
Terms in this set (93)

1. Your company has been running several small applications in OCI and is planning a POC to
deploy PSFT. If your existing resources are being maintained in the root compartment, what is the
recommended approach for defining security for the upcoming POC?

- Create a new tenancy for the POC. Provision all new resources into the root compartment. Grant
appropriate permissions to create and manage resources within the root compartment
- Provision all new resources into the root compartment. Grant permissions that only allow for creation and
management of resources specific to the POC
- Create a new compartment for the POC and grant appropriate permissions to create and manage resources
within the compartment.
- Provision all new resources into the root compartment. Use defined tags to separate resources that belong
to different applications.

- Create a new compartment for the POC and grant appropriate permissions to create and manage
resources within the compartment.

Explanation
Because your existing resources are already maintained in the root compartment, the recommended approach
for defining security for the upcoming POC is to create a new compartment for the POC and grant appropriate
permissions to create and manage resources within that compartment.

2. You have been tasked with creating one VCN each for 2 LOB apps. LOB A and LOB B will need
to communicate with each other. To ensure that you can utilize VCN peering, which network
CIDR ranges should be used?

- VCN A (10.0.0.0/16) and VCN B (10.1.0.0/16)
- VCN A (10.0.2.0/16) and VCN B (10.0.2.0/25)
- VCN A (10.0.0.0/16) and VCN B (10.0.16.0/24)
- VCN A (172.16.0.0/24) and VCN B (172.16.0.0/28)

- VCN A (10.0.0.0/16) and VCN B (10.1.0.0/16)

Explanation
VCN A (10.0.0.0/16) will use a range of IPs from 10.0.0.0 to 10.0.255.255 and VCN B (10.1.0.0/16) will
use a range of IPs from 10.1.0.0 to 10.1.255.255, so there will not be any overlap between the 2 VCNs.

3. Which service would you use if your big data workload required shared access and NFS-based
connectivity?

- Block Volume
- Archive Storage
- Object Storage
- File Storage

- File Storage

Explanation
File Storage service is designed to meet the needs of applications and users that need an enterprise file
system across a wide range of use cases, including the following:
• General Purpose File Storage: Access to an unlimited pool of file systems to manage growth of structured
and unstructured data.
• Big Data and Analytics: Run analytic workloads and use shared file systems to store persistent data.
• Lift and Shift of Enterprise Applications: Migrate existing Oracle applications that need NFS storage, such
as Oracle EBS and PSFT.
• Databases and Transactional Applications: Run test and development workloads with Oracle, MySQL, or
other databases.
• Backups, Business Continuity, and Disaster Recovery: Host a secondary copy of relevant file systems from
on premises to the cloud for backup and disaster recovery purposes.
• Microservices and Docker: Deliver stateful persistence for containers. Easily scale as your container-based
environments grow.

4. You have hired a new employee to run reports from the ADW and are not confident in their SQL
writing ability. Into which consumer group will you assign this individual to minimize the impact
of their code?

- Low
- Lowest
- Medium
- High
- Highest

- Low

Explanation
In ADW, the tnsnames.ora file provided with the credentials zip file contains three database service names
identifiable as high, medium, and low. The predefined service names provide different levels of performance
and concurrency for ADW.
• HIGH - provides the highest level of resources to each SQL statement, resulting in the highest performance,
but supports the fewest number of concurrent SQL statements. Any SQL statement in this service can use all
the CPU and IO resources in your database. The number of concurrent SQL statements that can be run in
this service is 3; this number is independent of the number of OCPUs in your database.
• MEDIUM - provides a lower level of resources to each SQL statement, potentially resulting in a lower level
of performance, but supports more concurrent SQL statements. Any SQL statement in this service can use
multiple CPU and IO resources in your database. The number of concurrent SQL statements that can be run
in this service depends on the number of OCPUs in your database.
• LOW - provides the lowest level of resources to each SQL statement, but supports the largest number of
concurrent SQL statements. Any SQL statement in this service can use a single CPU and multiple IO
resources in your database. The number of concurrent SQL statements that can be run in this service can be
up to 300 times the number of OCPUs.
- The predefined service names provide different levels of performance and concurrency for Autonomous
DB.
- Choose whichever database service offers the best balance of performance and concurrency.
- Use the low database service name to minimize the impact of their SQL by placing them in the low consumer group.

5. You deployed a compute instance (VM.Standard2.16) to run a SQL database. After a few weeks,
you need to increase disk performance by using NVMe disks; the number of CPUs will not change.
As a first step you terminate the instance and preserve the boot volume.
What is the next step?
- Create a new instance using a VM.DenseIO2.16 shape using the preserved boot volume and move the
SQL Database data to block volume
- Create a new instance using a VM.DenseIO2.8 shape using the preserved boot volume and move the
SQL Database data to NVMe disks
- Create a new instance using a VM.Standard1.16 shape using the preserved boot volume and move the
SQL Database data to NVMe disks
- Create a new instance using a VM.DenseIO2.16 shape using the preserved boot volume and move the SQL
Database data to NVMe disks

- Create a new instance using a VM.DenseIO2.16 shape using the preserved boot volume and move the SQL
Database data to NVMe disks

Explanation
To increase disk performance by using NVMe disks, use a Dense IO shape. Since the number of
CPUs will not change, the shape should be VM.DenseIO2.16.

6. You have provisioned an ATP database and logged into the ATP service console.
What are 3 abilities that can be performed from this service console?

- scale up/down the CPUs
- create ATP database users
- reset the admin password
- set resource management rules
- monitor database activity and SQL queries

- reset the admin password
- set resource management rules
- monitor database activity and SQL queries

Explanation
In the ATP Service Console:
• ACTIVITY screen - lets you monitor database activity and SQL queries.
• ADMIN screen - lets you perform basic administration of the service, such as resetting the admin
password and setting resource management rules.

7. Where do you find the tnsnames.ora for your ADW database?

- You can download tnsnames.ora from OCI web console under ADW details page
- The tnsnames.ora file is included in credentials.zip file that you download from service console of ADW
- The ADW database will place the tnsnames.ora file in an object storage bucket
- You are automatically prompted to download the tnsnames.ora file upon creation of the ADW database

- The tnsnames.ora file is included in credentials.zip file that you download from service console of
ADW

Explanation
To download client credentials from the ATP Service Console:
- From the Service Console click the Administration link.
- Click Download Client Credentials (Wallet).
- On the Download Client Credentials (Wallet) page, enter a wallet password in the Password field and
confirm the password in the Confirm Password field. The password must be at least 8 characters long and
must include at least 1 letter and either 1 numeric character or 1 special character. This password protects
the downloaded Client Credentials wallet.
- Click Download to save the client security credentials zip file. By default the filename is:
Wallet_databasename.zip. You can save this file as any filename you want. You must protect this file to
prevent unauthorized database access.

8. Which statement is true regarding ATP?

- a database name cannot be used concurrently for both an ADW and an ATP database
- After terminating a database, the database name is available for immediate reuse
- a maximum of 8 cores can be enabled for an ATP database
- a maximum of 2 TB of storage can be enabled for an ATP database

- a database name cannot be used concurrently for both an ADW and an ATP database

Explanation
- The DB name must be unique among all ADW and Autonomous Databases in your tenancy in the same
region.
- Terminating an ATP DB permanently deletes the instance and removes all automatic backups. You cannot
recover a terminated database.
- The maximum number of CPUs and the maximum storage capacity that can be provisioned in Oracle Autonomous
Database: in the current release, up to 128 CPUs and 128 TB can be provisioned from the cloud console.
Customers requiring more resources need to contact their Oracle account team.

9. Which two resources reside exclusively in a single availability domain?

- Compute instance
- Object Storage
- Groups
- Block Volume
- Web Application Firewall Policy

- Compute instance
- Block Volume

Explanation
AD-Specific Resources
• DB Systems
• Ephemeral Public IPs
• Instances - They can be attached only to volumes in the same AD.
• Subnets - When you create a subnet, you choose whether it is regional or specific to an AD. Oracle
recommends using regional subnets.
• Volumes - They can be attached only to an instance in the same availability domain.

10. Which 2 use Dynamic Routing Gateway (DRG) for connectivity?

- Remote VCN peering across region
- Oracle IPsec VPN
- Local VCN peering
- OCI FastConnect public peering

- Remote VCN peering across region
- Oracle IPsec VPN

Explanation
You use a DRG when connecting your existing on-premises network to your VCN with one (or both) of
these: (1) IPSec VPN (2) OCI FastConnect

You also use a DRG when peering a VCN with a VCN in a different region:
Remote VCN Peering (Across Regions)

11. You are running a mission-critical DB app in OCI. You take regular backups of your DB system
to OCI object storage. Recently, you notice a failed db backup status in the console.
What 2 steps can you take to determine the cause of the backup failure?

- Ensure the database archiving mode is set to NOARCHIVELOG
- Ensure that your database host can connect to the OCI object storage
- Restart the dcsagent program if it has a status of stop or waiting
- Make sure that the database is not active and running while the backup is in progress

- Ensure that your database host can connect to the OCI object storage
- Restart the dcsagent program if it has a status of stop or waiting

Explanation
DB backups can fail for various reasons. Typically, a backup fails because either the DB host cannot access
the object store, or there are problems on the host or with the DB configuration.
First, determine the problem.
In the Console, a failed database backup either displays a status of Failed or hangs in the Backup in Progress
or Creating state. If the error message does not contain enough information to point you to a solution, you
can use the database CLI and log files to gather more data. Then, refer to the applicable section in the
Oracle documentation for a solution.

12. Which statement is true about OCI FastConnect?

- For private peering, FastConnect extends your existing infrastructure to allow you to consume object
storage from your on-premises data center
- For private peering, FastConnect extends your existing infrastructure to a VCN
- For public peering, FastConnect extends your existing infrastructure to a VCN
- For public peering, a DRG must be configured and attached to the VCN

- For private peering, FastConnect extends your existing infrastructure to a VCN


Explanation
With FastConnect, you can choose to use private peering, public peering, or both.
• Private Peering: To extend your existing infrastructure into a VCN in OCI (for example, to implement a
hybrid cloud, or a lift and shift scenario). Communication across the connection is with IPv4 private
addresses (typically RFC 1918).
• Public Peering: To access public services in OCI without using the internet. For example, Object Storage,
the OCI Console and APIs, or public load balancers in your VCN. Communication across the connection is with IPv4
public IP addresses. Without FastConnect, the traffic destined for public IP addresses would be routed over
the internet.

13. Which 2 actions will occur when a back-end server that is registered with a backend set is marked
to drain connections?

- It disallows new connections to that backend server
- keeps the connections to that instance open and attempts to complete any in-flight requests
- redirects the requests to a user-defined error page.
- immediately closes all existing connections to that instance
- forcibly closes all connections to that instance after a timeout period

- It disallows new connections to that backend server
- keeps the connections to that instance open and attempts to complete any in-flight requests

Explanation
If you set the server's drain status to true, the load balancer stops forwarding new TCP connections and new
non-sticky HTTP requests to this backend server. This setting allows an administrator to take the server out
of rotation for maintenance purposes.

14. Which 2 statements are true about restoring a block volume from a manual or policy based block
volume backup?

- It can be restored as new volumes with different sizes from the backups
- It can be restored as a new volume to any AD across different regions
- It must be restored as a new volume to the same AD on which the original block volume backup
resides
- It can be restored as a new volume to any AD in the same region

- It can be restored as new volumes with different sizes from the backup
- It can be restored as a new volume to any AD in the same region

Explanation
When you restore the backup you select a name for the block volume and choose the availability domain in
which you want to restore it. You can restore a block volume backup to a larger volume size. To do this,
check Custom Block Volume Size (GB), and then specify the new size.

15. In what 2 ways does OCI File Storage service differ from OCI Object Storage and Block Volume
services?
• File storage mount target does not provide a private IP address, while the object storage bucket provides
one
• File Storage uses the Network File System (NFS) protocol, whereas block volume uses iSCSI (Small
Computer System Interface)
• Block volume service is NVMe based, while file storage service is not.
• You can move object storage buckets, block volumes and file storage mount targets between compartments

• File Storage uses the Network File System (NFS) protocol, whereas block volume uses iSCSI (Small
Computer System Interface)
• You can move object storage buckets, block volumes and file storage mount targets between compartments

Explanation
The mount target provides the IP address or DNS name that is used together with a unique export path to
mount the file system. You can move mount targets from one compartment to another.

16. You have been notified of an application failure indicating that one or more of the OCI resources
have become unavailable. After scanning the Compute and Database consoles, you notice that one
of the DB Systems is missing.
What would you do to identify the reason for this missing resource?

- Navigate to the Audit console and search the previous 24 hours for all Delete actions to get a list of any
resource that was deleted in the past 24 hours
- Create a serial console connection to the DB System that does not appear in the management console.
Connect to the serial console connection, and then review the system logs under /var/log/messages
- View the service limits associated with your account to ensure that you have not exceeded the allowable
number of DB Systems in your tenancy
- Navigate to the Audit console and search the previous 24 hours for all List actions to get a list of every
event that occurred in the past 24 hours.

- Navigate to the Audit console and search the previous 24 hours for all Delete actions to get a list of any
resource that was deleted in the past 24 hours

Explanation
You can filter results by request actions to zero in on only the events with operations that interest you. For
example, say that you only want to know about instances that were deleted during a specific time frame.
Select a delete request action filter to see only the events with delete operations.

17. Which 2 statements are true about adding secondary VNICs to an existing compute instance?

- The primary and secondary VNIC association must be in the same AD
- You can assign an Ephemeral Public IP to a secondary VNIC
- You can remove the primary VNIC after the secondary VNIC's attachment is complete
- The primary and secondary VNIC association can be in different VCNs

- The primary and secondary VNIC association must be in the same availability domain
- The primary and secondary VNIC association can be in different VCNs

Explanation
Each secondary VNIC can be in a subnet in the same VCN as the primary VNIC, or in a different subnet that
is either in the same VCN or a different one. However, all the VNICs must be in the same availability
domain as the instance. An ephemeral public IP can be assigned to a VNIC's primary private IP only.

18. You are designing a high bandwidth, redundant connection between your data center and OCI.
While researching for OCI FastConnect locations, you notice that you are co-located with Oracle
at one of the Oracle FastConnect locations in the Ashburn region.
What is the recommended design in this scenario?

- Create a cross-connect group and have two or more cross-connects in that group. Create an IPsec VPN
connection on this group.
- Setup two IPsec connections between your data center and OCI Ashburn region. Create an OCI load
balancer to distribute the traffic across the two connections
- Create a cross-connect group and have at least two or more cross-connects in that group. Create at least
two or more virtual circuits in the group.
- Create a cross-connect group and have at least one cross-connect in that group. Create at least one
virtual circuit in the group.

- Create a cross-connect group and have at least two or more cross-connects in that group. Create at least
two or more virtual circuits in the group.

Explanation
You could have multiple private virtual circuits, for example, to isolate traffic from different parts of your
organization (one virtual circuit for 10.0.1.0/24, another for 172.16.0.0/16), or to provide redundancy.

19. You have created a VCN with 3 private subnets. 2 of the subnets contain application servers and
the 3rd subnet contains a DB System. The application requires a shared file system, so you have
provisioned one using the file storage service (FSS). You also created the corresponding mount
target in one of the application subnets. The VCN security lists are properly configured so that
both app servers and the DB System can access the file system. The security team determines that
the DB System should have read-only access to the file system.
What change would you make to satisfy this requirement?

- Create an NFS export option that allows READ_ONLY access where the source is the CIDR range of
the DB System subnet

- Connect via SSH to one of the application servers where the file system has been mounted. Use the
Unix command chmod to change permissions on the file system directory, allowing the database user
read-only access

- Modify the security list associated with the subnet where the mount target resides. Change the ingress
rules corresponding to the DB System subnet to be stateless.

- Create an instance principal for the DB System. Write an IAM policy that allows the instance principal
read-only access to the file storage service

- Create an NFS export option that allows READ_ONLY access where the source is the CIDR range
of the DB System subnet

Explanation
NFS export options enable you to create more granular access control than is possible using just security
list rules to limit VCN access. You can use NFS export options to specify access levels for IP addresses
or CIDR blocks connecting to file systems through exports in a mount target.

20. Which 2 OCI database services allow you to dynamically scale CPU and storage?

- bare metal DB system
- VM DB system
- ADW
- ATP

- ADW
- ATP

Explanation
- If a bare metal DB system requires more compute node processing power, you can scale up (increase) the
number of enabled CPU cores in the system without impacting the availability of that system, but you can't
increase the storage.
- If the original DB system VM shape uses a single node, running databases on the DB system nodes are
sequentially stopped and then restarted on the new shape, so the scaling is not dynamic.

21. Your company has decided to move a few applications to OCI and you have been asked to design a
cloud-based DR solution. One of the requirements is to deploy the DR resources at least 300 miles
from the home OCI region and minimize the network latency.
What will be the recommended deployment?

- Deploy production and DR applications in the same VCN. Create production subnets in one AD, and
DR subnets in another AD.
- Deploy production and DR applications in 2 separate VCNs in different ADs within your home region,
and then use a VCN remote peering connection for connectivity
- Deploy production and DR applications in 2 separate VCNs, each in different regions. Connect them
using a VCN remote peering connection
- Deploy production and DR apps in 2 separate VCNs, each in different regions, and then use VCN local
peering gateways for connectivity

- Deploy production and DR applications in 2 separate VCNs, each in different regions. Connect them using
a VCN remote peering connection

Explanation
Remote VCN peering is the process of connecting two VCNs in different regions. The peering allows the
VCNs' resources to communicate using private IP addresses without routing the traffic over the internet or
through your on-prem network.

22. Which 2 statements are true about encryption on OCI?

- By default, object storage and block storage are encrypted at rest.
- A customer is responsible for data encryption in all services of OCI
- By default, DB Systems offers an encrypted database.
- By default, NVMe drives are encrypted but the block volume service is not

- By default, object storage and block storage are encrypted at rest.
- By default, DB Systems offers an encrypted database.

23. Which 2 options are available when setting up DNS for your bare metal and VM DB Systems?
• Internet and custom resolver
• Google DNS servers
• Custom resolver
• Internet and VCN resolver

• Custom resolver
• Internet and VCN resolver

Explanation
Choices for DNS in Your VCN
• Default Choice: Internet & VCN resolver
• Custom resolver

24. You have multiple apps installed on a compute instance and these apps generate a large amount of
log files. These log files must reside on the boot volume for a min of 15 days. Any files over 15 days
do not have to reside on boot volume but still must be retained for at least 60 days. The 60-day
retention requirement is causing an issue with available disk space. What are the TWO
recommended methods to provide additional boot volume space for this compute instance?

- Terminate the instance while preserving the boot volume. Create a new instance from the boot volume
and select a DenseIO shape to take advantage of local NVMe storage.
- Create an object storage bucket and use a script that runs daily to move log files older than 15 days to
the bucket
- Create and attach a block volume to the compute instance and copy the log files
- Create a custom image and launch a new compute instance with a larger boot volume size
- Write a custom script to remove the log files on a daily basis and free up the space on the boot volume

- Create an object storage bucket and use a script that runs daily to move log files older than 15 days to the
bucket
- Create a custom image and launch a new compute instance with a larger boot volume size

Explanation
These log files must reside on the boot volume for a minimum of 15 days, so you have to increase the boot
volume.

25. You are designing a lab exercise for your team that has a large number of graphics with large file
sizes. The application becomes unresponsive if the graphics are embedded in the application. You
have uploaded the graphics to OCI and only added the URL in the application. You need to ensure
these graphics are accessible without requiring any authentication for an extended period of time.
How can you achieve these requirements?

- Create pre-authenticated requests (PAR) and specify 00:00:0000 as the expiration time.
- Make the object storage bucket private and all objects public and use the URL found in the Object
"Details"
- Make the object storage bucket public and use the URL found in the Object "Details"
- Create PARs and do not specify an expiration date

- Make the object storage bucket public and use the URL found in the Object "Details"

Explanation
Pre-authenticated requests provide a way to let you access a bucket or an object without having your own
credentials. For example, you can create a request that lets you upload backups to a bucket without owning
API keys. When you create a bucket, the bucket is considered a private bucket and the access to the bucket
and bucket contents requires authentication and authorization. However, Object Storage supports
anonymous, unauthenticated access to a bucket. You make a bucket public by enabling read access to the
bucket. Pre-authenticated requests require an expiration date.

26. You are deploying a highly available web application in OCI and have decided to use a public load
balancer. The back end web servers will be distributed across all 3 ADs.
How many subnets should you create to deliver a secure, highly available application?

- 2 subnets in total; 1 regional private subnet to host your back-end web servers & 1 regional public
subnet to host your public load balancer
- 3 subnets in total; 1 regional public subnet to host your back-end web servers and 2 AD specific private
subnets to host your private load balancer
- 1 subnet in total; 1 regional private subnet to host your back-end web servers and your public load
balancer.
- 2 subnets in total; 1 regional public subnet to host your back-end web servers and 1 regional private
subnet to host your public load balancer

- 2 subnets in total; 1 regional private subnet to host your back-end web servers & 1 regional public subnet
to host your public load balancer

Explanation
To accept traffic from the internet, you create a public load balancer. The service assigns it a public IP
address that serves as the entry point for incoming traffic. You can associate the public IP address with a
friendly DNS name through any DNS vendor. A public load balancer is regional in scope. If your region
includes multiple ADs, a public load balancer requires either a regional subnet (recommended) or two
availability domain-specific (AD-specific) subnets, each in a separate availability domain. With a regional
subnet, the Load Balancing service creates a primary load balancer and a standby load balancer, each in a
different availability domain, to ensure accessibility even during an availability domain outage. If you create
a load balancer in two AD-specific subnets, one subnet hosts the primary load balancer and the other hosts a
standby load balancer. If the primary load balancer fails, the public IP address switches to the secondary
load balancer. The service treats the two load balancers as equivalent and you cannot specify which one is
"primary".
- Whether you use regional or AD-specific subnets, each load balancer requires one private IP address from
its host subnet. The Load Balancing service supplies a floating public IP address to the primary load
balancer. The floating public IP address does not come from your backend subnets. You cannot specify a
private subnet for your public load balancer.
- The backend servers (Compute instances) associated with a backend set can exist anywhere, as long as the
associated network security groups (NSGs), security lists, and route tables allow the intended traffic flow.
- Oracle recommends that you create your load balancer in a regional subnet. Oracle recommends that you
distribute your backend servers across all availability domains within the region.

27. Which 2 statements about File Storage Service (FSS) are accurate?

- FSS leverages UNIX user group and permission checking for file access security
- Encryption of file system in FSS is optional
- IAM controls which file systems are mountable by which instances
- Security lists can be used as a virtual firewall to prevent an instance from mounting an FSS mount
target within the same subnet
- Data in transit to an FSS mount target is encrypted

- FSS leverages UNIX user group and permission checking for file access security
- Data in transit to an FSS mount target is encrypted

Explanation
- All data is encrypted at rest, and in-transit encryption provides a way to secure your data between instances
and mounted file systems using TLS v1.2 (Transport Layer Security) encryption.
- File Storage service supports the AUTH_UNIX style of authentication and permission checking for remote
NFS client requests.

28. What is true about data guard set up with Fast-Start FailOver (FSFO) in OCI?

- The best practice for high availability and durability is to run the primary, standby, and observer in
separate ADs
- When you configure data guard using OCI console, the default mode is set to maxprotection.
- You cannot create the standby DB system in a different AD from the primary DB system.
- You cannot use database CLI to set up data guard with FSFO.

- The best practice for high availability and durability is to run the primary, standby, and observer in
separate ADs

Explanation
The best practice for high availability and durability is to run the primary, standby, and observer in separate
availability domains. The observer determines whether or not to failover to a specific target standby
database.
https://docs.cloud.oracle.com/en-us/iaas/Content/Database/Tasks/usingDG.htm#ConfiguringObserverOptional

29. Which 2 statements about fault domains are true?

- A fault domain is a grouping of hardware and infrastructure within an availability domain
- Each availability domain contains 3 fault domains
- A failed instance in a fault domain is automatically relaunched
- A fault domain is selected automatically based on usage data

- A fault domain is a grouping of hardware and infrastructure within an availability domain
- Each availability domain contains 3 fault domains

Explanation
A fault domain is a grouping of hardware and infrastructure within an availability domain. Each availability
domain contains three fault domains. Fault domains provide anti-affinity: they let you distribute your
instances so that the instances are not on the same physical hardware within a single availability domain.

30. You have an app running on OCI. You identified that the read and write operations are slowing
your application down enough to impair user access. The application is currently using a
VM.Standard1.2 compute without any block storage attached to it.
Which 2 options allow you to increase disk performance?

- Terminate the compute instance preserving the boot volume. Create a new compute instance using a VM
Dense IO shape using the boot volume preserved
- Terminate the compute instance preserving the boot volume. Create a new compute instance using a VM
Standard shape and attach a new block volume to host your application.
- Create a backup of the boot volume. Create a new compute instance using a VM Dense IO shape and
restore the backup
- Terminate the compute instance and create a backup of the boot volume. Create a new compute instance
using a VM Dense IO shape and restore the backup

 Terminate the compute instance preserving the boot volume. Create a new compute instance using a
VM Dense IO shape using the boot volume preserved
 Terminate the compute instance preserving the boot volume. Create a new compute instance using a
VM Standard shape and attach a new block volume to host your application.

Explanation
You can permanently terminate (delete) instances that you no longer need. By default, the instance's boot
volume is deleted when you terminate the instance, however you can preserve the boot volume associated
with the instance, so that you can attach it to a different instance as a data volume, or use it to launch a new
instance.
You can use a boot volume backup to create an instance or you can attach it to another instance as a data
volume. However before you can use a boot volume backup, you need to restore it to a boot volume.

31. You are about to upload a large log file (5 TiB size) to OCI object storage and have decided to use
multipart upload capability for a more efficient and resilient upload.
Which two statements are true about multipart upload?

- Individual object parts can be as small as 10 MiB or as large as 50 GiB


- While a multipart upload is still active, you cannot add parts even if the total number of parts is less
than 10,000
- The maximum size for an uploaded object is 10 TiB
- You do not have to commit the upload after you have uploaded all the object parts

 Individual object parts can be as small as 10 MiB or as large as 50 GiB


 The maximum size for an uploaded object is 10 TiB

Explanation
- With multipart upload, you split the object you want to upload into individual parts. Individual parts can be
as large as 50 GiB or as small as 10 MiB. (Object Storage waives the minimum part size restriction for the
last uploaded part.) Decide what part number you want to use for each part. Part numbers can range from 1
to 10,000. You do not need to assign contiguous numbers, but Object Storage constructs the object by
ordering part numbers in ascending order.
- The maximum size for an uploaded object is 10 TiB
- While a multipart upload is still active, you can keep adding parts as long as the total number is less than
10,000.

32. You must implement a backup solution for your ADW that will enable you to restore data as old
as one year with a recovery point objective (RPO) of 10 days. Which database backup strategy
would you select?

- Take weekly manual backups to supplement the automated backups and preserve them for 12 months.
- Use the automated backups
- Take monthly manual backups to supplement the automated backups and preserve them for 12 months
- Take quarterly manual backups to supplement the automated backups and preserve them for 12 months

- Use the automated backups

Explanation
- OCI automatically backs up your Autonomous Databases and retains these backups for 60 days. Automatic
backups are weekly full backups and daily incremental backups. You can also create manual backups to
supplement your automatic backups. Manual backups are stored in an Object Storage bucket that you create
and are retained for 60 days.
The retention period for manual backups is the same as automatic backups which is 60 days. So we cannot
preserve the backup for 12 months.
https://docs.oracle.com/en/cloud/paas/autonomous-data-warehouse-cloud/user/backup-manual.html#GUID-D95E5D6A-C470-4A68-9545-CC99D937E7D1

33. Which 3 load-balancing policies can be used with a backend set? (Choose 3.)

- throughput
- IP hash
- weighted round robin
- CPU utilization
- least connections

- IP hash
- weighted round robin
- least connections

Explanation
You can apply policies to control traffic distribution to your backend servers. The Load Balancing service
supports three primary policy types: Round Robin, Least Connections, IP Hash.

34. Which 2 statements are true about an OCI object storage bucket? (choose 2)

- You can associate a bucket with multiple compartments
- You cannot change a bucket from private to public after it is created
- You can associate a bucket with only a single compartment
- You cannot edit or append data to an object, but you can replace the entire object

- You can associate a bucket with only a single compartment
- You cannot edit or append data to an object, but you can replace the entire object

Explanation
A bucket is associated with a single compartment. You can't edit or append data to an object, but you can
replace the entire object.

35. You are a network architect and have designed the network infrastructure of a three-tier
application on OCI. In the architecture, back-end DB servers are in a private subnet. One of your
DB administrators requests to have access to OCI object storage service.
How can you meet this requirement?

- Create a service gateway, add a new route rule to the private subnet route table that uses storage as
your service gateway target type
- Create a DRG and attach it to your VCN. Add a default route rule to the private subnets route table and
set the target as DRG
- Attach a public IP address to the instances in the private subnet, and then add a new route rule to the
private subnet route table to route default traffic to the internet gateway
- Add a new route rule to the private subnet route table to route default traffic to the internet gateway

- Create a service gateway, add a new route rule to the private subnet route table that uses storage as your
service gateway target type

Explanation
A service gateway lets resources in your VCN privately access specific Oracle services, without exposing
the data to an internet gateway or NAT. The resources in the VCN can be in a private subnet and use only
private IP addresses. The traffic from the VCN to the service of interest travels over the Oracle network
fabric and never traverses the internet.
To give your VCN access to a given service CIDR label, you must enable that service CIDR label for the
VCN's service gateway. You can do that when you create the service gateway, or later after it's created. You
can also disable a service CIDR label for the service gateway at any time.
For traffic to be routed from a subnet in your VCN to a service gateway, you must add a rule accordingly to
the subnet's route table. The rule must use the service gateway as the target.

36. What is a valid option when exporting a custom image?

- Object Storage URL


- Archive Storage URL
- File Storage Service
- Block Volume

- Object Storage URL

Explanation
You can use the Console or API to export images, and the exported images are stored in the OCI Object
Storage service. To perform an image export, you need write access to the Object Storage bucket for the
image.

37. You are an administrator with an application running on OCI. The company has a fleet of OCI
compute virtual instances behind an OCI Load Balancer. The OCI Load Balancer Backend Set
health check API is providing a 'Critical' level warning. You have confirmed that your application
is running healthy on the backend servers.
What is the possible reason for this 'Critical' warning?

- A user does not have correct IAM credentials on the Backend Servers
- The Backend Server VCN's Route Table does not include the route for OCI LB
- OCI Load Balancer Listener is not configured correctly
- The Backend Server VCN's Security List does not include the IP range for the source of the health
check requests

- The Backend Server VCN's Security List does not include the IP range for the source of the health check
requests

Explanation
A security rule is misconfigured. Health status indicators help you diagnose two cases of misconfigured
security rules:
- All entity health status indicators report OK, but traffic does not flow (as with misconfigured listeners). If
the listener is not at fault, check the security rule configuration.
- All entity health statuses report as unhealthy. You have checked your health check configuration and your
services run properly on your backend servers. In this case, your security rules might not include the IP range
for the source of the health check requests. You can find the health check source IP on the Details page for
each backend server. You can also use the API to find the IP in the sourceIpAddress field of the
HealthCheckResult object.

38. You have created a public subnet in a VCN, and your public subnet has a Route Table, a Security
List, and an Internet Gateway. However, none of the compute instances can connect to the
Internet.
Which two are possible reasons for the connectivity issue? (Choose 2)

- There is no DRG associated with the VCN.


- The Route Table has no default route for routing traffic to the Internet Gateway
- There is no stateful ingress rule in the Security List associated with the public subnet
- There is no stateful egress rule in the Security List associated with the public subnet

 The Route Table has no default route for routing traffic to the Internet Gateway
 There is no stateful egress rule in the Security List associated with the public subnet

Explanation
An internet gateway is an optional virtual router that connects the edge of the VCN with the internet. To use
the gateway, the hosts on both ends of the connection must have public IP addresses for routing.
Connections that originate in your VCN and are destined for a public IP address (either inside or outside the
VCN) go through the internet gateway. Connections that originate outside the VCN and are destined for a
public IP address inside the VCN go through the internet gateway.

Working with Internet Gateways


You create an internet gateway in the context of a specific VCN. In other words, the internet gateway is
automatically attached to a VCN. However, you can disable and re-enable the internet gateway at any time.
Compare this with a DRG, which you create as a standalone object that you then attach to a particular VCN.
DRGs use a different model because they're intended to be modular building blocks for privately connecting
VCNs to your on-premises network.
For traffic to flow between a subnet and an internet gateway, you must create a route rule accordingly in the
subnet's route table (for example, destination CIDR = 0.0.0.0/0 and target = internet gateway). If the internet
gateway is disabled, that means no traffic will flow to or from the internet even if there's a route rule that
enables that traffic. For more information, see Route Tables.
For the purposes of access control, you must specify the compartment where you want the internet gateway
to reside. If you're not sure which compartment to use, put the internet gateway in the same compartment as
the cloud network. For more information, see Access Control.
You may optionally assign a friendly name to the internet gateway. It doesn't have to be unique, and you can
change it later. Oracle automatically assigns the internet gateway a unique identifier called an Oracle Cloud
ID (OCID). For more information, see Resource Identifiers.

To delete an internet gateway, it does not have to be disabled, but there must not be a route table that lists it
as a target.
Since the requirement is for the compute instances to initiate connections to the Internet, the relevant security
list rule is egress, not ingress.

39. Your on-premises hosted application uses Oracle database server. Your database administrator
must have access to the database server for managing the application. Your database server is
sized for seasonal peak workloads, which results in high licensing costs. You want to move your
application to OCI to take advantage of CPU scaling options.
Which database offering on OCI would you select?

- Bare Metal DB Systems


- VM DB Systems
- ATP
- ADW

- Bare Metal DB Systems

Explanation
- In Oracle Autonomous Database, customers are not given OS logons or SYSDBA privileges to prevent
phishing attacks.
- If a bare metal DB system requires more compute node processing power, you can scale up (increase) the
number of enabled CPU cores in the system without impacting the availability of that system.
- You cannot change the number of CPU cores for a VM DB system in the same way as for a bare metal DB
system. Instead, you must change the shape to one with a different number of OCPUs.
- Changing the shape does not impact the amount of storage available to the DB system. However, the new
shape can have different memory and network bandwidth characteristics, and you might need to reapply any
customizations to these aspects after the change.

40. You want an OCI compute instance in your compartment to make API calls to other services
within OCI without storing credentials in a configuration file.
What do you need to do?

- Create a dynamic group with appropriate matching rules to include the instance, and reference this
group in your IAM policy statement
- Instances cannot access services outside their compartment
- VM instances are treated as users. Create a user, assign the user to that VM instance, and reference the
instance in your Identity and Access Management (IAM) policy statement
- By default, all VM instances are created with an instance principal. Reference this instance principal in
your IAM policy statement.

- Create a dynamic group with appropriate matching rules to include the instance, and reference this group in
your IAM policy statement.

41. You have an application deployed in OCI running only in the Phoenix region. You were asked to
create a DR plan that will protect against the loss of critical data. The DR site must be at least 500
miles from your primary site and data transfer between the two sites must not traverse the public
Internet.
Which is the recommended disaster recovery plan?

- Create a new VCN in the Phoenix region and create a subnet in one availability domain (AD) that is
not currently being used by your production systems. Establish VCN peering between the production
and DR sites.
- Create a DR environment in Ashburn. Associate a DRG with the VCN in each region and create a
remote peering connection between the two VCNs
- Create a DR environment in Ashburn and provision a FastConnect virtual circuit using DRG between
the regions.
- Create a DR environment in Ashburn. Associate a DRG with the VCN in each region and configure an
IPsec VPN connection between the two regions.

- Create a DR environment in Ashburn. Associate a DRG with the VCN in each region and create a remote
peering connection between the two VCNs

Explanation
Remote VCN peering is the process of connecting two VCNs in different regions (but the same tenancy).
The peering allows the VCNs' resources to communicate using private IP addresses without routing the
traffic over the internet or through your on-premises network. Without peering, a given VCN would need an
internet gateway and public IP addresses for the instances that need to communicate with another VCN in a
different region.
Summary of Networking Components for Remote Peering
At a high level, the Networking service components required for a remote peering include:
- 2 VCNs with non-overlapping CIDRs, in different regions that support remote peering.
- The VCNs must be in the same tenancy.
- A DRG attached to each VCN in the peering relationship. Your VCN already has a DRG if you're using an
IPSec VPN or an OCI FastConnect private virtual circuit.
- A remote peering connection (RPC) on each DRG in the peering relationship.
- A connection between those two RPCs.
- Supporting route rules to enable traffic to flow over the connection, and only to and from select subnets in
the respective VCNs (if desired).
- Supporting security rules to control the types of traffic allowed to and from the instances in the subnets that
need to communicate with the other VCN.

42. You are managing a tier-1 OLTP application on an ATP database. Your business needs to run
hourly batch processes on this ATP database that may consume more CPUs than what is available
on the server.
How can you limit these batch processes to not interfere with the OLTP transactions?

- Copy OLTP data into new tables in a new table space and run batch processes against these new tables
- ATP is designed for OLTP workload only; you should not run batch processes on ATP
- Disable automated backup during the batch process operations
- Configure ATP resource management rules to manage runtime and IO consumption for the consumer
group of batch processes

- Configure ATP resource management rules to manage runtime and IO consumption for the consumer
group of batch processes

Explanation
ATP comes with predefined CPU/IO shares assigned to different consumer groups. You can modify these
predefined CPU/IO shares if your workload requires different CPU/IO resource allocations. By default, the
CPU/IO shares assigned to the consumer groups TPURGENT, TP, HIGH, MEDIUM, and LOW are 12, 8, 4,
2, and 1, respectively. The shares determine how much CPU/IO resources a consumer group can use with
respect to the other consumer groups. With the default settings the consumer group TPURGENT will be
able to use 12 times more CPU/IO resources compared to LOW, when needed. The consumer group TP will
be able to use 4 times more CPU/IO resources compared to MEDIUM, when needed.

43. You have successfully configured identity federation between OCI and IDCS. A new project
manager wants access to OCI for her team and provides the name of an existing group within
IDCS to use when granting access.
How do you configure federation to allow the project team access to OCI resources?

- Create a new IAM group in OCI and map it to the existing IDCS group. Create a new policy in IDCS
and reference the name of the IAM group.
- Create a new Identity and Access Management (IAM) policy in OCI and reference the name of the
IDCS group in each policy statement.
- Create a new compartment in OCI with the same name as the existing IDCS group. Create an IAM
policy that references the new compartment and the name of the IDCS group.
- Create a new IAM group in OCI and map it to the existing IDCS group. Create a new IAM policy and
reference the name of the IAM group in each policy statement.

- Create a new IAM group in OCI and map it to the existing IDCS group. Create a new IAM policy and
reference the name of the IAM group in each policy statement.

Explanation
When working with your IdP, your administrator defines groups and assigns each user to one or more
groups according to the type of access the user needs. OCI also uses the concept of groups (in conjunction
with IAM policies) to define the type of access a user has. As part of setting up the relationship with the IdP,
your administrator can map each IdP group to a similarly defined IAM group, so that your company can
re-use the IdP group definitions when authorizing user access to OCI resources.

Here's a screenshot from the mapping process: (shows IdP Group with an arrow to OCI Group, and then a
Submit button).

44. You need to create a high performance shared file system, and have been advised to use file
storage service (FSS). You have logged into the OCI console, created a file system, and followed
the steps to mount the shared file system on your Linux instance. However, you are still unable to
access the shared file system from your Linux instance.
What is the likely reason for this?

- There are no security list rules for mount target traffic


- There is no internet gateway set up for mount target traffic
- There is no IAM policy set up to allow you to access the mount target
- There is no route in your VCN route table for mount target traffic

- There are no security list rules for mount target traffic

Explanation
To have access to a file system you need at least one VCN in a compartment and correctly configured security
rules for the file system mount target. Security rules can be created in the security list for the mount target
subnet, or in a Network Security Group (NSG) that you add the mount target to. See Security Rules for
information about how security rules work in OCI. Use the instructions in Configuring VCN Security Rules
for File Storage to set up security rules correctly for your file systems.

45. You have one database style application that frequently makes many random reads and writes
across the dataset. Which storage offering supports this application?

- Block Volume Service


- File Storage Service
- Object Storage Service
- Archive Storage Service

- Block Volume Service

Explanation
The OCI Block Volume service lets you dynamically provision and manage block storage volumes. You
can create, attach, connect, and move volumes, as well as change volume performance, as needed, to meet
your storage, performance, and application requirements. After you attach and connect a volume to an
instance, you can use the volume like a regular hard drive. You can also disconnect a volume and attach it to
another instance without the loss of data.

46. Which statement is true about OCI object storage support for server-side encryption?

- You must manually enable server-side encryption for each object as you upload to OCI object storage
- Objects are automatically encrypted as they are uploaded to object storage and decrypted upon retrieval
- You must manually decrypt the data when retrieving from OCI object storage
- Only the object data is encrypted and the user-defined metadata that is associated with the object is not
encrypted.

- Objects are automatically encrypted as they are uploaded to object storage and decrypted upon retrieval

Explanation
- Oracle Object Storage supports server-side encryption. All data stored in Oracle Object Storage is
automatically encrypted. Encryption is automatically enabled for all data with no action required on the part
of customers.
- Oracle encrypts both the object data and the user-defined metadata associated with the object.
Ref : https://www.oracle.com/cloud/storage/object-storage-faq.html

47. Which statement is true about Data Guard Implementation in DB systems?

- Both DB systems must be in the same compartment, and they must be the same shape
- You cannot manage Oracle database Initialization parameters at a global level
- You can define the backup window and set custom backup retention period for the automatic database
backup schedule
- You cannot manage the database as sys/sysdba

- Both DB systems must be in the same compartment, and they must be the same shape

Explanation
An Oracle Data Guard implementation requires two DB systems, one containing the primary database and
one containing the standby database. When you enable Oracle Data Guard for a VM DB system database, a
new DB system with the standby database is created and associated with the primary database. For a bare
metal DB system, the DB system with the database that you want to use as the standby must already exist
before you enable Oracle Data Guard.
Requirement details are as follows:
- Both DB systems must be in the same compartment.
- The DB systems must be the same shape type (for example, if the shape of the primary database is a vm,
then the shape of the standby database can be any other vm shape).
- If your primary and standby databases are in different regions, then you must peer the VCN for each
database. See Remote VCN Peering (Across Regions).
- Configure the security list ingress and egress rules for the subnets of both DB systems in the Oracle Data
Guard association to enable TCP traffic to move between the applicable ports. Ensure that the rules you
create are stateful (the default).

48. You have an OCI load balancer distributing traffic via an evenly-weighted round robin policy to
your backend web servers. You notice that one of your web servers is receiving more traffic than
other web servers.
How can you resolve this imbalance?

- Check security lists and route tables of your VCN and fix any issues associated with the rules
- Create separate listeners for each backend web server
- Delete and re-create your OCI load balancer
- Disable session persistence on your backend set

- Disable session persistence on your backend set

Explanation
Session persistence is a method to direct all requests originating from a single logical client to a single
backend web server. Backend servers that use caching to improve performance, or to enable log-in sessions
or shopping carts, can benefit from session persistence.

49. Your organization has deployed a large, complex application across multiple compute instances in
OCI. These compute instances also have block volume storage attached to them. You want to
create a time consistent backup of this block volume storage. Which implementation strategy
should be used?

- Create a manual backup of each volume


- Use scripts available in OCI to backup block volume storage
- Group volumes in a volume group first and then use available scripts in OCI
- Group volumes in a volume group and create a manual backup of the volume group

- Group volumes in a volume group and create a manual backup of the volume group

Explanation
Block Volume service provides you with the capability to group together multiple volumes in a volume
group. A volume group can include both types of volumes, boot volumes, which are the system disks for
your Compute instances, and block volumes for your data storage. You can use volume groups to create
volume group backups and clones that are point-in-time and crash-consistent. This simplifies the process to
create time-consistent backups of running enterprise applications that span multiple storage volumes across
multiple instances. You can then restore an entire group of volumes from a volume group backup.

To create a backup of the volume group:


- Open the navigation menu. Under Core Infrastructure, go to Block Storage and click Volume Groups.
- In the Volume Groups list, click Create Volume Group Backup in the Actions menu for the volume group
you want to create a backup for.

50. Which 2 statements are true about an OCI VCN? (Choose 2)

- A VCN creates the DRG by default


- A VCN can reside in multiple OCI regions and availability domains
- A VCN covers a single, contiguous IPv4 CIDR block of your choice
- The allowable VCN size range is /16 to /30

- A VCN covers a single, contiguous IPv4 CIDR block of your choice


- The allowable VCN size range is /16 to /30

Explanation
A VCN resides in a single OCI region and covers a single, contiguous IPv4 CIDR block of your choice. The
allowable VCN size range is /16 to /30.

Which 2 options are necessary for achieving high availability on OCI?

- Store your database across multiple regions so that half of the data resides in one region and the other half
resides in another region
- Attach your block volume from AD1 to a compute instance in AD 2 (and vice versa) so that they are
highly available.
- Configure your database to have Data Guard in another AD in Sync mode within a region
- Store your database files on Object Storage so that they are available in all ADs in all regions
- Distribute your application servers across all ADs within a region

- Configure your database to have Data Guard in another AD in Sync mode within a region
- Distribute your application servers across all ADs within a region

Explanation
All details can be found in "Best Practices for Deploying High Availability Architecture on OCI":
https://docs.cloud.oracle.com/en-us/iaas/Content/Resources/Assets/whitepapers/best-practices-deploying-ha-architecture-oci.pdf

You are designing a two-tier web application in OCI. Your clients want to access the web servers from
anywhere, but want to prevent access to the database servers from the Internet.
Which is the recommended way to design the network architecture?

- Create public subnets for web servers and private subnets for database servers in your VCN, and associate
separate internet gateways for each subnet
- Create a public subnet for web servers and associate a DRG with that subnet, and a private subnet for
database servers with no association to DRG
- Create public subnets for web servers and private subnets for database servers in your VCN, and associate
separate security lists and route tables for each subnet
- Create a single public subnet for your web servers and database servers, and associate only your web
servers to internet gateway

- Create public subnets for web servers and private subnets for database servers in your VCN, and associate
separate security lists and route tables for each subnet

Explanation
When you create a subnet, by default it's considered public, which means instances in that subnet are
allowed to have public IP addresses. Whoever launches the instance chooses whether it will have a public IP
address. You can override that behavior when creating the subnet and request that it be private, which means
instances launched in the subnet are prohibited from having public IP addresses. Network administrators can
therefore ensure that instances in the subnet have no internet access, even if the VCN has a working internet
gateway, and security rules and firewall rules allow the traffic.
There are 2 optional gateways (virtual routers) that you can add to your VCN depending on the type of
internet access you need:
- Internet gateway: For resources with public IP addresses that need to be reached from the internet
(example: a web server) or need to initiate connections to the internet.
- NAT gateway: For resources without public IP addresses that need to initiate connections to the internet
(example: for software updates) but need to be protected from inbound connections from the internet.

Just having an internet gateway alone does not expose the instances in the VCN's subnets directly to the
internet. The following requirements must also be met:
- The internet gateway must be enabled (by default, the internet gateway is enabled upon creation).
- The subnet must be public.
- The subnet must have a route rule that directs traffic to the internet gateway.
- The subnet must have security list rules that allow the traffic (and each instance's firewall must allow the
traffic).
- The instance must have a public IP address.

Which 2 statements are true about DB Systems in OCI? (Choose 2)

- Customers can consolidate multiple database homes on a single VM database host


- Customers have no control over database patching
- Customers can manage the TDE Wallet after DB Systems are provisioned
- The database and backups are encrypted by default

- Customers can manage the TDE Wallet after DB Systems are provisioned
- The database and backups are encrypted by default

Explanation
- All databases created in OCI are encrypted using transparent data encryption (TDE).
- OCI encrypts all managed backups in the object store. Oracle uses the Database Transparent Encryption
feature by default for encrypting the backups, and customers can manage the TDE Wallet after DB
Systems are provisioned.

A company currently uses Microsoft Active Directory as its identity provider. The company recently
purchased OCI to leverage the cloud platform for its test and development operations. As the admin,
you are now tasked with giving access only to developers so that they can start creating resources in
their OCI accounts.
Which step will you perform to achieve this requirement?

- Create a group for developers on OCI and map the group to a similar group in Microsoft Active Directory
during the federation process
- Federate all Microsoft Active Directory groups with OCI to allow users to use their existing credentials
- Create a new user account for each user, and then create policies to provide access to developers
- Create a group for developers on OCI, export all the developers from Microsoft Active Directory, and then
import them into the IAM group.

- Create a group for developers on OCI and map the group to a similar group in Microsoft Active Directory
during the federation process

Explanation
When working with your IdP, your administrator defines groups and assigns each user to one or more
groups according to the type of access the user needs. OCI also uses the concept of groups (in conjunction
with IAM policies) to define the type of access a user has. As part of setting up the relationship with the IdP,
your administrator can map each IdP group to a similarly defined IAM group, so that your company can re-
use the IdP group definitions when authorizing user access to OCI resources.

Which 2 choices are true for ADW? (Choose 2)

- Billing stops only when the ADW is terminated
- Billing stops for both CPU usage and Storage usage when ADW is stopped
- Billing for Compute stops when ADW is stopped
- Billing for Storage continues when ADW is stopped

- Billing for Compute stops when ADW is stopped
- Billing for Storage continues when ADW is stopped

Explanation
- When an ADB instance is stopped, CPU billing is halted (CPU is billed in full-hour cycles of usage).
- Billing for storage continues as long as the service instance exists.
- When the ADB instance is started again, CPU billing resumes.

As the Cloud Architect for your company, you have been tasked with designing a high performance computing (HPC) cluster in OCI. The following requirements have been defined:
* The cluster must be a minimum of three nodes, but may increase to six nodes when demand requires.
* The cluster must be resilient to any potential infrastructure failures.
* To minimize latency, all nodes must be deployed within the same AD.
* Adding or replacing nodes within the cluster should take no more than 30 minutes.

Which TWO steps should be performed to satisfy these requirements in OCI?

- Deploy the cluster in a single AD with a shared file system that leverages the file storage service (FSS). Deploy a standby cluster in another AD and configure it to use the same shared file system
- Deploy the cluster in a single AD. Place each of the nodes in one of the three different fault domains in that AD.
- Create a backup of your HPC node compute instance boot volume. Launch new compute instances directly from the backup to reduce provisioning time
- Create a custom image of your HPC node compute instance. Launch new compute instances using this image to reduce provisioning time
- Deploy the cluster in a single AD. Place each of the nodes in a different VCN subnet.

- Deploy the cluster in a single AD. Place each of the nodes in one of the three different fault domains in that AD.
- Create a custom image of your HPC node compute instance. Launch new compute instances using this image to reduce provisioning time

Explanation
A fault domain is a grouping of hardware and infrastructure within an availability domain. Each availability domain contains three fault domains. Fault domains provide anti-affinity: they let you distribute your instances so that the instances are not on the same physical hardware within a single availability domain. A hardware failure or Compute hardware maintenance event that affects one fault domain does not affect instances in other fault domains. In addition, the physical hardware in a fault domain has independent and redundant power supplies, which prevents a failure in the power supply hardware within one fault domain from affecting other fault domains.
To control the placement of your compute instances, bare metal DB system instances, or VM DB system
instances, you can optionally specify the fault domain for a new instance or instance pool at launch time. If
you don't specify the fault domain, the system selects one for you. OCI makes a best-effort anti-affinity
placement across different fault domains, while optimizing for available capacity in the availability domain.
To change the fault domain for an instance, terminate it and launch a new instance in the preferred fault
domain.

Use fault domains to do the following things: Protect against unexpected hardware failures or power supply
failures. Protect against planned outages because of Compute hardware maintenance.

You are about to deploy an e-business app on OCI and one of the requirements is to use a shared file system that supports the NFS protocol.
Which storage service would meet this requirement?

- Object Storage
- Block Volume
- Data Transfer Appliance
- File Storage

- File Storage

Explanation
Use the File Storage service when your application or workload includes big data and analytics, media processing, or content management, and you require Portable Operating System Interface (POSIX)-compliant file system access semantics and concurrently accessible storage. The File Storage service is designed to meet the needs of applications and users that need an enterprise file system across a wide range of use cases, including the following:
- General Purpose File Storage: Access to an unlimited pool of file systems to manage growth of structured and unstructured data.
- Big Data and Analytics: Run analytic workloads and use shared file systems to store persistent data.
- Lift and Shift of Enterprise Applications: Migrate existing Oracle applications that need NFS storage, such as Oracle E-Business Suite and PeopleSoft.
- Databases and Transactional Applications: Run test and development workloads with Oracle, MySQL, or other databases.
- Backups, Business Continuity, and Disaster Recovery: Host a secondary copy of relevant file systems from on premises to the cloud for backup and disaster recovery purposes.
- MicroServices and Docker: Deliver stateful persistence for containers. Easily scale as your container-based environments grow.

When terminating a compute instance, which statement is true?

- The instance needs to be stopped first, and then terminated
- The boot volume is always deleted
- All block volumes attached to the instance are terminated
- Users can preserve the boot volume associated with the instance

- Users can preserve the boot volume associated with the instance

Explanation
You can permanently terminate (delete) instances that you no longer need. Any attached VNICs and
volumes are automatically detached when the instance terminates. Eventually, the instance's public and
private IP addresses are released and become available for other instances. By default, the instance's boot
volume is deleted when you terminate the instance, however you can preserve the boot volume associated
with the instance, so that you can attach it to a different instance as a data volume, or use it to launch a new
instance.

Your app front end consists of several OCI compute instances behind a load balancer. You have configured the load balancer to perform health checks on these instances.
If an instance fails to pass the configured health checks, what will happen?

- The instance is replaced automatically by the load balancer
- The instance is terminated automatically by the load balancer
- The instance is taken out of the back end set by the load balancer
- The load balancer stops sending traffic to that instance

- The load balancer stops sending traffic to that instance

Explanation
A backend server that fails its health checks is reported as unhealthy (either the server itself is unhealthy or the health check is misconfigured). The load balancer stops routing new traffic to it, but it does not terminate, replace, or remove the server from the backend set; once the server passes the health check again, it receives traffic again.

You are designing a networking infrastructure in multiple OCI regions and require connectivity between workloads in each region. You have created a DRG and a remote peering connection. However, your workloads are unable to communicate with each other.
What are 2 reasons for this? (Choose 2)

- The security lists associated with subnets in each VCN do not have the appropriate ingress rules
- IAM policies have not been defined to allow connectivity across the two VCNs in different regions
- A local peering gateway needs to be created in each VCN with a default route rule added in the route table forwarding the traffic to the local peering gateway
- An Internet gateway needs to be created in each VCN with a default route rule added in the route table forwarding the traffic to the Internet Gateway
- The route table associated with subnets in each VCN do not have a route rule defined to forward the traffic to their respective DRGs

- The security lists associated with subnets in each VCN do not have the appropriate ingress rules
- The route table associated with subnets in each VCN do not have a route rule defined to forward the traffic to their respective DRGs

Explanation
Setting Up a Remote Peering
- Create the RPCs: Each VCN administrator creates an RPC for their own VCN's DRG.
- Share information: The administrators share the basic required information.
- Set up the required IAM policies for the connection: The administrators set up IAM policies to enable the
connection to be established.
- Establish the connection: The requestor connects the two RPCs (see Important Remote Peering Concepts
for the definition of the requestor and acceptor).
- Update route tables: Each administrator updates their VCN's route tables to enable traffic between the
peered VCNs as desired.
- Update security rules: Each administrator updates their VCN's security rules to enable traffic between the
peered VCNs as desired.
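
The two accepted causes are both data-plane settings on each VCN's subnet: a route rule for the peer CIDR that targets the DRG, and security rules that admit the peer's traffic. The following added example (not part of the original card set) checks a subnet for exactly those conditions. The subnet dicts and CIDRs are constructed for the example, and the target names DRG/IGW are shorthand for the console's route target types; a missing IAM policy would stop the RPC connection from being established in the first place, which is a different failure than the one diagnosed here.

```python
import ipaddress


def _covers(rule_cidr, peer_cidr):
    """True when the rule's CIDR contains the whole peer CIDR."""
    return ipaddress.ip_network(peer_cidr).subnet_of(ipaddress.ip_network(rule_cidr))


def diagnose_peering(subnet, peer_cidr):
    """Return the data-plane problems that would stop traffic between this
    subnet and peer_cidr over a remote peering connection. An empty list means
    the route table and security list are consistent with the peering.

    subnet is a plain dict modelled on the console fields (constructed here,
    not an OCI API response):
      route_rules:   [{"destination": CIDR, "target": "DRG" | "IGW" | "SGW" | ...}]
      ingress_rules: [{"source": CIDR, "protocol": "all" | "6" | "17" | ...}]
      egress_rules:  [{"destination": CIDR, "protocol": ...}]
    """
    problems = []
    if not any(r["target"] == "DRG" and _covers(r["destination"], peer_cidr)
               for r in subnet["route_rules"]):
        problems.append(f"no route rule sending {peer_cidr} to the DRG")
    if not any(_covers(r["source"], peer_cidr) for r in subnet["ingress_rules"]):
        problems.append(f"no ingress security rule allowing traffic from {peer_cidr}")
    if not any(_covers(r["destination"], peer_cidr) for r in subnet["egress_rules"]):
        problems.append(f"no egress security rule allowing traffic to {peer_cidr}")
    return problems


# Constructed sample: VCN1 (10.0.0.0/16) is fully configured to reach VCN2
# (192.168.0.0/16); VCN2's subnet still uses a route table that only knows its
# internet gateway and a security list that only admits SSH from one range.
VCN1_SUBNET = {
    "route_rules": [{"destination": "192.168.0.0/16", "target": "DRG"},
                    {"destination": "0.0.0.0/0", "target": "IGW"}],
    "ingress_rules": [{"source": "192.168.0.0/16", "protocol": "all"}],
    "egress_rules": [{"destination": "0.0.0.0/0", "protocol": "all"}],
}
VCN2_SUBNET = {
    "route_rules": [{"destination": "0.0.0.0/0", "target": "IGW"}],
    "ingress_rules": [{"source": "203.0.113.0/24", "protocol": "6"}],
    "egress_rules": [{"destination": "0.0.0.0/0", "protocol": "all"}],
}

if __name__ == "__main__":
    for name, subnet, peer in (("VCN1", VCN1_SUBNET, "192.168.0.0/16"),
                               ("VCN2", VCN2_SUBNET, "10.0.0.0/16")):
        print(name, diagnose_peering(subnet, peer) or "OK")
```

Note that the 0.0.0.0/0 rule to the internet gateway in VCN2 covers the peer CIDR but is not counted: traffic for a private peer has to be sent to the DRG, so the check requires both the matching destination and the DRG target.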

Which two options are true for ATP database? (Choose 2)

- You can add/remove Diskgroup in ATP
- You can scale storage up or down in ATP
- You can scale CPU up or down in ATP
- You can add more Pluggable Databases for consolidating multiple databases in ATP
- You can add new ORACLE_HOME for bringing older versions of on-premises databases to ATP

- You can scale storage up or down in ATP
- You can scale CPU up or down in ATP

Explanation
- You can scale your Autonomous Database up or down in both compute and storage only when needed, which lets you pay per use.
- Oracle lets you scale compute and storage independently; there is no need to do both together. These scaling activities are fully online (no downtime required).
- On the Autonomous Database Details page, click Scale Up/Down and select a value for CPU Core Count or Storage (TB).
- Or select auto scaling to allow the system to automatically use up to three times more CPU and IO resources to meet workload demand, compared to the database operating with auto scaling disabled.

How can you provide users access to an existing compartment?

- by granting users access to a compartment when the compartment is created
- by adding users to a group and defining a policy to provide the group access to the compartment
- by adding users to a compartment; all users in the compartment will have access to the objects in the compartment.
- by granting access directly to the user when the user is created.

- by adding users to a group and defining a policy to provide the group access to the compartment

Explanation
- A policy is a document that specifies who can access which OCI resources that your company has, and how. A policy simply allows a GROUP to work in certain ways with specific types of RESOURCES in a particular COMPARTMENT.

In general, here's the process an IAM administrator in your organization needs to follow:
- Define users, groups, and one or more compartments to hold the cloud resources for your org.
- Create one or more policies, each written in the policy language.
- Place users into the appropriate groups depending on the compartments and resources they need to work with.
- Provide the users with the one-time password that they need in order to access the Console and work with the compartments.

Which 2 are valid image sources when launching a new compute instance?

- Bare Metal Instance
- Object Storage
- Custom Image
- Boot Volume

- Custom Image
- Boot Volume

Explanation
An image is a template of a virtual hard drive that determines the operating system and other software for an instance. For details about OCI platform images, see Oracle-Provided Images.

You can also launch instances from:
- Trusted third-party images published by Oracle partners from the Partner Image catalog. For more information about partner images, see Overview of Marketplace and Working with Listings.
- Pre-built Oracle enterprise images and solutions enabled for OCI.
- Custom images, including bring your own image scenarios.
- Boot volumes.

OCI Block Volume service lets you expand the size of block and boot volumes. Which 3 options below can you use to increase the size of your block volumes?

- Clone an existing volume to a new, larger volume
- You can only expand block volumes and not boot volumes
- Expand an existing volume in place with offline resizing
- Take a backup of your existing volume and restore from the volume backup to a larger volume
- Expand an existing volume in place with online resizing

- Clone an existing volume to a new, larger volume
- Expand an existing volume in place with offline resizing
- Take a backup of your existing volume and restore from the volume backup to a larger volume

Explanation
The OCI Block Volume service lets you expand the size of block volumes and boot volumes.
You have 3 options to increase the size of your volumes:
1. Expand an existing volume in place with offline resizing. See Resizing a Volume Using the Console for
the steps to do this.
2. Restore from a volume backup to a larger volume. See Restoring a Backup to a New Volume and
Restoring a Boot Volume.
3. Clone an existing volume to a new, larger volume. See Cloning a Volume and Cloning a Boot Volume.

Which 2 statements are true regarding cloning a block volume?

- You can change the block volume performance when creating a clone
- You can clone block volumes across regions
- You can change the block volume size when creating a clone
- You can skip block volume encryption when creating a clone

- You can change the block volume performance when creating a clone
- You can change the block volume size when creating a clone

Explanation
- You can create a clone from a volume using the Block Volume service. Cloning enables you to make a copy of an existing block volume without needing to go through the backup and restore process.
- A cloned volume is a point-in-time direct disk-to-disk deep copy of the source volume, so all the data that is in the source volume when the clone is created is copied to the clone volume.
- You can only create a clone for a volume within the same region, availability domain and tenancy. You can create a clone for a volume between compartments as long as you have the required access permissions for the operation. When creating a clone you can do the following:

- If you want to clone the block volume to a larger size volume, check Custom Block Volume Size (GB) and then specify the new size. You can only increase the size of the volume, you cannot decrease the size. If you clone the block volume to a larger size volume, you need to extend the volume's partition. See Extending the Partition for a Block Volume for more information.
- If you want to change the elastic performance setting when cloning the volume, check Custom Block Volume Performance and select the elastic performance setting you want the volume clone to use. See Block Volume Elastic Performance for more information. You can also change the elastic performance setting after you have cloned the volume. If you leave Custom Block Volume Performance unchecked, the cloned volume will use the same elastic performance setting as the source volume.

You have deployed a compute instance (VM.Standard2.24) to run an Oracle database. With this set up, you run into some performance issues and want to leverage an OCI Dense IO shape (VM.DenseIO2.24), with which you get 25.6 TB local NVMe SSD. You do not want to lose the configuration changes you made to the instance. Which of the following TWO steps ARE NOT required to make this transition?

- Terminate the VM.Standard2.24 instance and do not preserve the boot volume
- Create a new instance using the VM.DenseIO2.24 shape using the preserved boot volume and move the Oracle Database data to NVMe disks
- Terminate the VM.Standard2.24 instance and preserve the boot volume
- Create a new instance using a VM.DenseIO2.24 shape using the preserved boot volume and move the Oracle Database data to block volumes

- Terminate the VM.Standard2.24 instance and do not preserve the boot volume
- Create a new instance using a VM.DenseIO2.24 shape using the preserved boot volume and move the Oracle Database data to block volumes

Explanation
You can permanently terminate (delete) instances that you no longer need. Any attached VNICs and volumes are automatically detached when the instance terminates. Eventually, the instance's public and private IP addresses are released and become available for other instances. By default, the instance's boot volume is deleted when you terminate the instance; however, you can preserve the boot volume associated with the instance, so that you can attach it to a different instance as a data volume, or use it to launch a new instance.

Dense I/O shapes are designed for large databases, big data workloads, and applications that require high-performance local storage. DenseIO shapes include locally-attached NVMe-based SSDs.
So once you create the VM.DenseIO2.24 instance from the preserved boot volume, you move the database data files to the locally-attached NVMe SSDs (not to block volumes), which is why the two listed steps are not required.

You are running several Linux based operating systems in your on-premises environment that you want to import to OCI as custom images. You can launch your imported images as OCI compute VMs. Which two modes below can be used to launch these imported Linux VMs?

- Native
- Mixed
- Paravirtualized
- Emulated

- Paravirtualized
- Emulated

Explanation
You can use the Console or API to import exported images from Object Storage. To import an image, you need read access to the Object Storage object containing the image. During the import you select the launch mode:
- For custom images where the image format is .oci, OCI selects the applicable launch mode based on the launch mode for the source image. For custom images exported from OCI where the image type is QCOW2, select Native Mode.
- To import other custom images, select Paravirtualized Mode or Emulated Mode. For more information, see Bring Your Own Image (BYOI).

** See the Linux Distributions that Support Custom Image Import chart here: https://docs.cloud.oracle.com/en-us/iaas/Content/Compute/Tasks/importingcustomimagelinux.htm

You have an application deployed in OCI running in the US East region. You have been asked to create a disaster recovery plan that will protect against the loss of critical data. The DR site must be at least a few hundred miles from your primary site and data transfer between the two sites must not traverse the public Internet. Which is the lowest latency and lowest cost recommended disaster recovery plan?

- Create a DR environment in the US West region and provision a FastConnect virtual circuit using DRG between the regions
- Create a DR environment in the US West region. Associate a DRG with the VCN in each region and configure an IPsec VPN connection between the two regions
- Create a DR environment in the US West region. Associate a DRG with the VCN in each region and create a remote peering connection between the 2 VCNs
- Create a DR environment in the US West region. Associate a Local Peering Gateway with the VCN in each region and create a local peering connection between the 2 VCNs

- Create a DR environment in the US West region. Associate a DRG with the VCN in each region and create a remote peering connection between the 2 VCNs

Explanation
Remote VCN peering is the process of connecting two VCNs in different regions (but the same tenancy). The peering allows the VCNs' resources to communicate using private IP addresses without routing the traffic over the internet or through your on-premises network. Without peering, a given VCN would need an internet gateway and public IP addresses for the instances that need to communicate with another VCN in a different region.

At a high level, the Networking service components required for a remote peering include:
- 2 VCNs with non-overlapping CIDRs, in different regions that support remote peering. The VCNs must be in the same tenancy.
- A DRG attached to each VCN in the peering relationship. Your VCN already has a DRG if you're using an IPSec VPN or an OCI FastConnect private virtual circuit.
- An RPC on each DRG in the peering relationship.
- A connection between those two RPCs.
- Supporting route rules to enable traffic to flow over the connection, and only to and from select subnets in the respective VCNs (if desired).
- Supporting security rules to control the types of traffic allowed to and from the instances in the subnets that need to communicate with the other VCN.

Which 2 statements are true about OCI IPSec VPN Connect?

- Each OCI IPSec VPN consists of multiple redundant IPSec tunnels
- OCI IPSec VPN tunnel supports only static routes to route traffic
- OCI IPSec VPN can be configured in tunnel mode only
- OCI IPSec VPN can be configured in transport mode only

- Each OCI IPSec VPN consists of multiple redundant IPSec tunnels
- OCI IPSec VPN can be configured in tunnel mode only

Explanation
VPN Connect provides a site-to-site IPSec VPN between your on-premises network and your VCN. The IPSec protocol suite encrypts IP traffic before the packets are transferred from the source to the destination and decrypts the traffic when it arrives.
In general, IPSec can be configured in the following modes:
- Transport mode: IPSec encrypts and authenticates only the actual payload of the packet, and the header information stays intact.
- Tunnel mode (supported by Oracle): IPSec encrypts and authenticates the entire packet. After encryption, the packet is then encapsulated to form a new IP packet that has different header information. OCI supports only tunnel mode for IPSec VPNs.

Each Oracle IPSec VPN consists of multiple redundant IPSec tunnels. For a given tunnel, you can use either Border Gateway Protocol (BGP) dynamic routing or static routing to route that tunnel's traffic.
IPSec VPN site-to-site tunnels offer the following advantages:
- Public internet lines are used to transmit data, so dedicated, expensive leased lines from one site to another aren't necessary.
- Internal IP addresses of the participating networks and nodes are hidden from external users.
- The entire communication between the source and destination sites is encrypted, significantly lowering the chances of information theft.

Which 2 OCI services use a DRG?

- OCI FastConnect Public Peering
- Local Peering
- OCI FastConnect Private Peering
- Internet Gateway
- OCI IPSec VPN Connect

- OCI FastConnect Private Peering
- OCI IPSec VPN Connect

Explanation
You can think of a DRG as a virtual router that provides a path for private traffic (that is, traffic that uses
private IPv4 addresses) between your VCN and networks outside the VCN's region.

you use a DRG when connecting your existing on-premises network to your VCN with one (or both) of
these:
- IPSec VPN
- OCI FastConnect (Private Only)

You also use a DRG when peering a VCN with a VCN in a different region:
- Remote VCN Peering (Across Regions)

You have an instance running in a development compartment that needs to make API calls against other OCI services, but you do not want to configure user credentials or store a configuration file on the instance. How can you meet this requirement?

- Create a dynamic group with matching rules to include your instance
- Instances can automatically make calls to other OCI services
- Instances are secure and cannot make calls to other OCI services
- Create a dynamic group with matching rules to include your instance and write a policy for this dynamic group

- Create a dynamic group with matching rules to include your instance and write a policy for this dynamic group

Explanation
Dynamic groups allow you to group OCI compute instances as "principal" actors (similar to user groups). When you create a dynamic group, rather than adding members explicitly to the group, you instead define a set of matching rules to define the group members. For example, a rule could specify that all instances in a particular compartment are members of the dynamic group. The members can change dynamically as instances are launched and terminated in that compartment.
A dynamic group has no permissions until you write at least one policy that gives that dynamic group permission to either the tenancy or a compartment. When writing the policy, you can specify the dynamic group by using either the unique name or the dynamic group's OCID. Even if you specify the dynamic group name in the policy, IAM internally uses the OCID to determine the dynamic group.

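
How a matching rule turns into membership, as an added example that is not part of the original card set: a small evaluator for the ALL {...} / ANY {...} rule syntax with = and != clauses, run over a constructed fleet whose OCIDs are placeholders. Real membership is computed by IAM; this only shows the logic so a rule can be sanity-checked before it is used in a policy.

```python
import re

# One comparison inside a rule: <attribute> = '<value>' or <attribute> != '<value>'.
_CLAUSE = re.compile(r"\s*([A-Za-z0-9_.\-]+)\s*(!=|=)\s*'([^']*)'\s*")
_WRAPPED = re.compile(r"\s*(ALL|ANY)\s*\{(.*)\}\s*", re.IGNORECASE | re.DOTALL)


def parse_rule(rule):
    """Return (mode, [(attribute, operator, value), ...]).

    Supports the shapes  ALL {...},  ANY {...}  and a bare clause, which is
    treated as ALL with one member. Clauses are split on commas, which is safe
    for OCIDs and tag values that contain no comma (an assumption of this
    example)."""
    m = _WRAPPED.fullmatch(rule)
    mode, body = (m.group(1).upper(), m.group(2)) if m else ("ALL", rule)
    clauses = []
    for part in body.split(","):
        cm = _CLAUSE.fullmatch(part)
        if cm is None:
            raise ValueError(f"unparseable clause: {part!r}")
        clauses.append(cm.groups())
    return mode, clauses


def is_member(rule, instance):
    """Evaluate a matching rule against one instance's attributes.

    instance maps attribute names exactly as they appear in rules
    (instance.id, instance.compartment.id, tag.<ns>.<key>.value) to strings.
    An instance that lacks the attribute never matches the clause, whatever
    the operator; that is this example's choice, not a documented OCI rule."""
    mode, clauses = parse_rule(rule)
    hits = []
    for attr, op, value in clauses:
        actual = instance.get(attr)
        if actual is None:
            hits.append(False)
        else:
            hits.append(actual == value if op == "=" else actual != value)
    return all(hits) if mode == "ALL" else any(hits)


def members(rule, instances):
    """Resolve the group's current membership: the ids of the instances that
    match the rule right now."""
    return [i["instance.id"] for i in instances if is_member(rule, i)]


# Constructed sample data; the OCIDs are placeholders, not real resources.
DEV_RULE = "ALL {instance.compartment.id = 'ocid1.compartment.oc1..dev'}"
FLEET = [
    {"instance.id": "ocid1.instance.oc1..dev-a",
     "instance.compartment.id": "ocid1.compartment.oc1..dev"},
    {"instance.id": "ocid1.instance.oc1..dev-b",
     "instance.compartment.id": "ocid1.compartment.oc1..dev",
     "tag.ops.stage.value": "canary"},
    {"instance.id": "ocid1.instance.oc1..prod-a",
     "instance.compartment.id": "ocid1.compartment.oc1..prod"},
]

if __name__ == "__main__":
    print(members(DEV_RULE, FLEET))
    # Launching another instance into the dev compartment makes it a member at
    # once; no group edit is needed, which is the point of a dynamic group.
    FLEET.append({"instance.id": "ocid1.instance.oc1..dev-c",
                  "instance.compartment.id": "ocid1.compartment.oc1..dev"})
    print(members(DEV_RULE, FLEET))
```

The compartment-scoped rule is the one to prefer over listing instance OCIDs: a replacement instance launched after a failure inherits the group's permissions without anyone editing the group, and the policy written for the group remains the single place where the blast radius is bounded.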
You have the following compartment structure in your tenancy: Root compartment -> Training -> Training-sub1 -> Training-sub2. You create a policy in the root compartment to allow the default admin for the account (Administrators) to manage block volumes in compartment Training-sub2. What policy would you write to meet this requirement?

- Allow group Administrators to manage volume-family in root compartment
- Allow group Administrators to manage volume-family in compartment Training-sub1:Training-sub2
- Allow group Administrators to manage volume-family in compartment Training:Training-sub1:Training-sub2
- Allow group Administrators to manage volume-family in compartment Training-sub2

- Allow group Administrators to manage volume-family in compartment Training:Training-sub1:Training-sub2

Explanation
a policy statement must specify the compartment for which access is being granted (or the tenancy). Where
you create the policy determines who can update the policy. If you attach the policy to the compartment or
its parent, you can simply specify the compartment name. If you attach the policy further up the hierarchy,
you must specify the path. The format of the path is each compartment name (or OCID) in the path,
separated by a colon: "<compartment_level_1>:<compartment_level_2>: . . . <compartment_level_n>"
For example, assume you have a 3-level compartment hierarchy: Root > CompartmentA > CompartmentB > CompartmentC, each a sub-compartment of the one directly above it.

You want to create a policy to allow NetworkAdmins to manage VCNs in CompartmentC. If you want to
attach this policy to CompartmentC or to its parent, CompartmentB, write this policy statement: "Allow
group NetworkAdmins to manage virtual-network-family in compartment CompartmentC"

However, if you want to attach this policy to CompartmentA (so that only administrators of CompartmentA
can modify it), write this policy statement that specifies the path: "Allow group NetworkAdmins to manage
virtual-network-family in compartment CompartmentB:CompartmentC"

To attach this policy to the tenancy, write this policy statement that specifies the path from CompartmentA
to CompartmentC: "Allow group NetworkAdmins to manage virtual-network-family in compartment
CompartmentA:CompartmentB:CompartmentC"
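
The path rule above can be mechanised. The following added example (not part of the original card set) builds the statement for any attach point in the question's Training hierarchy, which is encoded as a constructed child-to-parent map; it also refuses an attach point that is not the target or one of its ancestors, since such a policy would never be evaluated for that compartment.

```python
# Constructed compartment hierarchy from the question: child -> parent, with
# None standing for the tenancy (root compartment).
HIERARCHY = {
    "Training": None,
    "Training-sub1": "Training",
    "Training-sub2": "Training-sub1",
}


def lineage(hierarchy, compartment):
    """Return the compartments from the top-level one down to `compartment`."""
    path = []
    while compartment is not None:
        if compartment not in hierarchy:
            raise KeyError(f"unknown compartment {compartment!r}")
        path.append(compartment)
        compartment = hierarchy[compartment]
    path.reverse()
    return path


def policy_statement(hierarchy, group, verb, resource, target, attach_to=None):
    """Build the statement granting `group` `verb` on `resource` in `target`
    when the policy is attached at `attach_to` (None = the tenancy).

    The compartment reference is the path from the compartment just below the
    attach point down to the target, joined with colons. A policy attached to
    the target itself, or to its direct parent, needs only the target's name."""
    full = lineage(hierarchy, target)
    if attach_to is None:
        relative = full
    elif attach_to in full:
        relative = full[full.index(attach_to) + 1:] or [target]
    else:
        raise ValueError(f"{attach_to!r} is not {target!r} or one of its ancestors")
    return f"Allow group {group} to {verb} {resource} in compartment {':'.join(relative)}"


if __name__ == "__main__":
    for attach in (None, "Training", "Training-sub1", "Training-sub2"):
        where = attach or "tenancy"
        print(f"attached to {where:13}: "
              + policy_statement(HIERARCHY, "Administrators", "manage",
                                 "volume-family", "Training-sub2", attach))
```

Where the policy is attached also decides who may later edit it, so the tenancy-level form in the question is the one that keeps the grant under root administrators' control rather than under the Training compartment's own admins.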

You have created a new compartment called Production to host some production apps. You have also created users in your tenancy and added them to a Group called "production_group". Your users are still unable to access the Production compartment. How can you resolve this situation?

- Every compartment you create comes with a predefined set of policies, so no further action is needed
- Your users get automatic access to all compartments, so no further action is needed
- Write an IAM Policy for each specific user granting them access to the production compartment
- Write an IAM Policy for "production_group" granting it access to the production compartment

- Write an IAM Policy for "production_group" granting it access to the production compartment

Explanation
When creating a compartment, you must provide a name for it (maximum 100 characters, including letters,
numbers, periods, hyphens, and underscores) that is unique within its parent compartment. You must also
provide a description, which is a non-unique, changeable description for the compartment, from 1 through
400 characters.
After creating a compartment, you need to write at least one policy for it, otherwise no one can access it
(except administrators or users who have permissions set at the tenancy level). When creating a
compartment inside another compartment, the compartment inherits access permissions from compartments
higher up its hierarchy.
When you create an access policy, you need to specify which compartment to attach it to. This controls who
can later modify or delete the policy. Depending on how you've designed your compartment hierarchy, you
might attach it to the tenancy, a parent, or to the specific compartment itself.

You have 2 line of business operations (LOB1, LOB2) leveraging OCI. LOB1 is deployed in VCN1 in the OCI US East region, while LOB2 is deployed in VCN2 in the US West region. You need to peer VCN1 and VCN2 for disaster recovery and data backup purposes. To ensure you can utilize the OCI VCN remote peering feature, which CIDR ranges should be used?

- VCN1 (10.0.0.0/16) and VCN2 (10.0.1.0/24)
- VCN1 (10.0.0.0/16) and VCN2 (172.16.0.0/16)
- VCN1 (172.16.1.0/24) and VCN2 (172.16.1.0/27)
- VCN1 (192.168.0.0/16) and VCN2 (192.168.1.0/27)

- VCN1 (10.0.0.0/16) and VCN2 (172.16.0.0/16)

Explanation
VCN1 (10.0.0.0/16) uses the IP range 10.0.0.0 to 10.0.255.255 and VCN2 (172.16.0.0/16) uses the IP range 172.16.0.0 to 172.16.255.255, so there is no overlap between the two VCNs. In each of the other options the second CIDR lies inside the first, and overlapping CIDRs cannot be peered.

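
Checking the overlap programmatically, as an added example that is not part of the original card set, using only the Python standard library. The OPTIONS dict is constructed from the four answer choices above; the /16 to /30 bound is OCI's allowed VCN CIDR size range, and the check generalises to any number of VCNs, not just the pair in the question.

```python
import ipaddress

# Constructed from the answer choices above (example data, not an OCI API response).
OPTIONS = {
    "A": ["10.0.0.0/16", "10.0.1.0/24"],
    "B": ["10.0.0.0/16", "172.16.0.0/16"],
    "C": ["172.16.1.0/24", "172.16.1.0/27"],
    "D": ["192.168.0.0/16", "192.168.1.0/27"],
}


def overlapping_cidrs(cidrs):
    """Return the pairs of CIDR blocks that overlap; an empty list means the
    VCNs can be peered. strict=True rejects blocks with host bits set
    (e.g. 10.0.2.0/16), which OCI would not accept as a VCN CIDR either."""
    nets = [ipaddress.ip_network(c, strict=True) for c in cidrs]
    return [(str(a), str(b))
            for i, a in enumerate(nets)
            for b in nets[i + 1:]
            if a.overlaps(b)]


def valid_vcn_size(cidr):
    """OCI allows VCN CIDRs from /16 through /30."""
    return 16 <= ipaddress.ip_network(cidr, strict=True).prefixlen <= 30


def can_peer(*cidrs):
    """True when every CIDR is a valid VCN size and no two of them overlap."""
    return all(valid_vcn_size(c) for c in cidrs) and not overlapping_cidrs(cidrs)


def peering_report(options):
    """Map each labelled option to whether its VCNs could be peered."""
    return {label: can_peer(*cidrs) for label, cidrs in options.items()}


if __name__ == "__main__":
    for label, ok in peering_report(OPTIONS).items():
        detail = "OK" if ok else f"overlap: {overlapping_cidrs(OPTIONS[label])}"
        print(label, detail)
```

The same function applies to local peering and to on-premises ranges reached over VPN Connect or FastConnect: any address space that will be routed into the VCN has to be disjoint from it, so running the check over the whole routing domain before creating the first VCN saves a re-addressing exercise later.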
You deployed a web server in OCI using an Ephemeral Public IP address. While making configuration changes, an admin inadvertently deleted your web server. You redeploy your web server, but many of your LOB apps depend on this web server's public IP address and would need an update. What can you do to prevent this from happening again?

- Create a reserved public IP and associate it with the security list for the subnet being used by your compute instance
- Create a reserved public IP and associate it with the hosts file of your web server
- Create a reserved public IP and associate it with the subnet of your compute instance
- Create a reserved public IP and associate it with the VNIC of your compute instance

- Create a reserved public IP and associate it with the VNIC of your compute instance

Explanation
A public IP address is an IPv4 address that is reachable from the internet. If a resource in your tenancy needs to be directly reachable from the internet, it must have a public IP address. Depending on the type of resource, there might be other requirements.

There are two types of public IPs:
1. Ephemeral: Think of it as temporary and existing for the lifetime of the instance.
2. Reserved: Think of it as persistent and existing beyond the lifetime of the instance it's assigned to. You can unassign it and then reassign it to another instance whenever you like. Exception: reserved public IPs on public load balancers.

To create a new reserved public IP in your pool:
- Confirm you're viewing the region and compartment where you want to create the reserved public IP.
- Open the navigation menu. Under Core Infrastructure, go to Networking > Public IPs.
- Click Create Reserved Public IP. Enter the following:
-- Name: An optional friendly name for the reserved public IP. The name doesn't have to be unique, and you can change it later. Avoid entering confidential information.
-- Compartment: Leave as is.
-- Tags: Optionally, you can apply tags. If you have permissions to create a resource, you also have permissions to apply free-form tags to that resource. To apply a defined tag, you must have permissions to use the tag namespace. For more information about tagging, see Resource Tags. If you are not sure if you should apply tags, skip this option (you can apply tags later) or ask your administrator.
- Click Create Reserved Public IP.

To assign a reserved public IP to a private IP:
- Prerequisite: The private IP must not have an ephemeral or reserved public IP already assigned to it. If it does, first delete the ephemeral public IP, or unassign the reserved public IP.
- Confirm you're viewing the compartment that contains the instance with the private IP you're interested in.
- Open the navigation menu. Under Core Infrastructure, go to Compute > Instances.
- Click the instance to view its details.
- Under Resources, click Attached VNICs. The primary VNIC and any secondary VNICs attached to the instance are displayed. Click the VNIC you're interested in.
- Under Resources, click IP Addresses. The VNIC's primary private IP and any secondary private IPs are displayed.
- For the private IP you're interested in, click the Actions icon (three dots) > Edit.
- In the Public IP Address section, for Public IP Type, select the radio button for Reserved Public IP. Enter the following:
-- Compartment: The compartment that contains the reserved public IP you want to assign.
-- Reserved Public IP: The reserved public IP you want to assign. You have 3 choices:
-1- Create a new reserved public IP. You may optionally provide a friendly name for it. The name doesn't have to be unique, and you can change it later. Avoid entering confidential information.
-2- Assign a reserved public IP that is currently unassigned.
-3- Move a reserved public IP from another private IP.
- Click Update.


You have launched a compute instance running Oracle Database in a private subnet in the OCI US East
region. You have also created a Service Gateway to back up the data files to OCI Object Storage in the same
region. You have modified the security list associated with the private subnet to allow traffic to the Service
Gateway, but your instance still cannot access OCI Object Storage. How can you resolve this issue?

- Add a stateful rule that enables ingress HTTPS (TCP port 443) traffic to OCI Object Storage in the security
list associated with the private subnet
- Add a stateful rule that enables egress HTTPS (TCP port 443) traffic to OCI Object Storage in the security
list associated with the private subnet
- Add a rule in the Route Table associated with the private subnet with Target type as "Service Gateway"
and destination service as all IAD services in the Oracle Service Network.
- Use the default Security List, which has ports open for OCI Object Storage
- Add a rule in the Route Table associated with the private subnet with Target type as "Service Gateway"
and destination service as all IAD services in the Oracle Service Network.

Explanation
- A service gateway lets your VCN privately access specific Oracle services without exposing the data to the
public internet. No internet gateway or NAT is required to reach those specific services. The resources in the
VCN can be in a private subnet and use only private IP addresses. The traffic from the VCN to the Oracle
service travels over the Oracle network fabric and never traverses the internet.
- The service gateway is regional and enables access only to supported Oracle services in the same region as
the VCN.
- For traffic to be routed from a subnet in your VCN to a service gateway, you must add a rule accordingly
to the subnet's route table. The rule must use the service gateway as the target. For the destination, you must
use the service CIDR label that is enabled for the service gateway. This means that you don't have to know
the specific public CIDRs, which could change over time.

You are a network architect of an application running on OCI. Your security team has informed you about a
security patch that needs to be applied immediately to one of the backend web servers. What should you do
to ensure that the OCI load balancer does not forward traffic to this backend server during maintenance?

- Drain all existing connections to this backend server and mark the backend web server offline
- Create another OCI load balancer for the backend web servers, which are active and handling traffic
- Edit the security list associated with the subnet to avoid traffic connectivity to this backend server
- Stop the load balancer for maintenance and restart the load balancer after the maintenance is finished
- Drain all existing connections to this backend server and mark the backend web server offline

Explanation
- A load balancer improves resource utilization, facilitates scaling, and helps ensure high availability. You
can configure multiple load balancing policies and application-specific health checks to ensure that the load
balancer directs traffic only to healthy instances.
- The load balancer can reduce your maintenance window by draining traffic from an unhealthy application
server before you remove it from service for maintenance.
- The Load Balancing service considers a server marked drain available for existing persisted sessions. New
requests that are not part of an existing persisted session are not sent to that server.
- Edit Drain State: Opens a dialog box in which you can change the drain state. If you set the server's drain
status to true, the load balancer stops forwarding new TCP connections and new non-sticky HTTP requests
to this backend server. This setting allows an administrator to take the server out of rotation for maintenance
purposes.
- Edit Offline State: Opens a dialog box in which you can change the offline status. If you set the server's
offline status to true, the load balancer forwards no ingress traffic to this backend server.

Your application consists of 3 OCI compute instances running behind a public load balancer. You have
configured the load balancer to perform health checks on these instances, but one of the three instances fails
to pass the configured health check. Which of the following actions will the load balancer perform?

- Stop sending traffic to the instance that failed health check
- Terminate the instance that failed health check
- Stop the instances that failed health check
- Remove the instance that failed the health check from the backend set
- Stop sending traffic to the instance that failed health check

Explanation
Health check: A test to confirm the availability of backend servers. A health check can be a request or a
connection attempt. Based on a time interval you specify, the load balancer applies the health check policy
to continuously monitor backend servers. If a server fails the health check, the load balancer takes the server
temporarily out of rotation. If the server subsequently passes the health check, the load balancer returns it to
the rotation.

You configure your health check policy when you create a backend set. You can configure TCP-level or
HTTP-level health checks for your backend servers.
-- TCP-level health checks attempt to make a TCP connection with the backend servers and validate the
response based on the connection status.
-- HTTP-level health checks send requests to the backend servers at a specific URI and validate the response
based on the status code or entity data (body) returned. The service provides application-specific health
check capabilities to help you increase availability and reduce your application maintenance window.

Which 3 items must be configured for a load balancer to accept incoming traffic?

- A route table entry pointing to the listener IP address A security list that is open on the listener port
- A backend set with at least one backend server
- SSL certificate
- A listener
1. A route table entry pointing to the listener IP address A security list that is open on the listener port
2. A backend set with at least one backend server
3. A listener

Explanation
The essential components for load balancing include:
1- A load balancer with pre-provisioned bandwidth.
2- A backend set with a health check policy. See Managing Backend Sets.
3- Backend servers for your backend set. See Managing Backend Servers.
4- One or more listeners. See Managing Load Balancer Listeners.
5- Load balancer subnet security rules to allow the intended traffic. To learn more about these rules, see
Security Rules.

Optionally, you can associate your listeners with SSL server certificate bundles to manage how your system
handles SSL traffic.

Your IT department wants to cut down storage costs, but also meet compliance requirements set by the
central audit group. You have a legacy bucket with both Word docs (.docx) and Excel files (.xlsx). Your
auditors want to retain only Excel files for compliance purposes. Your IT department wants to keep all
other files for 365 days only. What 2 steps can you take to meet this requirement?

- Create Object Storage Lifecycle rules to archive objects from the legacy bucket after 365 days without any
pattern matching
- Create Object Storage Lifecycle rules to delete objects from the legacy bucket after 365 days with a filter
type - include by pattern: *.docx
- It is not possible to meet this requirement
- Create Object Storage Lifecycle rules to delete objects from the legacy bucket after 365 days with a filter
type - exclude by pattern: *.xlsx
- Create Object Storage Lifecycle rules to delete objects from the legacy bucket after 365 days without any
pattern matching
1 - Create Object Storage Lifecycle rules to delete objects from the legacy bucket after 365 days with a filter
type - include by pattern: *.docx
2 - Create Object Storage Lifecycle rules to delete objects from the legacy bucket after 365 days with a filter
type - exclude by pattern: *.xlsx

Explanation
Object Lifecycle Management lets you automatically manage the archiving and deletion of objects. By using
Object Lifecycle Management to manage your Object Storage and Archive Storage data, you can reduce
your storage costs and the amount of time you spend managing data.
Use object name filters to specify which objects the lifecycle rule applies to. You can add object filters in any
order. Object Lifecycle Management evaluates the precedence of the rules as follows:
- Pattern exclusions
- Pattern inclusions
- Prefix inclusions

You have a working application in the US East region. The app is a 3-tier app with a database backend, and you
take regular backups of the database into OCI Object Storage in the US East region. For business continuity,
you are leveraging the OCI Object Storage cross-region copy feature to copy database backups to the US West
region. Which of the following three steps do you need to execute to meet your requirement?

- Write an IAM policy and authorize the Object Storage service to manage objects on your behalf
- Specify an existing destination bucket
- Specify the bucket visibility for both the source and destination buckets Provide a destination object name
- Provide an option to choose bulk copying of objects
- Choose an overwrite rule
- Write an IAM policy and authorize the Object Storage service to manage objects on your behalf
- Specify an existing destination bucket
- Choose an overwrite rule

Explanation
- You can copy objects to other buckets in the same region and to buckets in other regions. You must have
the required access to both the source and destination buckets when performing an object copy. You must
also have permissions to manage objects in the source and destination buckets.
- Because Object Storage is a regional service, you must authorize the Object Storage service for each region
carrying out copy operations on your behalf. For example, you might authorize the Object Storage service in
region US East (Ashburn) to manage objects on your behalf. Once you authorize the Object Storage service,
you can copy an object stored in a US East (Ashburn) bucket to a bucket in another region.
- You can use overwrite rules to control the copying of objects based on their entity tag (ETag) values.
- Specify an existing target bucket for the copy request. The copy operation does not automatically create
buckets.

Which of the following statements is true regarding OCI Object Storage Pre-Authenticated Requests?

- It is not possible to create pre-authenticated requests for the "archive" storage tier
- Changing the bucket visibility does not change existing pre-authenticated requests
- It is not possible to create pre-authenticated requests for the buckets, but only for the objects
- Pre-authenticated requests don't have an expiration
- Changing the bucket visibility does not change existing pre-authenticated requests

Explanation
Pre-authenticated requests provide a way to let users access a bucket or an object without having their own
credentials, as long as the request creator has permissions to access those objects. For example, you can
create a request that lets an operations support user upload backups to a bucket without owning API keys.
Or, you can create a request that lets a business partner update shared data in a bucket without owning API
keys.
When you create a pre-authenticated request, a unique URL is generated. Anyone you provide this URL to
can access the Object Storage resources identified in the pre-authenticated request, using standard HTTP
tools like curl and wget.
Understand the following scope and constraints regarding pre-authenticated requests:
- Users can't list bucket contents.
- You can create an unlimited number of pre-authenticated requests.
- There is no time limit to the expiration date that you can set.
- You can't edit a pre-authenticated request. If you want to change user access options in response to
changing requirements, you must create a new pre-authenticated request.
- The target and actions for a pre-authenticated request are based on the creator's permissions. The request is
not, however, bound to the creator's account login credentials. If the creator's login credentials change, a pre-
authenticated request is not affected.
- You cannot delete a bucket that has a pre-authenticated request associated with that bucket or with an
object in that bucket.

Understand the following scope and constraints regarding public access:


- Changing the type of access is bi-directional. You can change a bucket's access from public to private or
from private to public.
- Changing the type of access doesn't affect existing pre-authenticated requests. Existing pre-authenticated
requests still work.

You have 2 NFS clients running in two different subnets within the same OCI VCN. You have created a
shared file system for the two NFS clients who want to connect to the same file system, but you want to
restrict one of the clients to have READ access while the other has READ/Write access. Which OCI feature
would you leverage to meet this requirement?

- Use VCN security rules to control access for the NFS clients
- Use OCI Identity Access Management to control access for the NFS clients
- Use File Storage NFS Export Options to control access for the NFS clients
- Use NFS security to control access for the NFS clients
- Use File Storage NFS Export Options to control access for the NFS clients

Explanation
OCI File Storage service provides a durable, scalable, secure, enterprise-grade network file system. You can
connect to a File Storage service file system from any bare metal, VM, or container instance in your VCN.
You can also access a file system from outside the VCN using OCI FastConnect and Internet Protocol
security (IPSec) VPN.
EXPORT
Exports control how NFS clients access file systems when they connect to a mount target. File systems are
exported (made available) through mount targets. Each mount target maintains an export set which contains
one or many exports. A file system must have at least one export in one mount target in order for instances
to mount the file system. The information used by an export includes the file system OCID, mount target
OCID, export set OCID, export path, and client export options. For more information, see Managing Mount
Targets.
EXPORT SET
Collection of one or more exports that control what file systems the mount target exports using NFSv3
protocol and how those file systems are found using the NFS mount protocol. Each mount target has an
export set. Each file system associated with the mount target has at least one export in the export set.
EXPORT PATH
A path that is specified when an export is created. It uniquely identifies the file system within the mount
target, letting you associate up to 100 file systems to a single mount target. This path is unrelated to any path
within the file system itself, or the client mount point path.
EXPORT OPTIONS
NFS export options are a set of parameters within the export that specify the level of access granted to NFS
clients when they connect to a mount target. An NFS export options entry within an export defines access
for a single IP address or CIDR block range. For more information, see Working with NFS Export Options.

Which statement is true about the OCI File Storage Service Snapshots?

- Snapshots are created under the root folder of file system, in a hidden directory named .snapshot
- Snapshots are not incremental
- You can restore the whole snapshot, but not the individual files
- It is not possible to create snapshots from the OCI console, only from the CLI
- Snapshots are created under the root folder of file system, in a hidden directory named .snapshot

Explanation
The File Storage service supports snapshots for data protection of your file system. Snapshots are a
consistent, point-in-time view of your file systems. Snapshots are copy-on-write, and scoped to the entire
file system. The File Storage service encrypts all file system and snapshot data at rest. You can take as many
snapshots as you need.
Data usage is metered against differentiated snapshot data. If nothing has changed within the file system
since the last snapshot was taken, the new snapshot does not consume more storage.
Snapshots are accessible under the root directory of the file system at ".snapshot/name". For data protection,
you can use a tool that supports NFSv3 to copy your data to a different availability domain, region, file
system, object storage, or remote location.

Which 2 statements are true about OCI Db Systems Data Guard Service? (Choose 2)

- Both DB systems must use the same VCN, and port 1521 must be open
- Data guard configuration on the OCI is limited to a VM only
- Data guard implementation for Bare Metal shapes requires two DB Systems, one containing the primary
database and one containing the standby database.
- Data guard implementation requires two DB Systems, one running the primary database on a VM and the
standby database running on bare metal.
- Both DB systems must use the same VCN, and port 1521 must be open
- Data guard implementation for Bare Metal shapes requires two DB Systems, one containing the primary
database and one containing the standby database.

Explanation
An Oracle Data Guard implementation requires two DB systems, one containing the primary database and
one containing the standby database. When you enable Oracle Data Guard for a VM DB system database, a
new DB system with the standby database is created and associated with the primary database. For a bare
metal DB system, the DB system with the database that you want to use as the standby must already exist
before you enable Oracle Data Guard.

Requirement details are as follows:


- Both DB systems must be in the same compartment.
- The DB systems must be the same shape type (for example, if the shape of the primary database is a VM,
then the shape of the standby database can be any other VM shape).
- If your primary and standby databases are in different regions, then you must peer the VCN for each
database.
- Configure the security list ingress and egress rules for the subnets of both DB systems in the Oracle Data
Guard association to enable TCP traffic to move between the applicable ports. Ensure that the rules you
create are stateful (the default).

Which 2 characteristics do you need to consider when choosing a method to migrate a database to OCI?

- On-prem connectivity using remote and local VCN peering
- On-prem database character set and application version
- On-prem host operating system platform and network bandwidth
- On-prem database version and quantity of data, including indexes
- On-prem host operating system platform and network bandwidth
- On-prem database version and quantity of data, including indexes

Explanation
You can migrate your on-premises Oracle Database to an OCI Database service database using a number of
different methods that use several different tools. The method that applies to a given migration scenario
depends on several factors, including the version, character set, and platform endian format of the source
and target databases.

Choosing a Migration Method - Not all migration methods apply to all migration scenarios. Many of the
migration methods apply only if specific characteristics of the source and destination databases match or are
compatible. Moreover, additional factors can affect which method you choose for your migration from
among the methods that are technically applicable to your migration scenario.

Some characteristics and factors to consider when choosing a migration method:


- On-premises database version
- Database service database version
- On-premises host operating system and version
- On-premises database character set
- Quantity of data, including indexes
- Data types used in the on-premises database
- Storage for data staging
- Acceptable length of system outage
- Network bandwidth

To determine which migration methods are applicable to your migration scenario, gather the following info:

1) Database version of your on-premises database:


- Oracle Db 12c Release 2 version 12.2.0.1
- Oracle Db 12c Release 1 version 12.1.0.2 or higher
- Oracle Db 12c Release 1 version lower than 12.1.0.2
- Oracle Db 11g Release 2 version 11.2.0.3 or higher
- Oracle Db 11g Release 2 version lower than 11.2.0.3

2) For on-premises Oracle Database 12c Release 2 and Oracle Database 12c Release 1 databases, the
architecture of the database:
- Multitenant container database (CDB)
- Non-CDB

3) Endian format (byte ordering) of your on-premises database's host platform. Some platforms are little
endian and others are big endian. Query V$TRANSPORTABLE_PLATFORM to identify the endian
format, and to determine whether cross-platform tablespace transport is supported. The OCI Db uses the
Linux platform, which is little endian.
4) Database character set of your on-premises database and the OCI Database database. Some migration
methods require that the source and target databases use compatible database character sets.

5) Database version of the OCI Database database you are migrating to:
- Oracle Db 12c Release 2
- Oracle Db 12c Release 1
- Oracle Db 11g Release 2
- Oracle Database 12c Release 2 and Oracle Database 12c Release 1 databases created on the Database
service use CDB architecture. Databases created using the Enterprise Edition software edition are single-
tenant, and databases created using the High Performance or Extreme Performance software editions are
multi-tenant.

Which is a customer's responsibility on an OCI DB System?

- Applying patches to the database and OS
- Installing the OS, Grid Infrastructure, and Db software
- Creating the first database on the DB System
- Creating an ASM diskgroup for data file or temp file storage
- Applying patches to the database and OS

Explanation
Oracle automatically takes care of operating system installation and configuration, Grid Infrastructure, ASM
diskgroup creation and configuration, database software installation, and creation of the first database on the
DB System when the DB System is created. The customer is then responsible for applying patches to the
database and OS.

Which 2 options are available within the service console of ATP?

- Monitor the health of the database server including CPU, memory and query performance
- Configure resource management rules and reset the admin password
- Perform a manual backup of the ATP database
- Fine tune a long running query using optimizer hints
- Monitor the health of the database server including CPU, memory and query performance
- Configure resource management rules and reset the admin password

Which of the following 2 tasks can be performed in the OCI Console for ADW?

- Adjust Network Bandwidth
- Scale up/down Memory
- Increase Storage allocated for Database
- Scale up/down CPU
- Increase Storage allocated for Database
- Scale up/down CPU

Explanation
- You can scale your Autonomous Database up or down in both compute (CPU) and storage, and only when
needed, which allows you to pay per use.
- Oracle allows you to scale compute and storage independently; there is no need to do both together. These
scaling activities are fully online (no downtime required).
- On the Details page of the ADB in the OCI console, click Scale Up/Down. Click the arrow to select a value
for CPU Core Count or Storage (TB).
- Or select auto scaling to allow the system to automatically use up to three times more CPU and IO
resources to meet workload demand, compared to the database operating with auto scaling disabled.

Which 2 statements are true about ADW backup?

- You can perform manual backups to OCI object storage in addition to automated backups available on
ADW
- You can backup ADW database only to a standard bucket type in OCI object storage
- OCI recommends backing up ADW databases manually to on-premises storage devices
- You must backup ADW database to object storage bucket named ADW_backup
- You can perform manual backups to OCI object storage in addition to automated backups available on
ADW
- You can backup ADW database only to a standard bucket type in OCI object storage

Explanation
- ADB automatically backs up your database for you. In addition to automatic backups, ADB also allows you
to take manual backups to your OCI Object Storage, for example if you want to take a backup before a major
change to make restore and recovery faster.
- Also, manual backups are only supported with buckets created in the standard storage tier. If you provision
an ADW instance named ADWC1, the bucket name should be backup_adwc1 (the bucket name is
lowercase).

Which 2 statements are true about the OCI object storage service?

- It provides strong consistency
- It provides higher IOPS than block storage.
- It can be directly attached to or detached from a compute instance
- Data is stored redundantly across multiple availability domains (ADs) in a multi-AD region

- It provides strong consistency
- Data is stored redundantly across multiple availability domains (ADs) in a multi-AD region

Explanation
Object Storage provides the following features:
- STRONG CONSISTENCY - When a read request is made, Object Storage always serves the most recent
copy of the data that was written to the system.
- DURABILITY - Object Storage is a regional service. Data is stored redundantly across multiple storage
servers. Object Storage actively monitors data integrity using checksums and automatically detects and
repairs corrupt data. Object Storage actively monitors and ensures data redundancy. If a redundancy loss is
detected, Object Storage automatically creates more data copies. For more details about Durability, see the
OCI Obj Storage FAQ
- CUSTOM METADATA - You can define your own extensive metadata as key-value pairs for any
purpose. For example, you can create descriptive tags for objects, retrieve those tags, and sort through the
data. You can assign custom metadata to objects and buckets using the OCI CLI or SDK. See Software
Development Kits and Command Line Interface for details.
- ENCRYPTION - Object Storage employs 256-bit Advanced Encryption Standard (AES-256) to encrypt
object data on the server. Each object is encrypted with its own data encryption key. Data encryption keys
are always encrypted with a master encryption key that is assigned to the bucket. Encryption is enabled by
default and cannot be turned off. By default, Oracle manages the master encryption key. However, you can
optionally configure a bucket so that it's assigned an OCI Vault master encryption key that you control and
rotate on your own schedule.

You have 5 different company locations spread across the US. For a POC you need to setup secure
and encrypted connectivity to your workloads running in a single VCN in the OCI Ashburn region
from all company locations.
What would meet this requirement?

- Create 5 internet gateways in your VCN and have separate route table for each internet gateway.
- Create 5 virtual circuits using FastConnect for each company location and terminate those connections on a
single DRG. Attach that DRG to your VCN
- Create 5 IPsec connections with each company location and terminate those connections on a single DRG.
Attach that DRG to your VCN.
- Create 5 IPsec VPN connections with each company location and terminate those connections on five
separate DRGs. Attach those DRGs to your VCN
- Create 5 IPsec connections with each company location and terminate those connections on a single DRG.
Attach that DRG to your VCN.

Explanation
Access to Your On-Premises Network
There are 2 ways to connect your on-prem network to OCI:
1. VPN Connect - Offers multiple IPSec tunnels between your existing network's edge and your VCN, by
way of a DRG that you create and attach to your VCN.
2. OCI FastConnect: Offers a private connection between your existing network's edge and OCI. Traffic
does not traverse the internet. Both private peering and public peering are supported. That means your
on-prem hosts can access private IPv4 addresses in your VCN as well as regional public IPv4 addresses in OCI
(for example, Object Storage or public load balancers in your VCN).

** You can use one or both types of the preceding connections. If you use both, you can use them
simultaneously, or in a redundant configuration. These connections come to your VCN by way of a single
DRG that you create and attach to your VCN. Without that DRG attachment and a route rule for the DRG,
traffic does not flow between your VCN and on-premises network. At any time, you can detach the DRG
from your VCN but maintain all the remaining components that form the rest of the connection. You could
then reattach the DRG again, or attach it to another VCN.

A customer has launched a compute instance in a VCN, which has an internet gateway, a service
gateway, a default security list and a default route table. The customer has opened up port 22 in the
security list attached to the compute instance subnet, but is still unable to connect to the compute
instance using SSH.
Which option would remedy this situation?

- Modify the route table associated with the VCN subnet in which the instance resides. Add the following
route to the route table.
Destination CIDR: 0.0.0.0/0
Target: Internet Gateway (IGW)
- Modify the route table associated with the VCN subnet in which the instance resides. Add the following
route to the route table.
Destination CIDR: 0.0.0.0/0
Target: Dynamic Routing Gateway (DRG)
- Modify the security list associated with the VCN subnet in which the instance resides. Add a stateful
egress rule to allow ICMP traffic in addition to port 22
- Modify the route table associated with the VCN subnet in which the instance resides. Add the following
route to the route table.
Destination CIDR: 0.0.0.0/0 Target: Service Gateway (SGW)

- Modify the route table associated with the VCN subnet in which the instance resides. Add the following
route to the route table.
Destination CIDR: 0.0.0.0/0
Target: Internet Gateway (IGW)

Explanation
You create an internet gateway in the context of a specific VCN. In other words, the internet gateway is
automatically attached to a VCN. However, you can disable and re-enable the internet gateway at any time.
For traffic to flow between a subnet and an internet gateway, you must create a route rule accordingly in the
subnet's route table (for example, destination CIDR = 0.0.0.0/0 and target = internet gateway). If the internet
gateway is disabled, that means no traffic will flow to or from the internet even if there's a route rule that
enables that traffic.
For the purposes of access control, you must specify the compartment where you want the internet gateway
to reside. If you're not sure which compartment to use, put the internet gateway in the same compartment as
the cloud network.
