
Attempt 1

Question 1:

A customer’s webserver runs a complicated application on three Baremetal instances that serve as
backends on a backend set for an OCI public Load Balancer. If one of the Baremetal instances fails, what
will the OCI Load Balancer do?

Explanation

If one of the backend servers goes down or gets disconnected, the load balancer stops sending new
connections to that unhealthy instance and sends new connections to the remaining healthy backend
endpoints.

Question 2:

Which statement is true regarding the run command feature in the Oracle Cloud Infrastructure (OCI)
Compute service?

Explanation

You can run commands on an instance even when the instance does not have SSH access or open
inbound ports. The run command feature is supported on compute instances that use the following
platform images:

Oracle Autonomous Linux

Oracle Linux

CentOS

Windows Server

The run command feature uses the Compute Instance Run Command plugin that is managed by the
Oracle Cloud Agent software. The maximum size for a script file that you upload directly to an instance
in plain text is 4 KB. To provide a larger file, save the file in an Object Storage location. Hence the
statement "The maximum size for a script file that you upload directly to an instance in plain text is 4
KB." is correct.

Question 3:

You are using the Oracle Cloud Infrastructure (OCI) Vault service to create and manage Secrets. For your
database password, you have created a secret and rotated the secret one time. The secret versions are
as follows:

Version Number | Status
---------------+----------
2 (latest)     | Current
1              | Previous

You later realize that you have made a mistake in updating the secret content for version 2 and want to
roll back to version 1. What should you do to roll back to version 1?

Explanation

To promote an existing secret version to current:

Open the navigation menu, click Identity & Security, and then click Vault.

Under List Scope, in the Compartment list, click the name of the compartment that contains the vault
that has the secret you want to update.

From the list of vaults in the compartment, click the vault name.

Click Secrets, and then click the name of the secret that you want to update to use a different secret
version. (If needed, first change the list scope to the compartment that contains the secret.)

Make a different secret version the current secret version by doing one of the following:

Click Edit, click Current Version, click the version number you want to promote, and when you're ready,
click Save Changes.

Under Secret Version List, locate the version number that you want to promote, click the Actions icon
(three dots) for that secret version, and then click Promote to Current. Confirm the promotion by
clicking Promote to Current.

Question 4:

You have an instance running in Oracle Cloud Infrastructure (OCI) that cannot be live-migrated during an
infrastructure maintenance event. OCI schedules a maintenance due date within 14 to 16 days and
sends you a notification. What would happen if you choose not to proactively reboot the instance
before the scheduled maintenance due date?

Explanation

If a VM instance cannot be live migrated or doesn't support live migration, Oracle Cloud Infrastructure
schedules a maintenance due date within 14 to 16 days and sends you a notification describing the type
of maintenance action that is required, such as reboot migration. If a VM instance is scheduled for
maintenance, you can proactively reboot (or stop and start) the instance at any time before the
scheduled maintenance due date. If you do not proactively reboot the instance before the due date, the
instance is either reboot migrated or rebuilt in place for you, depending on the shape.

Reference:
https://docs.oracle.com/en-us/iaas/Content/Compute/References/infrastructure-maintenance.htm#planned-maintenance__vm-planned-maintenance

Question 5:

Which TWO statements are NOT correct regarding the Oracle Cloud Infrastructure (OCI) burstable
instances?

Explanation
Burstable instances are designed for scenarios where an instance is typically idle, or has low CPU
utilization with occasional spikes in usage. When you create a burstable instance, you specify the total
OCPU count (or CPU cores) and the baseline CPU utilization. The baseline utilization is a fraction of each
CPU core, either 12.5% or 50% (and NOT 75% as mentioned in one of the options). Hence, the two
statements below are INCORRECT.

1. Burstable instances are designed for scenarios where an instance is not typically idle and has high CPU
utilization.

2. Baseline utilization is a fraction of each CPU core, either 25% or 75%

Reference: https://docs.oracle.com/en-us/iaas/Content/Compute/References/burstable-instances.htm

Question 6:

You are part of a team that manages a set of workload instances running in an on-premises
environment. The Architect team is tasked with designing and configuring Oracle Cloud Infrastructure
(OCI) Logging service to collect logs from these instances. There is a requirement to archive Info-level
logging data of these instances into the OCI Object Storage. Which TWO features of OCI can help you
achieve this?

Explanation

Custom logs are logs that contain diagnostic information from custom applications, other cloud
providers, or an on-premises environment. Custom logs can be ingested by configuring the Unified
Monitoring Agent (see Installing the Agent for instructions). The Unified Monitoring Agent can be
installed on many machines, and it pulls logs from local directories where your apps or systems emit
logs. The agent can also parse your logs for you. All of this is configured in Agent Configurations. An
agent configuration is the central mechanism for defining:

What hosts you want logs from.

What specific logs you want from the hosts.

Additional parsers.

The custom log destination.

The service connector processes and moves log data from Logging to Object Storage.

Reference (scenario):
https://docs.oracle.com/en-us/iaas/Content/service-connector-hub/archivelogs.htm

Question 7:

You have a block volume created in the US West (Phoenix) region. You enabled Cross Region Replication
for the volume and selected US West (San Jose) as the destination region. Now, you would like to create
a new volume from the volume replica in the US West (San Jose) region. What should you do?

Explanation

To create a new volume from a volume replica, you need to activate the replica. The activation process
creates a new volume by cloning the replica.

Open the navigation menu and click Storage. Under Block Storage, click Block Volume Replicas. Ensure
that you are in the correct destination region, the one that contains the volume replica you want to
activate.

Click the replica that you want to activate.

Click Activate to open the Activate Volume Replica form.

In the Activate Volume Replica form, specify the settings for the new volume.

Click Create. The new volume will appear in the block volumes list, in the provisioning state.

Question 8:

Which THREE protocols are supported by the Oracle Cloud Infrastructure (OCI) Network Load Balancer?

Explanation

You can configure multiple listeners for an IP address to load balance Layer 4 (TCP/UDP/ICMP) traffic.

Reference:
https://docs.oracle.com/en-us/iaas/Content/NetworkLoadBalancer/introducton.htm#Overview

Border Gateway Protocol (BGP) is used to exchange routing information for the internet and is the
protocol used between ISPs, which are different autonomous systems (ASes). Internet Small Computer
Systems Interface (iSCSI) is an Internet Protocol-based storage networking standard for linking data
storage facilities. iSCSI provides block-level access to storage devices by carrying SCSI commands over a
TCP/IP network.

Question 9:

In which TWO ways does Cloud Guard help improve the overall security posture for your tenancy?

Explanation

Oracle Data Safe is a unified control center for your Oracle databases which helps you understand the
sensitivity of your data, evaluate risks to data, mask sensitive data, implement and monitor security
controls, assess user security, monitor user activity, and address data security compliance
requirements. Hence "Masks sensitive data and monitors security controls on your Oracle databases" is
INCORRECT.

Oracle Cloud Infrastructure (OCI) Vault lets you centrally manage and control use of keys and secrets
across a wide range of OCI services and applications. Hence "Allows you to centrally manage encryption
keys" is INCORRECT.

Security Zones enforce security posture on OCI cloud compartments and prevent actions that could
weaken a customer's security posture. Security Zone policies can be applied to various cloud
infrastructure types (network, compute, storage, database, etc.) to ensure cloud resources stay secure
and prevent security misconfigurations. Hence "Prevents you from creating misconfigurations on your
resources in Oracle Cloud Infrastructure (OCI)" is INCORRECT.

We are left with two choices:

Monitors unauthorized or suspicious user activity &

Helps detect misconfigured resources, such as publicly accessible Object Storage buckets, instances, and
restricted ports on security lists.

Oracle Cloud Guard is an Oracle Cloud Infrastructure service that helps customers monitor, identify,
achieve, and maintain a strong security posture on Oracle Cloud. Use the service to examine your Oracle
Cloud Infrastructure resources for security weakness related to configuration, and your operators and
users for risky activities. Upon detection, Cloud Guard can suggest, assist, or take corrective actions,
based on your configuration.

Question 10:

You want to have an exact copy of your database system to demonstrate the feasibility of a method you
have in mind. You decide to clone your database system. Which of the following statements is true
about cloning a database system?

Explanation

Cloning creates a copy of a source DB system as it exists at the time of the cloning operation, including
the storage configuration, software, and database volumes.

More reading on cloning a DB system:
https://docs.oracle.com/en-us/iaas/dbcs/doc/clone-db-system.html

Question 11:

Which is NOT a valid statement regarding the Oracle Cloud Infrastructure (OCI) Audit service?

Explanation

Changes within the objects stored in an Object Storage bucket are NOT collected as Audit logs.

The Audit service automatically records calls to all supported Oracle Cloud Infrastructure public
application programming interface (API) endpoints as log events. Currently, all services support logging
by Audit. The Object Storage service supports logging for bucket-related events, but NOT for
object-related events. Log events recorded by the Audit service include API calls made by the Oracle
Cloud Infrastructure Console, Command Line Interface (CLI), Software Development Kits (SDK), your own
custom clients, or other Oracle Cloud Infrastructure services. If you're a regular user (not an
administrator) who needs to use the Oracle Cloud Infrastructure resources that your company owns,
contact your administrator to set up a user ID for you. The administrator can confirm which
compartment or compartments you should be using. Audit provides records of API operations performed
against supported services as a list of log events. The service logs events at both the tenant and
compartment level. By default, Audit logs are retained for 365 days. You can view the log retention
period in the tenancy details page. The retention period is a tenancy-level setting. The value of the
retention period setting affects all regions and all compartments. The retention period cannot be
changed.

Question 12:

Oracle Cloud Agent is a lightweight process that manages plugins running on compute instances. Which
is NOT a valid Oracle Cloud Agent plugin name?

Explanation

OS Management Service Agent Plugin: Manages updates and patches for the operating system
environment on the instance.

Bastion Plugin: Allows secure shell (SSH) connections to an instance without public IP addresses using
the Bastion service.

Compute Instance Run Command Plugin: Runs scripts within the instance to remotely configure,
manage, and troubleshoot the instance.

Live Migration Agent is NOT a valid Oracle Cloud Agent plugin name.

Reference: You can find the list of available plugins here:
https://docs.oracle.com/en-us/iaas/Content/Compute/Tasks/manage-plugins.htm#available-plugins

Question 13:

You are a security administrator for your company's Oracle Cloud Infrastructure (OCI) tenancy. Your
storage administrator informs you that she cannot associate an encryption key from an existing Vault to
a new Object Storage bucket. What could be a possible reason for this behavior?

Explanation
Instead of using an encryption key that Oracle manages, you can assign master encryption keys that you
manage to buckets. Keys associated with buckets will not work unless you authorize Object Storage to
use keys on your behalf. Additionally, you must also authorize users to delegate key usage to these
services in the first place. Object Storage is a regional service, so it has regional endpoints. As such, you
must specify the regional service name for each region where you're using Object Storage with Vault
encryption:

Allow service objectstorage-<region_name> to use keys in compartment ABC where target.key.id = '<key_OCID>'

Question 14:

You are responsible for creating and maintaining an enterprise application that consists of multiple
storage volumes across multiple compute instances in Oracle Cloud Infrastructure (OCI). The storage
volumes include boot volumes and block volumes for your data storage. You need to create a backup for
the boot volumes that will be done daily and a backup for the block volumes that will be done every six
hours. How can you meet this requirement?

Explanation

Group multiple storage volumes in a volume group and create volume group backups is incorrect, as we
have different custom schedule requirements: backups of boot volumes daily and backups of block
volumes every six hours. One volume group therefore cannot satisfy the requirement.

Create clones of all boot volumes and block volumes one at a time is incorrect, as the question is about
backups and the option talks about creating clones.

Create on-demand full backups of block volumes, and create custom images from the boot volumes. Use
a function to run at a specific time to start the backup process is incorrect, as the option does not use
volume groups.

Group the boot volumes into a volume group and create a custom backup policy. Group the block
volumes and create a custom backup policy is correct. You need to create two volume groups, one for
the boot volumes and the other for the block volumes, and then define a custom backup policy for each.

Question 15:

You create a file system and then add a 2 GB file. You then take a snapshot of the file system. What
would be the total meteredBytes shown by the File Storage service after the hourly update cycle is
complete?

Explanation

Snapshot data usage is metered against differentiated data only. If nothing has changed within the file
system since the last snapshot was taken, a new snapshot does not consume more storage. You create a
file system and add a 2 GB file. The new file system now contains 2 GB including metadata. After the
hourly update cycle is complete, the total meteredBytes shown by the File Storage service is 2 GB. Next,
you create a snapshot of the file system. After the hourly update cycle is complete, the total
meteredBytes shown by the File Storage service remains at 2 GB, because there's no differentiated data
yet.

Question 16:

You plan to upload a large file (3 TiB) to Oracle Cloud Infrastructure (OCI) Object Storage. You would like
to minimize the impact of network failures while uploading, and therefore you decide to use the
multipart upload capability. Which TWO statements are true about performing a multipart upload using
the Multipart Upload API?

Explanation
Performing a multipart upload using the Multipart Upload API: Before you use the multipart upload API,
you are responsible for creating the parts to upload. With multipart upload, you split the object you
want to upload into individual parts. Individual parts can be as large as 50 GiB. While a multipart upload
is still active, you can keep adding parts as long as the total number is less than 10,000. When you have
uploaded all object parts, commit the upload.

Reference:
https://docs.oracle.com/en-us/iaas/Content/Object/Tasks/usingmultipartuploads.htm#using_api

Question 17:

Your customer would run month-end jobs on their on-premises databases that would take around 14
hours to complete and sometimes even fail due to overloaded database systems. After a detailed
evaluation, they migrated their database to Oracle Autonomous Data Warehouse. They realized they
could also move their analytics platform to Oracle Analytics Cloud (OAC) and have their best-of-breed
technology platforms meet their critical business requirements. After migrating their analytics platform,
they want to use one consumer group for running month-end jobs and another consumer group that
can be used by the analytics team for performing data analytics tasks every day. How can your customer
implement this requirement?

Explanation

By default, the CPU/IO shares assigned to the consumer groups HIGH, MEDIUM, LOW are 4, 2, and 1,
respectively. With the default settings the consumer group HIGH will be able to use 4 times more
CPU/IO resources compared to LOW and 2 times more CPU/IO resources compared to MEDIUM, when
needed. The consumer group MEDIUM will be able to use 2 times more CPU/IO resources compared to
LOW, when needed.

Question 18:

Which are the TWO tools you would use for Logical migration?

Question 19:

Your cloud developer is using the Oracle Cloud Infrastructure (OCI) Vault service to encrypt plaintext.
She runs the following command using the OCI Command Line Interface (CLI) and encounters a service
error.

oci kms crypto encrypt --key-id ocid1.key.oc1.iad.bbptfrr5aaeuk.abuwcljt32arg6e6xlswgluvc52lnrtk62jq7jenfejfxlhb46nkav3zhsta --plaintext foobar --endpoint https://bbptfrr5aaeuk-management.kms.us-ashburn-1.oraclecloud.com

What could be the most likely reason for this error?

Explanation

Each vault has a unique endpoint for create, update, and list operations for keys. This endpoint is
referred to as the control plane URL or management endpoint. Each vault also has a unique endpoint for
cryptographic operations. This endpoint is known as the data plane URL or the cryptographic endpoint.
When using the CLI for key operations, you must provide the appropriate endpoint for the type of
operation.

oci kms crypto encrypt --key-id <key_OCID> --plaintext <base64_string> --endpoint <data_plane_url>

If you look at the endpoint in the command in the question,
https://bbptfrr5aaeuk-management.kms.us-ashburn-1.oraclecloud.com, it is the wrong endpoint: it is a
management endpoint, not a data plane endpoint.
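As an added example (not from the original page or the OCI CLI), a small Python linter for the command above: it tells a vault's management endpoint apart from its cryptographic endpoint by hostname, flags a crypto operation sent to the management endpoint, and assembles a corrected command. The key OCID and management endpoint are the ones in the question; the "<vault>-crypto" hostname shape of the data plane endpoint is an assumption about OCI's naming convention.

```python
import re
import shlex
from base64 import b64encode
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Hostname shape of a per-vault KMS endpoint. The "<vault>-management" form is the
# management endpoint shown in the question; the "<vault>-crypto" form for the data
# plane endpoint is an assumption about OCI's naming convention.
_ENDPOINT_RE = re.compile(
    r"^(?P<vault>[a-z0-9]+)-(?P<plane>management|crypto)"
    r"\.kms\.(?P<region>[a-z0-9-]+)\.oraclecloud\.com$"
)

# Which endpoint each CLI command family must be sent to: key create/update/list
# operations go to the management endpoint, cryptographic operations to the crypto one.
_PLANE_FOR_FAMILY = {"management": "management", "crypto": "crypto"}


def classify_endpoint(url: str) -> Optional[Dict[str, str]]:
    """Parse a KMS endpoint URL into its vault prefix, plane and region,
    or return None when the host is not a per-vault KMS endpoint."""
    host = (urlparse(url).hostname or "").lower()
    match = _ENDPOINT_RE.match(host)
    return match.groupdict() if match else None


def sibling_endpoint(url: str, plane: str) -> str:
    """Return the same vault's endpoint for the requested plane ("management" or "crypto")."""
    info = classify_endpoint(url)
    if info is None:
        raise ValueError(f"not a per-vault KMS endpoint: {url}")
    return f"https://{info['vault']}-{plane}.kms.{info['region']}.oraclecloud.com"


def _options(tokens: List[str]) -> Dict[str, str]:
    """Collect "--flag value" pairs from a token list (flags are assumed not to repeat)."""
    opts: Dict[str, str] = {}
    i = 0
    while i < len(tokens):
        if tokens[i].startswith("--") and i + 1 < len(tokens):
            opts[tokens[i]] = tokens[i + 1]
            i += 2
        else:
            i += 1
    return opts


def check_command(command: str) -> List[str]:
    """Lint an `oci kms <family> <verb> ...` command line. Returns a list of
    findings; an empty list means the endpoint matches the operation's plane."""
    argv = shlex.split(command)
    if len(argv) < 4 or argv[:2] != ["oci", "kms"]:
        return ["not an 'oci kms' command"]
    family, verb = argv[2], argv[3]
    wanted = _PLANE_FOR_FAMILY.get(family)
    if wanted is None:
        return [f"unknown 'oci kms' command family: {family}"]
    endpoint = _options(argv[4:]).get("--endpoint")
    if endpoint is None:
        return ["--endpoint is missing; every vault has its own endpoints"]
    info = classify_endpoint(endpoint)
    if info is None:
        return [f"endpoint {endpoint} is not a per-vault KMS endpoint"]
    if info["plane"] != wanted:
        return [
            f"'oci kms {family} {verb}' needs the {wanted} endpoint but was given the "
            f"{info['plane']} endpoint; use {sibling_endpoint(endpoint, wanted)}"
        ]
    return []


def build_encrypt_command(key_id: str, plaintext: str, management_url: str) -> str:
    """Assemble a corrected encrypt command: base64-encode the plaintext (the CLI
    takes a base64 string) and target the vault's cryptographic endpoint."""
    encoded = b64encode(plaintext.encode()).decode()
    return (
        f"oci kms crypto encrypt --key-id {key_id} --plaintext {encoded} "
        f"--endpoint {sibling_endpoint(management_url, 'crypto')}"
    )


# The command from the question (key OCID and endpoint as given there).
QUESTION_COMMAND = (
    "oci kms crypto encrypt --key-id "
    "ocid1.key.oc1.iad.bbptfrr5aaeuk.abuwcljt32arg6e6xlswgluvc52lnrtk62jq7jenfejfxlhb46nkav3zhsta "
    "--plaintext foobar "
    "--endpoint https://bbptfrr5aaeuk-management.kms.us-ashburn-1.oraclecloud.com"
)

if __name__ == "__main__":
    for finding in check_command(QUESTION_COMMAND):
        print("finding:", finding)
```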

Question 20:

You are part of an organization with thousands of users accessing Oracle Cloud Infrastructure (OCI). An
unknown user action was executed resulting in configuration errors. You are tasked to quickly identify
the details of all users who were active in the last six hours along with any REST API calls that were
executed. Which OCI service would you use?

Explanation

Audit provides records of API operations performed against supported services as a list of log events.
The service logs events at both the tenant and compartment level. When viewing events logged by
Audit, you might be interested in specific activities that happened in the tenancy or compartment and
who was responsible for the activity. You will need to know the approximate time and date something
happened and the compartment in which it happened to display a list of log events that includes the
activity in question.

Question 21:

You want to run compute virtual machine (VM) instances in Oracle Cloud Infrastructure (OCI). Your
business unit has the following requirements that need to be considered before you launch the VMs:

Requirement 1: Shared infrastructure should not be used to deploy VMs.

Requirement 2: Meet node-based licensing requirements that require you to license an entire server.

Which compute capacity type would you select to meet these requirements?

Explanation

The Oracle Cloud Infrastructure Compute service's dedicated virtual machine host feature gives you the
ability to run compute virtual machine (VM) instances on dedicated servers that are single tenant and
not shared with other customers. This feature lets you meet compliance and regulatory requirements for
isolation that prevent you from using shared infrastructure. You can also use this feature to meet
node-based or host-based licensing requirements that require you to license an entire server.

Question 22:

Which TWO components are optional while creating the Monitoring Query Language (MQL) expressions
in the Oracle Cloud Infrastructure (OCI) Monitoring service?

Explanation

An MQL expression includes the following components:

metric

interval

dimensions, as one or more name-value pairs (optional)

grouping function (optional)

statistic

comparison operation (optional). Useful for defining

Reference:
https://docs.oracle.com/en-us/iaas/Content/Monitoring/Concepts/monitoringoverview.htm#AlarmsOverview

More reading:
https://docs.oracle.com/en-us/iaas/Content/Monitoring/Reference/mql.htm#Monitoring_Query_Language_MQL_Reference

Question 23:

You plan to launch a VM instance with the VM.Standard2.24 shape and Oracle Linux 8 platform image.
You want to protect your VM instance from low-level threats, such as rootkits and bootkits that can
infect the firmware and operating system and are difficult to detect. What should you do?

Explanation

Threats like rootkits and bootkits that have kernel-level privileges can infect the firmware and operating
system and are difficult to detect. Rootkits containing low-level malware allow an attacker to perform
the following tasks:

Take control of the system without the owner’s knowledge

Run files remotely

Change system configuration

Steal passwords and encryption keys

Perform data exfiltration

Bootkits are a type of rootkit that targets the boot code and can cause system instability and inability to
launch the operating system. These tactics are commonly used to perform ransomware attacks.
Unfortunately, rootkits and bootkits are hard to detect because they activate even before the operating
system boots and can block antivirus and antimalware software, rendering them ineffective.

You can use Shielded instances, which protect virtual machine (VM) and bare metal instances against
these low-level threats.

Reference: https://docs.oracle.com/en-us/iaas/Content/Compute/References/shielded-instances.htm

Question 24:

You are launching a new project in the US West (Phoenix) region. You would like to reserve the compute
capacity mentioned below so that the capacity is available for your workloads when you need it.

10 VM.Standard2.2 Instances

6 VM.Standard.E4.Flex Instances

The project also requires you to be mindful about high availability and place the instances in at least two
Availability Domains. At a bare minimum, how many capacity reservations would you create to meet this
requirement?

Explanation

When you create your capacity reservation, you specify the availability domain in the tenancy where
you want to reserve capacity. Reservations are specific to that availability domain. In this scenario, as
you need to be mindful about high availability (placing instances in at least 2 Availability Domains), at a
bare minimum we need 2 capacity reservations (as a reservation is AD specific). We can then add
capacity configurations as per the requirement.

Question 25:

Which statement is NOT correct regarding the Oracle Cloud Infrastructure (OCI) File System snapshots?

Explanation

A snapshot is a point-in-time view of your file system. Snapshots initially consume no additional usage in
the file system, because they reference the original data instead of duplicating it, limiting usage cost.
Snapshot data usage is metered against differentiated data only. If nothing has changed within the file
system since the last snapshot was taken, a new snapshot does not consume more storage.

Question 26:

You need to implement automatic backups for your database system. You can easily check “Enable
Automatic Backup” in the web console. Before you do that though, you need to have which of the
following TWO prerequisites in place?

Explanation

Prerequisites: The DB system requires access to the Oracle Cloud Infrastructure Object Storage service,
including connectivity to the applicable Swift endpoint for Object Storage.

Reference:
https://docs.oracle.com/en/cloud/paas/bm-and-vm-dbs-cloud/dbbackupoci/index.html#articletitle

Question 27:
A few Object Storage buckets in your Oracle Cloud Infrastructure (OCI) tenancy should remain public,
and yet you do not want the Cloud Guard service to detect these as problems.

In which TWO ways would you address this requirement?

Explanation

A conditional group sets parameters that you specify, to limit the scope of situations for which the
violation of a detector rule actually triggers a problem.

Example: You have 10 Compute instances. Two instances (Instance1 and Instance2) should be public, so
you don't want the "Instance is publicly accessible" rule to trigger problems on these instances. You can
use conditional groups to exclude these two instances, using either custom lists or managed lists.

When you dismiss a problem, you're telling Cloud Guard to ignore this instance of the problem for that
resource, and simply ignore it if it happens in the future. Only the problem history of the dismissed
problem is updated. When you mark a problem as resolved, you're telling Cloud Guard that it was in fact
a problem, but you've taken an action that handled it. If another instance of this same problem occurs,
it's detected again.

Question 28:

What security consideration should you be mindful of before performing a database migration?

Explanation

Reference:
https://database-heartbeat.com/2021/07/06/restore-a-tde-encrypted-cloud-database-backup-to-another-availability-domain-oci-region-or-on-premises/

Question 29:

In an Object Storage bucket you have two objects named ObjectA and ObjectB. ObjectA was last
modified six months ago and ObjectB was modified 14 months ago. You create a retention rule and
specify a duration of 1 year. What does the rule do?

Explanation

It's important to understand retention duration for time-bound rules. Even though you are creating
retention rules for a bucket, the duration of a rule is applied to each object in the bucket individually,
and is based on the object's Last Modified timestamp. In this scenario, you have two objects in the
bucket, ObjectA and ObjectB.

ObjectA was last modified 6 months ago and ObjectB was last modified 14 months ago.

You create a retention rule with a duration of 1 year.

This rule prevents the modification or deletion of ObjectA for the next 6 months.

The rule allows the modification or deletion of ObjectB because the retention rule duration (1 year) is
less than the time elapsed since the object's Last Modified timestamp (14 months).
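Worked example of the per-object retention arithmetic above, added here (not from the page or from the Object Storage service itself): each object's lock window is its own Last Modified timestamp plus the rule duration, so the same 1-year rule still protects ObjectA and no longer protects ObjectB. It generalizes slightly beyond the page to a bucket with several rules and to an indefinite rule; the dates are constructed and a year is approximated as 365 days.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class StoredObject:
    name: str
    last_modified: datetime  # the object's Last Modified timestamp (timezone-aware)


@dataclass(frozen=True)
class RetentionRule:
    name: str
    duration: Optional[timedelta]  # None models an indefinite (not time-bound) rule


def lock_end(obj: StoredObject, rule: RetentionRule) -> Optional[datetime]:
    """Moment the rule stops protecting this object: Last Modified + duration.
    None means the object is never released by this rule (indefinite rule)."""
    if rule.duration is None:
        return None
    return obj.last_modified + rule.duration


def is_locked(obj: StoredObject, rule: RetentionRule, now: datetime) -> bool:
    """True while the object is still inside the rule's window measured from Last Modified."""
    end = lock_end(obj, rule)
    return end is None or now < end


def evaluate(objects: Iterable[StoredObject], rules: List[RetentionRule],
             now: datetime) -> Dict[str, dict]:
    """Per-object verdict for a bucket with one or more retention rules. An object
    may be modified or deleted only when no rule still locks it."""
    report: Dict[str, dict] = {}
    for obj in objects:
        ends = [lock_end(obj, r) for r in rules if is_locked(obj, r, now)]
        locked = bool(ends)
        indefinite = any(e is None for e in ends)
        until = None if (indefinite or not locked) else max(ends)
        report[obj.name] = {
            "locked": locked,
            "indefinite": indefinite,
            "locked_until": until,
            "days_remaining": 0 if until is None else (until - now).days,
        }
    return report


def question_scenario(indefinite_hold: bool = False) -> Dict[str, dict]:
    """The page's scenario with constructed dates: evaluated on 2024-01-01, ObjectA
    was modified 6 months earlier and ObjectB 14 months earlier; the rule is 1 year.
    indefinite_hold adds a second, indefinite rule to the same bucket (beyond the page)."""
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    objects = [
        StoredObject("ObjectA", datetime(2023, 7, 1, tzinfo=timezone.utc)),
        StoredObject("ObjectB", datetime(2022, 11, 1, tzinfo=timezone.utc)),
    ]
    rules = [RetentionRule("keep-1y", timedelta(days=365))]
    if indefinite_hold:
        rules.append(RetentionRule("legal-hold", None))
    return evaluate(objects, rules, now)


if __name__ == "__main__":
    for name, verdict in question_scenario().items():
        state = "locked" if verdict["locked"] else "modifiable/deletable"
        print(f"{name}: {state}, {verdict['days_remaining']} days remaining")
```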

Question 30:

The volume of transactions of your rental business is increasing. You anticipate a rise in workload during
the upcoming holiday sales event. You want to ensure that the business is not impacted during the
event due to an overloaded database system. Based on your database administrator's suggestion, you
intend to scale up your Virtual Machine DB System during the event period to address the resource
demand. Which of the following TWO statements are true about scaling the Virtual Machine DB System?

Explanation

Scale the CPU cores for a Bare Metal DB System: If a bare metal DB system requires more compute
node processing power, you can scale up (increase) the number of enabled CPU cores in the system
without impacting the availability of that system.

Scale up the storage for a Virtual Machine DB System: If a virtual machine DB system requires more
block storage, you can increase the storage at any time without impacting the system.

More Read: https://docs.oracle.com/en-us/iaas/dbcs/doc/scale-db-system.html

############################################################################
############################################################################

Question 1:

You are backing up your on-premises data to the Oracle Cloud Infrastructure (OCI) Object Storage
Service.

Your requirements are:

1. Backups need to be retained for at least full 31 days.

2. Data should be accessible immediately if and when needed after the backup.

Which OCI Object Storage tier is suitable for storing the backup to minimize cost?

Explanation

The Standard tier is the primary, default storage tier used for Object Storage service data. The Standard
storage tier is "hot" storage used for data that you need to access quickly, immediately, and frequently.
Data accessibility and performance justify a higher price to store data in the Standard tier. It does not
satisfy the "minimum cost" requirement mentioned in the question and hence is INCORRECT.

The Infrequent Access tier is "cool" storage used for data that you access infrequently, but that must be
available immediately when needed. Storage costs are lower than Standard. The Infrequent Access tier
has a minimum storage retention period and data retrieval fees. The minimum storage retention period
for the Infrequent Access tier is 31 days. This satisfies all requirements mentioned in the question and
hence this is the CORRECT ANSWER.

The Archive tier is the primary, default storage tier used for Archive Storage service data. The Archive
storage tier is "cold" storage used for data seldom or rarely accessed, but that must be retained and
preserved for long periods of time. Objects in the Archive tier must be restored before they are available
for access. It does not satisfy the "Data should be accessible immediately if and when needed after the
backup" requirement of the question and hence it is INCORRECT.

Auto-Tiering monitors data access patterns and helps you reduce storage costs by automatically moving
objects larger than 1 MiB out of the Standard tier into the more cost-effective Infrequent Access tier.
This is not exactly an Object Storage tier and hence this is also INCORRECT.

Question 2:

Which TWO predefined service names can you use when connecting to an Oracle Cloud Infrastructure
(OCI) Autonomous Data Warehouse?

Explanation

Question 3:

You just got a last minute request to create a set of instances in Oracle Cloud Infrastructure (OCI). The
configuration and installed software are identical for every instance, and you already have a running
instance in your OCI tenancy.

Which image option allows you to achieve this task with the least amount of effort?

Explanation

The keywords in the question are "configuration and installed software are identical for every instance",
"already have a running instance" and "least amount of effort".

Option: Use Oracle-provided images and customize the installation using a third-party tool: This option
can be eliminated as using third party tool does not satisfy the "least amount of work" requirement of
the question.

Option: Select an image from the OCI Marketplace: This option can be eliminated as it does not talk
about the configuration and software installation, that is desired as per the scenario in the question.

Option: Bring your own image and use it as a template for the new instances: This option does not
satisfy the "least amount of work" requirement. It also does not leverage the existing instance. Hence it
is incorrect. For more information on the BYOI process, refer to Bring Your Own Image (BYOI)
(oracle.com).

Option: Create a custom image and use it as a template for the new instances: Oracle Cloud
Infrastructure uses images to create compute instances. You basically specify which image to use when
you create an instance. You may also create a custom image of an instance’s boot disk and use that
image to create other instances. These instances include the customizations, configuration, and
software that was installed when you created the image. As you already have a running instance,
configure and install the software and then create a custom image and use it as a template for the new
instances. This is the correct answer.

Question 4:

A financial firm is designing an application architecture for its online trading platform that should have
high availability and fault tolerance.

Their solutions architects configured the application to use an Oracle Cloud Infrastructure (OCI) Object
Storage bucket located in the US West (us-phoenix-1) region to store large amounts of financial data.
The stored financial data in the bucket should not be impacted even if there is an outage in one of the
Availability Domains or a complete region.

What should the architect do to avoid any costly service disruptions and ensure data durability?

Explanation

Replication provides protection from regional outages, aids in disaster recovery efforts, and addresses
data redundancy compliance requirements. After the replication policy is created, the destination
bucket is read-only and updated only by replication from the source bucket. Objects uploaded to a
source bucket after policy creation are asynchronously replicated to the destination bucket. Hence
"Create a replication policy to send data to a different bucket in another OCI region." is the CORRECT
answer.

The option Create a lifecycle policy to regularly send data from the Standard to Archive storage is
INCORRECT as lifecycle policy rules instruct Object Storage to delete uncommitted multipart uploads,
move objects to a different storage tier, and delete supported resources on your behalf within a given
bucket.

The option Create a new Object Storage bucket in another region and configure lifecycle policy to move
data every 5 days is also INCORRECT as using lifecycle policy we cannot move data to another region.

The option Copy the Object Storage bucket to a block volume is irrelevant and not necessary as there is
a built-in replication policy in Object Storage that can be used. Moreover, the region information is not
specified for the Block Volume. If the Block Volume is in the same region, it does not address the
requirement. Hence this is also INCORRECT.

Question 5:

Which TWO are key benefits of setting up Site-to-Site VPN on Oracle Cloud Infrastructure (OCI)?

Explanation

Oracle Cloud Infrastructure supports only the tunnel mode for IPSec VPNs. Each Oracle IPSec connection
consists of multiple redundant IPSec tunnels.

So the option When setting up Site-to-Site VPN, OCI provisions redundant VPN tunnels is correct.

For a given tunnel, you can use either Border Gateway Protocol (BGP) dynamic routing or static routing
to route that tunnel's traffic.

Hence the option When setting up Site-to-Site VPN, customers can configure it to use static or dynamic
routing (BGP) is also correct.

Oracle Cloud Infrastructure FastConnect provides an easy way to create a dedicated, private connection
between your data center and Oracle Cloud Infrastructure. FastConnect provides higher-bandwidth
options, and a more reliable and consistent networking experience compared to internet-based
connections.

Hence the options When setting up Site-to-Site VPN, it creates a private connection that provides
consistent network experience and When setting up Site-to-Site VPN, customers can expect bandwidth
above 2 Gbps are INCORRECT.

Question 6:

Which TWO statements about the Oracle Cloud Infrastructure (OCI) File Storage Service are accurate?

Explanation

The File Storage service encrypts all file system and snapshot data at rest. By default all file systems are
encrypted using Oracle-managed encryption keys. You have the option to encrypt all of your file systems
using the keys that you own and manage using the Vault service. Hence the options File systems use
Oracle-managed keys by default and Customer can encrypt data in their file system using their own
Vault encryption key are CORRECT.

Now, let's try to understand why the other options are Incorrect.

Option: Customer can encrypt the communication to a mount target via export options: NFS export
options are a set of parameters within the export that specify the level of access granted to NFS clients
when they connect to a mount target. They control access, not encryption.

Option: Communication with file systems in a mount target is encrypted via HTTPS: In-transit encryption
provides a way to secure your data between instances and mounted file systems using TLS v1.2
(Transport Layer Security) encryption, not HTTPS.

Option: Mount targets use Oracle-managed keys by default: A mount target is an NFS endpoint that lives
in a VCN subnet of your choice and provides network access for file systems. It is the file systems, not the
mount targets, that are by default encrypted using Oracle-managed encryption keys.

Question 7:

Which statement is TRUE about delegating an existing domain to the Oracle Cloud Infrastructure (OCI)
DNS service?

Explanation

Delegating your domain with your domain's registrar makes your Oracle Cloud Infrastructure hosted
zone accessible through the internet.

Use the Type sort filter to locate the NS records for your zone.

Note the name servers in the RDATA field within each NS record.

You can use the noted name servers to change your domain's DNS delegation. Refer to your registrar's
documentation for instructions.

Hence Domains can be delegated to OCI DNS from the Domain Registrar’s self-service portal is the
CORRECT answer.

Question 8:

Which of the following statements is true about cloning a volume in the Oracle Cloud Infrastructure
(OCI) Block Volume service?

Explanation

You can only create a clone for a volume within the same region, availability domain and tenant. So the
option You can clone a volume to another region is incorrect.

Creating a clone is faster than creating a backup. Reference: see the comparison table of Backup vs Clone
in Cloning a Volume (oracle.com). Hence the option Creating a clone takes longer than creating a
backup of a volume is incorrect as well.

The option You need to detach a volume before cloning it is also Incorrect as per the below statement
from Oracle documentation:

"If the source volume is attached when a clone is created, you need to wait for the first clone operation
to complete from the source volume before creating additional clones. If the source volume is detached,
you can create up to ten clones from the same source volume simultaneously"

This means that irrespective of whether the volume is detached or attached, you can create clones.

The option You can change the block volume size when cloning a volume is CORRECT as you can clone
an existing volume to a new, larger volume. Since the clone is a copy of the source volume it will be the
same size as the source volume unless you specify a larger volume size when you create the clone.

Question 9:

When creating an Oracle Cloud Infrastructure (OCI) Virtual Cloud Network (VCN) with the VCN wizard,
which THREE gateways are created automatically?

Explanation

The wizard creates a virtual cloud network with the following elements:

• An Internet gateway, a NAT gateway, and a Service gateway for the VCN

• A regional public subnet with routing to the internet gateway. Instances in a public subnet may
optionally have public IP addresses.

• A regional private subnet with routing to the NAT gateway and service gateway (and therefore the
Oracle Services Network). Instances in a private subnet cannot have public IP addresses.

• Basic security list rules for the two subnets, including SSH access

It does not create a Local Peering Gateway, a Bastion Host, a Dynamic Routing Gateway or a Storage
Gateway.

Question 10:

Which is NOT a valid Oracle Cloud Infrastructure (OCI) Virtual Cloud Network (VCN) approach?

Explanation

We have to identify an INVALID Statement.

Private subnets should ideally have individual route tables to control the flow of traffic within and
outside of VCN: When you have a public subnet and a private subnet in your VCN (for an example, see
Scenario C: Public and Private Subnets with a VPN), you'll need to use different route tables for the
subnets because the route rules for the subnets need to be different. Hence this is a VALID statement.

Use OCI tags to tag VCN resources so that all resources follow organizational tagging/naming
conventions: Oracle Cloud Infrastructure Tagging allows you to add metadata to resources, which
enables you to define keys and values and associate them with resources. You can use the tags to
organize and list resources based on your business needs. Hence this is a VALID statement.

Ensure not all IP addresses are allocated at once within a VCN or subnet; instead reserve some IP
addresses for future use: This is one of the best practices to be adopted during the VCN
design/implementation phase. Hence this is a VALID statement.

Ensure VCN CIDR prefix overlaps with other VCNs in your tenancy or with your organization's private IP
network ranges: If you intend to connect a VCN to your on-premises network or another VCN, Oracle
recommends that you ensure that the IP address ranges don't overlap. This is NOT a valid approach and
hence it is the answer.

Question 11:

You are responsible for deploying an application on Oracle Cloud Infrastructure (OCI). The application is
memory intensive and performs poorly if enough memory is not available. You have created an instance
pool of Linux compute instances in OCI to host the application and defined Autoscaling Configuration for
the instance pool. What should you do to ensure that the instance pool autoscales to prevent poor
application performance?

Explanation

When you configure an Autoscaling policy, you have the option to select Memory Utilization as the
performance metric (as shown in the screenshot below):

The question mentions that the application is memory intensive and performs poorly if enough memory
is not available.

You can directly eliminate Install OCI SDK on all compute instances and create a script that triggers the
autoscaling event if there is high memory usage and Install the monitoring agent on all compute
instances, which triggers the autoscaling group as these options do not mention the use of an autoscaling
policy.

Now the remaining two options talk about the autoscaling policy, but the option "Configure the autoscaling
policy to monitor CPU usage and scale up the number of instances when it meets the threshold." can be
eliminated as the question describes a memory-intensive application which performs poorly if enough
memory is not available.

So the correct answer is Configure the autoscaling policy to monitor memory usage and scale up the
number of instances when it meets the threshold.

Question 12:

Your DevOps team needs to interconnect the on-premises network to the Oracle Cloud Infrastructure
(OCI) resources, such as a managed database that resides in a private subnet. They indicate that they
have a low budget and their bandwidth requirements are minimal, so you decide that a site-to-site VPN
is the best option. They provide you with their router public IP address. You need to create an object in
OCI that represents this router. Which object would you create?

Explanation

At your end of Site-to-Site VPN is the actual device in your on-premises network (whether hardware or
software). The term customer-premises equipment (CPE) is commonly used in some industries to refer
to this type of on-premises equipment. When setting up the VPN, you must create a virtual
representation of the device. Oracle calls the virtual representation a CPE, but this documentation
typically uses the term CPE object to help distinguish the virtual representation from the actual CPE
device. The CPE object contains basic information about your device that Oracle needs.

Question 13:

What should be created before provisioning an Oracle Cloud Infrastructure (OCI) DB System?

Question 14:

Which of the following is a valid RFC 1918 CIDR prefix that can be used for creating an Oracle Cloud
Infrastructure (OCI) Virtual Cloud Network (VCN)?

Explanation

A VCN is a virtual, private network that you set up in Oracle data centers.

The allowable VCN size range is /16 to /30 (for example, 10.0.0.0/16). This eliminates 10.0.0.0/8,
0.0.0.0/0, 172.16.0.0/12 and 189.215.154.89/32.

Now you are left with two options: 192.168.0.0/16 and 192.268.0.0/24.

192.268.0.0/24 is an INVALID CIDR block, as the maximum value of an octet is 255.

The Networking service reserves the first two IP addresses and the last one in each subnet's CIDR. For
your VCN, OCI recommends using one of the private IP address ranges specified in RFC 1918
(10.0.0.0/16, 172.16/16, or 192.168/16).

Hence, 192.168.0.0/16 is a valid RFC 1918 CIDR prefix.
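The elimination steps above, and the non-overlap best practice from Question 10, can be turned into a single check. The following Python validator is an added example (not part of the exam material or Oracle's tooling); it applies the RFC 1918 membership test, the /16 to /30 VCN size limit, the three reserved addresses per subnet, and an overlap check against CIDRs you already use (the candidate list in `main` is the one from the question).

```python
import ipaddress

# RFC 1918 private ranges and the VCN size limits quoted in the explanation above.
RFC1918_RANGES = [ipaddress.ip_network(r)
                  for r in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
VCN_MIN_PREFIX = 16       # largest allowed VCN (/16)
VCN_MAX_PREFIX = 30       # smallest allowed VCN (/30)
RESERVED_PER_SUBNET = 3   # first two addresses and the last one of every subnet CIDR


def check_vcn_cidr(cidr, existing_ranges=()):
    """Validate a candidate VCN CIDR the way the exam explanation does.

    Returns a dict with 'valid' and a list of human-readable 'problems'.
    existing_ranges: CIDRs of other VCNs or on-premises networks this VCN may be
    connected to; any overlap is reported (the Question 10 best practice).
    """
    problems = []
    try:
        # strict=True rejects host bits set below the prefix (e.g. 10.0.1.5/16)
        net = ipaddress.ip_network(cidr, strict=True)
    except ValueError as exc:
        # covers syntactically impossible blocks such as 192.268.0.0/24
        return {"cidr": cidr, "valid": False,
                "problems": [f"not a valid CIDR block: {exc}"], "usable_hosts": 0}

    if net.version != 4:
        return {"cidr": cidr, "valid": False,
                "problems": ["RFC 1918 applies to IPv4 only"], "usable_hosts": 0}

    if not any(net.subnet_of(r) for r in RFC1918_RANGES):
        problems.append("not inside an RFC 1918 private range")

    if not VCN_MIN_PREFIX <= net.prefixlen <= VCN_MAX_PREFIX:
        problems.append(f"prefix /{net.prefixlen} is outside the allowed /16 to /30 VCN range")

    for other in existing_ranges:
        if net.overlaps(ipaddress.ip_network(other, strict=False)):
            problems.append(f"overlaps with existing range {other}")

    return {
        "cidr": cidr,
        "valid": not problems,
        "problems": problems,
        # addresses you could actually assign if the whole VCN were one subnet
        "usable_hosts": max(net.num_addresses - RESERVED_PER_SUBNET, 0),
    }


if __name__ == "__main__":
    # The six answer options from the question above.
    for candidate in ("10.0.0.0/8", "0.0.0.0/0", "172.16.0.0/12",
                      "189.215.154.89/32", "192.168.0.0/16", "192.268.0.0/24"):
        result = check_vcn_cidr(candidate)
        verdict = "VALID" if result["valid"] else "INVALID: " + "; ".join(result["problems"])
        print(f"{candidate:20} {verdict}")
```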

Question 15:

You have multiple applications running on a compute instance that generate a large amount of log files.
You are required to retain these log files for a total of 60 days; at least 15 days on the boot
volume, and an additional 45 days in any location.

Which is the most cost-effective way to meet the 15-day boot volume retention requirement and the
60-day total retention requirement?

Explanation

The question mentions "most cost-effective way". Whenever you see this keyword you should immediately
think of the Object Storage service.

Option: Attach a block volume and use a script that moves log files older than 15 days to the new
volume and deletes them completely after 60 days. - It is incorrect as the Block Volume service costs
more than Object Storage.

Option: Do not delete any logs but resize the boot volume of the instance every time additional space is
needed.- You can reject this option right away as using this option would increase the cost. You want
the log files to be retained for 60 days and this option doesn't talk about that. It is incorrect.

Option: Terminate the instance while preserving the boot volume. Create a new instance from the boot
volume and select a DenseIO shape to take advantage of the local NVMe storage. - Not at all a
cost-effective option. This option too doesn't talk about the requirements mentioned in the question.

Option: Create an Object Storage bucket and use a script that runs daily to move log files older than 15
days from the boot volume to the bucket. Create a lifecycle rule for the bucket to delete any logs over
60 days old. - This is the only option which uses the Object Storage service. You can leverage lifecycle
policy rules to delete the logs after 60 days. Object Storage is the most cost-effective of all the
storage options in OCI: Object, Block and File Storage.

Question 16:

You are in the process of migrating several legacy applications from on-premises to Oracle Cloud
Infrastructure (OCI). The current servers are already virtualized. However, you notice that the version of
CentOS currently running does not align with any of the Oracle-provided compute images.

How would you migrate your existing virtual server images to OCI?

Explanation

You simply export virtual machines from your existing virtualization environment and import directly to
OCI as a custom image. At launch, you can import images in either QCOW2 or VMDK formats.

Custom images must meet the following requirements: the disk image must be a VMDK or QCOW2 file.

This eliminates the options proposing the VDI or QED format.

The new image import experience for emulation mode VMs supports a number of new and older
operating systems including:

• RHEL: 4.5, 5.11, 6.9, 7.4

• CentOS: 4.0, 4.8, 5.11, 6.9, 7.x

• Oracle Linux: 4.5, 4.8, 5.11, 6.9, 7.4

• Ubuntu: 12.04, 14.04, 16.04

Hence, Export your current image in the QCOW2 format and copy to an Object Storage bucket. Import it
as a custom image. Select emulated mode to ensure compatibility with legacy drivers is the CORRECT
ANSWER.

Question 17:

You want to create a policy to allow the NetworkAdmins group to manage Virtual Cloud Network (VCN)
in compartment C. You want to attach this policy to the tenancy. The compartment hierarchy is shown
below.

Which policy statement can be used to accomplish this task?

Explanation

The keyword in the question is "attach this policy to the tenancy". For that you would have to write the
policy statement that specifies the path from CompartmentA to CompartmentC:

Allow group NetworkAdmins to manage virtual-network-family in compartment A:B:C

If you attach the policy to the compartment or its parent, you can simply specify the compartment
name. If you attach the policy further up the hierarchy, you must specify the path. The format of the
path is each compartment name (or OCID) in the path, separated by a colon:

<compartment_level_1>:<compartment_level_2>:...:<compartment_level_n>

Question 18:

You have three compartments: ProjectA, ProjectB, and ProjectC. For each compartment, there is an
admin group set up: A-Admins, B-Admins, and C-Admins. Each admin group has full access over their
respective compartments as shown in the graphic below. Your organization has set up a tag namespace,
EmployeeGroup.Role and all your admin groups are tagged with a value of 'Admin'.You want to set up
a Test compartment for members of the three projects to share. You also need to provide admin access
to all three of your existing admin groups.Which policy would you write to accomplish this task?

Explanation

To arrive at the correct answer use the process of elimination:

Allow <subject> to <verb> <resource-type> in <location> where <conditions>

Subject: group <group_name> | group id <group_ocid> | dynamic-group <dynamic-group_name> |
dynamic-group id <dynamic-group_ocid> | any-user

This eliminates Allow all-group to manage all-resources in compartment Test where
request.principal.group.tag.EmployeeGroup.Role='Admin' and Allow group any-group to manage
all-resources in compartment Test where request.principal.group.tag.EmployeeGroup.Role='Admin'

We can easily eliminate Allow dynamic-group to manage all-resources in compartment Test where
request.principal.group.tag.EmployeeGroup.Role='Admin' as here you are allowing dynamic groups.
Dynamic groups allow you to group Oracle Cloud Infrastructure compute instances as "principal" actors
(similar to user groups). For example, a rule could specify that all instances in a particular compartment
are members of the dynamic group.

So the correct answer is Allow any-user to manage all-resources in compartment Test where
request.principal.group.tag.EmployeeGroup.Role='Admin'

Question 19:

Which TWO statements are TRUE about Public IP addresses in Oracle Cloud Infrastructure (OCI)?

Explanation

Oracle Cloud Infrastructure allows you to Bring Your Own IP (BYOIP) address space to use with resources
in Oracle Cloud Infrastructure, in addition to using Oracle-owned addresses. See Bring Your Own IP
(oracle.com). Hence the option You must use OCI provided public IP addresses. You cannot bring your own
IP addresses to OCI is NOT TRUE. There are two types of public IPs:

Ephemeral: Think of it as temporary and existing for the lifetime of the instance.

Reserved: Think of it as persistent and existing beyond the lifetime of the instance it's assigned to. You
can unassign it and then reassign it to another instance whenever you like. Exception: reserved public
IPs on public load balancers.

Therefore the option Public IP addresses can be ephemeral or reserved is TRUE.

You can assign a public IP address to an instance to enable communication with the internet. The
instance is assigned a public IP address from the Oracle Cloud Infrastructure address pool. The
assignment is actually to a private IP object on the instance. The VNIC that the private IP is assigned to
must be in a public subnet. A given instance can have multiple secondary VNICs, and a given VNIC can
have multiple secondary private IPs. So you can assign a given instance multiple public IPs across one or
more VNICs if you like. Hence option You can assign a given instance multiple public IPs across one or
more VNICs is TRUE.

Option: By default, an instance in a public subnet has one primary public IP address: As discussed earlier
the instance is assigned a public IP address from the Oracle Cloud Infrastructure address pool. The
assignment is actually to a private IP object on the instance. Therefore the option is NOT TRUE.

Question 20:

Your IT team has asked you to provision an Autonomous Database in Oracle Cloud Infrastructure (OCI),
but they want it to operate similar to what you have currently on-premises. What are the TWO
prerequisites for successfully deploying an Autonomous Dedicated Database in OCI?

Explanation

Dedicated Autonomous Database services offer two deployment possibilities for operational control and
isolation:

Oracle Cloud Infrastructure: A private dedicated database within a public cloud that completely isolates
your data and operations. Dedicated Autonomous Databases on Oracle Cloud get dedicated system
resources such as processor, memory, network, or storage to offer greater control over operational
policies and customizations.

Exadata Cloud@Customer Infrastructure: An Autonomous Database in your data center to meet
regulatory, data sovereignty, or network latency requirements for workloads that cannot move to the
public cloud. This deployment option enables IT to easily deliver self-service databases to business users
and developers while ensuring the security and governance of all data.

The Oracle Autonomous Database dedicated Exadata infrastructure feature is based upon these kinds of
Oracle Cloud resources:

An Exadata Infrastructure resource represents the Exadata Database Machine system in your data
center, together with the networking configuration that connects it to Oracle Cloud.

An Autonomous Exadata VM Cluster resource provides the link between the Exadata Infrastructure
resource and the Autonomous Container Database resources in your deployment. It is a set of
symmetrical VMs (virtual machines) across all compute nodes of the underlying Exadata Infrastructure
resource.

An Autonomous Container Database resource provides a container for your Autonomous Databases. You
can create multiple Autonomous Container Database resources in a single Autonomous Exadata VM
Cluster resource, but you must create at least one before you can create any Autonomous Databases.

Question 21:

As a network architect you have been tasked with creating a fully redundant connection from your
on-premises data center to your Virtual Cloud Network (VCN) in the us-ashburn-1 region.

Which TWO options will accomplish this requirement?

Explanation

The question has a keyword: "fully redundant connection". We can eliminate the answer Configure a
Site-to-Site VPN from a single on-premises CPE as this option is using a single on-premises Customer
Premises Equipment (CPE). It's not a fully redundant solution.

Option: Configure one FastConnect virtual circuit to the us-ashburn-1 region and the second
FastConnect virtual circuit to the us-phoenix-1 region: The question clearly specifies that the VCN is in
the us-ashburn-1 region. This answer is proposing a second FastConnect virtual circuit to the
us-phoenix-1 region. Hence this is also INCORRECT.

By the process of elimination, we have eliminated two incorrect answers.

So we are left with the remaining two options which are Correct but let's look at why they are correct.

Option: Configure one FastConnect virtual circuit to the us-ashburn-1 region and a Site-to-Site VPN to
the us-ashburn-1 region : Oracle recommends using Site-to-Site VPN as a backup for your FastConnect
connection. If you do, ensure that the Site-to-Site VPN IPSec tunnels are configured to use BGP routing
with a route-based VPN. Additional Information: Within your existing on-premises network, manipulate
the routing to prefer routes learned through FastConnect over routes learned through Site-to-Site VPN.
For example, use AS_Path Prepend to influence egress traffic from Oracle, and use local preference to
influence egress traffic from your network.

Option: Configure two FastConnect virtual circuits to the us-ashburn-1 region and terminate them in
diverse hardware on-premises :

For redundancy, Oracle provides multiple providers for each region and Two FastConnect locations for
US East (Ashburn). You should handle redundancy of the physical connection between your existing
network and Oracle.

Question 22:

As a network architect you have deployed a public subnet on your Virtual Cloud Network (VCN) with this
security list: You have also created a network security group (NSG) as shown in the table here, and
assigned it to your bastion host: You have confirmed that routing is correct but when you SSH to the VM
from your home over the Internet you are unable to connect. What could be the problem?

Explanation

If you look at the security list rules, port 22 (SSH) is not in the Destination Port list. Hence SSH
traffic is not allowed from the internet.

If you look at the NSG, port 22 (SSH) does appear in the Destination Port list but the source is not
0.0.0.0/0 (Internet); check the source CIDR range.

Hence SSH traffic is not allowed in the security list nor on the NSG from the Internet is the CORRECT
answer.
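The same reasoning can be automated. The Python evaluator below is an added example, not part of the exam or of OCI; the security list and NSG tables are constructed to mirror the scenario (the question's screenshots are not reproduced on the page), protocols are written as names rather than OCI's numeric codes, and `HOME_IP` is a documentation-range address standing in for the administrator's home connection. It applies OCI's union semantics (a VNIC's effective ingress rules are the subnet's security lists plus its NSGs) and shows that the fix is an SSH rule whose source actually covers the administrator's address, scoped to that address rather than to 0.0.0.0/0.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class IngressRule:
    """One ingress security rule, simplified from the OCI console columns."""
    protocol: str                   # "tcp", "udp", "icmp" or "all"
    source: str                     # source CIDR
    port_min: Optional[int] = None  # None = every destination port
    port_max: Optional[int] = None


def rule_matches(rule, src_ip, protocol, dst_port):
    """True if this single rule permits the given inbound connection."""
    if rule.protocol not in ("all", protocol):
        return False
    if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(rule.source, strict=False):
        return False
    if rule.port_min is None:       # rule covers every destination port
        return True
    return rule.port_min <= dst_port <= rule.port_max


def ingress_allowed(security_list_rules, nsg_rules, src_ip, protocol, dst_port):
    """Evaluate the VNIC's effective ingress rules.

    OCI applies the union of the subnet's security lists and the VNIC's NSGs:
    the connection is allowed if any rule in either set matches. Returns
    (allowed, where, rule) so the caller can see which rule opened the port.
    """
    for where, rules in (("security list", security_list_rules), ("NSG", nsg_rules)):
        for rule in rules:
            if rule_matches(rule, src_ip, protocol, dst_port):
                return True, where, rule
    return False, None, None


# Constructed sample tables modelled on the scenario above.
SECURITY_LIST = [
    IngressRule("tcp", "0.0.0.0/0", 80, 80),     # HTTP from the internet
    IngressRule("tcp", "0.0.0.0/0", 443, 443),   # HTTPS from the internet
    IngressRule("icmp", "0.0.0.0/0"),            # ICMP, e.g. path MTU discovery
]
BASTION_NSG = [
    IngressRule("tcp", "10.0.0.0/16", 22, 22),   # SSH, but only from inside the VCN
]
HOME_IP = "203.0.113.10"   # constructed "home" address (TEST-NET-3 documentation range)

# The fix: an SSH rule whose source covers the administrator's address.
BASTION_NSG_FIXED = BASTION_NSG + [IngressRule("tcp", HOME_IP + "/32", 22, 22)]


if __name__ == "__main__":
    for nsg, label in ((BASTION_NSG, "as deployed"), (BASTION_NSG_FIXED, "after the fix")):
        allowed, where, _ = ingress_allowed(SECURITY_LIST, nsg, HOME_IP, "tcp", 22)
        print(f"SSH from {HOME_IP} {label}: {'allowed via ' + where if allowed else 'blocked'}")
```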

Question 23:

Which TWO statements are TRUE about Private IP addresses in Oracle Cloud Infrastructure (OCI)?

Explanation

A VNIC enables an instance to connect to a VCN and determines how the instance connects with
endpoints inside and outside the VCN. Each VNIC resides in a subnet in a VCN and includes these items
(list not exhaustive, just for explanation of this question). For more details refer to Virtual Network
Interface Cards (VNICs) (oracle.com).

• One primary private IPv4 address from the subnet the VNIC is in, chosen by either you or Oracle.

• Up to 31 optional secondary private IPv4 addresses from the same subnet the VNIC is in, chosen by
either you or Oracle.

• An optional public IPv4 address for each private IP, chosen by Oracle but assigned by you at your
discretion.

The first two points make it clear that the option "By default, the primary VNIC of an instance in a subnet
has one primary private IP address" is CORRECT. It also implies the option "By default, the primary VNIC
of an instance in a subnet has one primary private IP address and one secondary private IP address" is
INCORRECT (as the secondary private IP address is optional). The third point suggests that the option "A
private IP can have an optional public IP assigned to it if it resides in a public subnet." is CORRECT. The
option "Each VNIC can only have one private IP address" is also INCORRECT as each VNIC can have more
than one private IP address (one primary and up to 31 secondary).

Question 24:

Your company sells services to photographers where patrons can preview the photos that they want
prints of. To avoid unauthorized copies, the sample photos have lower resolution and are
watermarked. The photos are processed after they are uploaded. The process is fast but not immediate.
It creates samples and sends them to storage outside of the instances. Which type of instance is ideal for
a process like this; short lived and one that keeps the cost low?

Explanation

In this question, you need to identify the keywords. The first keyword is "The process is fast but not
immediate". The second keyword is "short lived". The third keyword is "low cost".

Now coming to the options:

Option: Burstable instances - Burstable instances are designed for scenarios where an instance is
typically idle, or has low CPU utilization with occasional spikes in usage, which isn't the case here and
hence it is incorrect.

Option: Spot instances - There is nothing called Spot Instances in OCI. A Spot Instance is an unused EC2
instance in AWS that is available for less than the On-Demand price. Hence this option is incorrect.

Option: On-demand instances - This is a capacity type where you pay for only the compute capacity that
you use. With on-demand capacity, you pay for compute capacity by the second, and depending on the
shape, you pay only for the seconds that your instances are running. Capacity availability is not
guaranteed when launching large workloads. This again has nothing to do with the requirement of the
question (low cost, short lived and not immediate). Hence this option is also Incorrect.

Option: Preemptible instances - Preemptible instances are designed for short-term usage. The capacity
is reclaimed when it's needed elsewhere. The capacity is not guaranteed for a minimum amount of time,
so instances can be reclaimed at any time. If your workloads are fault-tolerant and can withstand
interruptions, then preemptible instances can reduce your costs. For example, you can use preemptible
instances to optimize costs for workloads that can tolerate interruptions, such as tests that can be
stopped and resumed later. It satisfies all the requirements mentioned in the question and hence it is
the CORRECT answer.

Question 25:

As your company’s cloud architect, you have been invited by the CEO to join his staff meeting. They
want your input on interconnecting Oracle Cloud Infrastructure (OCI) to another cloud provider in
London, with some specific requirements:

• They want resources in the other cloud provider to leverage OCI Autonomous Data Warehouse ML
capabilities.

• The connection between OCI and the other cloud provider should be provisioned as quickly as
possible.

• The connection should offer high bandwidth and predictable performance.

Which other cloud provider should you recommend to interconnect with OCI and meet the above
requirements?

Explanation

Oracle Interconnect for Microsoft Azure provides organizations with a simple migration path to a
multicloud environment that includes Oracle Database capabilities such as Oracle Exadata Database
Service, Autonomous Database, and MySQL HeatWave. Customers can innovate using the best of Oracle
Cloud Infrastructure (OCI) and Microsoft Azure with seamless interoperability. This low-latency, private
connection between two leading cloud providers brings flexible innovation while maximizing return on
investment. Interconnect pricing is port-based and there are no additional charges for bandwidth
consumed. Microsoft and Oracle have partnered to provide low latency, high throughput cross-cloud
connectivity allowing you to take advantage of the best of both clouds. Hence the answer is Microsoft
Azure.

Question 26:

Which is NOT a valid action within the Oracle Cloud Infrastructure (OCI) Block Volume service?

Explanation

The Oracle Cloud Infrastructure Block Volume service lets you expand the size of block volumes and
boot volumes. You have several options to increase the size of your volumes:

• Expand an existing volume in place with online resizing. See Online Resizing of Block Volumes Using
the Console for the steps to do this.

• Restore from a volume backup to a larger volume. See Restoring a Backup to a New Volume and
Restoring a Boot Volume.

• Clone an existing volume to a new, larger volume. See Cloning a Volume and Cloning a Boot Volume.

• Expand an existing volume in place with offline resizing. See Offline Resizing of Block Volumes Using
the Console for the steps to do this.

As you can see from the above discussion, there are 3 valid actions among the options: Cloning an
existing volume to a new, larger volume; Expanding an existing volume in place with offline resizing;
Restoring from a volume backup to a larger volume. So the only option remaining is Attaching a block
volume to an instance in a different availability domain. This is NOT a valid action as the Block Volume
must be in the same availability domain as the instance. Hence it is the correct answer.

Question 27:

Which Oracle Cloud Infrastructure (OCI) Identity and Access Management (IAM) policy is invalid?
Explanation

The overall syntax of a policy statement is as follows:

Allow <subject> to <verb> <resource-type> in <location> where <conditions>

The supported verbs are: inspect, read, use, manage.

If we look at the option "Allow group A-Developers to create volumes in compartment Project-A", it has
the verb create, which is NOT a valid verb. Hence it is invalid.
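A small checker for the statement grammar and verb set given above, written for this page as an added example (not Oracle's own tooling). The subject forms (group, dynamic-group, service, any-user) and location forms (tenancy, compartment <name>) it accepts are assumptions from general OCI policy usage; the page itself only shows the "group ... in compartment ..." case.

```python
import re

# The page lists exactly these as the supported verbs.
VALID_VERBS = {"inspect", "read", "use", "manage"}

# Statement shape from the page:
#   Allow <subject> to <verb> <resource-type> in <location> [where <conditions>]
# The subject and location sub-grammars below are assumptions from general
# OCI policy usage, not quoted from the page.
_STATEMENT = re.compile(
    r"^\s*allow\s+"
    r"(?P<subject>any-user|(?:group|dynamic-group|service)\s+\S+)\s+"
    r"to\s+(?P<verb>\S+)\s+"
    r"(?P<resource>\S+)\s+"
    r"in\s+(?P<location>tenancy|compartment\s+\S+)"
    r"(?:\s+where\s+(?P<conditions>\S.*?))?\s*$",
    re.IGNORECASE,
)


def validate_policy_statement(statement):
    """Return (ok, reason, parts).

    ok is False when the statement does not fit the Allow ... grammar above or
    when the verb is not one of inspect/read/use/manage. parts is a dict of the
    captured pieces (None when the grammar did not match at all).
    """
    match = _STATEMENT.match(statement)
    if match is None:
        return (False,
                "does not match 'Allow <subject> to <verb> <resource-type> in <location>'",
                None)
    parts = match.groupdict()
    verb = parts["verb"].lower()
    if verb not in VALID_VERBS:
        return (False,
                f"verb '{verb}' is not one of {sorted(VALID_VERBS)}",
                parts)
    return True, "ok", parts


def invalid_statements(statements):
    """Audit helper: return the statements that fail validation, with reasons."""
    failures = []
    for s in statements:
        ok, reason, _ = validate_policy_statement(s)
        if not ok:
            failures.append((s, reason))
    return failures


if __name__ == "__main__":
    # Constructed sample statements; the first is the invalid option from the question.
    sample = [
        "Allow group A-Developers to create volumes in compartment Project-A",
        "Allow group A-Developers to manage volumes in compartment Project-A",
        "Allow group A-Developers to read volumes in compartment Project-A "
        "where request.user.name = 'alice'",
        "Allow group A-Developers to read volumes",
    ]
    for stmt, why in invalid_statements(sample):
        print(f"INVALID: {stmt}\n  reason: {why}")
```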

Question 28:

As a solution architect, you are showcasing the Oracle Cloud Infrastructure (OCI) Object Storage feature
about Object Versioning to a customer. Which statement is true regarding OCI Object Storage
Versioning?

Explanation

Option: Object Versioning does not provide data protection against accidental or malicious object
update, overwrite, or deletion: Object versioning provides data protection against accidental or
malicious object update, overwrite, or deletion. For more info, see Using Object Versioning (oracle.com).
Hence this option is INCORRECT.

Option: Objects are physically deleted from a bucket when versioning is enabled: No object is physically
deleted from a bucket that has versioning enabled until you take explicit action to do so. Hence this
option is INCORRECT.

Option: Object Versioning is disabled on a bucket by default: Each Object Storage bucket has an object
versioning status of disabled, enabled, or suspended. By default, object versioning is disabled on a
bucket. Hence this option is CORRECT.

Option: A bucket that is versioning-enabled can and will always have the latest version of the object in
the bucket: A bucket that is versioning-enabled can have many versions of an object. There is always
one latest version of the object and zero or more previous versions. Hence this option is INCORRECT.

Question 29:

Which THREE capabilities are available with the Oracle Cloud Infrastructure (OCI) DNS service?

Explanation

The Oracle Cloud Infrastructure Domain Name System (DNS) service lets you create and manage your
DNS zones. You can create zones, add records to zones, and allow Oracle Cloud Infrastructure's edge
network to handle your domain's DNS queries. You can also list zones. Hence Creating and managing
zones, Creating and managing records and Viewing all zones are the capabilities of the DNS service and
therefore the CORRECT ANSWERS.

WAF is a security service that helps protect applications from malicious and unwanted internet traffic.
By combining threat intelligence with consistent rule enforcement on Oracle Flexible Load Balancer,
Oracle Cloud Infrastructure Web Application Firewall strengthens defenses and protects internet-facing
application servers and internal applications. It is a security service. Hence it is NOT the correct answer.

IAM Policy is a document that specifies who can access which Oracle Cloud Infrastructure resources that
your company has, and how. It has nothing to do with the DNS service. Hence it is NOT the correct
answer.

Security Lists act as virtual firewalls for your compute instances and other kinds of resources. A security
list consists of a set of ingress and egress security rules that apply to all the VNICs in any subnet that
the security list is associated with. Hence it is NOT the correct answer.

Question 30:

Which statement is NOT true about the Oracle Cloud Infrastructure (OCI) Object Storage service?
Explanation

Option: Object Versioning is enabled at the namespace level: Object versioning is enabled at the bucket
level and not at the namespace level. Hence this statement is NOT true and the correct answer to this
question.

Option: Object Storage resources can be shared across tenancies: You can write policies that let your
tenancy access Object Storage resources in other tenancies. For more details, see Accessing Object
Storage Resources Across Tenancies (oracle.com). Hence this statement is true.

Option: Immutable option for data stored in Object Storage can be set via retention rules: Retention rules
provide immutable, WORM-compliant storage options for data written to Object Storage and Archive
Storage for data governance, regulatory compliance, and legal hold requirements. Hence this statement
is true.

Option: Object lifecycle rules can be used to either archive or delete objects: You can define rules that
automatically do things like the following:

- Move Standard tier objects with a .doc extension to either the Infrequent Access or Archive tier 60 days
after creation or last update.
- Move Standard tier objects to the Archive tier 30 days after creation or last update, and then
automatically delete those archived objects after 180 days.
- Move Standard tier objects to the Infrequent Access tier 90 days after creation or last update.
- Delete any previous object versions 120 days after the object version transitions from the latest
version to a previous version.
- Delete uncommitted or failed multipart uploads after 5 days.
- Delete all objects and object versions in a bucket in preparation for bucket deletion.

Hence this statement is also true.

#####################################################################################

Question 1:

You are a system administrator of your company and you are managing a complex environment
consisting of compute instances running Oracle Linux on Oracle Cloud Infrastructure (OCI). It's your task
to apply all the latest kernel security updates to all instances. Which OCI service will allow you to
complete this task?
Explanation

The Oracle Cloud Infrastructure OS Management service allows you to manage and monitor updates and
patches for the operating system environments on your Oracle Cloud instances, including instances
managed by the OS Management Oracle Autonomous Linux service. Hence it is the correct ANSWER.

OCI Registry makes it easy to store, share, and manage development artifacts like Docker images. Hence
it is INCORRECT.

Cloud Guard is a cloud native service that helps customers monitor, identify, achieve, and maintain a
strong security posture on Oracle Cloud. Use the service to examine your Oracle Cloud Infrastructure
resources for security weaknesses related to configuration, and your Oracle Cloud Infrastructure
operators and users for risky activities. Upon detection, Cloud Guard can suggest, assist, or take
corrective actions, based on your configuration. Hence it is INCORRECT.

The OCI Streaming service is a real-time, serverless, Apache Kafka-compatible event streaming platform
for developers and data scientists. Hence it is INCORRECT.

Security Zones enforce security posture on OCI cloud compartments and prevent actions that could
weaken a customer's security posture. Security Zone policies can be applied to various cloud
infrastructure types (network, compute, storage, database, etc.) to ensure cloud resources stay secure
and prevent security misconfigurations. Hence it is INCORRECT.

Question 2:

You want to distribute DNS traffic to different endpoints based on the location of the end user. Which
Traffic Management Steering Policy would you use?

Explanation

GEOLOCATION STEERING: Geolocation steering policies distribute DNS traffic to different endpoints
based on the location of the end user. Customers can define geographic regions composed of originating
continent, countries or states/provinces (North America) and define a separate endpoint or set of
endpoints for each region.

FAILOVER: Failover policies allow you to prioritize the order in which you want answers served in a
policy (for example, Primary and Secondary). Oracle Cloud Infrastructure Health Checks monitors and
on-demand probes are leveraged to determine the health of answers in the policy. If the Primary
Answer is determined to be unhealthy, DNS traffic will automatically be steered to the Secondary
Answer.

LOAD BALANCER: Load Balancer policies allow distribution of traffic across multiple endpoints.
Endpoints can be assigned equal weights to distribute traffic evenly across the endpoints or custom
weights may be assigned for ratio load balancing. Oracle Cloud Infrastructure Health Checks monitors
and on-demand probes are leveraged to determine the health of the endpoint. DNS traffic will be
automatically distributed to the other endpoints, if an endpoint is determined to be unhealthy.

IP PREFIX STEERING: IP Prefix steering policies enable customers to steer DNS traffic based on the IP
Prefix of the originating query.

Question 3:

When defining a query for metric data in Monitoring, which field provides the time window for
aggregating metric data points plotted on the metric chart?

Explanation

interval: The time window used to convert the set of raw data points.

dimension: A qualifier provided in a metric definition.

statistic: The aggregation function applied to the set of raw data points.

metric namespace: Indicator of the resource, service, or application that emits the metric.

Question 4:

Which is NOT a valid option for an Oracle Cloud Infrastructure (OCI) compute shape?
Explanation

A shape is a template that determines the number of OCPUs, amount of memory, and other resources
that are allocated to an instance. Oracle Cloud Infrastructure offers both bare metal and virtual machine
instances:

Bare metal: A bare metal compute instance gives you dedicated physical server access for highest
performance and strong isolation.

Virtual machine: A virtual machine (VM) is an independent computing environment that runs on top of
physical bare metal hardware. The virtualization makes it possible to run multiple VMs that are isolated
from each other. VMs are ideal for running applications that do not require the performance and
resources (CPU, memory, network bandwidth, storage) of an entire physical machine.

Hence the options Bare Metal & Virtual Machine are VALID and hence NOT the correct answers.

Now, let's consider Dedicated Virtual Machine Host. Dedicated virtual machine hosts let you run Oracle
Cloud Infrastructure Compute virtual machine (VM) instances on dedicated servers that are a single
tenant and not shared with other customers. Use dedicated virtual machine hosts to meet compliance
and regulatory requirements for isolation that prevent you from using shared infrastructure. You can
also use dedicated virtual machine hosts to meet node-based or host-based licensing requirements that
require you to license an entire server. Hence Dedicated virtual machine host is also a valid Compute
Shape and hence NOT the correct answer.

We are left with Exadata Virtual Machine. Oracle Exadata is a pre-configured combination of hardware
and software that provides an infrastructure for running Oracle Database. It consists of a database layer
and a storage layer connected through an InfiniBand network. It is NOT a valid Compute shape and
hence the CORRECT answer.

Question 5:

Which statement accurately describes the key features and benefits of OCI Confidential Computing?
Explanation

Confidential computing encrypts and isolates in-use data and the applications processing that data.
Confidential instances are compute virtual machines (VMs) or bare metal instances where both the data
and the application processing the data are encrypted and isolated while the application processes the
data, preventing unauthorized access or modification of either the data or the application. Confidential
computing improves isolation using real-time encryption. Data and applications are encrypted using a
per-VM encryption key that is generated during VM creation and resides solely in the AMD Secure
Processor, which is part of the CPU. This key is not accessible from any application, the VM or instance,
the hypervisor, or Oracle Cloud Infrastructure. Hence "It encrypts and isolates in-use data and the
applications processing that data, thereby preventing unauthorized access or modification." is the
CORRECT answer.

Question 6:

You want a full-featured Identity-as-a-Service (IDaaS) solution that helps you manage workforce
authentication and access to all of your Oracle and non-Oracle applications, whether they are SaaS apps,
on-premises enterprise apps, or apps that are hosted in the cloud. Which IAM Identity Domain type
should you create?

Explanation

Premium identity domains provide the full IAM feature set for employee and workforce use-cases giving
you enterprise-ready access management across hybrid IT environments. It gives you support for all
apps and services, and for unlimited third-party applications. If you are standardizing on Oracle as your
enterprise identity and access manager provider, this is the identity domain type you want. Use Case:
You want a full-featured Identity-as-a-Service (IDaaS) solution that helps you manage workforce
authentication and access to all of your Oracle and non-Oracle applications whether they’re SaaS apps,
on-premises enterprise apps, or apps that are hosted in the cloud.

Question 7:

You have objects stored in an OCI Object Storage bucket that you want to share with a partner
company. You decide to use pre-authenticated requests to grant access to the objects. Which statement
is true about pre-authenticated requests?

Explanation

Pre-authenticated requests provide a way to let users access a bucket or an object without having their
own credentials. You can't edit a pre-authenticated request. If you want to change user access options
or enable object listing in response to changing requirements, you must create a new pre-authenticated
request. Pre-authenticated requests cannot be used to delete buckets or objects.

Question 8:

Company XYZ is spending $300,000.00 USD per month in egress fees for 7 Petabytes that they consume
for Outbound Data Transfer in North America with their current cloud provider. The company is seeking
to lower that expense considerably without reducing consumption. You propose migration to OCI
because the Gigabyte Outbound Data Transfer in North America costs just $0.0085 USD per month. With
OCI, how much will they spend per month for 7 Petabytes of Outbound Data Transfer? (1 Petabyte =
1000 Terabytes)

Explanation
Outbound data transfer (originating in North America): the first 10 TB/month is FREE.

So, 7 Petabytes = 7 * 1000 TB = 7000 TB

As the first 10 TB is free, the revised number is 7000 - 10 = 6990 TB = (6990 * 1000) GB = 6990000 GB.
As per the question, the per GB charge is $0.0085 USD.

So, total spend per month = 6990000 * 0.0085 = $59,415

Question 9:

You created a virtual cloud network (VCN) with three private subnets. Two of the subnets contain
application servers and the third subnet contains a DB System. The application requires a shared file
system, therefore you have provisioned one using the file storage service (FSS). You have also created
the corresponding mount target in one of the application subnets. The VCN security lists are properly
configured so that the application servers can access FSS. The security team changed the settings for the
DB System to have read-only access to the file system. However, when they test it, they are unable to
access FSS. How would you allow access to FSS?

Explanation

It is a clear case of missing security rules. Hence you can eliminate the below choices:

"Create an instance principal for the DB System. Write an Identity and Access Management (IAM) policy
that allows the instance principal read-only access to the file storage service." &

"Create an NFS export option that allows READ_ONLY access where the source is the CIDR range of the
DB System subnet." (This has already been taken care of; the question states that "The security team
changed the settings for the DB System to have read-only access to the file system.")

Now we are left with the below two choices. They sound very similar; the only difference is that one
option specifies stateless rules whereas the other specifies stateful rules.

- Modify the security list associated with the subnet where the mount target resides. Change the ingress
rules corresponding to the DB System subnet to be stateless. --> INCORRECT
- Modify the security list associated with the subnet where the mount target resides. Change the ingress
rules corresponding to the DB System subnet to be stateful. --> CORRECT

Explanation: As shown in the reference (Configuring VCN Security Rules for File Storage (oracle.com)),
we need to configure stateful rules and not stateless.

Question 10:

Which TWO statements are TRUE about restoring a volume from a block volume backup in the Oracle
Cloud Infrastructure (OCI) Block Volume service?

Explanation

You can restore a block volume backup to a larger volume size. You can only increase the size of the
volume, you cannot decrease the size. Hence the option "You can restore a block volume backup to a
larger volume size." is CORRECT.

You can restore a volume from any of your incremental or full volume backups. Both backup types
enable you to restore the full volume contents to the point-in-time snapshot of the volume when the
backup was taken. Hence the option "You can restore a volume from any full volume backup but not
from an incremental backup." is INCORRECT.

Backups are encrypted and stored in Oracle Cloud Infrastructure Object Storage, and can be restored as
new volumes to any availability domain within the same region they are stored. Hence the option "You
can restore a volume to any availability domain within the same region where the backup is stored." is
CORRECT and the option "You can only restore a volume to the same availability domain in which the
original block volume resides." is INCORRECT.

Manual backups do not expire; they are maintained until you delete them. You can restore multiple new
volumes from the backup later in the future. Hence the statement "You can restore only one volume
from a manual block volume backup." is INCORRECT.

Question 11:

You have a high-demand web application running on Oracle Cloud Infrastructure (OCI). Your tenancy
administrator has set up a schedule-based autoscaling policy on instance pool with an initial size of 5
instances for the application.

Policy 1:Target pool size: 10 instances. Execution time: 8:30 a.m. on every Monday through Friday, in
every month, in every year

Cron expression: 0 30 8 ? * MON-FRI *

Which statement accurately explains the goal of this policy?

Explanation

In this question, we should use the process of elimination to arrive at the correct answer. It is clearly
specified in the question that the execution time is 8:30 a.m. on every Monday through Friday, in every
month, in every year. Please pay special attention to the words every month and every year: they mean
it is NOT a one-time schedule but a recurring schedule. Hence the option "Goal: A one-time schedule
with only one scaling out event. At 8:30 a.m., on December 31, 2021, scale the instance pool to 10
instances from 5." can be eliminated.

Now please pay special attention to the words every Monday through Friday in the statement "Execution
time: 8:30 a.m. on every Monday through Friday, in every month, in every year" --> it does not mean
"all days of the week". Hence the option "Goal: A recurring weekly schedule. On all days of the week at
8.30 a.m., scale out the pool to 10 instances from the initial size of 5." can be eliminated.

On similar lines, the option "Goal: A recurring monthly schedule. On all days of the month, set the initial
pool size to 5 instances. At 8.30 a.m., on every day of the month, scale out to 10 instances." can be
eliminated, as the execution time is not intended to be on all the days of the month.

Now we are left with only one option: "Goal: A recurring daily schedule. On weekday mornings at 8.30
a.m., scale out to 10 instances." Let's understand why this is the CORRECT answer. This option mentions
weekday mornings, which satisfies the execution time in the policy (every Monday through Friday).

Question 12:

Which statement is true about File System Replication in Oracle Cloud Infrastructure (OCI)?
Explanation

Cross-region replication for File Storage provides protection from regional outages, aids in disaster
recovery efforts, and addresses data redundancy compliance requirements. You can replicate the data in
one file system to another file system in the same region or a different region.

REPLICATION INTERVAL: The frequency at which the replication operation is performed. You specify the
interval when you create the replication resource.

Only a file system that has never been exported can be used as a target file system.

Question 13:

You are using a custom application with third-party APIs to manage the application and data hosted in
an Oracle Cloud Infrastructure (OCI) tenancy. Although your third-party APIs do not support OCI’s
signature-based authentication, you want them to communicate with OCI resources. Which
authentication option should you use to ensure this?

Explanation

Auth tokens are Oracle-generated token strings that you can use to authenticate with third-party APIs
that do not support Oracle Cloud Infrastructure's signature-based authentication. Auth tokens do not
expire. Each user can have up to two auth tokens at a time.

Question 14:

You need to set up instance principals so that an application running on an instance can call Oracle
Cloud Infrastructure (OCI) public services, without the need to configure user credentials. A developer in
your team has already configured the application built using an OCI SDK to authenticate using the
instance principals provider. Which is NOT a necessary step to complete this set up?
Explanation

Using instance principal authentication, you can authorize an instance to make API calls on Oracle Cloud
Infrastructure services. After you set up the required resources and policies, an application running on
an instance can call Oracle Cloud Infrastructure public services, removing the need to configure user
credentials or a configuration file.

Process Overview: The following steps summarize the process flow for setting up and using instances as
principals:

Create a dynamic group. In the dynamic group definition, you provide the matching rules to specify
which instances you want to allow to make API calls against services.

Create a policy granting permissions to the dynamic group to access services in your tenancy (or
compartment).

A developer in your organization configures the application built using the Oracle Cloud Infrastructure
SDK to authenticate using the instance principals provider. The developer deploys the application and
the SDK to all the instances that belong to the dynamic group.

The deployed SDK makes calls to Oracle Cloud Infrastructure APIs as allowed by the policy (without
needing to configure API credentials).

Hence, the option "Generate Auth Tokens to enable instances in the dynamic group to authenticate with
APIs" is NOT a necessary step and hence the CORRECT answer.

Question 15:

In which two ways can Oracle Security Zones assist with the cloud security shared responsibility model?
Explanation

In general, security zone policies align with the following core security principles. Resources in a security
zone can’t be moved to a compartment outside of the security zone because it might be less secure. All
the required components for a resource in a security zone must also be located in the same security
zone. Resources that are not in a security zone might be vulnerable, and resources in a different security
zone might have a lower security posture. For example, an instance (Compute) in a security zone can't
use a boot volume that is not in the same security zone. Resources in a security zone must not be
accessible from the public internet. Resources in a security zone must be encrypted using
customer-managed keys. Resources in a security zone must be regularly and automatically backed up.
Data in a security zone is considered privileged and can't be copied outside of the security zone because
it might be less secure. Resources in a security zone must use only configurations and templates
approved by Oracle.

Question 16:

Which statement is TRUE about patching an Oracle Cloud Infrastructure (OCI) DB System?

Explanation

Run precheck: Check for any prerequisites to ensure that the update can be successfully applied. Apply:
Applies the selected update. Oracle recommends that you run the precheck operation for an update
before applying it. Refer: https://docs.oracle.com/en-us/iaas/dbcs/doc/patch-db-system.html

Question 17:

Which tool provides a diagram of the implemented topology of all Virtual Cloud Networks (VCNs) in a
selected region and tenancy?

Explanation

Your Oracle virtual network is composed of virtual cloud networks (VCNs), subnets, gateways, and other
resources. These entities are related and connected through routing that is often complex. These
resources can also have complex relationships with other Oracle Cloud Infrastructure (OCI) services. The
ability to have a concise picture of these entities and their relationships is essential for understanding
the design and operation of a virtual network. The Network Visualizer provides a diagram of the
implemented topology of all VCNs in a selected region and tenancy.

Question 18:

Which of the following statements is true about the Oracle Cloud Infrastructure (OCI) Object Storage
server-side encryption?

Explanation

The Oracle Cloud Infrastructure Object Storage service encrypts and decrypts all objects using 256-bit
Advanced Encryption Standard (AES-256) to encrypt object data on the server. Each object is encrypted
with its own data encryption key. Data encryption keys are always encrypted with a master encryption
key that is assigned to the bucket (Hence it is not optional). Encryption is enabled by default and cannot
be turned off. Using optional API headers, you can provide your own 256-bit AES encryption key that is
used to encrypt and decrypt objects uploaded to and downloaded from Object Storage. Hence, only the
statement "Encryption is enabled by default and cannot be turned off." is true.

Question 19:

You can attach resources to a Dynamic Routing Gateway (DRG). Select THREE of these resources.

Explanation

A DRG acts as a virtual router, providing a path for traffic between your on-premises networks and
VCNs, and can also be used to route traffic between VCNs. A DRG is a virtual router to which you can
attach the following resources:

VCNs

Remote Peering Connections

Site-to-Site VPN IPSec tunnels

Oracle Cloud Infrastructure FastConnect virtual circuits

Hence, Local Peering Connection, VNIC and Subnet are incorrect options and the remaining three
options (as discussed above) are the correct answers.

Question 20:

Which database option in Oracle Cloud Infrastructure (OCI) provides Oracle Active Data Guard?
Explanation

All single-node Oracle RAC DB systems support the following Oracle Database editions:

Standard Edition

Enterprise Edition

Enterprise Edition - High Performance

Enterprise Edition - Extreme Performance

Oracle Active Data Guard enables read-only access to a physical standby database for queries, sorting,
reporting, web-based access, etc., while continuously applying changes received from the production
database. Active Data Guard requires Enterprise Edition - Extreme Performance. Reference:
https://docs.oracle.com/en-us/iaas/dbcs/doc/use-oracle-data-guard-db-system.html

Question 21:

A recently hired network administrator has been given the task of removing SSH permissions from all
compute instances in the company’s tenancy. She finds all Virtual Cloud Networks (VCNs) in the tenancy
using Tenancy Explorer. She removes port 22 from the Security Lists in all VCNs. After she completes the
task, the very first compute instance that she tests SSH against, allows her to still SSH into it. Why is
that?
Explanation

The Networking service offers two virtual firewall features that both use security rules to control traffic
at the packet level. The two features are:

Security lists: The original virtual firewall feature from the Networking service.

Network security groups (NSGs): A subsequent feature designed for application components that have
different security postures. You can use security lists alone, network security groups alone, or both
together. It depends on your particular security needs.

If you choose to use both security lists and network security groups, the set of rules that applies to a
given VNIC is the union of these items:

• The security rules in the security lists associated with the VNIC's subnet

• The security rules in all NSGs that the VNIC is in

A packet in question is allowed if any rule in any of the relevant lists and groups allows the traffic. She
removed port 22 from the Security Lists in all VCNs. But she forgot to check the Network Security
Group (NSG). Hence "The VNIC of that compute instance is attached to a Network Security Group (NSG)
that has a stateful ingress rule for all protocols on source CIDR 0.0.0.0/0." is the correct answer.
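The union rule described above, modelled as an added example (not Oracle's code or API) so an auditor can see why removing port 22 from the security lists alone is not enough: the VNIC, rule and sample addresses are constructed, and only ingress rules are modelled.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class IngressRule:
    """One ingress security rule, as found in a security list or an NSG."""
    protocol: str                   # "all", "tcp", "udp" or "icmp"
    source: str                     # source CIDR
    port_min: Optional[int] = None  # destination port range; None = all ports
    port_max: Optional[int] = None
    stateful: bool = True

    def matches(self, proto: str, src_ip: str, dst_port: int) -> bool:
        if self.protocol != "all" and self.protocol != proto:
            return False
        if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(self.source):
            return False
        if self.port_min is None:
            return True
        return self.port_min <= dst_port <= self.port_max


@dataclass
class Vnic:
    """A VNIC with the security lists of its subnet and the NSGs it belongs to."""
    name: str
    security_lists: List[List[IngressRule]]
    nsgs: List[List[IngressRule]]


def effective_ingress_rules(vnic: Vnic) -> List[IngressRule]:
    """Union of the subnet's security-list rules and the rules of every NSG the VNIC is in."""
    rules: List[IngressRule] = []
    for security_list in vnic.security_lists:
        rules.extend(security_list)
    for nsg in vnic.nsgs:
        rules.extend(nsg)
    return rules


def ingress_allowed(vnic: Vnic, proto: str, src_ip: str, dst_port: int) -> Optional[IngressRule]:
    """Return the first rule that allows the packet, or None if nothing does."""
    for rule in effective_ingress_rules(vnic):
        if rule.matches(proto, src_ip, dst_port):
            return rule
    return None


def ssh_exposed_vnics(vnics: List[Vnic], src_ip: str = "198.51.100.7") -> List[str]:
    """Audit helper: names of VNICs that still accept TCP/22 from src_ip.

    The default is a documentation-range address standing in for an arbitrary
    internet source; any address outside the VCN works the same way.
    """
    return [v.name for v in vnics if ingress_allowed(v, "tcp", src_ip, 22) is not None]


# Constructed sample: the subnet security list after the administrator removed the port 22 rule.
SUBNET_SECURITY_LIST = [
    IngressRule("tcp", "0.0.0.0/0", 443, 443),
    IngressRule("icmp", "10.0.0.0/16"),
]
# An NSG carrying the rule from the question: stateful ingress, all protocols, source 0.0.0.0/0.
OPEN_NSG = [IngressRule("all", "0.0.0.0/0")]

SAMPLE_VNICS = [
    Vnic("web-1", security_lists=[SUBNET_SECURITY_LIST], nsgs=[]),
    Vnic("web-2", security_lists=[SUBNET_SECURITY_LIST], nsgs=[OPEN_NSG]),
]

if __name__ == "__main__":
    for v in SAMPLE_VNICS:
        rule = ingress_allowed(v, "tcp", "198.51.100.7", 22)
        print(f"{v.name}: SSH {'ALLOWED by ' + str(rule) if rule else 'blocked'}")
    print("still exposed:", ssh_exposed_vnics(SAMPLE_VNICS))
```

Running it lists web-2 as still exposed: the security list no longer allows port 22, but the NSG's all-protocol rule does, and the union takes the most permissive answer.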
