
OCI Architect Associate Certification – 1Z0-932 Exam
Study notes prepared by Watsh Rajneesh
Based on -
https://learn.oracle.com/education/downloads/OracleCloudInfrastructurestudyguide.pdf

Table of Contents
SYLLABUS
IAM
NETWORK
CONNECTIVITY
COMPUTE
BLOCK VOLUME
FILE STORAGE SERVICE
OBJECT STORAGE
LOAD BALANCER
DATABASE
AUTONOMOUS DATABASE
EDGE SERVICES

Syllabus
1. https://cloud.oracle.com/iaas/training - Foundation and Advanced
2. OCI Level 100 videos - https://youtu.be/UboBygcEcsc
3. Practice Exam - http://oukc.oracle.com/static12/opn/login/?t=checkusercookies|r=-1|c=2164389233
4. OCI Level 200 videos (optional) - https://youtu.be/f6921B2hXw0
5. Whitepapers - https://docs.cloud.oracle.com/iaas/Content/General/Reference/aqswhitepapers.htm
6. Security Best Practice - https://docs.cloud.oracle.com/iaas/Content/Security/Reference/configuration_security.htm
IAM
Identity and Access Management (IAM)
• Apply core Identity and Access Management (IAM) components
• Describe resource location
• Design federation with various identity providers
• Apply IAM, governance, and security best practices

1. Number of nested compartments – 6 max.
2. Compartments cannot be deleted.
3. Policies are inherited by child compartments from the parent.
4. Principals:
a. IAM users – root user (the first user, created by default with the tenancy; cannot be deleted)
b. Instance principal – can call OCI APIs without requiring an API signing key pair: instances are added to dynamic groups, and policies grant the dynamic group the privilege for instances created in the identified compartment to make API calls.
c. Service principal
5. A user has no permissions unless added to a group; a group is granted its permissions by policies.
6. User can be member of multiple groups.
7. Policy syntax and example:
   allow group <group_name> to <verb> <resource-type> in tenancy <tenancy_name>
   allow group <group_name> to <verb> <resource-type> in compartment <compartment_name> [where <conditions>]
   E.g. Allow group ProjectA_Admins to manage all-resources in compartment ProjectA_compartment

8. Policy verbs:
a. Inspect – list/read resources without user-specified metadata
b. Read – read resources including user-specified metadata
c. Use – use the resource, but no create/delete
d. Manage – all privileges
9. Resource families:
a. All-resources
b. Database-family
c. Instance-family
d. Object-family
e. Virtual-network-family
f. Volume-family
10. Each resource family also has individual resource identifiers (like objects, buckets in
object-family) so granular specific policies can be defined for each resource as needed.
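As an added example (not from the study guide or from Oracle's tooling), the following Python evaluates policy statements in the syntax above against a request, modelling the verb hierarchy, the resource families and the inheritance of policies by child compartments described in items 3, 5, 8 and 9. The compartment tree, the family memberships other than object-family, and the sample policy are constructed for the demo; `where` conditions are parsed but not evaluated.

```python
import re
from dataclasses import dataclass

# Verb hierarchy from the notes: inspect < read < use < manage (a stronger verb implies the weaker ones).
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}

# Resource families expand to individual resource types. The notes name buckets and objects
# under object-family; the other memberships below are assumptions made for this demo.
FAMILIES = {
    "object-family": {"buckets", "objects"},
    "instance-family": {"instances", "volume-attachments"},
    "volume-family": {"volumes", "volume-backups"},
    "virtual-network-family": {"vcns", "subnets", "security-lists"},
}

# Constructed compartment tree: child -> parent, with "tenancy" as the root.
COMPARTMENT_PARENT = {"ProjectA_compartment": "tenancy", "ProjectA_dev": "ProjectA_compartment"}

STATEMENT = re.compile(
    r"^allow group (\S+) to (inspect|read|use|manage) (\S+) in "
    r"(tenancy(?: \S+)?|compartment \S+)(?: where (.+))?$", re.IGNORECASE)

@dataclass(frozen=True)
class Statement:
    group: str
    verb: str
    resource: str
    scope: str              # "tenancy" or a compartment name
    condition: str = None   # parsed but not evaluated in this demo

def parse_policy(text):
    """Parse one statement per line; anything off-grammar is rejected rather than guessed."""
    statements = []
    for line in text.strip().splitlines():
        m = STATEMENT.match(line.strip())
        if not m:
            raise ValueError(f"malformed policy statement: {line!r}")
        scope_words = m.group(4).split()
        scope = "tenancy" if scope_words[0].lower() == "tenancy" else scope_words[1]
        statements.append(Statement(m.group(1), m.group(2).lower(), m.group(3).lower(), scope, m.group(5)))
    return statements

def scope_chain(compartment):
    """The compartment and its ancestors up to the tenancy: policies are inherited downward only."""
    chain = [compartment]
    while chain[-1] != "tenancy":
        chain.append(COMPARTMENT_PARENT[chain[-1]])
    return chain

def resource_covered(policy_resource, requested):
    return (policy_resource == "all-resources" or policy_resource == requested
            or requested in FAMILIES.get(policy_resource, set()))

def is_allowed(statements, group, verb, resource, compartment):
    """Default deny: the group needs a statement at this compartment or an ancestor that covers
    the resource with a verb at least as strong as the one requested."""
    scopes = scope_chain(compartment)
    return any(s.group == group and s.scope in scopes and resource_covered(s.resource, resource)
               and VERB_RANK[s.verb] >= VERB_RANK[verb] for s in statements)

SAMPLE_POLICY = """
allow group ProjectA_Admins to manage all-resources in compartment ProjectA_compartment
allow group Auditors to inspect all-resources in tenancy
allow group ObjectReaders to read object-family in compartment ProjectA_dev
"""
```

Running `is_allowed(parse_policy(SAMPLE_POLICY), "ProjectA_Admins", "manage", "instances", "ProjectA_dev")` returns True through inheritance, while the same group gets nothing at tenancy level.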

Network
Network
• Apply design concepts related to VCN components
• Describe public and private IP addresses and virtual NICs
• Apply VCN connectivity options
• Understand remote network connectivity
• Apply OCI Load Balancer concepts
• Understand OCI Edge services
• Apply OCI networking best practices

11. Max VCN CIDR range supported in OCI is /16 and min is /30.
12. Route tables determine what traffic can be routed out of the VCN.
13. Private subnets are recommended to have their own individual route tables.
14. All hosts in a VCN can route to other hosts within that VCN (no route table entry is required).
15. North-south traffic – traffic in/out of the VCN.
16. East-west traffic – traffic within the VCN across subnets.
17. By default, instances within the same subnet cannot communicate with each other either: the user must whitelist traffic even between instances in the same subnet. This is the “whitelist model” of security that OCI uses.
18. Gateways:
a. Internet Gateway – allows traffic to/from the internet for a public subnet.
b. NAT Gateway – allows instances in a private subnet to download patches from the public internet.
c. Service Gateway – allows backups from a private subnet to the OCI Object Storage service without going through the public internet. More efficient than a NAT Gateway for this use case.
d. DRG – Dynamic Routing Gateway – allows traffic between on-prem and private subnets in the cloud.
e. LPG – Local Peering Gateway – between VCNs within the same region.
f. RPG – Remote Peering Gateway – between VCNs across regions.
19. DNS:
a. Internet and VCN resolver (default) – 169.254.169.254
b. Custom resolver
c. Instance FQDN - <hostname>.<subnet dns label>.<vcn dns label>.oraclevcn.com
=> resolves to instance private ip.
d. Private Pool – domain names + zones
e. Types of records supported in OCI:
i. A (Address Record)
ii. AAAA (IPv6 Address Record)
iii. CNAME (Canonical Name Record)
iv. MX (Mail Exchange Record)
v. TXT (Text Record)
vi. PTR (Pointer Record)
vii. SOA (Start of Authority Record)
viii. SRV (Service Locator)
ix. NS (Name Server Record)
f. OCI DNS can act as either a primary or a secondary DNS server.
g. Max 1000 zones per tenant.
20. Every vNIC can have 1 primary private IP and additional 31 secondary private IPs.
a. Possible to move secondary private IP from vNIC on instance 1 to vNIC on
instance 2 provided both vNICs are in same subnet. This is typically used for
planned fail-over scenarios where instance 1’s vNIC private ip is moved to
instance 2’s vNIC in the same subnet before instance 1 is brought down.
b. Every vNIC may optionally have a primary public IP assigned to it and 31
secondary public IPs (corresponding to each secondary private IP).
21. Public IPs are assigned to:
a. Instances (optionally)
b. Public load balancer
c. DRG
d. NAT Gateways
22. Public IPs can be:
a. Ephemeral – only 1 per vNIC (corresponding to primary private IP)
b. Reserved IP – max 32 per vNIC (can exist even after instance is terminated and
re-assigned to a different instance)

Connectivity
23. Public Internet:
a. Internet Gateway/NAT Gateway
b. Reserved or ephemeral IPs
c. Internet Data out pricing (first 10 TB is free)
24. VPN:
a. IPSec auth and encryption
b. 2 options: OCI managed VPN service (free) or software VPN running on OCI
compute instance.
c. No SLA
d. Bandwidth is typically < 250Mbps
e. Steps to set up VPN-based connectivity from on-prem to OCI:
i. Create a VCN and a DRG.
ii. Update routing in your VCN to use the DRG for the on-prem network’s (non-overlapping) IP address range or CIDR.
iii. Create a CPE object and provide the on-prem router’s public IP to it.
iv. From the DRG, create an IPsec connection to the CPE object and configure a static route in the DRG.
v. The VPN IPsec service provides a connection between a customer’s on-premises network and an Oracle Cloud Infrastructure Virtual Cloud Network (VCN). It consists of multiple redundant IPsec tunnels that use static routes to route traffic. The IPsec tunnels connect the Dynamic Routing Gateway (DRG) and the Customer Premises Equipment (CPE) object that are created and attached to the VCN. By default, three IPsec tunnels, one per Availability Domain, are created on Oracle Cloud Infrastructure; this provides redundancy if there are tunnel failures. Oracle recommends configuring the on-premises router to support all of the IPsec tunnels in case one of them fails. Each tunnel has configuration information (that is, the Oracle Cloud Infrastructure DRG-external IP address and the pre-shared key for authentication) that is configured on the on-premises router.
vi. VPN HA:
1. 3 tunnels (one per AD)
2. Route traffic to multiple CPEs (with 3 tunnels per CPE).
25. FastConnect: provides an easy, elastic, and economical way to create a dedicated private connection with higher bandwidth options and a more reliable and consistent networking experience compared to internet-based connections.
a. Private connection
b. High throughput / low latency
c. 1 Gbps and 10 Gbps bandwidth
d. SLA of 99.9% availability
e. Service providers: Megaport, Equinix, Verizon SCI etc.
f. Usage scenarios:
i. Private peering:
1. Connect to instances in an OCI VCN, or an OCI DB that needs to access an on-prem DNS service
2. Requires a DRG to route traffic
ii. Public peering:
1. Connect to the OCI Object Storage service or an ATP DB from on-prem instances.
2. No DRG needed in this case as the services are accessed over the public internet.
g. Redundancy or HA:
i. Provision redundant FastConnect virtual circuits in 2 different ADs (preferably using different service providers for the virtual circuits for even higher HA).

Public peering – needed to access the OCI console or OCI Cloud Storage.
Private peering – if a DB in OCI needs to access on-prem DNS; uses a DRG to connect (supports dynamic routing).
VPN only allows static routing via the DRG.


26. Security rules – stateful by default, so response traffic for a stateful ingress rule is automatically allowed. Stateless security rules do not allow response traffic by default; a corresponding egress rule must be created to allow it.
27. Local VCN Peering – peering of VCNs in the same region. Requires non-overlapping CIDRs for the peered VCNs. Peering is done via an LPG (Local Peering Gateway).
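To make the stateful/stateless distinction in item 26 concrete, here is an added Python model (not OCI's implementation, nor from the study guide) of a security list evaluating an SSH request and the instance's reply. The Rule and Packet classes, the first-match semantics and the sample addresses are assumptions of the demo.

```python
import ipaddress
from dataclasses import dataclass

ALL_PORTS = (1, 65535)

@dataclass(frozen=True)
class Rule:
    direction: str                # "ingress" or "egress"
    protocol: str                 # "tcp" or "udp"
    cidr: str                     # remote CIDR: source for ingress, destination for egress
    dst_ports: tuple = ALL_PORTS  # destination port range the packet must fall in
    src_ports: tuple = ALL_PORTS  # source port range the packet must fall in
    stateless: bool = False       # OCI rules are stateful unless marked stateless

@dataclass(frozen=True)
class Packet:
    direction: str    # "ingress" (remote -> instance) or "egress" (instance -> remote)
    protocol: str
    remote_ip: str
    remote_port: int
    local_port: int   # port on the instance

class SecurityList:
    """Evaluates packets against rules, remembering flows admitted by stateful rules."""
    def __init__(self, rules):
        self.rules = rules
        self.tracked = set()  # flows whose return traffic is implicitly allowed

    def _matches(self, rule, pkt):
        if rule.direction != pkt.direction or rule.protocol != pkt.protocol:
            return False
        if ipaddress.ip_address(pkt.remote_ip) not in ipaddress.ip_network(rule.cidr):
            return False
        # ingress: destination is the instance port; egress: destination is the remote port
        dst, src = ((pkt.local_port, pkt.remote_port) if pkt.direction == "ingress"
                    else (pkt.remote_port, pkt.local_port))
        return rule.dst_ports[0] <= dst <= rule.dst_ports[1] and rule.src_ports[0] <= src <= rule.src_ports[1]

    def allows(self, pkt):
        flow = (pkt.protocol, pkt.remote_ip, pkt.remote_port, pkt.local_port)
        if flow in self.tracked:
            return True  # return leg of a connection a stateful rule already admitted
        for rule in self.rules:  # first matching rule wins (simplifying assumption)
            if self._matches(rule, pkt):
                if not rule.stateless:
                    self.tracked.add(flow)
                return True
        return False

def ssh_exchange(rules):
    """Constructed sample: SSH from 203.0.113.10:51000 to port 22, then the instance's reply."""
    sl = SecurityList(rules)
    request = Packet("ingress", "tcp", "203.0.113.10", 51000, 22)
    reply = Packet("egress", "tcp", "203.0.113.10", 51000, 22)
    return sl.allows(request), sl.allows(reply)

STATEFUL = [Rule("ingress", "tcp", "0.0.0.0/0", dst_ports=(22, 22))]
STATELESS_ONLY_INGRESS = [Rule("ingress", "tcp", "0.0.0.0/0", dst_ports=(22, 22), stateless=True)]
STATELESS_WITH_REPLY = STATELESS_ONLY_INGRESS + [
    Rule("egress", "tcp", "0.0.0.0/0", dst_ports=(1024, 65535), src_ports=(22, 22), stateless=True)]
```

`ssh_exchange(STATELESS_ONLY_INGRESS)` admits the request but drops the reply, which is the symptom of a missing stateless egress rule; the egress rule in STATELESS_WITH_REPLY restores it.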

Compute
Compute
• Understand compute and sizing
• Troubleshoot options using console connections and boot volume
• Architect High Availability and Disaster Recovery solutions
• Describe image options

28. Bare Metal – single-tenant model
a. Performance-intensive workloads
b. Workloads that are not virtualized
c. Workloads that require a certain type of hypervisor
d. BYOL workloads
e. Types:
i. Standard Intel 1-52 cores
ii. Standard AMD EPYC 1-64 cores – cheaper, at $0.03/cpu-hr
iii. Dense I/O – uses local NVMe storage – billing continues even when the instance is in the stopped state.
iv. GPU
29. VM – Multi tenant model
a. Types:
i. Standard Intel x86 1-64 cores
ii. Standard AMD EPYC 1-64 cores
iii. Dense I/O – local NVMe storage
30. Boot volume cannot be more than 300 GB
31. Custom image modes –
a. Emulation mode – emulated NIC, block boot, legacy BIOS.
b. Native mode – max performance with a modern OS. Uses native guest OS drivers.
c. Paravirtualized mode – hypervisor drivers are used to present storage as local disks instead of using, say, iSCSI drivers from the guest OS.
32. To use any hypervisor the customer wants, they should use Bare Metal instances, where they can install any OS and hypervisor they want.
33. BYOI – bring your own image – images in QCOW2 and VMDK formats can be run in emulation mode.
34. We can change the shape of an existing compute instance by resizing its boot volume.
35. Custom images are stored in cloud storage. There is no cost for the storage. There can
be max 25 custom images per compartment.
36. Boot volume is exported with custom image.
37. Boot volume can be manually backed up or cloned.
38. A boot volume backup can also be used to launch an instance; however, this may sometimes cause issues because boot volume backups are crash-consistent (the backup can be taken while the instance is running).
39. Export of custom image requires instance to be shutdown.
40. Instance configurations – create configuration of OS image, shape, network resources,
AD placement, subnets etc to use when launching instances. Create once and reuse the
same config to launch multiple instances.
41. Instance pools – create pool of multiple instances based off same instance configuration
within same region.
42. Auto-scale instance configurations – can be setup if monitoring is enabled.
43. 1 pool uses 1 instance config.
44. 1 instance config can be used for multiple pools.
45. Instance lifecycle:
a. Start
b. Stop
c. Reboot
d. Terminate
i. Boot volume can be retained
46. Billing –
a. Standard VM and BM – billing pauses on stop
b. High I/O BM and dense I/O VM/BM instances – billing continues on stop as they
have local NVMe storage being used for boot volume.
Block Volume
Storage
• Understand OCI storage options
• Design storage solutions for applications and databases

47. Uses iSCSI network storage. Requires:
a. IP address and port
b. Volume IQN
c. CHAP username/password (optional)
48. Create/Attach/Move/Backup supported
49. Sizes: 50 GB to 2 TB (in 1 GB increments)
50. Max 32 volumes per instance.
51. NVMe SSD local storage available in Dense I/O instances – are transient storage to be
used for caching but persist across reboots. They are meant for data intensive
applications – big data etc.
52. Paravirtualized attachment – only supported for VM type instances as it requires hypervisor drivers.
53. iSCSI attachment – supported in both VM and BM type instances.
54. Access – read/write (default) or read/only
55. There are 3 copies of a block volume. When volume is detached and deleted then copies
are also deleted so delete operation cannot be undone.
56. Backup/Restore –
a. Data backed up manually or periodically based on policy to object storage.
b. Data can be restored to a volume of a different instance in a different AD within
same region.
57. Cloning – is like backup/restore but avoids use of object storage and is a direct disk to
disk deep copy of data. It can be done within same AD only. The operation is accepted
immediately but is run in background (lifecycle state changes from PROVISIONING to
AVAILABLE immediately). Typically takes 15 mins/TB of data to clone.
58. Volume group – can include block and boot volumes from across instances and different
compartments. Same backup policy can be applied for all volumes associated with the
same group.
59. Resize of block/boot volumes – from 50GB to 32TB. Cannot resize to a smaller size (not
supported).
a. Resize offline (stop instance and then resize a volume)
b. Restore from volume to a larger volume
c. Clone to a larger volume
60. Block volumes are AD specific – just like instances – we need to select AD when creating
a block volume.
61. Backup policies:
a. Bronze – monthly backups, retained for 12 months
b. Silver – weekly + Bronze, retained for 4 weeks
c. Gold – daily + Silver + Bronze, retained for 7 days
62. Encryption of the data in volumes is done both at Rest and in transit. The default keys
used to encrypt data are Oracle provided. User can provide their own OCI KMS
encryption key while creating block volume.

File Storage Service

63. NFSv3 compatible
64. Limit: can store up to 8 exabytes
65. AD specific – like block volumes.
66. Network Lock Manager (NLM) for file locking
67. Data protection: snapshots, up to 10,000 per file system
68. Security: 128-bit encryption for file system data
69. 100 file systems and 2 mount targets per AD per account
70. Cost: $0.0425 per GB/month
71. Can create a mount target in one AD but mount it from NFS clients in different ADs.
72. For HA: take a snapshot and use rsync to copy it to another FSS in a different region.
Object storage
1. Object storage types – Standard and Archive.
2. Can use service gateways to access object storage service from OCI instance without
going out on public internet.
3. Features:
a. Cross-region copying
b. Multipart uploads
c. Pre-authenticated requests
d. Lifecycle rules
4. Can be used for:
a. Big data – HDFS connector provides support for Apache Spark and MapReduce to
store data in OCI object store.
b. Logs, images, videos, large datasets etc.
5. Provides strong consistency – data retrieved is always the most recent copy.
6. Data durability – data is repaired and encrypted automatically. Multiple copies are kept across ADs.
7. Supports user-provided key-value metadata for objects.
8. Data at rest is encrypted with AES-256 encryption.
9. Components:
a. Objects = data + metadata
b. Buckets = container for objects
c. Namespace = 1 pre-assigned namespace per tenancy. Bucket names should be
unique within namespace (don’t need to be globally unique across tenancies like
in AWS).
10. 2 types – once selected, the type cannot be changed.
a. Standard storage (HOT) – for frequently accessed data.
b. Archive storage (COLD) – minimum retention is 90 days before access; if you access within that duration you pay a penalty. Also, time to first byte (TTFB) is 4 hours to restore data from Archive storage.
11. Object naming: /n/<namespace>/b/<bucket name>/o/<object name>
12. We can use the object name as a hierarchy, e.g. JCS/12.2.1.3/provisioning_cookbook.zip. This is then treated as a path within object storage, and we can selectively delete, say, files in parent or child prefixes of the path without impacting the rest of the files in the other prefixes.
13. Cross region copy – copy objects across region requires giving permission to object
storage service in source region to be able to copy to destination region. For example –
allow service objectstorage-us-ashburn-1 to manage object-family in tenancy
a. Limitations:
i. Cannot do bulk copy
ii. Cannot copy from archive storage
14. Policy based archival or deletion of objects – requires giving permission to object
storage service in tenancy to manage object-family.
15. Lifecycle actions on objects at bucket or object name prefix level:
a. Delete
b. Archive
16. Bucket accessibility – private or public
17. Buckets allow to change compartment after creation – this is the only such resource in
OCI that allows changing compartment.

Load Balancer
18. Load Balancing types:
a. Round robin (default)
b. Least connections – assigns weights to each server in the backend set so that more traffic is routed to servers with higher weight than to the other servers.
c. IP Hash – the client/source IP in the packet is hashed to route traffic to the same backend server (stickiness).
19. Can create virtual hostname for each listener.
a. One IP multiple virtual hostnames (one for each application for example)
configured in DNS server
b. One LB can serve multiple applications
20. Can create path routes to route traffic to the correct backend set without using multiple
listeners or load balancers.

Database
Database
• Describe OCI Database options
• Explain OCI Database Operations
• Architect HA and DR solutions
• Managing Autonomous Database

21. dbcli – CLI on VM or BM, run as root
a. dbcli create-database -n crmdb -hm <password> -cl OLTP -s odb2
b. dbcli create-dbhome -v 12.1.0.2
22. cliadm update-dbcli – command to upgrade dbcli
23. Backing up DB to OCI Object storage requires:
a. DB’s archiving mode is set to ARCHIVELOG (default)
b. /u01 dir has enough free space to run backup
c. Can access the cloud storage endpoint from DB VM
24. Full backups are retained in object storage even after DB is deleted so they can be used
to recover DB.
25. Dataguard cannot be enabled for DB recovery process to begin. It needs to be disabled
prior to data recovery.
26. DB can be created from backup in object storage.
Autonomous Database
27. 2 workload types:
a. ATP (Transaction processing)
b. ADW (Data warehouse)
28. Provides secure SQL*Net connections only (uses TCP-secure, TCPS). Need to download the wallet zip and use it to connect from the client application.
29. Accessible via service gateway from instances in OCI private subnets.
30. Automatic backups taken. Manual backups can also be taken to OCI Cloud Storage.
31. Automatic patching and upgrade.
Edge Services
Practice Questions