Quiz Module 9 Advanced Networking

The document describes a scenario where an Oracle Solutions Architect is tasked with migrating services to Oracle Cloud Infrastructure. They designed a VCN with public and private subnets, and created a NAT instance in the public subnet to provide internet access to private subnet instances. However, even after configuring security lists and routes, the private subnet instances still cannot connect to the internet. The correct action to enable internet connectivity is to disable source/destination check on the network interface of the NAT instance.

Uploaded by Anuu
Question 1 of 14
1. Question
You are the Solutions Architect of a large company and are tasked with migrating all your services to Oracle Cloud Infrastructure. As part of this, you first design a Virtual Cloud Network (VCN) with a public subnet and a private subnet. Then, in order to provide Internet connectivity to the instances in your private subnet, you create an Oracle Linux instance in your public subnet and configure NAT on it. However, even after adding all related security list rules and routes in the Route Table, your private subnet instances still cannot connect to the Internet.

Which action should you perform to enable Internet connectivity?

1. There is no way that a private subnet can connect to the Internet.
2. Create a Dynamic Routing Gateway (DRG) and route your private IP traffic to the DRG.
3. Restart the NAT Instance.
4. Disable "Source and Destination Check" on the VNIC of your Linux instance.

Correct
Answer: 4

Explanation: 1 is wrong, as a private subnet can connect to the Internet using a NAT instance in a public subnet.

2 is wrong, as a DRG is used to connect to on-premises networks or other VCNs; an Internet Gateway (IGW) is used to connect to the Internet.

3 is wrong, as restarting the NAT instance will not have any impact.

4 is the correct answer because, by default, every VNIC performs a source/destination check on the header of each network packet. If the VNIC is not the source or destination, the packet is dropped.
Question 2 of 14
2. Question
Which two are required to create an IPSec VPN connection?

1. Security List
2. Static Route CIDR
3. Name
4. Compute instance

Correct
Answer: 2, 3

Explanation:
https://docs.cloud.oracle.com/iaas/Content/Network/Tasks/settingupIPsec.htm#example_poc
Question 3 of 14
3. Question
For a compute instance that is launched in a private subnet in a Virtual Cloud Network (VCN), which action needs to be performed to connect to the Internet, assuming that the required security list is properly set up?

1. Assign a Public IP address to the compute instance.
2. Create and configure Network Address Translation (NAT) in a public subnet and route all traffic to it.
3. There is no way for an instance in a private subnet to connect to the Internet.
4. Create a default route entry in the route table to forward all traffic to the Internet gateway.

Incorrect
Sorry, Incorrect Answer

Explanation: An instance in a private subnet can connect to the Internet by creating a NAT instance in a public subnet and routing all traffic to it.
Question 4 of 14
4. Question
Which two use Oracle dynamic routing gateway (DRG) for connectivity?

1. Remote virtual cloud network (VCN) peering across regions
2. Oracle IPsec VPN
3. Local VCN peering
4. Oracle Cloud Infrastructure FastConnect public peering

Correct
Ans. 1, 2

Local VCN peering doesn't need a DRG. Remote peering (RPC) is via a DRG only, so option 1 is correct, and IPSec VPN is also via a DRG.

FastConnect public peering is over the Internet but on a private channel and doesn't require a DRG.

Reference: https://docs.cloud.oracle.com/iaas/Content/Network/Tasks/managingDRGs.htm
Question 5 of 14
5. Question
You have an external-facing web server running in the Oracle Cloud Infrastructure (OCI) London region. You are notified that customers in North America and Australia are facing high latency while connecting to your web server.

Which services are available on OCI that can help you get current latency statistics to your web server from these markets?

1. Use the DNS Zone Management service to check latency over that connection.
2. Set up an IPsec VPN with customers in those markets and check latency over that connection.
3. Use the Internet Intelligence tool. Run tests using the web server's public IP address and review traceroute details from different vantage points.
4. Set up a FastConnect with customers in those markets and check latency over that connection.

Correct
Ans. 3

Internet Intelligence gives latency stats.
Question 6 of 14
6. Question
You are designing a high-bandwidth, redundant connection between your data center and Oracle Cloud Infrastructure (OCI). While researching OCI FastConnect locations, you notice that you are co-located with Oracle at one of the Oracle FastConnect locations in the Ashburn region. What is the recommended design in this scenario?

1. Create a cross-connect group and have two or more cross-connects in that group. Create an IPsec VPN connection on this group.
2. Set up two IPsec connections between your data center and the OCI Ashburn region. Create an OCI load balancer to distribute the traffic across the two connections.
3. Create a cross-connect group and have at least two or more cross-connects in that group. Create at least two or more virtual circuits in the group.
4. Create a cross-connect group and have at least one cross-connect in that group. Create at least one virtual circuit in the group.

Correct
Ans. 3

For colocation, connectivity is via cross-connect cables, and in the Console we need to create cross-connect groups. Since the connection should be redundant, we need to have at least two or more.

Also, we need to create virtual circuits so that we can define the path the packets will take.
Question 7 of 14
7. Question
You are designing a two-tier web application in Oracle Cloud Infrastructure (OCI). Your clients want to access the web servers from anywhere, but want to prevent access to the database servers from the Internet. Which is the recommended way to design the network architecture?

1. Create public subnets for web servers and private subnets for database servers in your Virtual Cloud Network (VCN), and associate separate Internet gateways for each subnet.
2. Create public subnets for web servers and associate a dynamic routing gateway with that subnet, and a private subnet for database servers with no association to the dynamic gateway.
3. Create public subnets for web servers and private subnets for database servers in your VCN, and associate separate security lists and route tables for each subnet.
4. Create a single public subnet for your web servers and database servers, and associate only your web servers to the Internet gateway.

Correct
Ans. 3

3 is correct because the web servers should be public, and with security lists we can control access.

2 is wrong, as with a DRG we only connect the on-premises network.

1 is wrong, as we cannot associate separate Internet gateways: there is only one per VCN.

4 is wrong, as we cannot associate separate Internet gateways: there is only one per VCN.
Question 8 of 14
8. Question
Which statement is true about Oracle Cloud Infrastructure FastConnect?

1. For private peering, FastConnect extends your existing infrastructure to allow you to consume Object Storage from your on-premises data center.
2. For private peering, FastConnect extends your existing infrastructure to a virtual cloud network.
3. The FastConnect provider network offers only 1 Gbps port connection speed increments.
4. For public peering, a dynamic routing gateway must be configured and attached to the Virtual Cloud Network (VCN).

Correct
Ans. 2

Explanation:

1 is wrong because private peering is an extension of the on-premises data center to the VCN.

4 is wrong, as public peering doesn't need a DRG during the setup.

3 is wrong, as FastConnect provides 1 Gbps and 10 Gbps connectivity increments.

Reference: https://docs.cloud.oracle.com/iaas/Content/Network/Concepts/fastconnectoverview.htm
Question 9 of 14
9. Question
You are implementing Oracle Cloud Infrastructure (OCI) FastConnect to access OCI public access points (e.g. Object Storage). You want other Internet traffic from your on-premises environment to use your existing connection with your ISP.

What is the correct way to establish OCI FastConnect to access these OCI public endpoints?

1. Configure private peering on your FastConnect link. Redistribute BGP routes learned into your existing routing table and advertise a default from your network infrastructure to OCI.
2. Configure private peering on your FastConnect link with a static route that points to the OCI Object Storage service.
3. Configure public peering on your FastConnect link with a static route that points to the OCI Object Storage service.
4. Configure public peering on your FastConnect link. Redistribute BGP routes learned into your existing routing table and advertise a specific route for your network infrastructure to OCI.

Correct
Ans. 4

Explanation:

We need to establish public peering to access public resources like Object Storage or the OCI Console. This accesses these public resources over a dedicated private channel.
Question 10 of 14
10. Question
You are designing a networking infrastructure in multiple Oracle Cloud Infrastructure regions and require connectivity between workloads in each region. You have created a dynamic routing gateway (DRG) and a remote peering connection. However, your workloads are unable to communicate with each other.
What are two reasons for this?

1. The security lists associated with subnets in each virtual cloud network (VCN) do not have the appropriate ingress rules.
2. Identity and Access Management (IAM) policies have not been defined to allow connectivity across the two VCNs in different regions.
3. A local peering gateway needs to be created in each VCN with a default route rule added in the route table forwarding the traffic to the local peering gateway.
4. An Internet gateway needs to be created in each VCN with a default route rule added in the route table forwarding the traffic to the Internet gateway.
5. The route tables associated with subnets in each VCN do not have a route rule defined to forward the traffic to their respective DRGs.

Correct
Ans. 1, 5

1 is correct because, by default, an egress rule is present for all protocols, so the issue can be with the ingress rules.

2 is wrong, as IAM has nothing to do with communication between two VCNs.

3 is wrong, as an LPG is created between two VCNs in the same region.

4 is wrong, as an IGW is used for communication to the public network.

5 is correct, as the DRG should be attached to the VCN and have a route table entry to make it effective, so this can be one of the reasons.
Question 11 of 14
11. Question
You have an application server that needs to copy data to Oracle Cloud Infrastructure (OCI) Object Storage in the same region. You have created a service gateway for OCI Object Storage in your virtual cloud network (VCN) and modified security lists associated with the subnet to allow traffic to the service gateway. You are able to connect to OCI Object Storage; however, you notice that the connectivity is over the Internet instead of the service gateway.

What is the reason for this behavior?

1. The route table associated with the subnet has no route rule where the destination is the Object Storage service.
2. The service gateway created in the VCN resides in a different availability domain.
3. The security list associated with the subnet has an egress rule that allows all traffic to be forwarded to the destination CIDR 0.0.0.0/0.
4. Identity and Access Management (IAM) policies restrict access to the Object Storage bucket.

Incorrect
Sorry, Incorrect answer

Explanation:

1 is correct, as in order for a machine inside a subnet to send traffic to the service gateway there should be a route table rule for the service gateway, and this route table should be attached to the subnet that needs to send data via the service gateway.

2 is wrong, as the service gateway has regional scope, so this is not applicable.

3 is wrong, as an egress rule simply allows incoming traffic; forwarding a request to a destination is handled by routing (not the security list).

4 is wrong, as if there were a restriction on access to the Object Storage bucket then it wouldn't be accessible from the Internet either.
Module IX Advanced Networking for Certification 1Z0-1072
September 9, 2018 by Rohit Pathak

Question 12 of 14
12. Question
A customer has established an Oracle Cloud Infrastructure (OCI) FastConnect connection to OCI. The virtual circuit is up and routes are being advertised from the customer's end; however, the customer is unable to ping from compute instances inside the virtual cloud network (VCN) to servers residing in its on-premises data center.

Which two options on OCI would remedy this situation?

1. Modify the security list associated with the instances' VCN subnet and add a stateful egress rule to allow ICMP traffic.
2. Modify the security list associated with the instances' VCN subnet and add a stateful ingress rule to allow ICMP traffic.
3. Modify the VCN instance subnet route table to add a route back to the customer's on-premises environment pointing to the dynamic routing gateway (DRG).
4. Modify the VCN default route table to add a route back to the customer's on-premises environment pointing to the DRG.

Incorrect
Sorry, Incorrect answer

Explanation:

1 is wrong, as an ingress rule is required for ICMP.

2 is right, as an ingress rule needs to be added for ICMP.

3 is wrong, as the route table is not at the subnet level and is always at the VCN level.

4 is correct, as we need to modify the route table at the VCN level and add a route back to the customer premises.
Question 13 of 14
13. Question
You are asked to configure a VPN connection to connect your on-premise network to an OCI VCN.

After the VCN has been created, what steps do you need to take on OCI to create an IPSec tunnel?

1. Create a Dynamic Routing Gateway (DRG), attach the DRG to the VCN, update the routing in your route table to use the DRG, create a CPE and then configure the DRG to open an IPSec connection to the CPE object.
2. Create a DRG, configure a CPE with appliance information and then configure the DRG to open an IPSec connection.
3. Create an Internet Gateway (IGW), attach the IGW to the VCN, update the routing in your route table to use the DRG, create a Customer Premise Equipment (CPE) and then configure the IGW to open an IPSec connection to the CPE object.
4. Create an Internet Gateway, configure a CPE with appliance information and then configure the IGW to open an IPSec connection.

Correct
Ans: 1

Explanation:
https://docs.cloud.oracle.com/iaas/Content/Network/Tasks/settingupIPsec.ht
Question 14 of 14
14. Question
Which three actions are required to configure a highly available and secure hybrid network between Oracle Cloud and your data center? (Choose three.)

1. Define a non-overlapping IP address space between the data center and the cloud.
2. Configure each of the CPEs to leverage each of the IPsec tunnels created by the connection process.
3. Create two or more CPEs that map to the private IP addresses of the customer routers used in the IPSec VPN tunnel.
4. Define a default route table entry for the VCN that directs all traffic to the data center network to a single DRG.
5. Create dynamic routing gateways in more than one AD within your region.

Incorrect
Sorry, Incorrect answer

Explanation:

https://docs.cloud.oracle.com/en-us/iaas/Content/Network/Tasks/configuringCPE.htm

https://docs.cloud.oracle.com/iaas/Content/Network/Tasks/managingDRGs.htm
