (OCI) private Network Load Balancers. HTTP is a protocol
used for transmitting data over the internet and is typically handled by
web servers, not load balancers.
iSCSI
Explanation
iSCSI (Internet Small Computer System Interface) is not supported by
Oracle Cloud Infrastructure (OCI) private Network Load Balancers. iSCSI is
a protocol used for storage area networks, not for load balancing network
traffic.
Correct selection
TCP
Explanation
TCP (Transmission Control Protocol) is supported by Oracle Cloud
Infrastructure (OCI) private Network Load Balancers. TCP is a
connection-oriented protocol that ensures reliable data delivery between devices.
Question 5 Skipped
You want a full-featured Identity-as-a-Service (IDaaS) solution that helps
you manage workforce authentication and access to all of your Oracle and
non-Oracle applications, whether they are SaaS apps, on-premises
enterprise apps, or apps that are hosted in the cloud.
Which IAM Identity Domain type should you create?
Oracle Apps Premium
Explanation
Oracle Apps Premium Identity Domain type is specifically tailored for
managing access to Oracle applications. While it may offer some level of
integration with Oracle applications, it may not provide the necessary
features to manage authentication and access to non-Oracle applications
across different environments.
Correct answer
Premium
Explanation
Premium Identity Domain type is the correct choice for a full-featured
Identity-as-a-Service solution that can help manage workforce
authentication and access to all Oracle and non-Oracle applications,
including SaaS apps, on-premises enterprise apps, and cloud-hosted apps.
It offers advanced features and capabilities to meet the requirements of
managing access across diverse application environments.
External User
Explanation
External User Identity Domain type is typically used for managing external
users who need access to specific resources or applications within your
organization. It is not designed for managing authentication and access to
a wide range of Oracle and non-Oracle applications across different
environments.
Free
Explanation
Free Identity Domain type is typically used for trial or basic accounts with
limited features and capabilities. It does not provide the full-featured
Identity-as-a-Service solution required to manage authentication and
access to a variety of applications.
Question 6 Skipped
You have a block volume created in the US West (Phoenix) region. You
enabled Cross Region Replication for the volume and selected US West
(San Jose) as the destination region.
Now, you would like to create a new volume from the volume replica in
the US West (San Jose) region.
What should you do?
Initiate the replica.
Explanation
Initiating the replica is not the correct action to create a new volume from
the replica. Initiating the replica typically refers to starting the replication
process or updating the replica with the latest data.
No action required. By default, the replica is available as a block
volume.
Explanation
By default, enabling Cross Region Replication creates a replica of the
block volume in the specified destination region, but it does not
automatically make it available as a block volume. Additional steps are
required to create a new volume from the replica.
Trigger the replica.
Explanation
Triggering the replica does not create a new volume from the replica. It is
used to start the replication process or update the replica with the latest
data.
Correct answer
Activate the replica.
Explanation
Activating the replica is the correct action to create a new volume from
the replica. Activating the replica makes the replicated data available as a
block volume that can be used to create a new volume in the destination
region.
Question 7 Skipped
A network administrator is setting up a Virtual Test Access Point (VTAP) to
monitor traffic from a virtual machine. The administrator needs to ensure
the mirrored traffic reaches the designated target for analysis.
Which is an accurate description of the VTAP target requirements?
The VTAP target must be a network load balancer with a TCP
listener on port 80, located in the same VCN as the VTAP source.
Explanation
While network load balancers can be used for specific networking
purposes, such as distributing incoming traffic across multiple servers,
they are not typically used as VTAP targets for monitoring traffic from
virtual machines. Additionally, specifying a TCP listener on port 80 may
not be relevant for capturing mirrored traffic.
Correct answer
The VTAP target must be a network load balancer with a UDP
listener on port 4789, located in the same VCN as the VTAP
source.
Explanation
This is the correct choice because VTAP targets must be network load
balancers with a UDP listener on port 4789 to receive the mirrored traffic
for analysis. Placing the network load balancer in the same VCN as the
VTAP source ensures that the traffic is correctly routed for monitoring
purposes.
The VTAP target can be any load balancer within the same Virtual
Cloud Network (VCN).
Explanation
Load balancers are not typically used as VTAP targets for monitoring
traffic from virtual machines. They are more commonly used for
distributing incoming network traffic across multiple servers to ensure
high availability and reliability.
The VTAP target can be any resource within the same subnet as
the VTAP source.
Explanation
The VTAP target must be a network load balancer with specific listener
configurations to receive the mirrored traffic for analysis. Placing the
target in the same subnet as the VTAP source may not guarantee the
correct routing and delivery of the mirrored traffic for analysis.
Question 8 Skipped
You are working on an OCI tenancy where different teams manage policies
within their respective compartments.
You notice that several compartments have policies granting the same
"manage virtual-network-family" permissions to a central
"NetworkAdmins" group.
What is the MOST efficient way to optimize these policies while
maintaining consistent access for "NetworkAdmins"?
Correct answer
Remove the redundant "manage virtual-network-family" policies
from the child compartments, relying on inheritance from the
parent compartment.
Explanation
By removing redundant policies from child compartments and relying on
inheritance from the parent compartment, you can streamline policy
management and ensure consistent access for "NetworkAdmins" without
the need to duplicate permissions across multiple compartments.
Implement a dynamic group membership system that
automatically adds "NetworkAdmins" to the relevant groups
within each compartment, eliminating the need for compartment-
specific policies.
Explanation
Implementing a dynamic group membership system may introduce
complexity and potential maintenance issues. It is more efficient to
remove redundant policies and utilize compartment inheritance for
consistent access control.
Replace all "manage virtual-network-family" policies with more
granular policies in each compartment, specifying only the
required "use" or "read" permissions for network resources.
Explanation
Replacing all policies with more granular permissions in each
compartment may result in increased policy management overhead and
potential inconsistencies. Removing redundant policies and utilizing
compartment inheritance provides a more streamlined and efficient
approach to maintaining access for "NetworkAdmins."
Consolidate all "manage virtual-network-family" policies into a
single statement attached to the root compartment, explicitly
listing each child compartment as a condition.
Explanation
While consolidating policies into a single statement at the root
compartment may seem like a centralized approach, it can lead to
difficulties in managing and updating permissions for individual
compartments. Removing redundant policies and relying on compartment
inheritance is a more efficient solution.
Question 9 Skipped
You are managing Oracle Cloud Infrastructure (OCI) with several instances
and attached block volumes. To optimize performance and cost-efficiency,
you consider enabling the detached volume performance autotuning
feature in the Block Volume service.
What happens to the performance level of a volume when it is detached
from an instance?
The performance level is adjusted to Balanced.
Explanation
The performance level being adjusted to Balanced when a volume is
detached from an instance is not in line with the purpose of the detached
volume performance autotuning feature. The feature focuses on
optimizing cost-efficiency by adjusting performance levels based on usage
patterns and cost considerations.
The performance level remains unchanged.
Explanation
The performance level remaining unchanged when a volume is detached
from an instance is not the expected behavior with the detached volume
performance autotuning feature. The feature is designed to dynamically
adjust the performance level based on usage and cost considerations.
Correct answer
The performance level is adjusted to Lower Cost (0 VPUs/GB).
Explanation
When a volume is detached from an instance, the performance level is
adjusted to Lower Cost (0 VPUs/GB) as part of the detached volume
performance autotuning feature. This adjustment helps in reducing costs
by allocating fewer resources to the detached volume while maintaining
data availability.
The performance level is adjusted to Higher Performance.
Explanation
The performance level being adjusted to Higher Performance when a
volume is detached from an instance is not accurate. The detached
volume performance autotuning feature in the Block Volume service aims
to optimize cost-efficiency, not necessarily increase performance levels.
Question 10 Skipped
Which Traffic Management Steering Policy facilitates the distribution of
DNS traffic to specific endpoints based on the geographical location of end
users?
Correct answer
Geolocation Steering
Explanation
Geolocation Steering is the correct choice for distributing DNS traffic to
specific endpoints based on the geographical location of end users. It
allows for the customization of DNS responses based on the geographic
location of the end user, making it an effective method for directing
traffic.
Proximity Steering
Explanation
Proximity Steering directs traffic based on the proximity of the end user to
the available endpoints. While this can be useful for optimizing
performance based on distance, it does not take into account the
geographical location of the end users, so it is not the appropriate choice
for distributing DNS traffic based on location.
ASN Steering
Explanation
ASN Steering is used to direct traffic based on the Autonomous System
Number (ASN) of the end user's network. It does not consider the
geographical location of the end users, so it is not the correct choice for
distributing DNS traffic based on location.
IP Prefix Steering
Explanation
IP Prefix Steering directs traffic based on the IP address range or prefix of
the end user. It does not consider the geographical location of the end
users, so it is not the correct choice for distributing DNS traffic based on
location.
Question 11 Skipped
Which statement is NOT correct regarding the Oracle Cloud Infrastructure
(OCI) File System snapshots?
Before you can clone a file system, at least one snapshot must
exist for the file system.
Correct answer
Even if nothing has changed within the file system since the last
snapshot was taken, a new snapshot consumes more storage.
Snapshots are accessible under the root directory of the file
system at .snapshot/name.
Snapshots are a consistent, point-in-time view of your file
systems.
Question 12 Skipped
How can an organization securely grant a third-party application access to
specific OCI (Oracle Cloud Infrastructure) resources without compromising
security?
By sharing user credentials for an OCI administrator with the
application
Explanation
Sharing user credentials for an OCI administrator with the application is a
security risk as it can lead to unauthorized access and potential misuse of
resources. It is essential to avoid sharing credentials to maintain security
and accountability.
By creating an IAM policy granting full access to the tenancy and
assigning it to a dedicated user for the application
Explanation
Granting full access to the tenancy to a dedicated user for the application
is not a secure practice as it exposes all resources to potential risks. It
violates the principle of least privilege and increases the attack surface,
compromising security.
Correct answer
By implementing OAuth 2.0 with the application, allowing it to
obtain temporary tokens with limited permissions
Explanation
Implementing OAuth 2.0 with the application and allowing it to obtain
temporary tokens with limited permissions is a secure way to grant access
to specific OCI resources. OAuth 2.0 provides a secure and standardized
way for authorization and access control, ensuring that the application
only has the necessary permissions for its operations.
By configuring the application to utilize Instance Principal for
accessing OCI resources
Explanation
Configuring the application to utilize Instance Principal for accessing OCI
resources is a secure method as it allows the application to authenticate
itself securely without the need for user credentials. This approach follows
the principle of least privilege and enhances security.
Question 13 Skipped
An organization plans to create an identity domain in the US East
(Ashburn) region for a development team. However, some developers
might occasionally need access to resources in the Germany (Frankfurt)
region.
How can OCI IAM be configured to facilitate such cross-region access?
No additional configuration is needed; users can access resources
in all regions by default.
Explanation
By default, users do not have access to resources in all regions. Access
needs to be explicitly granted by the administrator through IAM policies to
ensure proper security and control over resources.
Identity domain replication must be enabled for the development
domain to allow access to other regions.
Explanation
Identity domain replication is not a requirement for accessing resources in
other regions. IAM policies and permissions are used to control access to
resources across regions, and replication of the identity domain is not
directly related to cross-region access.
The identity domain automatically replicates to the Germany
(Frankfurt) region.
Explanation
The identity domain does not automatically replicate to other regions.
Each region has its own set of resources and configurations that need to
be managed separately.
Correct answer
The administrator can grant users permissions to access specific
resources in the Germany (Frankfurt) region.
Explanation
The administrator can grant users specific permissions to access
resources in different regions. By assigning the necessary policies, users
can access resources in the Germany (Frankfurt) region when needed,
without compromising security.
Question 14 Skipped
What is the primary function of the Network Path Analyzer (NPA) tool
provided by Oracle Cloud Infrastructure (OCI)?
Correct answer
Collecting and analyzing network configuration to identify virtual
network configuration issues impacting connectivity
Explanation
Collecting and analyzing network configuration to identify virtual network
configuration issues impacting connectivity is the primary function of the
Network Path Analyzer (NPA) tool provided by Oracle Cloud Infrastructure
(OCI). By analyzing network configuration, the NPA tool helps identify and
resolve issues that may impact connectivity within the virtual network.
Providing real-time monitoring of network traffic to detect
security threats and unauthorized access attempts
Explanation
Providing real-time monitoring of network traffic to detect security threats
and unauthorized access attempts is not the primary function of the
Network Path Analyzer (NPA) tool provided by Oracle Cloud Infrastructure
(OCI). The NPA tool is more focused on analyzing network configuration
rather than real-time monitoring of network traffic for security threats.
Sending actual traffic between source and destination to
diagnose connectivity issues
Explanation
Sending actual traffic between source and destination to diagnose
connectivity issues is not the primary function of the Network Path
Analyzer (NPA) tool provided by Oracle Cloud Infrastructure (OCI). The
NPA tool focuses on analyzing network configuration rather than actively
sending traffic.
Optimizing network performance by dynamically adjusting routing
paths based on traffic patterns
Explanation
Optimizing network performance by dynamically adjusting routing paths
based on traffic patterns is not the primary function of the Network Path
Analyzer (NPA) tool provided by Oracle Cloud Infrastructure (OCI). The
NPA tool is more focused on analyzing network configuration rather than
actively adjusting routing paths.
Question 15 Skipped
A recently hired network administrator has been given the task of
removing SSH permissions from all compute instances in the company's
tenancy. She finds all Virtual Cloud Networks (VCNs) in the tenancy using
Tenancy Explorer.
She removes port 22 from the Security Lists in all VCNs. After she
completes the task, the very first compute instance that she tests SSH
against, allows her to still SSH into it. Why is that?
Correct answer
The VNIC of that compute instance is attached to a Network
Security Group (NSG) that has a stateful ingress rule for all
protocols on source CIDR 0.0.0.0/0.
Explanation
The Network Security Group (NSG) associated with the VNIC of the
compute instance has a stateful ingress rule for all protocols on source
CIDR 0.0.0.0/0, which overrides the Security Lists in the VCN. This rule
allows SSH access to the compute instance, explaining why the
administrator can still SSH into it.
The VNIC of that compute instance is attached to a Cluster
Network that has a stateful ingress rule for all protocols on
source CIDR 0.0.0.0/0.
Explanation
While the VNIC being attached to a Cluster Network with a stateful ingress
rule for all protocols on source CIDR 0.0.0.0/0 may allow traffic, the
Security Lists in the VCN should take precedence in controlling access to
the compute instance.
The VCN where that compute instance resides still has a route
rule that allows port 22.
Explanation
The route rule in the VCN that allows port 22 traffic would not impact the
SSH access to the compute instance if the Security Lists have been
updated to remove port 22. The Security Lists control the ingress and
egress traffic to the compute instance, not the route rules.
The VCN where that compute instance resides still has an Internet
Gateway.
Explanation
The presence of an Internet Gateway in the VCN allows traffic to and from
the internet. However, removing port 22 from the Security Lists should
prevent SSH access, regardless of the Internet Gateway.
Question 16 Skipped
In the context of OCI IAM, which statement accurately describes
ephemeral principals?
Ephemeral principals represent long-lived service accounts used
by OCI services.
Explanation
Ephemeral principals are not long-lived service accounts used by OCI
services. They are temporary credentials that are granted to resources for
specific tasks and are not meant for long-term use.
Ephemeral principals are another term for dynamic groups with
frequently changing membership.
Explanation
Ephemeral principals are not synonymous with dynamic groups. Dynamic
groups are groups that automatically update their membership based on
defined rules, whereas ephemeral principals refer to temporary
credentials.
Correct answer
Ephemeral principals are temporary credentials granted to
resources for specific tasks.
Explanation
This statement accurately describes ephemeral principals. They are
temporary credentials that are granted to resources for specific tasks,
providing short-term access without the need for long-lived credentials.
Ephemeral principals are user accounts with limited lifespans for
short-term access.
Explanation
Ephemeral principals are not user accounts with limited lifespans. They
are temporary credentials granted to resources for specific tasks and are
not tied to user accounts.
Question 17 Skipped
Which TWO statements are NOT correct regarding the Oracle Cloud
Infrastructure (OCI) burstable instances?
Baseline utilization is a fraction of each CPU core, either 25% or
75%.
Explanation
Baseline utilization for burstable instances is not a fixed fraction of each
CPU core; it varies based on the instance type and configuration, typically
ranging from 5% to 20%.
If the instance's average CPU utilization over the past 24 hours is
below the baseline, the system allows it to burst above the
baseline.
Explanation
Burstable instances are designed for scenarios where an instance is
typically idle or has low CPU utilization, allowing them to burst above the
baseline when needed.
Correct selection
Burstable instances cost less than regular instances with the
same total OCPU count.
Explanation
Burstable instances are not charged according to the baseline OCPU; they
are charged based on actual CPU utilization, including burstable
performance.
Correct selection
Burstable instances are designed for scenarios where an instance
is not typically idle and has high CPU utilization.
Explanation
If the instance's average CPU utilization over the past 24 hours is below
the baseline, the system does not allow it to burst above the baseline;
instead, it stays within the baseline limits.
Burstable instances are charged according to the baseline OCPU.
Explanation
Burstable instances actually cost more than regular instances with the
same total OCPU count due to the burstable nature of their performance
capabilities.
Question 18 Skipped
You are using a custom application with third-party APIs to manage the
application and data hosted in an Oracle Cloud Infrastructure (OCI)
tenancy. Although your third-party APIs do not support OCI's signature-
based authentication, you want them to communicate with OCI resources.
Which authentication option should you use to ensure this?
OCI Username and Password
Explanation
OCI Username and Password authentication method is not suitable for this
scenario as it requires the third-party APIs to support OCI's signature-
based authentication, which is not the case. Using OCI Username and
Password would not allow the third-party APIs to communicate securely
with OCI resources without the necessary support for OCI's authentication
mechanism.
API Signing Key
Explanation
API Signing Key is used for generating and validating signatures for API
requests in OCI, but it is not the recommended authentication option for
third-party APIs that do not support OCI's signature-based authentication.
Using API Signing Key would require the third-party APIs to implement
OCI's authentication mechanism, which is not compatible with the
scenario described.
SSH Key Pair with 2048-bit algorithm
Explanation
SSH Key Pair with a 2048-bit algorithm is typically used for SSH access to
compute instances and is not the appropriate authentication option for
third-party APIs to communicate with OCI resources. This method is more
suitable for secure remote access to compute instances rather than API
communication with OCI services.
Correct answer
Auth Tokens
Explanation
Auth Tokens are the correct authentication option to use in this scenario
as they provide a secure way for third-party APIs to communicate with OCI
resources without needing to support OCI's signature-based
authentication. Auth Tokens can be generated and managed through the
OCI Console or API, allowing for secure access to OCI resources without
exposing sensitive credentials.
Question 19 Skipped
What is the primary purpose of the Web Application Acceleration service
offered by Oracle Cloud Infrastructure (OCI)?
Improving the reliability of layer 7 HTTP load balancers by
implementing redundancy measures
Explanation
Improving the reliability of layer 7 HTTP load balancers by implementing
redundancy measures is not the primary purpose of the Web Application
Acceleration service. While reliability is important, the main goal of this
service is to enhance the performance of web applications.
Monitoring and analyzing HTTP traffic patterns to identify
potential security vulnerabilities
Explanation
Monitoring and analyzing HTTP traffic patterns to identify potential
security vulnerabilities is not the primary purpose of the Web Application
Acceleration service. This service focuses on optimizing and accelerating
web application performance rather than security analysis.
Correct answer
Speeding up traffic on layer 7 HTTP load balancers through
caching and compression techniques
Explanation
Speeding up traffic on layer 7 HTTP load balancers through caching and
compression techniques is the primary purpose of the Web Application
Acceleration service offered by Oracle Cloud Infrastructure (OCI). By
utilizing caching and compression, this service aims to enhance the
performance of web applications by reducing latency and improving
overall user experience.
Encrypting HTTP traffic to ensure secure communication between
clients and servers
Explanation
Encrypting HTTP traffic to ensure secure communication between clients
and servers is not the primary purpose of the Web Application
Acceleration service. While security is crucial for web applications, this
service is specifically designed to improve the speed and performance of
HTTP traffic.
Question 20 Skipped
You are responsible for creating and maintaining an enterprise application
that consists of multiple storage volumes across multiple compute
instances in Oracle Cloud Infrastructure (OCI).
The storage volumes include boot volumes and block volumes for your
data storage. You need to create a backup for the boot volumes that will
be done daily and a backup for the block volumes that will be done every
week.
How can you meet this requirement?
Group both boot volumes and block volumes in a volume group
and create volume group backups.
Explanation
Grouping both boot volumes and block volumes in a single volume group
and creating volume group backups would not allow for separate backup
schedules for boot volumes and block volumes. This approach does not
align with the requirement of daily backups for boot volumes and weekly
backups for block volumes.
Create clones of all boot volumes and block volumes one at a
time.
Explanation
Creating clones of all boot volumes and block volumes one at a time is not
an efficient way to meet the requirement of daily backups for boot
volumes and weekly backups for block volumes. This approach would be
time-consuming and error-prone.
Correct answer
Create two volume groups for grouping boot volumes and block
volumes separately. Create two custom backup policies as per the
requirement.
Explanation
Creating two volume groups for boot volumes and block volumes
separately allows for better organization and management. By creating
custom backup policies for each volume group, you can schedule daily
backups for boot volumes and weekly backups for block volumes, meeting
the specified requirement effectively.
Create on-demand full backups of block volumes, and create
custom images from the boot volumes. Use a function to run at a
specific time to start the backup process.
Explanation
Creating on-demand full backups of block volumes and custom images
from boot volumes, along with using a function to trigger the backup
process at a specific time, does not provide a structured and automated
approach to meet the daily and weekly backup requirements for boot and
block volumes. This method lacks the organization and consistency
needed for efficient backup management.
Question 21 Skipped
You just got a last-minute request to create a set of instances in Oracle
Cloud Infrastructure (OCI). The configuration and installed software are
identical for every instance, and you already have a running instance in
your OCI tenancy.
Which image option allows you to achieve this task with the least amount
of effort?
Use Oracle-provided images and customize the installation using
a third-party tool.
Explanation
Using Oracle-provided images and customizing the installation with a
third-party tool would require additional time and effort to set up each
instance individually. It would not be the most efficient option for creating
multiple instances with identical configurations.
Select an image from the OCI Marketplace.
Explanation
Selecting an image from the OCI Marketplace may not guarantee that the
image matches the exact configuration and software setup of the existing
instance. It could result in additional time spent customizing the new
instances to match the desired configuration.
Correct answer
Create a custom image and use it as a template for the new
instances.
Explanation
Creating a custom image based on the existing running instance and
using it as a template for new instances is the most efficient option in this
scenario. It allows you to quickly replicate the exact configuration and
software setup of the existing instance without the need for manual
customization on each new instance.
Bring your own image and use it as a template for the new
instances.
Explanation
Bringing your own image and using it as a template for new instances
could work, but it may involve additional steps to ensure the image is
properly configured and up to date. This method may not be the quickest
solution for creating multiple instances with the same configuration.
Question 22 Skipped
By default, OCI IAM policies follow the principle of least privilege. What
does this principle mean in the context of policy creation?
Policies should be identical for all users within a tenancy.
Explanation
Policies being identical for all users within a tenancy would not follow the
principle of least privilege. The principle of least privilege states that each
user should have the minimum set of permissions required to perform
their tasks effectively, which may vary based on their role and
responsibilities.
Correct answer
Policies should provide only the minimum set of permissions
required for users to perform their tasks effectively.
Explanation
This choice correctly aligns with the principle of least privilege. By
providing users with only the minimum set of permissions required for
their tasks, organizations can reduce the risk of unauthorized access, limit
potential security vulnerabilities, and maintain a more secure
environment within OCI.
Policies should be written in a complex and technical manner to
enhance security.
Explanation
Writing policies in a complex and technical manner does not necessarily
enhance security or align with the principle of least privilege. Policies
should be clear, concise, and focused on providing users with only the
permissions they need to fulfill their duties.
Policies should grant all possible permissions to simplify access
control.
Explanation
Granting all possible permissions to simplify access control goes against
the principle of least privilege. This approach increases the risk of
unauthorized access and potential security breaches by providing more
permissions than necessary to users.
Question 23 Skipped
Which statement is true about File System Replication in Oracle Cloud
Infrastructure (OCI)?
You can replicate the data in one file system to another file
system only in the same region.
Explanation
This statement is incorrect. In OCI, you have the flexibility to replicate
data from one file system to another file system within the same region or
across different regions. This feature enables you to implement disaster
recovery strategies and ensure data availability in case of region-specific
failures.
You cannot specify a replication interval when you create the
replication resource.
Explanation
This statement is incorrect. When creating a replication resource in OCI,
you have the ability to specify a replication interval. This allows you to
control how frequently data is replicated from one file system to another.
Correct answer
You can replicate the data in one file system to another file
system in the same region or a different region.
Explanation
This statement is correct. Oracle Cloud Infrastructure (OCI) allows you to
replicate the data in one file system to another file system within the
same region or across different regions. This capability provides flexibility
for data management, disaster recovery, and high availability scenarios.
Only a file system that has been exported can be used as a target
file system.
Explanation
This statement is incorrect. In Oracle Cloud Infrastructure (OCI), a file
system does not need to be exported to be used as a target file system
for replication. Any file system can be selected as a target for replication,
regardless of whether it has been exported or not.
Question 24 Skipped
Which statement is NOT true about the Oracle Cloud Infrastructure (OCI)
Object Storage service?
Correct answer
Object Storage resources can be shared across tenancies.
Explanation
Object Storage resources in OCI cannot be shared across tenancies. Each
tenancy in OCI has its own isolated Object Storage service, and resources
cannot be shared between tenancies.
Object Versioning is enabled at the namespace level.
Explanation
Object Versioning in OCI Object Storage is enabled at the bucket level, not
at the namespace level. It allows users to preserve, retrieve, and restore
every version of an object stored in a bucket.
Immutable option for data stored in Object Storage can be set via
retention rules.
Explanation
The Immutable option for data stored in OCI Object Storage can indeed be
set via retention rules. This feature ensures that once data is written, it
cannot be deleted or modified for a specified retention period, providing
data immutability and compliance capabilities.
Object lifecycle rules can be used to either archive or delete
objects.
Explanation
Object lifecycle rules in OCI Object Storage can be used to automate the
management of objects by defining actions to be taken based on specified
conditions. These rules can be used to archive or delete objects based on
criteria such as age, size, or custom metadata.
Question 25 Skipped
In the context of Oracle Cloud Infrastructure (OCI) Compute service, which
statement about instance configurations and instance pools is true?
An instance pool can have multiple instance configurations
associated with it.
Explanation
An instance pool in OCI can have multiple instance configurations
associated with it. This flexibility allows for different configurations to be
applied to instances within the same pool, catering to various workload
requirements and resource needs.
Correct answer
You can only delete an instance configuration if it is not
associated with any instance pool.
Explanation
In OCI, you can only delete an instance configuration if it is not currently
associated with any instance pool. Once an instance configuration is
linked to an instance pool, it cannot be deleted to maintain the integrity of
the pool's configuration.
You can delete an instance configuration if it is associated with
an instance pool.
Explanation
You cannot delete an instance configuration if it is associated with an
instance pool in Oracle Cloud Infrastructure (OCI). Instance configurations
are used as templates for creating instances within instance pools, so they
must remain intact as long as they are associated with a pool.
You cannot reuse the same instance configuration for multiple
instance pools.
Explanation
In OCI, you can reuse the same instance configuration for multiple
instance pools. Instance configurations serve as reusable templates for
creating instances, and they can be associated with multiple instance
pools to streamline the provisioning process.
Question 26 Skipped
You have an instance running in Oracle Cloud Infrastructure (OCI) that
cannot be live-migrated during an infrastructure maintenance event. OCI
schedules a maintenance due date within 14 to 16 days and sends you a
notification.
What would happen if you choose not to proactively reboot the instance
before the scheduled maintenance due date?
Correct answer
The instance is either reboot migrated or rebuilt in place for you.
Explanation
This choice is correct because if an instance cannot be live-migrated
during maintenance, OCI will either reboot migrate the instance to
another physical host or rebuild it in place to ensure the instance remains
available and operational.
The instance will get terminated.
Explanation
This choice is incorrect because in OCI, instances are not automatically
terminated if they cannot be live-migrated during maintenance events.
OCI provides options to handle instances that cannot be live-migrated
without terminating them.
You will receive another notification to reboot within the next 7
days
Explanation
This choice is incorrect because OCI does not send notifications to reboot
instances within a specific timeframe if they cannot be live-migrated
during maintenance events. The options provided by OCI ensure the
instance's availability without requiring proactive reboots within a
specified timeframe.
You will receive another notification to reboot within the next 14
days.
Explanation
This choice is incorrect because OCI does not send notifications to reboot
instances within a specific timeframe if they cannot be live-migrated
during maintenance events. The options provided by OCI ensure the
instance's availability without requiring proactive reboots.
Question 27 Skipped
A company has deployed a multitier application in Oracle Cloud
Infrastructure (OCI), with web servers in a public subnet and database
servers in a private subnet.
The database servers need to access data from OCI Object Storage, and
the company wants to ensure that this communication is secure and not
exposed to the public Internet.
Which OCI feature should be used?
Use a Local Peering Gateway to peer with the Object Storage
subnet.
Explanation
Using a Local Peering Gateway enables communication between two VCNs
in the same region. While it can facilitate connectivity between different
VCNs, it is not the appropriate solution for accessing OCI Object Storage
securely from the private subnet.
Correct answer
Use a Service Gateway to establish a secure connection to Object
Storage.
Explanation
Using a Service Gateway is the correct choice in this scenario as it allows
private access from a VCN to OCI services like Object Storage without
exposing them to the public Internet. Service Gateways provide secure
and private connectivity to OCI services within the same region, making it
an ideal solution for accessing Object Storage from the private subnet
where the database servers are located.
Use a NAT Gateway to enable private access to Object Storage.
Explanation
Using a NAT Gateway allows instances in a private subnet to initiate
outbound connections to the Internet, but it does not provide direct
access to OCI Object Storage. NAT Gateways are more commonly used for
internet access for instances in private subnets, not for accessing specific
OCI services like Object Storage.
Use a VPN Gateway to create an encrypted tunnel to Object
Storage.
Explanation
Using a VPN Gateway would create an encrypted tunnel between the
private subnet where the database servers are located and OCI Object
Storage. However, VPN Gateways are typically used for secure
communication between on-premises networks and OCI, not for accessing
OCI services within the same cloud environment.
Question 28 Skipped
You need to set up instance principals so that an application running on
an instance can call Oracle Cloud Infrastructure (OCI) public services,
without the need to configure user credentials or a configuration file.
A developer in your team has already configured the application built
using an OCI SDK to authenticate using the instance principal’s provider.
Which is NOT a necessary step to complete this set up?
Create a dynamic group with matching rules to specify which
instances can make API calls against services.
Explanation
Creating a dynamic group with matching rules is a necessary step to
specify which instances are allowed to make API calls against services.
This ensures that only authorized instances within the dynamic group can
access the required services.
Create a policy granting permissions to the dynamic group to
access services in your compartment or tenancy.
Explanation
Creating a policy granting permissions to the dynamic group is essential
to ensure that the instances in the dynamic group have the necessary
permissions to access the required services within the compartment or
tenancy.
Correct answer
Generate Auth Tokens to enable instances in the dynamic group
to authenticate with APIs.
Explanation
Generating Auth Tokens is not a necessary step for setting up instance
principals. Instance principals use the instance's metadata service to
obtain temporary credentials, eliminating the need for explicit token
generation.
Deploy the application and the SDK to all the instances that
belong to the dynamic group.
Explanation
Deploying the application and the SDK to all instances in the dynamic
group is crucial for enabling the instances to authenticate using instance
principals and make API calls to OCI services without the need for user
credentials.
Question 29 Skipped
Which Oracle Cloud Infrastructure (OCI) Identity and Access Management
(IAM) policy is invalid?
Allow dynamic-group 'Default'/'FrontEnd' to manage instance-family in compartment Project-A
Allow group 'Default'/'A-Admins' to manage all-resources in compartment Project-A
Allow any-user to inspect users in tenancy
Correct answer
Allow group 'Default'/'A-Developers' to create volumes in compartment Project-A
Question 30 Skipped
You are managing a complex environment consisting of compute
instances running Oracle Linux on Oracle Cloud Infrastructure (OCI). You
want to apply all the latest kernel security updates to all instances.
Which OCI service would you use?
Data Safe
Explanation
Data Safe is a security service that helps you discover and protect
sensitive data in your Oracle databases. It is not related to managing
kernel security updates on compute instances running Oracle Linux.
Artifact Registry
Explanation
Artifact Registry is a service that allows you to store and manage
container images, Helm charts, and other artifacts. It is not specifically
designed for managing kernel security updates on compute instances
running Oracle Linux.
Container Registry
Explanation
Container Registry is a service that allows you to store and manage
Docker container images. While it is useful for container management, it
is not the appropriate service for applying kernel security updates to
compute instances running Oracle Linux.
Correct answer
OS Management Hub Service
Explanation
OS Management Hub Service is the correct choice for managing kernel
security updates on compute instances running Oracle Linux on OCI. It
provides centralized management and automation of operating system
updates, patches, and security configurations across multiple instances.
Question 31 Skipped
You create a file system and then add a 1 GB file. You then take a
snapshot of the file system. After the hourly update cycle is complete, the
total meteredBytes shown by the File Storage service remains at 1 GB.
You then overwrite the first 0.5 GB of the file.
What would be the total meteredBytes shown by the File Storage service
after the hourly update cycle is complete?
Correct answer
1.5 GB
Explanation
Overwriting the first 0.5 GB of the file will increase the total meteredBytes
shown by the File Storage service to 1.5 GB. The snapshot still includes
the original 1 GB file size, and the additional 0.5 GB from the overwrite
will be added to the total meteredBytes.
0.5 GB
Explanation
If you overwrite the first 0.5 GB of the file, the total meteredBytes shown
by the File Storage service will not decrease to 0.5 GB. The snapshot still
includes the original 1 GB file size, so the total meteredBytes will not
decrease to 0.5 GB.
1 GB
Explanation
The total meteredBytes shown by the File Storage service will not remain
at 1 GB after overwriting the first 0.5 GB of the file. The snapshot still
includes the original 1 GB file size, so the total meteredBytes will not
remain at 1 GB.
2.5 GB
Explanation
Overwriting only a portion of the file does not increase the total
meteredBytes shown by the File Storage service to 2.5 GB. The snapshot
still includes the original 1 GB file size, so the total meteredBytes will not
increase to 2.5 GB.
Question 32 Skipped
As a solution architect, you are showcasing the Oracle Cloud
Infrastructure (OCI) Object Storage feature about Object Versioning to a
customer.
Which statement is true regarding OCI Object Storage Versioning?
Object Versioning does not provide data protection against
accidental or malicious object update, overwrite, or deletion.
Explanation
This statement is incorrect. Object Versioning in OCI Object Storage
serves as a safeguard against accidental or malicious changes to objects.
By retaining previous versions of objects, versioning ensures data
protection and facilitates recovery in case of undesired alterations.
Correct answer
Object Versioning is disabled on a bucket by default.
Explanation
This statement is correct. By default, Object Versioning is not activated on
buckets in OCI Object Storage. If versioning functionality is needed for a
particular bucket, it must be explicitly enabled.
Objects are physically deleted from a bucket when Versioning is
enabled.
Explanation
This statement is false. When Object Versioning is enabled on a bucket in
OCI Object Storage, objects are not permanently deleted. Instead, each
modification creates a new version, preserving the object's history and
preventing data loss.
A bucket that is Versioning-enabled can and will always have the
latest version of the object in the bucket.
Explanation
This statement is inaccurate. In OCI Object Storage, enabling versioning
for a bucket means that each time an object is modified, a new version is
created and stored alongside the previous versions. The bucket will
contain a history of object versions, not just the latest one.
Question 33 Skipped
As a network architect you have been tasked with creating a fully
redundant connection from your on-premises data center to your Virtual
Cloud Network (VCN) in the us-ashburn-1 region.
Which TWO options will accomplish this requirement?
Correct selection
Configure two FastConnect virtual circuits to the us-ashburn-1
region and terminate them in diverse hardware on-premises.
Explanation
Configuring two FastConnect virtual circuits to the us-ashburn-1 region
and terminating them in diverse hardware on-premises ensures
redundancy at both the network level and the hardware level. This setup
minimizes the risk of a single point of failure and provides a highly
available connection to the VCN in the specified region.
Correct selection
Configure one FastConnect virtual circuit to the us-ashburn-1
region and a Site-to-Site VPN to the us-ashburn-1 region.
Explanation
Configuring one FastConnect virtual circuit to the us-ashburn-1 region and
a Site-to-Site VPN to the same region provides a fully redundant
connection by utilizing two different networking technologies. This setup
ensures that if one connection fails, the other can still maintain
connectivity.
Configure a Site-to-Site VPN from a single on-premises CPE.
Explanation
Configuring a Site-to-Site VPN from a single on-premises CPE does not
provide the level of redundancy required for a fully redundant connection.
A single VPN connection can introduce a single point of failure, which goes
against the goal of creating a fully redundant connection.
Configure one FastConnect virtual circuit to the us-ashburn-1
region and the second FastConnect virtual circuit to the
us-phoenix-1 region.
Explanation
Configuring one FastConnect virtual circuit to the us-ashburn-1 region and
the second FastConnect virtual circuit to the us-phoenix-1 region does not
provide a fully redundant connection to the us-ashburn-1 region
specifically. It introduces unnecessary complexity and does not meet the
requirement of a redundant connection to a specific region.
Question 34 Skipped
Which TWO statements are TRUE about Private IP addresses in Oracle
Cloud Infrastructure (OCI)?
Correct selection
A private IP can have an optional public IP assigned to it if it
resides in a public subnet.
Explanation
A private IP address in Oracle Cloud Infrastructure can have an optional
public IP address assigned to it if it resides in a public subnet. This allows
the instance to communicate over the internet in addition to within the
VCN.
By default, the primary VNIC of an instance in a subnet has one
primary private IP address and one secondary private IP address.
Explanation
By default, the primary VNIC of an instance in a subnet has one primary
private IP address. While it is possible to assign multiple private IP
addresses to a VNIC, the primary private IP address is the main address
used for communication.
Each VNIC can only have one private IP address.
Explanation
Each VNIC in Oracle Cloud Infrastructure can have multiple private IP
addresses assigned to it. This allows for flexibility in networking
configurations and enables different types of communication within the
VCN.
Correct selection
By default, the primary VNIC of an instance in a subnet has one
primary private IP address.
Explanation
By default, the primary VNIC of an instance in a subnet is assigned one
primary private IP address. This primary private IP address is used for
communication within the VCN and with other resources in the same
subnet.
Question 35 Skipped
You are backing up your on-premises data to the Oracle Cloud
Infrastructure (OCI) Object Storage Service.
Your requirements are:
1. Backups need to be retained for at least a full 31 days.
2. Data should be accessible immediately if and when needed after
the backup.
Which OCI Object Storage tier is suitable for storing the backup to
minimize cost?
Correct answer
Standard tier
Explanation
The Standard tier in OCI Object Storage is suitable for storing backups
that need to be retained for at least 31 days and require immediate
accessibility when needed. It offers high performance, low latency, and
high durability, making it a cost-effective option for this scenario.
Infrequent Access tier
Explanation
The Infrequent Access tier in OCI Object Storage is suitable for data that is
accessed less frequently and needs to be retained for a longer duration at
a lower cost compared to the Standard tier. However, it may not offer
immediate access to backups, which is essential in this case where data
should be accessible immediately if needed after the backup.
Archive tier
Explanation
The Archive tier in OCI Object Storage is designed for data that is
accessed infrequently and needs to be retained for long periods at a lower
cost. While it can help minimize costs, it may not provide immediate
access to backups when required, which is a key requirement in this
scenario.
Auto-Tiering tier
Explanation
The Auto-Tiering tier in OCI Object Storage automatically moves data
between Standard and Archive tiers based on access patterns. While it
can help optimize costs for data with varying access frequencies, it may
not guarantee immediate accessibility for backups when needed.
Question 36 Skipped
Which TWO are key benefits of setting up Site-to-Site VPN on Oracle Cloud
Infrastructure (OCI)?
Correct selection
When setting up Site-to-Site VPN, OCI provisions redundant VPN
tunnels.
Explanation
One of the key benefits of setting up Site-to-Site VPN on OCI is that it
provisions redundant VPN tunnels, ensuring high availability and reliability
for the connection between on-premises networks and OCI resources.
Correct selection
When setting up Site-to-Site VPN, customers can configure it to
use static or dynamic routing (BGP).
Explanation
Setting up Site-to-Site VPN on OCI allows customers to configure the VPN
to use either static or dynamic routing (BGP), providing flexibility in how
routing decisions are made for the traffic between on-premises networks
and OCI resources.
When setting up Site-to-Site VPN, customers can expect
bandwidth above 2 Gbps.
Explanation
Bandwidth above 2 Gbps is not a guaranteed benefit of setting up
Site-to-Site VPN on OCI. The actual bandwidth capacity may vary depending on
the specific configuration and requirements of the VPN connection.
When setting up Site-to-Site VPN, it creates a private connection
that provides consistent network experience.
Explanation
Setting up Site-to-Site VPN on Oracle Cloud Infrastructure (OCI) creates a
private connection that ensures a consistent network experience by
securely connecting on-premises networks to OCI resources.
Question 37 Skipped
Which statement is TRUE about restoring a volume from a block volume
backup in the Oracle Cloud Infrastructure (OCI) Block Volume service?
You can restore a volume from any full volume backup but not
from an incremental backup.
Explanation
In OCI, you can restore a volume from both full and incremental backups.
This allows for more granular control over the restoration process and the
ability to restore from the most recent backup available.
Correct answer
You can restore a block volume backup to a larger volume size.
Explanation
One of the advantages of restoring a volume from a block volume backup
in OCI is the ability to restore it to a larger volume size if needed. This
flexibility allows for scaling up the volume size during the restoration
process.
You can restore only one volume from a manual block volume
backup.
Explanation
In OCI, you can restore multiple volumes from a manual block volume
backup, not just one volume. This provides flexibility in restoring multiple
volumes from the same backup.
You can only restore a volume to the same availability domain in
which the original block volume resides.
Explanation
Restoring a volume from a block volume backup in OCI allows you to
restore the volume to any availability domain within the same region, not
just the original availability domain where the volume resided.
Question 38 Skipped
What are the two types of capture filters that can be created for network
monitoring?
Flow control capture filters and traffic capture filters
Explanation
Flow control capture filters and traffic capture filters are not standard
types of capture filters in Oracle Cloud Infrastructure. Flow control capture
filters do not exist in the context of network monitoring, and traffic
capture filters are not a recognized type of filter for capturing network
traffic in OCI.
VTAP capture filters and network capture filters
Explanation
VTAP capture filters are used specifically for capturing network traffic
based on Virtual Network TAP configurations, while network capture filters
are not a standard type of capture filter in Oracle Cloud Infrastructure. The
combination of VTAP capture filters and network capture filters is not a
valid option for network monitoring in OCI.
Correct answer
Flow log capture filters and VTAP capture filters
Explanation
Flow log capture filters are used to capture specific network traffic based
on defined criteria in flow logs, while VTAP capture filters are used to
capture network traffic based on Virtual Network TAP (VTAP)
configurations. These two types of capture filters provide different
methods for monitoring and analyzing network traffic in Oracle Cloud
Infrastructure.
Flow log capture filters and packet capture filters
Explanation
Flow log capture filters are used to capture specific network traffic based
on flow log criteria, while packet capture filters are not a standard type of
capture filter in Oracle Cloud Infrastructure. The combination of flow log
capture filters and packet capture filters is not a valid option for network
monitoring in OCI.
Question 39
You are in the process of migrating several legacy applications from on-
premises to Oracle Cloud Infrastructure (OCI). The current servers are
already virtualized. However, you notice that the version of CentOS
currently running does not align with any of the Oracle-provided compute
images.
How would you migrate your existing virtual server images to OCI?
Export your current image in the QED format and copy to an
Object Storage bucket. Import it as a custom image. Select
emulated mode to ensure compatibility with legacy drivers.
Explanation
Exporting the current image in the QED format and importing it as a
custom image in OCI while selecting emulated mode ensures compatibility
with legacy drivers. This approach allows for a smooth migration of the
existing virtual server images to OCI.
Export your current image in the VMDK format and copy to an
Object Storage bucket. Import it as a custom image. Select native
mode to ensure the best possible performance.
Explanation
Exporting the current image in the VMDK format and importing it as a
custom image in OCI while selecting native mode may not be the best
option for ensuring compatibility with legacy drivers. It is crucial to choose
the right format and mode to maintain performance and functionality.
Export your current image in the VDI format and copy to an
Object Storage bucket. Import it as a custom image. Select native
mode to ensure the best possible performance.
Explanation
Exporting the current image in the VDI format and importing it as a
custom image in OCI while selecting native mode may not guarantee
compatibility with legacy drivers. It is important to ensure that the
migration process aligns with the existing setup to avoid any issues.
Correct answer
Export your current image in the QCOW2 format and copy to an
Object Storage bucket. Import it as a custom image. Select
emulated mode to ensure compatibility with legacy drivers.
Explanation
Exporting the current image in the QCOW2 format and importing it as a
custom image in OCI while selecting emulated mode ensures compatibility
with legacy drivers. This approach is the correct choice for migrating
existing virtual server images to OCI while maintaining compatibility and
performance.
Question 40
You want to run compute virtual machine (VM) instances in Oracle Cloud
Infrastructure (OCI). Your business unit has the following requirements
that need to be considered before you launch the VMs:
Requirement 1: Shared infrastructure should not be used to deploy
VMs.
Requirement 2: Meet node-based licensing requirements that require
you to license an entire server.
Which compute capacity type would you select to meet these
requirements?
Preemptible capacity
Explanation
Preemptible capacity in OCI provides discounted pricing for short-lived,
fault-tolerant workloads, but it does not ensure that the VM instances will
run on dedicated infrastructure to meet the requirement of not using
shared infrastructure.
Capacity reservation
Explanation
Capacity reservation in OCI allows you to reserve a specific amount of
compute capacity in advance, but it does not guarantee that the VM
instances will run on dedicated infrastructure to meet the requirement of
not using shared infrastructure.
Correct answer
Dedicated host
Explanation
Dedicated host capacity in OCI allows you to run VM instances on
dedicated physical servers, ensuring that shared infrastructure is not
used. This option aligns with the requirement of not using shared
infrastructure to deploy VMs and meets the node-based licensing
requirement by licensing an entire server.
On-demand capacity
Explanation
On-demand capacity in OCI allows you to launch VM instances on shared
infrastructure as needed, which does not align with the requirement of not
using shared infrastructure to deploy VMs.
Question 41
You are launching a new project in the US West (Phoenix) region. You
would like to reserve the compute capacity mentioned below so that the
capacity is available for your workloads when you need it.
10 VM.Standard2.2 Instances
6 VM.Standard.E4.Flex Instances
The project also requires you to be mindful about high availability and
place the instances in at least two Availability Domains.
At a bare minimum, how many capacity reservations would you create to
meet this requirement?
Correct answer
Two
Explanation
Creating two capacity reservations is the correct choice to meet the
requirement of placing instances in at least two Availability Domains. By
reserving capacity for the specified VM instances in two separate
reservations, you can ensure high availability and distribute the workload
across multiple Availability Domains.
Four
Explanation
Creating four capacity reservations would be excessive for the specified
workload and high availability requirement. It is more efficient to create
two reservations to meet the minimum requirement of placing instances
in at least two Availability Domains while reserving the necessary
compute capacity.
Three
Explanation
Creating three capacity reservations would exceed the minimum
requirement specified in the question. While it's important to consider
high availability and distribute instances across multiple Availability
Domains, creating three reservations would be unnecessary and could
lead to resource fragmentation.
One
Explanation
Creating only one capacity reservation would not meet the requirement of
placing instances in at least two Availability Domains. High availability
considerations necessitate distributing instances across multiple
Availability Domains to ensure resilience against failures.
Question 42
As a network architect, you have deployed a public subnet on your Virtual
Cloud Network (VCN) with this security list.
You have also created a network security group (NSG) and assigned it to
your bastion host:
You have confirmed that routing is correct but when you SSH to the VM
from your home over the internet, you are unable to connect.
What could be the problem?
User will be able to SSH to the VM from the Internet as SSH is
open on the NSG.
Explanation
This choice is incorrect because simply having SSH open on the NSG does
not guarantee that SSH traffic is allowed from the Internet. The security
list rules also need to permit SSH traffic for the connection to be
successful.
Internet traffic should be allowed only on the NSG.
Explanation
This choice is incorrect because allowing Internet traffic only on the NSG
does not guarantee that SSH traffic specifically is permitted. SSH traffic
needs to be explicitly allowed in both the security list and the NSG for the
connection to be successful.
Correct answer
SSH traffic is not allowed in the security list nor on the NSG from
the Internet.
Explanation
This choice is correct because if SSH traffic is not allowed in the security
list or the NSG from the Internet, the connection will not be established.
Both the security list and the NSG need to have rules allowing SSH traffic
for the connection to work.
Public subnet does not have a route rule to the Internet Gateway.
Explanation
This choice is incorrect because the inability to connect via SSH is not
related to the route rule to the Internet Gateway. The issue lies in the
security list and NSG configurations not allowing SSH traffic from the
Internet.
Question 43
You plan to launch a VM instance with the VM.Standard2.24 shape and
Oracle Linux 8 platform image.
You want to protect your VM instance from low-level threats, such as
rootkits and bootkits that can infect the firmware and operating system
and are difficult to detect.
What should you do?
Use in-transit encryption.
Explanation
Using in-transit encryption is important for securing data while it is being
transmitted between systems, but it does not directly address the need to
protect your VM instance from low-level threats like rootkits and bootkits
that infect the firmware and operating system. In-transit encryption
focuses on data security during transmission rather than protecting the
underlying infrastructure from firmware-level threats.
Create a burstable instance.
Explanation
Creating a burstable instance does not directly address the need to
protect your VM instance from low-level threats like rootkits and bootkits.
Burstable instances are designed for workloads with variable CPU usage,
and they do not provide specific security measures against firmware or
operating system infections.
Use Vulnerability Scanning Service.
Explanation
Using Vulnerability Scanning Service can help identify and address
security vulnerabilities in your VM instance, but it does not specifically
protect against low-level threats like rootkits and bootkits that infect the
firmware and operating system. It focuses on identifying software
vulnerabilities rather than protecting against firmware-level threats.
Correct answer
Create a shielded instance.
Explanation
Creating a shielded instance is the correct choice to protect your VM
instance from low-level threats like rootkits and bootkits. Shielded
instances provide a secure and verifiable boot process by using Secure
Boot, which ensures that only trusted firmware and software components
are loaded during the boot process, reducing the risk of firmware and
operating system infections.
Question 44
Which statement is TRUE about delegating an existing domain to the
Oracle Cloud Infrastructure (OCI) DNS service?
Domains can be self-delegated to OCI DNS from its own service
portal.
Explanation
Domains cannot be self-delegated to OCI DNS from its own service portal.
Domain delegation typically involves updating the domain's DNS settings
at the domain registrar, not within the service portal.
All domains can be retrieved to OCI DNS via DYN.
Explanation
Domains cannot be retrieved to OCI DNS via DYN. DYN is a DNS service
provider, and while it may offer integrations with OCI DNS, it is not a
standard method for delegating domains to OCI DNS.
Domains can be delegated to OCI DNS from the OCI Marketplace.
Explanation
Domains cannot be delegated to OCI DNS from the OCI Marketplace. The
OCI Marketplace is a platform for buying and selling software solutions,
not for domain delegation.
Correct answer
Domains can be delegated to OCI DNS from the Domain
Registrar's self-service portal.
Explanation
Domains can be delegated to OCI DNS from the Domain Registrar's self-
service portal. This is the correct method for delegating a domain to OCI
DNS, as it involves updating the domain's DNS settings at the registrar.
Domains can be delegated to OCI DNS via FastConnect partners.
Explanation
Domains cannot be delegated to OCI DNS via FastConnect partners.
FastConnect is a service that provides private connectivity to OCI
resources, but it is not directly related to domain delegation to OCI DNS.
Question 45
Which is NOT a valid action within the Oracle Cloud Infrastructure (OCI)
Block Volume service?
Restoring from a volume backup to a larger volume.
Explanation
Restoring from a volume backup to a larger volume is a valid action within
the OCI Block Volume service. This feature enables users to recover data
from a backup and choose a larger volume size for the restored data.
Correct answer
Attaching a block volume to an instance in a different availability
domain.
Explanation
Attaching a block volume to an instance in a different availability domain
is NOT a valid action within the OCI Block Volume service. Block volumes
can only be attached to instances within the same availability domain.
Cloning an existing volume to a new, larger volume.
Explanation
Cloning an existing volume to a new, larger volume is a valid action within
the OCI Block Volume service. This allows users to create a duplicate of an
existing volume with the option to resize it to a larger size if needed.
Expanding an existing volume in place with offline resizing.
Explanation
Expanding an existing volume in place with offline resizing is a valid
action within the OCI Block Volume service. This feature allows users to
increase the size of an existing volume without losing data, although the
resizing process may require the volume to be offline temporarily.
Question 46
Which of the following is a valid RFC 1918 CIDR prefix that can be used for
creating an Oracle Cloud Infrastructure (OCI) Virtual Cloud Network (VCN)?
"172.16.0.0/12"
Explanation
"172.16.0.0/12" is a valid RFC 1918 CIDR prefix that falls within the
private IP address range specified in RFC 1918. It allows for a range of IP
addresses from 172.16.0.0 to 172.31.255.255, making it suitable for
creating an OCI VCN.
"192.268.0.0/24"
Explanation
"192.268.0.0/24" is not a valid RFC 1918 CIDR prefix as the second octet
value exceeds the range specified in RFC 1918 for private IP addresses. It
should be within the range of 0 to 255 for the second octet.
"10.0.0.0/8"
Explanation
"10.0.0.0/8" is a valid RFC 1918 CIDR prefix that falls within the private IP
address range specified in RFC 1918. It allows for a range of IP addresses
from 10.0.0.0 to 10.255.255.255, making it suitable for creating an OCI
VCN.
"189.215.154.89/32"
Explanation
"189.215.154.89/32" is not a valid RFC 1918 CIDR prefix as it does not fall
within the private IP address range specified in RFC 1918. Additionally,
a /32 CIDR prefix represents a single IP address, which is not suitable for
defining a range of IP addresses for a VCN.
Correct answer
"192.168.0.0/16"
Explanation
"192.168.0.0/16" is a valid RFC 1918 CIDR prefix that falls within the
private IP address range specified in RFC 1918. It allows for a range of IP
addresses from 192.168.0.0 to 192.168.255.255, making it suitable for
creating an OCI VCN.
"0.0.0.0/0"
Explanation
"0.0.0.0/0" is not a valid RFC 1918 CIDR prefix for creating an OCI VCN.
This CIDR prefix represents the entire IPv4 address space, including public
and private IP addresses, and is not specific to the private IP address
range defined in RFC 1918.
Question 47
You want to create a policy to allow the NetworkAdmins group to manage
Virtual Cloud Network (VCN) in compartment C.
You want to attach this policy to the tenancy. The compartment hierarchy
is shown below.
Which policy statement can be used to accomplish this task?
Allow group 'Default'/'NetworkAdmins to manage virtual-network-
family in compartment C
Explanation
This policy statement targets compartment C but does not specify the
correct group ('NetworkAdmins') that needs the permission to manage the
VCN. It lacks the necessary detail to grant the required access to the
NetworkAdmins group in compartment C.
Correct answer
Allow group 'Default'/'NetworkAdmins' to manage virtual-
network-family in compartment A:B:C
Explanation
This policy statement correctly specifies the group 'NetworkAdmins' in
compartment C to manage the virtual-network-family resources. It follows
the correct compartment hierarchy of A:B:C and grants the necessary
permissions to the specified group in the desired compartment.
Allow group 'Default'/'NetworkAdmins to manage virtual-network-
family in compartment B:C
Explanation
This policy statement incorrectly targets compartment B:C instead of just
compartment C where the NetworkAdmins group needs to manage the
VCN. It includes an unnecessary additional compartment in the hierarchy,
which does not align with the specified task.
Allow group 'Default'/'NetworkAdmins to manage virtual-network-
family in tenancy
Explanation
This policy statement incorrectly targets the entire tenancy instead of the
specific compartment C where the NetworkAdmins group needs to
manage the VCN. It does not adhere to the requirement of attaching the
policy to compartment C for the specified group.
Question 48
Company XYZ is spending $300,000.00 USD per month in egress fees for
7 Petabytes (1 Petabyte = 1000 Terabytes) that they consume for
Outbound Data Transfer in North America with their current cloud
provider.
The company is seeking to lower that expense considerably without
reducing consumption. You propose migration to OCI because the
Gigabyte Outbound Data Transfer in North America costs just $0.0085
USD per month.
With OCI, how much will they spend per month for 7 Petabytes of
Outbound Data Transfer? (1 Terabyte = 1000 Gigabytes)
"$59,415.00"
Explanation
The calculated cost of $59,415.00 USD for 7 Petabytes of Outbound Data
Transfer with OCI is slightly off. The correct calculation based on the
pricing of $0.0085 USD per Gigabyte would result in a monthly cost of
$59,500.00 USD.
Correct answer
"$59,500.00"
Explanation
With OCI's pricing of $0.0085 USD per Gigabyte for Outbound Data
Transfer in North America, the cost for 7 Petabytes (1 Petabyte = 1000
Terabytes) would be significantly lower compared to the current provider.
The calculation for this would result in a monthly cost of $59,500.00 USD.
"$150,000.00"
Explanation
The proposed cost of $150,000.00 USD per month for 7 Petabytes of
Outbound Data Transfer with OCI is not accurate. With the pricing of
$0.0085 USD per Gigabyte, the total cost would be significantly lower than
$150,000.00 USD.
"$0.00" (free with OCI)
Explanation
While OCI does offer competitive pricing for Outbound Data Transfer, it is
not entirely free. The cost per Gigabyte is $0.0085 USD, so for 7 Petabytes
of data transfer, there would still be a cost associated with it, which is not
zero.
Question 49
A company accidentally moved a critical database instance to a different
compartment within their OCI tenancy. The existing IAM policies were
previously mapped to the database's original compartment and granted
access to authorized users.
How will this impact user access to the database?
Compartments prevent resource movement; once a resource is
placed in a compartment, it cannot be moved.
Explanation
Compartments in OCI do allow resources to be moved between
compartments, so it is possible for a critical database instance to be
accidentally moved to a different compartment within the tenancy.
Correct answer
Existing IAM policies will continue to function normally,
regardless of the compartment move.
Explanation
IAM policies in OCI are not tied to the specific compartment where a
resource is located. As long as the IAM policies granting access to the
database instance were correctly configured before the compartment
move, authorized users will continue to have access to the database.
Access to the database will be immediately revoked for all
authorized users due to the compartment change.
Explanation
Access to resources in OCI is controlled by IAM policies, not by the
compartment where the resource is located. Therefore, moving the
database instance to a different compartment will not immediately revoke
access for authorized users.
Compartments are not covered by IAM policies; they only apply to
resources.
Explanation
Compartments in OCI are used for organizing and managing resources,
while IAM policies control access to those resources. IAM policies are
applied at the resource level, not at the compartment level, so moving a
resource to a different compartment does not affect the IAM policies
associated with it.
Question 50
You have objects stored in an OCI Object Storage bucket that you want to
share with a partner company. You decide to use pre-authenticated
requests to grant access to the objects.
Which statement is true about pre-authenticated requests?
You cannot edit a pre-authenticated request.
Explanation
Pre-authenticated requests can be edited to change the expiration time or
access permissions, so it is possible to modify the details of a request
after it has been created. This flexibility allows you to adjust the access
parameters as needed without creating a new request.
You need to provide your OCI credentials to the partner company.
Explanation
You do not need to provide your OCI credentials to the partner company
when using pre-authenticated requests. These requests generate a unique
URL that can be shared with the partner company to grant them
temporary access to the specified objects without revealing your
credentials.
Correct answer
Deleting a pre-authenticated request does not revoke user access
to the associated bucket or object.
Explanation
Deleting a pre-authenticated request does not revoke user access to the
associated bucket or object. Once a pre-authenticated request is created
and shared with the partner company, they can access the objects until
the expiration time set for the request, regardless of whether the request
is deleted or not.
Pre-authenticated requests can be used to delete buckets or
objects.
Explanation
Pre-authenticated requests are used to grant temporary access to specific
objects in an OCI Object Storage bucket. They do not have the capability
to delete entire buckets or objects. The purpose of these requests is to
provide controlled access to individual objects for a specified period, not
to perform deletion operations.
Question 51
When compared to IAM policies, what is a KEY advantage of utilizing
administrator roles for access control within OCI IAM identity domains?
Provide granular control over user access to specific
compartments within the domain
Explanation
Administrator roles provide high-level, overarching control over user
access within the domain but may not offer the same level of granular
control as IAM policies. IAM policies allow for more detailed and specific
control over user access to individual compartments and resources within
the domain.
Correct answer
Can be used to grant access to resources outside of the
associated identity domain
Explanation
One key advantage of utilizing administrator roles is that they can be used
to grant access to resources outside of the associated identity domain.
This flexibility allows for more comprehensive access control across
different resources and services within OCI.
Offer a wider range of permission combinations than IAM policies
Explanation
Administrator roles do not necessarily offer a wider range of permission
combinations than IAM policies. IAM policies can be customized to define
specific permissions and access levels for different users, groups, and
resources within the identity domain.
Simplify access management by eliminating the need for complex
policy creation
Explanation
While administrator roles can simplify access management to some
extent, they do not eliminate the need for complex policy creation
entirely. IAM policies are still necessary for defining specific access rules
and restrictions within the identity domain.
Question 52
As a network architect, you have been tasked with creating a fully
redundant connection from your on-premises data center to your Virtual
Cloud Network (VCN) in the us-ashburn-1 region.
Which TWO options will accomplish this requirement?
Correct selection
Configure two FastConnect virtual circuits to the us-ashburn-1
region and terminate them in diverse hardware on-premises.
Explanation
Configuring two FastConnect virtual circuits to the us-ashburn-1 region
and terminating them in diverse hardware on-premises ensures
redundancy by having multiple physical connections. This setup provides
failover capabilities in case one connection or hardware fails.
Configure one FastConnect virtual circuit to the us-ashburn-1
region and the second FastConnect virtual circuit to the us-
phoenix-1 region.
Explanation
Configuring one FastConnect virtual circuit to a different region (us-
phoenix-1) does not provide redundancy for the connection to the us-
ashburn-1 region. Redundancy requires multiple connections terminating
in the same region.
Correct selection
Configure one FastConnect virtual circuit to the us-ashburn-1
region and a Site-to-Site VPN to the us-ashburn-1 region.
Explanation
Configuring one FastConnect virtual circuit to the us-ashburn-1 region and
a Site-to-Site VPN to the same region provides redundancy by having both
a dedicated private connection (FastConnect) and a VPN connection. This
setup ensures connectivity even if one of the connections fails.
Configure a Site-to-Site VPN from a single on-premises CPE.
Explanation
Configuring a Site-to-Site VPN from a single on-premises CPE does not
provide the level of redundancy required for a fully redundant connection.
A single VPN connection can be a single point of failure.
Question 53
You created a virtual cloud network (VCN) with three private subnets. Two
of the subnets contain application servers and the third subnet contains a
DB System. The application requires a shared file system, therefore you
have provisioned one using the file storage service (FSS).
You have also created the corresponding mount target in one of the
application subnets. The VCN security lists are properly configured so that
the application servers can access FSS. The security team changed the
settings for the DB System to have read-only access to the file system.
However, when they test it, they are unable to access FSS.
How would you allow access to FSS?
Modify the security list associated with the subnet where the
mount target resides. Change the ingress rules corresponding to
the DB System subnet to be stateless.
Explanation
Modifying the security list associated with the subnet where the mount
target resides and changing the ingress rules for the DB System subnet to
be stateless would not necessarily resolve the access issue for the DB
System needing read-only access to the file system.
Create an instance principal for the DB System. Write an Identity
and Access Management (IAM) policy that allows the instance
principal read-only access to the file storage service.
Explanation
Creating an instance principal for the DB System and writing an IAM policy
that allows read-only access to the file storage service would grant the
necessary permissions for the DB System to access the FSS.
Correct answer
Create an NFS export option that allows READ_ONLY access where
the source is the CIDR range of the DB System subnet.
Explanation
Creating an NFS export option that allows READ_ONLY access with the
source set to the CIDR range of the DB System subnet would specifically
grant read-only access to the DB System to the file system, resolving the
access issue.
Modify the security list associated with the subnet where the
mount target resides. Change the ingress rules corresponding to
the DB System subnet to be stateful.
Explanation
Modifying the security list associated with the subnet where the mount
target resides and changing the ingress rules for the DB System subnet to
be stateful may not directly address the access issue related to the DB
System needing read-only access to the file system.
Question 54
As a cloud infrastructure manager at a multinational company, you're
tasked with optimizing data transfer and backup strategies across
different regions on Oracle Cloud Infrastructure (OCI). You decide to utilize
the Inter-Region Latency dashboard provided by OCI to gain insights into
latency between regions.
Why is the OCI Inter-Region Latency dashboard useful for your task?
Correct answer
It offers a current and historical view of latency snapshots,
enabling you to analyze up to a 30-day history.
Explanation
The Inter-Region Latency dashboard is useful for optimizing data transfer
and backup strategies as it offers both current and historical views of
latency snapshots. This historical data can enable you to analyze trends
and patterns over a 30-day period, helping in making informed decisions
for optimizing data transfer strategies.
It focuses solely on latency within your own tenancy ensuring
accurate monitoring of data transfer.
Explanation
The Inter-Region Latency dashboard does not focus solely on latency
within your own tenancy but rather provides insights into latency between
different regions on OCI, regardless of the tenant. This broader view can
help in optimizing data transfer and backup strategies across regions.
It's designed for troubleshooting latency issues within your
specific applications, providing targeted insights for optimizing
performance.
Explanation
The Inter-Region Latency dashboard is not designed for troubleshooting
latency issues within specific applications but rather provides a broader
view of latency between regions, which can be valuable for optimizing
data transfer and backup strategies at a higher level.
It provides real-time data specific to your tenancy's workloads.
Explanation
While the Inter-Region Latency dashboard may provide real-time data, its
main purpose is to offer insights into latency between regions rather than
focusing solely on your tenancy's workloads. This broader perspective can
help in optimizing data transfer and backup strategies across different
regions.
Question 55
Which TWO statements about the Oracle Cloud Infrastructure (OCI) File
Storage Service are accurate?
Communication with file systems in a mount target is encrypted
via HTTPS.
Explanation
This statement is incorrect as communication with file systems in a mount
target is encrypted using the NFSv4.1 protocol, not HTTPS.
Correct selection
Customer can encrypt data in their file system using their own
Vault encryption key.
Explanation
This statement is accurate as customers have the option to encrypt data
in their file system using their own Vault encryption key, providing an
additional layer of security and control over their data.
Mount targets use Oracle-managed keys by default.
Explanation
This statement is incorrect as mount targets in the OCI File Storage
Service also use Oracle-managed keys by default for encryption, not
customer-managed keys.
Correct selection
File systems use Oracle-managed keys by default.
Explanation
This statement is accurate as file systems in the OCI File Storage Service
use Oracle-managed keys by default for encryption, ensuring data
security and compliance with industry standards.
Customer can encrypt the communication to a mount target via
export options.
Explanation
This statement is incorrect as the communication to a mount target is
encrypted using the NFSv4.1 protocol, and encryption via export options
is not a feature of the OCI File Storage Service.
Question 56
You can attach resources to a Dynamic Routing Gateway (DRG). Select
THREE of these resources.
Correct selection
IPSec Tunnel
Explanation
IPSec Tunnels can be attached to a Dynamic Routing Gateway (DRG) to
establish secure communication between on-premises networks and
resources within Oracle Cloud Infrastructure.
Correct selection
Virtual Circuits
Explanation
Virtual Circuits can be attached to a Dynamic Routing Gateway (DRG) to
establish private connectivity between on-premises networks and
resources within Oracle Cloud Infrastructure.
Local Peering Connection
Explanation
Local Peering Connections are not attached to a Dynamic Routing
Gateway (DRG). They are used to establish private connectivity between
VCNs within the same region.
VNIC
Explanation
Virtual Network Interface Cards (VNICs) are not directly attached to a
Dynamic Routing Gateway (DRG). They are used to connect instances to a
VCN (Virtual Cloud Network) within Oracle Cloud Infrastructure.
Correct selection
Remote Peering Connections
Explanation
Remote Peering Connections can be attached to a Dynamic Routing
Gateway (DRG) to establish private connectivity between VCNs in different
regions within Oracle Cloud Infrastructure.
Subnet
Explanation
Subnets can be attached to a Dynamic Routing Gateway (DRG) to enable
communication between the resources within the subnet and the
resources connected to the DRG.
Question 57 Skipped
Which components are required at a high level for establishing remote
peering between two Virtual Cloud Networks (VCNs) in Oracle Cloud
Infrastructure (OCI)?
Two VCNs with nonoverlapping CIDRs in the same region, a
dynamic routing gateway (DRG) attached to each VCN, and a
direct connection between the DRGs
Explanation
This choice describes a scenario where two VCNs with nonoverlapping
CIDRs are in the same region, which is not suitable for establishing remote
peering between VCNs in different regions. Additionally, it mentions a
direct connection between the DRGs, which is not the correct approach for
remote peering.
Correct answer
Two VCNs with nonoverlapping CIDRs in different regions, a
dynamic routing gateway (DRG) attached to each VCN, a remote
peering connection (RPC) on each DRG, and a connection
established between the RPCs
Explanation
This choice correctly outlines the components required for establishing
remote peering between two VCNs in different regions. It includes two
VCNs with nonoverlapping CIDRs, a dynamic routing gateway (DRG)
attached to each VCN, a remote peering connection (RPC) on each DRG,
and a connection established between the RPCs, which is the correct
setup for remote peering in Oracle Cloud Infrastructure (OCI).
Two VCNs with overlapping CIDRs in different regions, a virtual
private network (VPN) gateway attached to each VCN, and a
direct connection between the VPN gateways
Explanation
This choice suggests using two VCNs with overlapping CIDRs in different
regions, which is not a valid configuration for establishing remote peering.
Additionally, using VPN gateways instead of DRGs and direct connections
between them does not align with the correct setup for remote peering.
A single VCN with nonoverlapping CIDRs in each region, a
dynamic routing gateway (DRG) attached to each VCN, and a
direct connection between the DRGs
Explanation
This choice describes a scenario where a single VCN with nonoverlapping
CIDRs in each region is connected to a dynamic routing gateway (DRG) in
each VCN. However, it does not mention the direct connection between
the DRGs, which is essential for establishing remote peering between the
VCNs.
Question 58 Skipped
You have three compartments: ProjectA, ProjectB, and ProjectC. For each
compartment, there is an admin group set up: A-Admins, B-Admins, and
C-Admins.
Each admin group has full access over their respective compartments as
shown in the graphic below.
Your organization has set up a tag namespace, EmployeeGroup.Role, and
all your admin groups are tagged with a value of "Admin".
You want to set up a Test compartment for members of the three projects
to share. You also need to provide admin access to all three of your
existing admin groups.
Which policy would you write to accomplish this task?
Allow group any-group to manage all-resources in compartment
Test where
request.principal.group.tag.EmployeeGroup.Role="Admin"
Explanation
The "any-group" syntax is not valid in Oracle Cloud Infrastructure policies.
It should be a specific group name like A-Admins, B-Admins, or C-Admins.
Allow dynamic-group to manage all-resources in compartment
Test where
request.principal.group.tag.EmployeeGroup.Role="Admin"
Explanation
The "dynamic-group" syntax is not applicable in this scenario as dynamic
groups are used for defining groups based on matching rules, not for
specifying existing group names like A-Admins, B-Admins, or C-Admins.
Correct answer
Allow any-user to manage all-resources in compartment Test
where request.principal.group.tag.EmployeeGroup.Role='Admin'
Explanation
This policy correctly allows any user to manage all resources in the Test
compartment where the user's group is tagged with
EmployeeGroup.Role='Admin'. This ensures that all users belonging to the
A-Admins, B-Admins, and C-Admins groups will have admin access to the
Test compartment.
Allow all-group to manage all-resources in compartment Test
where request.principal.group.tag.EmployeeGroup.Role="Admin"
Explanation
This policy specifies "all-group" which is not a valid group identifier in
Oracle Cloud Infrastructure. It should be a specific group name like
A-Admins, B-Admins, or C-Admins.
Question 59 Skipped
Which statement accurately describes the key features and benefits of
OCI Confidential Computing?
It optimizes network performance and reduces latency through
advanced routing algorithms and caching mechanisms.
Explanation
This statement is incorrect as it does not accurately describe the key
features and benefits of OCI Confidential Computing. Confidential
Computing focuses on encrypting and isolating data and applications to
prevent unauthorized access, rather than optimizing network performance
or reducing latency.
It enables users to securely store and retrieve data by using
distributed file systems, ensuring high availability and fault
tolerance.
Explanation
This statement is incorrect as it does not accurately describe the key
features and benefits of OCI Confidential Computing. Distributed file
systems and high availability are important aspects of cloud storage, but
they are not the main focus of Confidential Computing, which is more
about data encryption and isolation.
Correct answer
It encrypts and isolates in-use data and the applications
processing that data, thereby preventing unauthorized access or
modification.
Explanation
This statement is correct as it accurately describes one of the key features
and benefits of OCI Confidential Computing. It encrypts and isolates in-use
data and the applications processing that data, ensuring that
unauthorized access or modification is prevented.
It provides automatic scalability and load balancing capabilities,
which allow seamless integration with other cloud providers.
Explanation
This statement is incorrect as it does not accurately describe the key
features and benefits of OCI Confidential Computing. While scalability and
load balancing are important features of cloud services, they are not the
primary focus of Confidential Computing, which is more about data
security and privacy.
Question 60 Skipped
As a network engineer responsible for managing the virtual network
infrastructure on Oracle Cloud Infrastructure (OCI) for your organization,
you decide to utilize the Network Visualizer tool provided by OCI.
Why is the Network Visualizer tool valuable for managing virtual network
infrastructure on OCI?
It provides detailed information about the physical network
components.
Explanation
The Network Visualizer tool does not provide detailed information about
physical network components. It focuses on visualizing the virtual network
infrastructure within OCI, rather than physical network components.
It generates automated reports on network performance metrics,
facilitating decision-making for optimizing network resources and
bandwidth allocation.
Explanation
The Network Visualizer tool does not generate automated reports on
network performance metrics. Its primary function is to visualize the
virtual network topology within OCI, rather than providing performance
metrics or reports.
Correct answer
It visualizes the topology of all VCNs in a selected region and
tenancy, allowing for a concise understanding of their
relationships and connections.
Explanation
The Network Visualizer tool in OCI is valuable as it provides a visual
representation of the topology of all Virtual Cloud Networks (VCNs) within
a selected region and tenancy. This visualization helps network engineers
to quickly understand the relationships and connections between different
VCNs, making it easier to manage and troubleshoot the virtual network
infrastructure.
It offers real-time monitoring of network traffic, enabling
proactive identification of security threats and unauthorized
access attempts.
Explanation
The Network Visualizer tool does not offer real-time monitoring of network
traffic. Its main purpose is to provide a visual representation of the virtual
network infrastructure, rather than monitoring network traffic for security
threats or unauthorized access attempts.
Question 61 Skipped
A financial firm is designing an application architecture for its online
trading platform that should have high availability and fault tolerance.
Their solutions architect configured the application to use an Oracle Cloud
Infrastructure (OCI) Object Storage bucket located in the US West
(us-phoenix-1) region to store large amounts of financial data. The stored
financial data in the bucket should not be impacted even if there is an
outage in one of the Availability Domains or a complete region.
What should the architect do to avoid any costly service disruptions and
ensure data durability?
Correct answer
Create a replication policy to send data to a different bucket in
another OCI region.
Explanation
Creating a replication policy to send data to a different bucket in another
OCI region ensures data durability and availability even in the event of
outages in the current region. This approach provides fault tolerance and
high availability by replicating the data to a separate location.
Create a new Object Storage bucket in another region and
configure recycle policy to move data every 5 days.
Explanation
Creating a new Object Storage bucket in another region and configuring a
recycle policy to move data every 5 days does not provide immediate
data redundancy and protection against outages. It introduces a delay in
data replication and may not ensure continuous availability of the
financial data.
Copy the Object Storage bucket to a block volume.
Explanation
Copying the Object Storage bucket to a block volume does not provide the
necessary redundancy and fault tolerance required for high availability
and data durability. Block volumes are not designed for storing large
amounts of data like Object Storage buckets and do not offer the same
level of resilience against outages.
Create a lifecycle policy to regularly send data from the Standard
to Archive storage.
Explanation
Creating a lifecycle policy to move data from Standard to Archive storage
does not address the requirement for high availability and fault tolerance
in case of outages in Availability Domains or regions. It focuses on cost
optimization and data management rather than ensuring data durability
during service disruptions.
Question 62 Skipped
A large organization is using Oracle Cloud Infrastructure (OCI) and has
implemented a complex compartment structure.
They have a root compartment, with multiple nested compartments for
various projects, teams, and environments. A new virtual machine is created
for a specific project in a development sub-compartment.
Which statement is INCORRECT regarding the virtual machine in this
scenario?
The virtual machine can interact with resources such as a Virtual
Cloud Network (VCN) in a different compartment.
Explanation
In OCI, resources like virtual machines can interact with resources in
different compartments as long as the necessary network configurations
and security rules are in place. This allows for flexibility and collaboration
across different projects and teams within the organization.
If necessary, the virtual machine can be moved to a different
compartment within the tenancy.
Explanation
In OCI, if necessary, a virtual machine can be moved to a different
compartment within the tenancy. This can be done to reorganize
resources, adjust access controls, or align with changes in project
structures or team responsibilities.
The virtual machine is associated with a specific compartment,
and it cannot simultaneously exist in any other compartment.
Explanation
In OCI, a resource like a virtual machine is associated with a specific
compartment, and it cannot exist in multiple compartments
simultaneously. This compartmentalization helps in organizing and
securing resources within the tenancy.
Correct answer
Access to the virtual machine is only controlled by policies
attached to the root compartment.
Explanation
Access to a virtual machine in OCI is controlled by policies attached to the
compartment where the virtual machine resides, not just the root
compartment. Each compartment can have its own set of policies that
define who can access the resources within that compartment.