OCI Architect Associate (1Z0-1072)

Ace your homework & exams now with Quizwiz!

You are deploying a highly available web application in OCI and have decided to use a public load balancer. The back end web servers will be distributed across all 3 ADs. How many subnets should you create to deliver a secure, highly available application? - 2 subnets in total; 1 regional private subnet to host your back-end web servers & 1 regional public subnet to host your public load load balancer - 3 subnets in total; 1 regional public subnet to host your back-end web servers and 2 AD specific private subnets to host your private load toad balancer - 1 subnet In total; 1 regional private subnet to host your back-end web servers and your public load balancer. - 2 subnets in total; 1 regional public subnet to host your back-end web servers and 1 regional private subnet to host your public load load balancer

- 2 subnets in total; 1 regional private subnet to host your back-end web servers & 1 regional public subnet to host your public load load balancer Explanation To accept traffic from the internet, you create a public load balancer. The service assigns it a public IP address that serves as the entry point for incoming traffic. You can associate the public IP address with a friendly DNS name through any DNS vendor.A public load balancer is regional in scope. If your region includes multiple ADs, a public load balancer requires either a regional subnet (recommended) or two availability domain-specific (AD-specific) subnets, each in a separate availability domain. With a regional subnet, the Load Balancing service creates a primary load balancer and a standby load balancer, each in a different availability domain, to ensure accessibility even during an availability domain outage. If you create a load balancer in two AD-specific subnets, one subnet hosts the primary load balancer and the other hosts a standby load balancer. If the primary load balancer fails, the public IP address switches to the secondary load balancer. The service treats the two load balancers as equivalent and you cannot specify which one is "primary". - Whether you use regional or AD-specific subnets, each load balancer requires one private IP address from its host subnet. The Load Balancing service supplies a floating public IP address to the primary load balancer. The floating public IP address does not come from your backend subnets. You cannot specify a private subnet for your public load balancer. - The backend servers (Compute instances) associated with a backend set can exist anywhere, as long as the associated network security groups (NSGs), security lists, and route tables allow the intended traffic flow. - Oracle recommends that you create your load balancer in a regional subnet. Oracle recommends that you distribute your backend servers across all availability domains within the region

Which 2 statements are true about an OCI VCN? (Choose 2) - A VCN creates the DRG by default - A VCN can reside In multiple OCI regions and availability domains - A VCN covers a single, contiguous IPv4 CIDR block of your choice - The allowable VCN size range is:/16 to /30

- A VCN covers a single, contiguous IPv4 CIDR block of your choice - The allowable VCN size range is:/16 to /30 Explanation VCN resides in a single OCI region and covers a single, contiguous IPv4 CIDR block of your choice.The allowable VCN size range is /16 to /30

Which 2 statements about fault domains are true? - A fault domain is a grouping of hardware and infrastructure within an availability domain - Each availability domain contains 3 fault domain - A failed instance in a fault domain is automatically relaunched - A fault domain is selected automatically based on usage data

- A fault domain is a grouping of hardware and infrastructure within an availability domain - Each availability domain contains 3 fault domains Explanation A fault domain is a grouping of hardware and infrastructure within an availability domain. Each availability domain contains three fault domains. Fault domains provide anti- affinity: they let you distribute your instances so that the instances are not on the same physical hardware within a single availability domain.

Which 2 OCI database services allow you to dynamically scale CPU and storage? - bare metal DB system - VM DB system - ADW - ATP

- ADW - ATP Explanation - If a bare metal DB system requires more compute node processing power, you can scale up (increase) the number of enabled CPU cores in the system without impacting the availability of that system but you can't increase the storage - If the original DB system VM shape uses a single node, running databases on the DB system nodes are sequentially stopped and then restarted on the new shape so not dynamic

You have launched a compute instance running Oracle database in a private subnet in the OCI US East region. You have also created a Service Gateway to back up the data files to OCI Object Storage in the same region. You have modified the security list associated with the private subnet to allow traffic to the Service Gateway, but your instance still cannot access OCI Object Storage. How can you resolve this issue? - Add a stateful rule that enables ingress HTTPS (TOP port 443) traffic to 001 Object Storage in the security list associated with the private subnet - Add a stateful rule that enables egress HTTPS (TCP port 443) traffic to OCI Object Storage in the security list associated with the private subnet - Add a rule in the Route Table associated with the private subnet with Target type as "Service Gateway" and destination service as all IAD services in the Oracle Service Network.' - Use the default Security List, which has ports open for OCI Object Storage

- Add a rule in the Route Table associated with the private subnet with Target type as "Service Gateway" and destination service as all IAD services in the Oracle Service Network.' Explanation - A service gateway lets your VCN privately access specific Oracle services without exposing the data to the public internet. No internet gateway or NAT is required to reach those specific services. The resources in the VCN can be in a private subnet and use only private IP addresses. The traffic from the VCN to the Oracle service travels over the Oracle network fabric and never traverses the internet. - The service gateway is regional and enables access only to supported Oracle services in the same region as the VCN. - For traffic to be routed from a subnet in your VCN to a service gateway, you must add a rule accordingly to the subnet's route table. The rule must use the service gateway as the target. For the destination, you must use the service CIDR label that is enabled for the service gateway. This means that you don't have to know the specific public CIDRs, which could change over time.

Which is a customer's responsibility on an OCI DB System? - Applying patches to the database and OS - Installing the OS, Grid Infrastructure, and Db software - Creating the first database on the DB System - Creating an ASM diskgroup for data file or temp file storage

- Applying patches to the database and OS Explanation Oracle automatically takes care of Operating system Installation/Configuration, Grid Infrastructure, ASM diskgroup Creation/Configuration , and database software Installation and first database on the DB System. that's all when Creating DB Systems. and then the customer responsible to apply the patches to the database and OS

Your on-premises hosted application uses Oracle database server. Your database administrator must have access to the database server for managing the application. Your database server is sized for seasonal peak workloads, which results in high licensing costs. You want to move your application to OCI to take advantage of CPU scaling options. Which database offering on OCI would you select? - Bare Metal DB Systems - VM DB Systems - ATP - ADW

- Bare Metal DB Systems Explanation - In Oracle Autonomous Database, Customers are not given OS logons or SYSDBA privileges to prevent phishing attacking. - If a bare metal DB system requires more compute node processing power, you can scale up (increase) the number of enabled CPU cores in the system without impacting the availability of that system. - You cannot change the number of CPU cores for a VM DB system in the same way as metal DB system. Instead, you must change the shape to one with a different number of OCPUs - Changing the shape does not impact the amount of storage available to the DB system. However, the new shape can have different memory and network bandwidth characteristics, and you might need to reapply any customizations to these aspects after the change.

Which 2 choices are true for ADW? (Choose 2) - Billing stops only when the ADW is terminated - Billing stops for both CPU usage and Storage usage when ADW is stopped - Billing for Compute stops when ADW is stopped - Billing for Storage continues when ADW is stopped

- Billing for compute stops when ADW is stopped - Billing for storage continues when ADW is stopped Explanation - When ADB instance is stopped, CPU billing is halted based on full-hour cycles of usage - Billing for storage continues as long as the service instance exists. - When ADB instance is started, the CPU billing is initiated

You have one database style application that frequently makes many random reads and writes across the dataset. Which storage offering supports this application? - Block Volume Service - File Storage Service - Object Storage Service - Archive Storage Service

- Block Volume Service Explanation The OCI Block Volume service lets you dynamically provision and manage block storage volumes . You can create, attach, connect, and move volumes, as well as change volume performance, as needed, to meet your storage, performance, and application requirements. After you attach and connect a volume to an instance, you can use the volume like a regular hard drive. You can also disconnect a volume and attach it to another instance without the loss of data.

Which statement is true about Data Guard Implementation in DB systems? - Both DB systems must be in the same compartment, and they must be the same shape - You cannot manage Oracle database Initialization parameters at a global level - You can define the backup window and set custom backup retention period for the automatic database backup schedule - You cannot manage the database as ays/sysdba

- Both DB systems must be in the same compartment, and they must be the same shape Explanation An Oracle Data Guard implementation requires two DB systems, one containing the primary database and one containing the standby database. When you enable Oracle Data Guard for a VM DB system database, a new DB system with the standby database is created and associated with the primary database. For a bare metal DB system, the DB system with the database that you want to use as the standby must already exist before you enable Oracle Data Guard. Requirement details are as follows: - Both DB systems must be in the same compartment. - The DB systems must be the same shape type (for example, if the shape of the primary database is a vm, then the shape of the standby database can be any other vm shape). - If your primary and standby databases are in different regions, then you must peer the VCN for each database. See Remote VCN Peering (Across Regions). - Configure the security list ingress and egress rules for the subnets of both DB systems in the Oracle Data Guard association to enable TCP traffic to move between the applicable ports. Ensure that the rules you create are stateful (the default).

Which 2 statements are true about OCI Db Systems Data Guard Service? (Choose 2) - Both DB systems must use the same VCN, and port 1521 must be open - Data guard configuration on the OCI is limited to a VM only - Data guard implementation for Bare Metal shapes requires two DB Systems, one containing the primary database and one containing the standby database. - Data guard implementation requires two DB Systems, one running the primary database on a VM and the standby database running on bare metal.

- Both DB systems must use the same VCN, and port 1521 must be open - Data guard implementation for Bare Metal shapes requires two DB Systems, one containing the primary database and one containing the standby database. Explanation An Oracle Data Guard implementation requires two DB systems, one containing the primary database and one containing the standby database. When you enable Oracle Data Guard for a VM DB system database, a new DB system with the standby database is created and associated with the primary database. For a bare metal DB system, the DB system with the database that you want to use as the standby must already exist before you enable Oracle Data Guard. Requirement details are as follows: - Both DB systems must be in the same compartment. - The DB systems must be the same shape type (for example, if the shape of the primary database is a VM, then the shape of the standby database can be any other VM shape). - If your primary and standby databases are in different regions, then you must peer the VCN for each database. - Configure the security list ingress and egress rules for the subnets of both DB systems in the Oracle Data Guard association to enable TCP traffic to move between the applicable ports. Ensure that the rules you create are stateful (the default).

Which 2 statements are true about restoring a block volume from a manual or policy based block volume backup? - It can be restored as new volumes with different sizes from the backups - It can be restored as a new volume to any AD across different regions - It must be restored as a new volume to the same AD on which the original block volume backup resides - It can be restored as a new volume to any AD in the same region

- It can be restored as new volumes with different sizes from the backup - It can be restored as a new volume to any AD in the same region Explanation When you restore the backup you select a name for the block volume and choose the availability domain in which you want to restore it.You can restore a block volume backup to a larger volume size. To do this, check Custom Block Volume Size (GB), and then specify the new size.

Which of the following statement is true regarding OCI Object Storage Pre-Authenticated Requests? - It Is not possible to create pre-authenticated requests for "archive" storage tier - Changing the bucket visibility does not change existing pre-authenticated requests - It is not possible to create pre-authenticated requests for the buckets, but only for the objects - Pre-authenticated requests don't have an expiration

- Changing the bucket visibility does not change existing pre-authenticated requests Explanation Pre-authenticated requests provide a way to let users access a bucket or an object without having their own credentials, as long as the request creator has permissions to access those objects. For example, you can create a request that lets an operations support user upload backups to a bucket without owning API keys. Or, you can create a request that lets a business partner update shared data in a bucket without owning API keys. When you create a pre-authenticated request, a unique URL is generated. Anyone you provide this URL to can access the Object Storage resources identified in the pre-authenticated request, using standard HTTP tools like curl and wget. Understand the following scope and constraints regarding pre-authenticated requests: - Users can't list bucket contents. - You can create an unlimited number of pre-authenticated requests. - There is no time limit to the expiration date that you can set. - You can't edit a pre-authenticated request. If you want to change user access options in response to changing requirements, you must create a new pre-authenticated request. - The target and actions for a pre-authenticated request are based on the creator's permissions. The request is not, however, bound to the creator's account login credentials. If the creator's login credentials change, a pre-authenticated request is not affected. - You cannot delete a bucket that has a pre-authenticated request associated with that bucket or with an object in that bucket. Understand the following scope and constraints regarding public access: - Changing the type of access is bi-directional. You can change a bucket's access from public to private or from private to public. - Changing the type of access doesn't affect existing pre-authenticated requests. Existing pre-authenticated requests still work.

OCI Block Volume service lets you expand the size of block and boot volumes. Which 3 options below can you use to increase the size of your block volumes? - Clone an existing volume to a new, larger volume - You can only expand block volumes and not boot volumes - Expand an existing volume in place with offline resizing - Take a backup of your existing volume and restore from the volume backup to a larger volume - Expand an existing volume in place with online resizing

- Clone an existing volume to a new, larger volume - Expand an existing volume in place with offline resizing - Take a backup of your existing volume and restore from the volume backup to a larger volume Explanation The OCI Block Volume service lets you expand the size of block volumes and boot volumes. You have 3 options to increase the size of your volumes: 1. Expand an existing volume in place with offline resizing. See Resizing a Volume Using the Console for the steps to do this. 2. Restore from a volume backup to a larger volume. See Restoring a Backup to a New Volume and Restoring a Boot Volume. 3. Clone an existing volume to a new, larger volume. See Cloning a Volume and Cloning a Boot Volume.

Which two resources reside exclusively in a single availability domain? - Compute instance - Object Storage - Groups - Block Volume - Web Application Firewall Policy

- Compute instance - Block Volume Explanation Ad-Specific Resources • DB Systems • Ephemeral Public IPs • instances - They can be attached only to volumes in the same AD. • Subnets - When you create a subnet, you choose whether it is regional or specific to an AD. Oracle recommends using regional subnets. • Volumes - They can be attached only to an instance in the same availability domain.

You are managing a tier-1 OLTP application on an ATP database. Your business needs to run hourly batch processes on this ATP database that may consume more CPUs than what is available on the server. How can you limit these batch processes to not interfere with the OLTP transactions? - Copy OLTP data into new tables in a new table space and run batch processes against these new tables - ATP is designed for OLTP workload only; you should not run batch processes on ATP - Disable automated backup during the batch process operations - Configure ATP resource management rules to manage runtime and IO consumption for the consumer group of batch processes

- Configure ATP resource management rules to manage runtime and IO consumption for the consumer group of batch processes Explanation ATP comes with predefined CPU/IO shares assigned to different consumer groups. You can modify these predefined CPU/IO shares if your workload requires different CPU/IO resource allocations.By default, the CPU/IO shares assigned to the consumer groups TPURGENT, TP, HIGH, MEDIUM, and LOW are 12, 8, 4, 2, and 1, respectively. The shares determine how much CPU/IO resources a consumer group can use with respect to the other consumer groups. With the default settings the consumer group TPURGENT will be able to use 12 times more CPU/IO resources compared to LOW, when needed. The consumer group TP will be able to use 4 times more CPU/IO resources compared to MEDIUM, when needed.

Which 2 options are necessary for achieving high availability on OCI? - Store your database across multiple regions so that half of the data resides in one region and the other half resides in another region - Attach your block volume from AD1 to a compute instance in AD 2 (and vice versa) so that they are highly available. - Configure your database to have Data Guard in another AD in Sync mode within a region - Store your database files on Object Storage so that they are available in all ADs in all regions - Distribute your application servers across all ADs within a region

- Configure your database to have Data Guard in another AD in Sync mode within a region - Distribute your application servers across all ADs within a region Explanation All details can find in "Best Practices for Deploying High Availability Architecture on OCI - https://docs.cloud.oracle.com/en-us/iaas/Content/Resources/Assets/whitepapers/best- practices-deploying-ha-architecture-oci.pdf

You have 5 different company locations spread across the US. For a POC you need to setup secure and encrypted connectivity to your workloads running in a single VCN in the OCI Ashburn region from all company locations. What would meet this requirement? - Create 5 internet gateways in your VCN and have separate route table for each internet gateway. - Create 5 virtual circuits using FastConnect for each company location and terminate those connections on a single DRG. Attach that DRG to your VCN - Create 5 IPsec connections with each company location and terminate those connections on a single DRG. Attach that DRG to your VCN. - Create 5 IPsec VPN connections with each company location and terminate those connections on five separate DRGs. Attach those DRGs to your VCN

- Create 5 IPsec connections with each company location and terminate those connections on a single DRG. Attach that DRG to your VCN. Explanation Access to Your On-Premises Network There are 2 ways to connect your on-prem network to OCI: 1. VPN Connect - Offers multiple IPSec tunnels between your existing network's edge and your VCN, by way of a DRG that you create and attach to your VCN. 2. OCI FastConnect: Offers a private connection between your existing network's edge and OCI. Traffic does not traverse the internet. Both private peering and public peering are supported. That means your on- prem hosts can access private IPv4 addresses in your VCN as well as regional public IPv4 addresses in OCI (for example, Object Storage or public load balancers in your VCN). ** You can use one or both types of the preceding connections. If you use both, you can use them simultaneously, or in a redundant configuration. These connections come to your VCN by way of a single DRG that you create and attach to your VCN. Without that DRG attachment and a route rule for the DRG, traffic does not flow between your VCN and on-premises network. At any time, you can detach the DRG from your VCN but maintain all the remaining components that form the rest of the connection. You could then reattach the DRG again, or attach it to another VCN

You have an application deployed in OCI running only in the Phoenix region. You were asked to create a DR plan that will protect against the loss of critical data. The DR site must be at least 500 miles from your primary site and data transfer between the two sites must not traverse the public Internet. Which is the recommended disaster recovery plan? - Create a new VCN in the Phoenix region and create a subnet in one availability domain (AD) that is not currently being used by your production systems. Establish VCN peering between the production and DR sites. - Create a DR environment in Ashburn. Associate a DRG with the VCN in each region and create a remote peering connection between the two VCNs - Create a DR environment in Ashburn and provision a FastConnect virtual circuit using DRG between the regions. - Create a DR environment in Ashburn. Associate a DRG with the VCN in each region and configure an IPsec VPN connection between the two regions.

- Create a DR environment in Ashburn. Associate a DRG with the VCN in each region and create a remote peering connection between the two VCNs Explanation Remote VCN peering is the process of connecting two VCNs in different regions (but the same tenancy ). The peering allows the VCNs' resources to communicate using private IP addresses without routing the traffic over the internet or through your on-premises network. Without peering, a given VCN would need an internet gateway and public IP addresses for the instances that need to communicate with another VCN in a different region. Summary of Networking Components for Remote Peering At a high level, the Networking service components required for a remote peering include: - 2 VCNs with non-overlapping CIDRs, in different regions that support remote peering. - The VCNs must be in the same tenancy. - A DRG attached to each VCN in the peering relationship. Your VCN already has a DRG if you're using an IPSec VPN or an OCI FastConnect private virtual circuit. - A remote peering connection (RPC) on each DRG in the peering relationship. - A connection between those two RPCs. - Supporting route rules to enable traffic to flow over the connection, and only to and from select subnets in the respective VCNs (if desired). - Supporting security rules to control the types of traffic allowed to and from the instances in the subnets that need to communicate with the other VCN.

You have an application deployed in OCI running in the US East region. You have been asked to create a disaster recovery plan that will protect against the loss of critical data. The DR site must be at least a few hundred miles from your primary site and data transfer between the two sites must not traverse the public Internet. Which is the lowest latency and lowest cost recommended disaster recovery plan? - Create a DR environment in the US West region and provision a FastConnect virtual circuit using DRG between the regions - Create a DR environment in the US West region. Associate a DRG with the VCN in each region and configure an IPsec VPN connection between the two regions - Create a DR environment in the US West region. Associate a DRG with the VCN in each region and create a remote peering connection between the 2 VCNs - Create a DR environment in the US West region. Associate a Local Peering Gateway with the VCN in each region and create a local peering connection between the 2 VCNs

- Create a DR environment in the US West region. Associate a DRG with the VCN in each region and create a remote peering connection between the 2 VCNs Explanation Remote VCN peering is the process of connecting two VCNs in different regions (but the same tenancy ). The peering allows the VCNs' resources to communicate using private IP addresses without routing the traffic over the internet or through your on-premises network. Without peering, a given VCN would need an internet gateway and public IP addresses for the instances that need to communicate with another VCN in a different region. At a high level, the Networking service components required for a remote peering include: - 2 VCNs with non-overlapping CIDRs, in different regions that support remote peering. The VCNs must be in the same tenancy. - A DRG attached to each VCN in the peering relationship. Your VCN already has a DRG if you're using an IPSec VPN or an OCI FastConnect private virtual circuit. - An RPC on each DRG in the peering relationship. A connection between those two RPCs. - Supporting route rules to enable traffic to flow over the connection, and only to and from select subnets in the respective VCNs (if desired). - Supporting security rules to control the types of traffic allowed to and from the instances in the subnets that need to communicate with the other VCN.

You are designing a high bandwidth, redundant connection between your data center and OCI. While researching for OCI FastConnect locations, you notice that you are co-located with Oracle at one of the Oracle FastConnect locations in the Ashburn region. Larger image Error! Filename not specified. What is the recommended design in this scenario? - Create a cross-connect group and have two or more cross-connects in that group. Create an IPsec VPN connection on this group. - Setup two IPsec connections between your data center and OCI Ashburn region. Create an OCI load balancer to distribute the traffic across the two connections - Create a cross-connect group and have at least two or more cross-connects in that group. Create at least two or more virtual circuits in the group. - Create a cross-connect group and have at least one cross-connect in that group. Create at least one virtual circuit in the group

- Create a cross-connect group and have at least two or more cross-connects in that group. Create at least two or more virtual circuits in the group. Explanation You could have multiple private virtual circuits, for example, to isolate traffic from different parts of your organization virtual circuit for 10.0.1.0/24; another for 172.16.0.0/16), or to provide redundancy.

You want an OCI compute instance in your compartment to make API calls to other services within OCI without storing credentials in a configuration file. What do you need to do? - Create a dynamic group with appropriate matching rules to include the instance, and reference this group in your IAM policy statement - Instances cannot access services outside their compartment - VM instances are treated as users. Create a user, assign the user to that VM instance, and reference the instance in your Identity and Access Management (IAM) policy statement - By default, all VM instances are created with an instance principal. Reference this instance principal in your IAM policy statement

- Create a dynamic group with appropriate matching rules to include the instance, and reference this group in your IAM policy statement

You have an instance running in a development compartment that needs to make API calls against other OCI services, but you do not want to configure user credentials or a store a configuration file on the instance. How can you meet this requirement? - Create a dynamic group with matching rules to include your instance - Instances can automatically make calls to other OCI services - Instances are secure and cannot make calls to other OCI services - Create a dynamic group with matching rules to include your instance and write a policy for this dynamic group

- Create a dynamic group with matching rules to include your instance and write a policy for this dynamic group Explanation Dynamic groups allow you to group OCI compute instances as "principal" actors (similar to user groups). When you create a dynamic group, rather than adding members explicitly to the group, you instead define a set of matching rules to define the group members. For example, a rule could specify that all instances in a particular compartment are members of the dynamic group. The members can change dynamically as instances are launched and terminated in that compartment. A dynamic group has no permissions until you write at least one policy that gives that dynamic group permission to either the tenancy or a compartment. When writing the policy, you can specify the dynamic group by using either the unique name or the dynamic group's OCID. Per the preceding note, even if you specify the dynamic group name in the policy, IAM internally uses the OCID to determine the dynamic group.

A company currently uses Microsoft Active Directory as its identity provider. The company recently purchased OCI to leverage the cloud platform for its test and development operations. As the admin, you are now tasked with giving access only to developers so that they can start creating resources in their OCI accounts. Which step will you perform to achieve this requirement? - Create a group for developers on OCI and map the group to a similar group in Microsoft Active Directory during the federation process - Federate all Microsoft Active Directory groups with OCI to allow users to use their existing credentials - Create a new user account for each user, and then create policies to provide access to developers - Create a group for developers on OCI, export all the developers from Microsoft Active Directory, and then import them into the IAM group

- Create a group for developers on OCI and map the group to a similar group in Microsoft Active Directory during the federation process Explanation When working with your IdP, your administrator defines groups and assigns each user to one or more groups according to the type of access the user needs. OCI also uses the concept of groups (in conjunction with IAM policies) to define the type of access a user has. As part of setting up the relationship with the IdP, your administrator can map each IdP group to a similarly defined IAM group, so that your company can re-use the IdP group definitions when authorizing user access to OCI resources.

You deployed a compute instance (VM.Standard2.16) to run a SQL database. After a few weeks, you need to increase disk performance by using NVMe disks; the number of CPUs will not change. As a first step you terminate the instance and preserve the boot volume. What is the next step? - Create a new instance using a VM.DenseIO2.16 shape using the preserved boot volume and move the SQL Database data to block volume - Create a new instance using a VM.DenseIO2.8 shape using the preserved boot volume and move the SQL Database data to NVMe disks - Create a new instance using a VM.Standard1.16 shape using the preserved boot volume and move the SQL Database data to NVMe disks - Create a new instance using a VM.DenseIO2.16 shape using the preserved boot volume move the SQL Database data to NVMe disks

- Create a new instance using a VM.DenseIO2.16 shape using the preserved boot volume move the SQL Database data to NVMe disks Explanation to increase disk performance by using NVMe disks you can use Dense IO Shape also as the number of CPUs will not change so we should VM.DenseIO2.16

You deployed a web server in OCI using an Ephemeral Public IP address. While making configuration changes, an admin inadvertently deleted your web server. You redeploy your web server, but many of your LOB apps depend on this web server's public IP address and would need an update. What can you do to prevent this from happening again? - Create a reserved public IP and associate it with the security list for the subnet being used by your compute instance - Create a reserved public I P and associate it with the hosts file of your web server - Create a reserved public IP and associate it with the subnet of your compute instance - Create a reserved public IP and associate it with the VNIC of your compute instance

- Create a reserved public IP and associate it with the VNIC of your compute instance Explanation A public IP address is an IPv4 address that is reachable from the internet. If a resource in your tenancy needs to be directly reachable from the internet, it must have a public IP address. Depending on the type of resource, there might be other requirements. There are two types of public IPs: 1. Ephemeral: Think of it as temporary and existing for the lifetime of the instance. 2. Reserved: Think of it as persistent and existing beyond the lifetime of the instance it's assigned to. You can unassign it and then reassign it to another instance whenever you like. Exception: reserved public IPs on public load balancers. To create a new reserved public IP in your pool: - Confirm you're viewing the region and compartment where you want to create the reserved public IP. - Open the navigation menu. Under Core Infrastructure, go to Networking >click Public IPs. - Click Create Reserved Public IP.Enter the following: -- Name: An optional friendly name for the reserved public IP. The name doesn't have to be unique, and you can change it later. Avoid entering confidential information. -- Compartment: Leave as is. -- Tags:Optionally, you can apply tags. If you have permissions to create a resource, you also have permissions to apply free-form tags to that resource. To apply a defined tag, you must have permissions to use the tag namespace. For more information about tagging, see Resource Tags. If you are not sure if you should apply tags, skip this option (you can apply tags later) or ask your administrator. -- Click Create Reserved Public IP. To assign a reserved public IP to a private IP: - Prerequisite: The private IP must not have an ephemeral or reserved public IP already assigned to it. If it does, first delete the ephemeral public IP, or unassign the reserved public IP. - Confirm you're viewing the compartment that contains the instance with the private IP you're interested in. - Open the navigation menu. Under Core Infrastructure, go to Compute > Instances. - Click the instance to view its details. - Under Resources, click Attached VNICs. - The primary VNIC and any secondary VNICs attached to the instance are displayed. Click the VNIC you're interested in. - Under Resources, click IP Addresses. - The VNIC's primary private IP and any secondary private IPs are displayed. - For the private IP you're interested in, click the Actions icon (three dots) > Edit. - In the Public IP Address section, for Public IP Type, select the radio button for Reserved Public IP. Enter the following: -- Compartment: The compartment that contains the reserved public IP you want to assign. -- Reserved Public IP: The reserved public IP you want to assign. You have 3 choices: -1- Create a new reserved public IP - You may optionally provide a friendly name for it. The name doesn't have to be unique, and you can change it later. Avoid entering confidential information. -2- Assign a reserved public IP that is currently unassigned. -3- Move a reserved public IP from another private IP. -- Click Update.

You are a network architect and have designed the network infrastructure of a three-tier application on OCI. In the architecture, back-end DB servers are in a private subnet. One of your DB administrators requests to have access to OCI object storage service. How can you meet this requirement? - Create a service gateway, add a new route rule to the private subnet route table that uses storage as your service gateway target type - Create a DRG and attach it your VCN. Add a default route rule to the private subnets route table and set the target as DRG - Attach a public IP address to the instances in the private subnet, and then add a new route rule to the private subnet route table to route default traffic to the internet gateway - Add a new route rule to the private subnet route table to route default traffic to the internet gateway

- Create a service gateway, add a new route rule to the private subnet route table that uses storage as your service gateway target type Explanation A service gateway lets resources in your VCN privately access specific Oracle services, without exposing the data to an internet gateway or NAT. The resources in the VCN can be in a private subnet and use only private IP addresses. The traffic from the VCN to the service of interest travels over the Oracle network fabric and never traverses the internet. To give your VCN access to a given service CIDR label, you must enable that service CIDR label for the VCN's service gateway. You can do that when you create the service gateway, or later after it's created. You can also disable a service CIDR label for the service gateway at any time. For traffic to be routed from a subnet in your VCN to a service gateway, you must add a rule accordingly to the subnet's route table. The rule must use the service gateway as the target.

You have created a VCN with 3 private subnets. 2 of the subnets contain application servers and the 3rd subnet contains a DB System. The application requires a shared file system so you have provisioned one using the file storage service (FSS). You also created the corresponding mount target in one of the application subnets. The VCN security lists are properly configured so that both app servers and the DB System can access the file system. The security team determines that the DB System should have read-only access to the file system. What change would you make to satisfy this requirement? - Create an NFS export option that allows READ_ONLY access where the source is the CIDR range of the DB System subnet - Connect via SSH to one of the application servers where the file system has been mounted. Use the Unix command chmod to change permissions on the file system directory, allowing the database userread-only access - Modify the security list associated with the subnet where the mount target resides. Change the ingress rules corresponding to the DB System subnet to be stateless. - Create an instance principal for the DB System. Write an IAM policy that allows the instance principal read-only access to the file storage service

- Create an NFS export option that allows READ_ONLY access where the source is the CIDR range of the DB System subnet Explanation NFS export options enable you to create more granular access control than is possible using just security list rules to limit VCN access. You can use NFS export options to specify access levels for IP addresses or CIDR blocks connecting to file systems through exports in a mount target.

Which 2 statements about File Storage Service (FSS) are accurate? - FSS leverages UNIX user group and permission checking for file access security - Encryption of file system in FSS is optional - IAM controls which file systems are mountable by which instances - Security lists can be used as a virtual firewall to prevent an instance from mounting an FSS mount target within the same subnet - Data in transit to an FSS mount target is encrypted

- FSS leverages UNIX user group and permission checking for file access security - Data in transit to an FSS mount target is encrypted Explanation - All data is encrypted at rest. and In-transit encryption provides a way to secure your data between instances and mounted file systems using TLS v. 1.2 (Transport Layer Security) encryption. - File Storage service supports the AUTH_UNIX style of authentication and permission checking for remote NFS client requests.

You have multiple apps installed on a compute Instance and these apps generate a large amount of log files. These log files must reside on the boot volume for a min of 15 days. Any files over 15 days do not have to reside on boot volume but still must be retained for at least 60 days. The 60-day retention requirement Is causing an Issue with available disk space. What are the TWO recommended methods to provide additional boot volume space for this compute instance? - Terminate the instance while preserving the boot volume. Create a new instance from the boot volume and select a DenseIO shape to take advantage of local NVMe storage. - Create an object storage bucket and use a script that runs daily to move log files older than 15 days to the bucket Create and attach a block volume to the compute instance and copy the log files - Create a custom image and launch a new compute instance with a larger boot volume size - Write a custom script to remove the log files on a daily basis and free up the space on the boot volume

- Create an object storage bucket and use a script that runs daily to move log files older than 15 days to the bucket - Create a custom image and launch a new compute instance with a larger boot volume size Explanation These log files must reside on the boot volume for a minimum of 15 days so you have to increase the boot Volume

You are designing a two-tier web application in OCI. Your clients want to access the web servers from anywhere, but want to prevent access to the database servers from the Internet. Which is the recommended way to design the network architecture? - Create public subnets for web servers and private subnets for database servers in your VCN, and associate separate internet gateways for each subnet - Create a public subnet for web servers and associate a DRG with that subnet, and a private subnet for database servers with no association to DRG - Create public subnets for web servers and private subnets for database servers in your VCN, and associate separate security lists and route tables for each subnet - Create a single public subnet for your web servers and database servers, and associate only your web servers to internet gateway

- Create public subnets for web servers and private subnets for database servers in your VCN, and associate separate security lists and route tables for each subnet Explanation When you create a subnet, by default it's considered public, which means instances in that subnet are allowed to have public IP addresses. Whoever launches the instance chooses whether it will have a public IP address. You can override that behavior when creating the subnet and request that it be private, which means instances launched in the subnet are prohibited from having public IP addresses. Network administrators can therefore ensure that instances in the subnet have no internet access, even if the VCN has a working internet gateway, and security rules and firewall rules allow the traffic. There are 2 optional gateways (virtual routers) that you can add to your VCN depending on the type of internet access you need: - Internet gateway: For resources with public IP addresses that need to be reached from the internet (example: a web server) or need to initiate connections to the internet. - NAT gateway: For resources without public IP addresses that need to initiate connections to the internet (example: for software updates) but need to be protected from inbound connections from the internet. Just having an internet gateway alone does not expose the instances in the VCN's subnets directly to the internet. The following requirements must also be met: - The internet gateway must be enabled (by default, the internet gateway is enabled upon creation). - The subnet must be public.The subnet must have a route rule that directs traffic to the internet gateway. - The subnet must have security list rules that allow the traffic (and each instance's firewall must allow the traffic). - The instance must have a public IP address.

Which 2 are valid image sources when launching a new compute instance? - Bare Metal Instance - Object Storage - Custom Image - Boot Volume

- Custom Image - Boot Volume Explanation A template of a virtual hard drive that determines the operating system and other software for an instance. For details about OCI platform images, see Oracle-Provided Images. You can also launch instances from: - Trusted third-party images published by Oracle partners from the Partner Image catalog. For more information about partner images, see Overview of Marketplace and Working with Listings. - Pre-built Oracle enterprise images and solutions enabled for OCI Custom images, including bring your own image scenarios.Boot Volumes.

Which 2 statements are true about DB Systems in OCI? (Choose 2) - Customers can consolidate multiple database homes on a single VM database host - Customers have no control over database patching - Customers can manage the TDE Wallet after DB Systems are provisioned - The database and backups are encrypted by default

- Customers can manage the TDE Wallet after DB Systems are provisioned - The database and backups are encrypted by default Explanation - All databases created in OCI are encrypted using transparent data encryption (TDE). - OCI encrypts all managed backups in the object store. Oracle uses the Database Transparent Encryption feature by default for encrypting the backups. and the customers can manage the TDE Wallet after DB Systems are provisioned.

Your company has decided to move a few applications to OCI and you have been asked to design a cloud-based DR solution. One of the requirements is to deploy the DR resources at least 300 miles from the home OCI region and minimize the network latency. What will be the recommended deployment? - Deploy production and DR applications in the same VCN. Create production subnets in one AD, and DR subnets in another AD. - Deploy production and DR applications in 2 separate VCNs in different ADs within your home region, and then use a VCN remote peering connection for connectivity - Deploy production and DR applications in 2 separate VCNs, each in different regions. Connect them using a VCN remote peering connection Deploy production and DR apps in 2 separate VCNs, each in different regions, and then use VCN local peering gateways for connectivity

- Deploy production and DR applications in 2 separate VCNs, each in different regions. Connect them using a VCN remote peering connection Explanation Remote VCN peering is the process of connecting two VCNs in different regions The peering allows the VCNs' resources to communicate using private IP addresses without routing the traffic over the internet or through your on-prem network.

Which service would you use if your big data workload required shared access and NFS-based connectivity ? - Block Volume - Archive Storage - Object Storage - File Storage

- File Storage Explanation File Storage service is designed to meet the needs of applications and users that need an enterprise file system across a wide range of use cases, including the following: General Purpose File Storage: Access to an unlimited pool of file systems to manage growth of structured and unstructured data. Big Data and Analytics: Run analytic workloads and use shared file systems to store persistent data. Lift and Shift of Enterprise Applications: Migrate existing Oracle applications that need NFS storage, such as Oracle EBS and PSFT Databases and Transactional Applications: Run test and development workloads with Oracle, MySQL, or other databases. Backups, Business Continuity, and Disaster Recovery: Host a secondary copy of relevant file systems from on premises to the cloud for backup and disaster recovery purposes. MicroServices and Docker: Deliver stateful persistence for containers. Easily scale as your container-based environments grow.

As the Cloud Architect for your company, you have been tasked with designing a high performance (HPC) cluster in OCI. The following requirements have been defined: * The cluster must be a minimum of three nodes, but may increase to six nodes when demand requires. * The cluster must be resilient to any potential infrastructure failures. * To minimize latency, all nodes must be deployed within the same AD. * Adding or replacing nodes within the cluster should take no more than 30 minutes. Which TWO steps should be performed to satisfy these requirements in OCI? - Deploy the cluster in a single AD with a shared file system that leverages the file storage service (FSS). Deploy a standby cluster in another AD and configure it to use the same shared file system - Deploy the cluster in a single AD. Place each of the nodes in one of the three different fault domains in that AD. - Create a backup of your HPC node compute instance boot volume. Launch new compute instances directly from the backup reduce provisioning time - Create a custom image of your HPC node compute instance. Launch new compute instances using this image to reduce provisioning time - Deploy the cluster in a single AD. Place each of the nodes in a different VCN subnet.

- Deploy the cluster in a single AD. Place each of the nodes in one of the three different fault domains in that AD. - Create a custom image of your HPC node compute instance. Launch new compute instances using this image to reduce provisioning time Explanation A fault domain is a grouping of hardware and infrastructure within an availability domain. Each availability domain contains three fault domains. Fault domains provide anti- affinity: they let you distribute your instances so that the instances are not on the same physical hardware within a single availability domain. A hardware failure or Compute hardware maintenance event that affects one fault domain does not affect instances in other fault domains. In addition, the physical hardware in a fault domain has independent and redundant power supplies, which prevents a failure in the power supply hardware within one fault domain from affecting other fault domains. To control the placement of your compute instances, bare metal DB system instances, or VM DB system instances, you can optionally specify the fault domain for a new instance or instance pool at launch time. If you don't specify the fault domain, the system selects one for you. OCI makes a best-effort anti-affinity placement across different fault domains, while optimizing for available capacity in the availability domain. To change the fault domain for an instance, terminate it and launch a new instance in the preferred fault domain. Use fault domains to do the following things:Protect against unexpected hardware failures or power supply failures. Protect against planned outages because of Compute hardware maintenance.

You have an OCI load balancer distributing traffic via an evenly-weighted round robin policy to your backend web servers. You notice that one of your web servers is receiving more traffic than other web servers. How can you resolve this imbalance? - Check security lists and route tables of your VCN and fix any issues associated with the rules - Create separate listeners for each backend web server - Delete and re-create your OCI load balancer - Disable session persistence on your backend set

- Disable session persistence on your backend set Explanation Session persistence is a method to direct all requests originating from a single logical client to a single backend web server. Backend servers that use caching to improve performance, or to enable log-in sessions or shopping carts, can benefit from session persistence

You are a network architect of an application running on OCI. Your security team has informed you about a security patch that needs to be applied immediately to one of the backend web servers. What should you do to ensure that the OCI load balancer does not forward traffic to this backend server during maintenance? - Drain all existing connections to this backend server and mark the backend web server offline - Create another OCI load balancer for the backend web servers, which are active and handling traffic - Edit the security list associated with the subnet to avoid traffic connectivity to this backend serve - Stop the load balancer for maintenance and restart the load balancer after the maintenance is finished

- Drain all existing connections to this backend server and mark the backend web server offline Explanation - a Load Balancer improves resource utilization, facilitates scaling, and helps ensure high availability. You can configure multiple load balancing policies and application-specific health checks to ensure that the load balancer directs traffic only to healthy instances. - the Load balancer can reduce your maintenance window by draining traffic from an unhealthy application server before you remove it from service for maintenance. - Load Balancing service considers a server marked drain available for existing persisted sessions. New requests that are not part of an existing persisted session are not sent to that server. - Edit Drain State: Opens a dialog box in which you can change the drain state.If you set the server's drain status to true, the load balancer stops forwarding new TCP connections and new non-sticky HTTP requests to this backend server. This setting allows an administrator to take the server out of rotation for maintenance purposes. - Edit Offline State: Opens a dialog box in which you can change the offline status. - If you set the server's offline status to true, the load balance forwards no ingress traffic to this backend server.

Which 2 statements are true about OCI IPSec VPN Connect? - Each OCI IPSec VPN consists of multiple redundant IPSec tunnels - OCI IPSec VPN tunnel supports only static routes to route traffic - OCI IPSec VPN can be configured in tunnel mode only - OCI IPSec VPN can be configured in trans port mode only

- Each OCI IPSec VPN consists of multiple redundant IPSec tunnels - OCI IPSec VPN can be configured in tunnel mode only Explanation VPN Connect provides a site-to-site IPSec VPN between your on-premises network and your VCN. The IPSec protocol suite encrypts IP traffic before the packets are transferred from the source to the destination and decrypts the traffic when it arrives. On general, IPSec can be configured in the following modes: - Transport mode: IPSec encrypts and authenticates only the actual payload of the packet, and the header information stays intact. - Tunnel mode (supported by Oracle): IPSec encrypts and authenticates the entire packet. After encryption, the packet is then encapsulated to form a new IP packet that has different header information. OCI supports only the tunnel mode for IPSec VPNs. Each Oracle IPSec VPN consists of multiple redundant IPSec tunnels. For a given tunnel, you can use either Border Gateway Protocol (BGP) dynamic routing or static routing to route that tunnel's traffic. More details about routing follow.IPSec VPN site-to-site tunnels offer the following advantages: - Public internet lines are used to transmit data, so dedicated, expensive lease lines from one site to another aren't necessary. - Internal IP addresses of the participating networks and nodes are hidden from external users. - The entire communication between the source and destination sites is encrypted, significantly lowering the chances of information theft.

You are running a mission-critical DB app in OCI. You take regular backups of your DB system to OCI object storage. Recently, you notice a failed db backup status in the console. What 2 steps can you take to determine the cause of the backup failure? - Ensure the database archiving mode is set to NOARCHIVELOG - Ensure that your database host can connect to the OCI object storage - Restart the dcsagent program if it has a status of stop or waiting - Make sure that the database is not active and running while the backup is in progress

- Ensure that your database host can connect to the OCI object storage - Restart the dcsagent program if it has a status of stop or waiting Explanation Db backups can fail for various reasons. Typically, a backup fails because either the db host cannot access the object store, or there are problems on the host or with the db configuration. First - need to determine the problem In the Console, a failed database backup either displays a status of Failed or hangs in the Backup in Progress or Creating state. If the error message does not contain enough information to point you to a solution, you can use the database CLI and log files to gather more data. Then, refer to the applicable section in this topic for a solution.

You are about to deploy an e-business app on OCI and one of the requirements is to use a shared file system that supports the NFS protocol. Which storage service would meet this requirement? - Object Storage - Block Volume - Data Transfer Appliance - File Storage

- File Storage Explanation Use the File Storage service when your application or workload includes big data and analytics, media processing, or content management, and you require Portable Operating System Interface (POSIX)-compliant file system access semantics and concurrently accessible storage. The File Storage service is designed to meet the needs of applications and users that need an enterprise file system across a wide range of use cases, including the following: - General Purpose File Storage: Access to an unlimited pool of file systems to manage growth of structured and unstructured data. - Big Data and Analytics: Run analytic workloads and use shared file systems to store persistent data. - Lift and Shift of Enterprise Applications: Migrate existing Oracle applications that need NFS storage, such as Oracle E-Business Suite and PeopleSoft.Databases and Transactional Applications: Run test and development workloads with Oracle, MySQL, or other databases. - Backups, Business Continuity, and Disaster Recovery: Host a secondary copy of relevant file systems from on premises to the cloud for backup and disaster recovery purposes. - MicroServices and Docker: Deliver stateful persistence for containers. Easily scale as your container-based environments grow.

Which statement is true about OCI FastConnect? - For private peering, FastConnect extends your existing infrastructure to allow you to consume object storage from your on-premises data center - For private peering, FastConnect extends your existing infrastructure to a VCN - For public peering, FastConnect extends your existing infrastructure to a VCN - For public peering, a DRG must be configured and attached to the VCN

- For private peering, FastConnect extends your existing infrastructure to a VCN Explanation - with FastConnect, you can choose to use private peering, public peering, or both. • Private Peering: To extend your existing infrastructure into a VCN in OCI (for example, to implement a hybrid cloud, or a lift and shift scenario). Communication across the connection is with IPv4 private addresses (typically RFC 1918). • Public Peering: To access public services in OCI without using the internet. For example, Object Storage, the OCI and APIs, or public load balancers in your VCN. Communication across the connection is with IPv4 public IP addresses. Without FastConnect, the traffic destined for public IP addresses would be routed over the internet.

Your organization has deployed a large, complex application across multiple compute instances in OCI. These compute instances also have block volume storage attached to them. You want to create a time consistent backup of this block volume storage. Which implementation strategy should be used? - Create a manual backup of each volume - Use scripts available in OCI to backup block volume storag - Group volumes in a volume group first and then use available scripts in OCI - Group volumes in a volume group and create a manual backup of the volume group

- Group volumes in a volume group and create a manual backup of the volume group Explanation Block Volume service provides you with the capability to group together multiple volumes in a volume group. A volume group can include both types of volumes, boot volumes, which are the system disks for your Compute instances, and block volumes for your data storage. You can use volume groups to create volume group backups and clones that are point-in-time and crash-consistent. This simplifies the process to create time-consistent backups of running enterprise applications that span multiple storage volumes across multiple instances. You can then restore an entire group of volumes from a volume group backup. To create a backup of the volume group: - Open the navigation menu. Under Core Infrastructure, go to Block Storage and click Volumes Groups. - In the Volume Groups list, click Create Volume Group Backup in the Actions menu for the volume group you want to create a backup for.

Which 3 load-balancing policies can be used with a backend set? (Choose 3.) - throughput - IP hash - weighted round robin - CPR utilization - least connections

- IP hash - weighted round robin - least connections Explanation you can apply policies to control traffic distribution to your backend servers. The Load Balancing service supports three primary policy types: Round Robin, Least Connections, IP Hash.

Which of the following 2 tasks can be performed in the OCI Console for ADW? - Adjust Network Bandwidth - Scale up/down Memory - Increase Storage allocated for Database - Scale up/down CPU

- Increase Storage allocated for Database - Scale up/down CPU Explanation - You can scale up/down your Autonomous Database to scale both in terms of compute (CPU) and storage only when needed, allows people to pay per use. - Oracle allows you to scale compute and storage independently, no need to do it together. these scaling activities fully online (no downtime required) - in Details page ADB in OCI console, click Scale Up/Down. Click on arrow to select a value for CPU Core Count or Storage (TB). - Or Select auto scaling to allow the system to automatically use up to three times more CPU and IO resources to meet workload demand, compared to the database operating with auto scaling disabled.

You are about to upload a large log file (5 TiB size) to OCI object storage and have decided to use multipart upload capability for a more efficient and resilient upload. Larger image Error! Filename not specified. Which two statements are true about multipart upload? - Individual object parts can be as small as 10 MiB or as large as 50 GiB - While a multipart upload is still active, you cannot add parts even if the total number of parts is less than 10,000 - The maximum size for an uploaded object is 10 TiB - You do not have to commit the upload after you have uploaded all the object parts

- Individual object parts can be as small as 10 MiB or as large as 50 GiB - The maximum size for an uploaded object is 10 TiB Explanation - With multipart upload, you split the object you want to upload into individual parts. Individual parts can be as large as 50 GiB or as small as 10 MiB. (Object Storage waives the minimum part size restriction for the last uploaded part.) Decide what part number you want to use for each part. Part numbers can range from 1 to 10,000. You do not need to assign contiguous numbers, but Object Storage constructs the object by ordering part numbers in ascending order. - The maximum size for an uploaded object is 10 TiB - While a multipart upload is still active, you can keep adding parts as long as the total number is less than 10,000.

Which 2 use Dynamic Routing Gateway (DRG) for connectivity? - Remote VCN peering across region - Oracle IPsec VPN - Local VCN peering - OCI FastConnect public peering

- Remote VCN peering across region - Oracle IPsec VPN Explanation You use a DRG when connecting your existing on-premises network to your VCN with one (or both) of these: (1) IPSec VPN (2) OCI FastConnect You also use a DRG when peering a VCN with a VCN in a different region: Remote VCN Peering (Across Regions)

Which 2 actions will occur when a back-end server that is registered with a backend set is marked to drain connections? - It disallows new connections to that backend server - keeps the connections to that instance open and attempts to complete any in-flight requests - redirects the requests to a user-defined error page. - immediately closes all existing connections to that instance - forcibly closes all connections to that instance after a timeout period

- It disallows new connections to that backend server - keeps the connections to that instance open and attempts to complete any in-flight requests Explanation if you set the server's drain status to true, the load balancer stops forwarding new TCP connections and new non-sticky HTTP requests to this backend server. This setting allows an administrator to take the server out of rotation for maintenance purposes.

Which 2 statements are true about the OCI object storage service? - It provides strong consistency - It provides higher lOPS than block storage. - It can be directly attached to or detached from a compute instance - Data is stored redundantly across multiple availability domains (ADs) in a multi-AD region

- It provides strong consistency - Data is stored redundantly across multiple availability domains (ADs) in a multi-AD region Explanation Object Storage provides the following features: - STRONG CONSISTENCY - When a read request is made, Object Storage always serves the most recent copy of the data that was written to the system. - DURABILITY - Object Storage is a regional service. Data is stored redundantly across multiple storage servers. Object Storage actively monitors data integrity using checksums and automatically detects and repairs corrupt data. Object Storage actively monitors and ensures data redundancy. If a redundancy loss is detected, Object Storage automatically creates more data copies. For more details about Durability, see the OCI Obj Storage FAQ - CUSTOM METADATA - You can define your own extensive metadata as key-value pairs for any purpose. For example, you can create descriptive tags for objects, retrieve those tags, and sort through the data. You can assign custom metadata to objects and buckets using the OCI CLI or SDK. See Software Development Kits and Command Line Interface for details - ENCRYPTION - Object Storage employs 256-bit Advanced Encryption Standard (AES-256) to encrypt object data on the server. Each object is encrypted with its own data encryption key. Data encryption keys are always encrypted with a master encryption key that is assigned to the bucket. Encryption is enabled by default and cannot be turned off. By default, Oracle manages the master encryption key. However, you can optionally configure a bucket so that it's assigned an OCI Vault master encryption key that you control and rotate on your own schedule.

You have hired a new employee to run reports from the ADW and are not confident in their SQL writing ability. Into which consumer group will you assign this Individual to minimize the impact of their code? - Low - Lowest - Medium - High - Highest

- Low Explanation in ADW, The tnsnames.ora file provided with the credentials zip file contains three database service names identifiable as high, medium, and low. The predefined service names provide different levels of performance and concurrency for ADW. • High - provides the highest level of resources to each SQL statement resulting in the highest performance, but supports the fewest number of concurrent SQL statements. Any SQL statement in this service can use all the CPU and IO resources in your database. The number of concurrent SQL statements that can be run in this service is 3, this number is independent of the number of OCPUs in your database. • MEDIUM - provides a lower level of resources to each SQL statement potentially resulting a lower level of performance, but supports more concurrent SQL statements. Any SQL statement in this service can use multiple CPU and IO resources in your database. The number of concurrent SQL statements that can be run in this service depends on the number of OCPUs in your database. • LOW - provides the least level of resources to each SQL statement, but supports the most number of concurrent SQL statements. Any SQL statement in this service can use a single CPU and multiple IO resources in your database. The number of concurrent SQL statements that can be run in this service can be up to 300 times the number of OCPUs. - The predefined service names provide different levels of performance and concurrency for Autonomous DB - Choose whichever database service offers the best balance of performance and concurrency. - Use the low database service name. to minimize the impact of their SQLs to by low consumer group

You are designing a lab exercise for your team that has a large number of graphics with large file sizes. The application becomes unresponsive if the graphics are embedded in the application. You have uploaded the graphics to OCI and only added the URL in the application. You need to ensure these graphics are accessible without requiring any authentication for an extended period of time. How can you achieve these requirements? - Create pre-authenticated requests (PAR) and specify 00:00:0000 as the expiration time. - Make the object storage bucket private and all objects public and use the URL found in the Object "Details" - Make the object storage bucket public and use the URL found in the Object "Details" - Create PARs and do not specify an expiration date

- Make the object storage bucket public and use the URL found in the Object "Details" Explanation Pre-authenticated requests provide a way to let you access a bucket or an object without having your own credentials. For example, you can create a request that lets you upload backups to a bucket without owning API keys.When you create a bucket, the bucket is considered a private bucket and the access to the bucket and bucket contents requires authentication and authorization. However, Object Storage supports anonymous, unauthenticated access to a bucket. You make a bucket public by enabling read access to the bucket. pre-authenticated requests have to select expiration date

You are running several Linux based operating systems in your on .premises environment that you want to import to OCI as custom images. You can launch your imported images as OCI compute VMs. Which two modes below can be used to launch these imported Linux VMs? - Native - Mixed - Paravirtualized - Emulated

- Paravirtualized - Emulated Explanation You can use the Console or API to import exported images from Object Storage. To import an image, you need read access to the Object Storage object containing the image.during the Import you can select the Launch mode: - For custom images where the image format is .oci , OCI selects the applicable launch mode based on the launch mode for the source image.For custom images exported from OCI where the image type is QCOW2, select Native Mode. - To import other custom images select Paravirtualized Mode or Emulated Mode. For more information, see Bring Your Own Image (BYOI). ** see Linux Distributions that Support Custom Image Import chart here - https://docs.cloud.oracle.com/en-us/iaas/Content/Compute/Tasks/importingcustomimagelinux.htm

A customer has launched a compute instance In the VCN, which has an internet gateway, a service gateway, a default security lists and a default route table. Customer has opened up Port 22 In the security lists attached to the compute Instance subnet, however is still unable to connect to compute Instances using ssh. Which option would remedy this situation? - Modify the route table associated with the VCN subnet in which the instance resides. Add a following route to the route table. Destination CIDB: 0.0.0.0/0 Target: Internet Gateway <"GM) - Modify the route table associated with the VCN subnet in which the instance resides. Add a following route to the route table. Destination CIDP: 0.0.0.0/0 Target: Dynamic Routing Gateway (DRG) - Modify the security list associated with the VCN subnet In which the Instance resides. Add a stateful egress rule to allow ichp traffic in addition to the port 22 - Modify the route table associated with the VCN subnet In which the Instance resides. Add a following route to the route table. Destination CIDR: 0.0.0.0/0 Target: Service Gateway (SGW)

- Modify the route table associated with the VCN subnet in which the instance resides. Add a following route to the route table. Destination CIDB: 0.0.0.0/0 Target: Internet Gateway <"GM) Explanation You create an internet gateway in the context of a specific VCN. In other words, the internet gateway is automatically attached to a VCN. However, you can disable and re- enable the internet gateway at any time. For traffic to flow between a subnet and an internet gateway, you must create a route rule accordingly in the subnet's route table (for example, destination CIDR = 0.0.0.0/0 and target = internet gateway). If the internet gateway is disabled, that means no traffic will flow to or from the internet even if there's a route rule that enables that traffic. For the purposes of access control, you must specify the compartment where you want the internet gateway to reside. If you're not sure which compartment to use, put the internet gateway in the same compartment as the cloud network.

Which 2 options are available within the service console of ATP? - Monitor the health of the database server including CPU, memory and query performance - Configure resource management rules and reset the admin password - Perform a manual backup of the ATP database - Fine tune a long running query using optimizer hints

- Monitor the health of the database server including CPU, memory and query performance - Configure resource management rules and reset the admin password

You have been notified of an application failure indicating that one or more of the OCI resources have become unavailable. After scanning the Compute and Database consoles, you notice that one of the DD Systems is missing. What would you do to identify the reason for this missing resource? - Navigate to the Audit console and search the previous 24 hours for all Delete actions to get a list of any resource that was deleted in the past 24 hours - Create a serial console connection to the DB System that does not appear in the management console. Connect to the serial console connection, and then review the system logs under /var/log/messages - View the service limits associated with your account to ensure that you have not exceeded the allowable number of DB Systems in your tenancy - Navigate to the Audit console and search the previous 24 hours for all List actions to get a list of every event that occurred in the past 24 hours.

- Navigate to the Audit console and search the previous 24 hours for all Delete actions to get a list of any resource that was deleted in the past 24 hours Explanation You can filter results by request actions to zero in on only the events with operations that interest you. For example, say that you only want to know about instances that were deleted during a specific time frame. Select a delete request action filter to see only the events with delete operations.

Which 2 OCI services use a DRG? - OCI FastConnect Public Peering - Local Peering - OCI FastConnect Private Peering - Internet Gateway - OCI IPSec VPN Connect

- OCI FastConnect Private Peering - OCI IPSec VPN Connect Explanation You can think of a DRG as a virtual router that provides a path for private traffic (that is, traffic that uses private IPv4 addresses) between your VCN and networks outside the VCN's region. you use a DRG when connecting your existing on-premises network to your VCN with one (or both) of these: - IPSec VPN - OCI FastConnect (Private Only) You also use a DRG when peering a VCN with a VCN in a different region: - Remote VCN Peering (Across Regions)

What is a valid option when exporting a custom image? - Object Storage URL - Archive Storage URL - File Storage Service - Block Volume

- Object Storage URL Explanation You can use the Console or API to export images, and the exported images are stored in the OCI Object Storage service. To perform an image export, you need write access to the Object Storage bucket for the image.

Which statement is true about OCI object storage support for server-side encryption? - You must manually enable server-side encryption for each object as you upload to OCI object storage - Objects are automatically encrypted as they are uploaded to object storage and decrypted upon retrieval - You must manually decrypt the data when retrieving from OCI object storage - Only the object data is encrypted and the user-defined metadata that is associated with the object is not encrypted

- Objects are automatically encrypted as they are uploaded to object storage and decrypted upon retrieval Explanation - Oracle Object Storage supports server-side encryption. All data stored in Oracle Object Storage is automatically encrypted- Encryption is automatically enabled for all data with no action required on the part of customers. - Oracle encrypt both the object data and the user-defined metadata associated with the object. Ref : https://www.oracle.com/cloud/storage/object-storage-faq.html

Which 2characteristics do you need to consider when choosing a method to migrate a database to OCI? - On-prem connectivity using remote and local VCN peering - On-prem database character set and application version - On-prem host operating system platform and network bandwidth - On-prem database version and quantity of data, including indexes

- On-prem host operating system platform and network bandwidth - On-prem database version and quantity of data, including indexes Explanation You can migrate your on-premises Oracle Database to an OCI Database service database using a number of different methods that use several different tools. The method that applies to a given migration scenario depends on several factors, including the version, character set, and platform endian format of the source and target databases. Choosing a Migration Method - Not all migration methods apply to all migration scenarios. Many of the migration methods apply only if specific characteristics of the source and destination databases match or are compatible. Moreover, additional factors can affect which method you choose for your migration from among the methods that are technically applicable to your migration scenario. Some characteristics and factors to consider when choosing a migration method: - On-premises database version - Database service database version - On-premises host operating system and version - On-premises database character set - Quantity of data, including indexes - Data types used in the on-premises database - Storage for data staging - Acceptable length of system outage - Network bandwidth To determine which migration methods are applicable to your migration scenario, gather the following info: 1) Database version of your on-premises database: - Oracle Db 12c Release 2 version 12.2.0.1 - Oracle Db 12c Release 1 version 12.1.0.2 or higher - Oracle Db 12c Release 1 version lower than 12.1.0.2 - Oracle Db 11g Release 2 version 11.2.0.3 or higher - Oracle Db 11g Release 2 version lower than 11.2.0.3 2) For on-premises Oracle Database 12c Release 2 and Oracle Database 12c Release 1 databases, the architecture of the database: - Multitenant container database (CDB) - Non-CDB 3) Endian format (byte ordering) of your on-premises database's host platform Some platforms are little endian and others are big endian. Query V$TRANSPORTABLE_PLATFORM to identify the endian format, and to determine whether cross-platform tablespace transport is supported. The OCI Db uses the Linux platform, which is little endian. 4) Database character set of your on-premises database and the OCI Database database.Some migration methods require that the source and target databases use compatible database character sets. 5) Database version of the OCI Database database you are migrating to: - Oracle Db 12c Release 2 - Oracle Db 12c Release 1 - Oracle Db 11g Release 2 - Oracle Database 12c Release 2 and Oracle Database 12c Release 1 databases created on the Database service use CDB architecture. Databases created using the Enterprise Edition software edition are single-tenant, and databases created using the High Performance or Extreme Performance software editions are multi-tenant.

Which statement is true about the OCI File Storage Service Snapshots? - Snapshots are created under the root folder of file system, in a hidden directory named .snapshot - Snapshots are not incremental - You can restore the whole snapshot, but not the individual files - It Is not possible to create snapshots from OCI console, but just the CLI

- Snapshots are created under the root folder of file system, in a hidden directory named .snapshot Explanation The File Storage service supports snapshots for data protection of your file system. Snapshots are a consistent, point-in-time view of your file systems. Snapshots are copy- on-write, and scoped to the entire file system. The File Storage service encrypts all file system and snapshot data at rest. You can take as many snapshots as you need. Data usage is metered against differentiated snapshot data. If nothing has changed within the file system since the last snapshot was taken, the new snapshot does not consume more storage Snapshots are accessible under the root directory of the file system at ".snapshot/name" . For data protection, you can use a tool that supports NFSv3 to copy your data to a different availability domain, region, file system, object storage, or remote location.

Your application consists of 3 OCI compute instances running behind a public load balancer. You have configured the load balancer to perform health checks on these instances, but one of the three instances fails to pass the configured health check. Which of the following action will the load balancer perform? - Stop sending traffic to the instance that failed health check - Terminate the instance that failed health check - Stop the instances that failed health check - Remove the instance that failed the health check from the backend set

- Stop sending traffic to the instance that failed health check Explanation health check A test to confirm the availability of backend servers. A health check can be a request or a connection attempt. Based on a time interval you specify, the load balancer applies the health check policy to continuously monitor backend servers. If a server fails the health check, the load balancer takes the server temporarily out of rotation. If the server subsequently passes the health check, the load balancer returns it to the rotation. You configure your health check policy when you create a backend set. You can configure TCP-level or HTTP-level health checks for your backend servers. -- TCP-level health checks attempt to make a TCP connection with the backend servers and validate the response based on the connection status. -- HTTP-level health checks send requests to the backend servers at a specific URI and validate the response based on the status code or entity data (body) returned.The service provides application-specific health check capabilities to help you increase availability and reduce your application maintenance window.

You have deployed a compute instance (VM.Standard2.24) to run an Oracle database. With this set up, you run into some performance issues and want to leverage an OCI Dense IO shape (VM.DenseIO2.24), with which you get 25.6 TB local NVMe SSD. You do not want to lose the configuration changes you made to the instance. Which of the following TWO steps ARE NOT required to make this transition? - Terminate the VM.Standard2.24 instance and do not preserve the boot volume - Create a new instance using the VM.Dense102.24 shape using the preserved boot volume and move the Oracle Database data to NVMe disks - Terminate the VM.Standard2.24 instance and preserve the boot volume - Create a new instance using a VM.DenseIO2.24 shape using the preserved boot volume and move the Oracle Database data to block volumes

- Terminate the VM.Standard2.24 instance and do not preserve the boot volume - Create a new instance using a VM.DenseIO2.24 shape using the preserved boot volume and move the Oracle Database data to block volumes Explanation You can permanently terminate (delete) instances that you no longer need. Any attached VNICs and volumes are automatically detached when the instance terminates. Eventually, the instance's public and private IP addresses are released and become available for other instances. By default, the instance's boot volume is deleted when you terminate the instance, however you can preserve the boot volume associated with the instance, so that you can attach it to a different instance as a data volume, or use it to launch a new instance. Dense I/O Shapes Designed for large databases, big data workloads, and applications that require high-performance local storage. DenseIO shapes include locally-attached NVMe-based SSDs. so once you create the VM.DenseIO you need to move the Database to locally-attached NVMe-based SSDs

You must implement a backup solution for your ADW that will enable you to restore data as old as one year with a recovery point objective (RPO) of 10 days.Which database backup strategy would you select? - Take weekly manual backups to supplement the automated backups and preserve them for 12 months. - Use the automated backups - Take monthly manual backups to supplement the automated backups and preserve them for 12 months - Take quarterly manual backups to supplement the automated backups and preserve them for 12 months

- Use the automated backups Explanation: - OCI automatically backs up your Autonomous Databases and retains these backups for 60 days. Automatic backups are weekly full backups and daily incremental backups. You can also create manual backups to supplement your automatic backups. Manual backups are stored in an Object Storage bucket that you create, and are retained for 60 days The retention period for manual backups is the same as automatic backups which is 60 days. So we cannot preserve the backup for 12 months https://docs.oracle.com/en/cloud/paas/autonomous-data-warehouse-cloud/user/backup- manual.html#GUID-D95E5D6A-C470-4A68-9545-CC99D937E7D1

You have an app running on OCI. You identified that the read and write operations are slowing your application down enough to impair user access. The application is currently using a VM.Standard1.2 compute without any block storage attached to it. Which 2 options allow you to increase disk performance? - Terminate the compute instance preserving the boot volume. Create a new compute instance using a VM Dense IO shape using the boot volume preserved - Terminate the compute instance preserving the boot volume. Create a new compute instance using a VM Standard shape and attach a new block volume to host your application. - Create a backup of the boot volume. Create a new compute instance using a VM Dense IO shape and restore the backup - Terminate the compute instance and create a backup of the boot volume. Create a new compute instance using a VM Dense IO shape and restore the backup

- Terminate the compute instance preserving the boot volume. Create a new compute instance using a VM Dense IO shape using the boot volume preserved - Terminate the compute instance preserving the boot volume. Create a new compute instance using a VM Standard shape and attach a new block volume to host your application. Explanation You can permanently terminate (delete) instances that you no longer need.By default, the instance's boot volume is deleted when you terminate the instance, however you can preserve the boot volume associated with the instance, so that you can attach it to a different instance as a data volume, or use it to launch a new instance. You can use a boot volume backup to create an instance or you can attach it to another instance as a data volume. However before you can use a boot volume backup, you need to restore it to a boot volume.

You are an administrator with an application running on OCI. The company has a fleet of OCI compute virtual instances behind an OCI Load Balancer. The OCI Load Balancer Backend Set health check API is providing a 'Critical' level warning. You have confirmed that your application is running healthy on the backend servers. What is the possible reason for this 'Critical' warning? - A user does not have correct IAM credentials on the Backend Servers - The Backend Server VCN's Route Table does not include the route for OCI LB - OCI Load Balancer Listener is not configured correctly - The Backend Server VCN's Security List does not include the IP range for the source of the health check requests

- The Backend Server VCN's Security List does not include the IP range for the source of the health check requests Explanation A SECURITY RULE IS MISCONFIGURED. Health status indicators help you diagnose two cases of misconfigured security rules: l All entity health status indicators report OK, but traffic does not flow (as with misconfigured listeners). If the listener is not at fault, check the security rule configuration. l All entity health statuses report as unhealthy. You have checked your health check configuration and your services run properly on your backend servers. In this case, your security rules might not include the IP range for the source of the health check requests. You can find the health check source IP on the Details page for each backend server. You can also use the API to find the IP in the sourceIpAddress field of the HealthCheckResult object

You have created a public subnet in a VCN, and your public subnet has a Route Table, a Security List, and an Internet Gateway. However, none of the compute instances can connect to the Internet. Which two are possible reasons for the connectivity issue? (Choose 2) - There is no DRG associated with the VCN. - The Route Table has no default route for routing traffic to the Internet Gateway - There is no stateful ingress rule in the Security List associated with the public subnet - There is no stateful egress rule in the Security List associated with the public subnet

- The Route Table has no default route for routing traffic to the Internet Gateway - There is no stateful egress rule in the Security List associated with the public subnet Explanation An internet gateway as an optional virtual router that connects the edge of the VCN with the internet. To use the gateway, the hosts on both ends of the connection must have public IP addresses for routing. Connections that originate in your VCN and are destined for a public IP address (either inside or outside the VCN) go through the internet gateway. Connections that originate outside the VCN and are destined for a public IP address inside the VCN go through the internet gateway. Working with Internet Gateways You create an internet gateway in the context of a specific VCN. In other words, the internet gateway is automatically attached to a VCN. However, you can disable and re- enable the internet gateway at any time. Compare this with a DRG, which you create as a standalone object that you then attach to a particular VCN. DRGs use a different model because they're intended to be modular building blocks for privately connecting VCNs to your on-premises network. For traffic to flow between a subnet and an internet gateway, you must create a route rule accordingly in the subnet's route table (for example, destination CIDR = 0.0.0.0/0 and target = internet gateway). If the internet gateway is disabled, that means no traffic will flow to or from the internet even if there's a route rule that enables that traffic. For more information, see Route Tables. For the purposes of access control, you must specify the compartment where you want the internet gateway to reside. If you're not sure which compartment to use, put the internet gateway in the same compartment as the cloud network. For more information, see Access Control. You may optionally assign a friendly name to the internet gateway. It doesn't have to be unique, and you can change it later. Oracle automatically assigns the internet gateway a unique identifier called an Oracle Cloud ID (OCID). For more information, see Resource Identifiers. To delete an internet gateway, it does not have to be disabled, but there must not be a route table that lists it as a target. AS per compute instances can connect to the Internet so you use egress no ingress

What is true about data guard set up with Fast-Start FailOver (FSFO) in OCI? - The best practice for high availability and durability is to run the primary, standby, and observer in separate ADs - When you configure data guard using OCI console, the default mode is set to maxprotection. - You cannot create the standby DB system in a different AD from the primary DB system. - You cannot use database CLI to set up data guard with FSFO.

- The best practice for high availability and durability is to run the primary, standby, and observer in separate ADs Explanation The best practice for high availability and durability is to run the primary, standby, and observer in separate availability domains. The observer determines whether or not to failover to a specific target standby databasehttps://docs.cloud.oracle.com/en- us/iaas/Content/Database/T asks/usingDG.htm#ConfiguringObserverOptional

Which 2 statements are true about adding secondary VNICs to an existing compute instance? - The primary and secondary VNIC association must be in the same AD - You can assign an Ephemeral Public IP to a secondary VNIC - You can remove the primary VNIC after the secondary VNIC's attachment is complete - The primary and secondary VNIC association can be in different VCNs

- The primary and secondary VNIC association must be in the same availability domain - The primary and secondary VNIC association can be in different VCNs Explanation Each secondary VNIC can be in a subnet in the same VCN as the primary VNIC, or in a different subnet that is either in the same VCN or a different one. However, all the VNICs must be in the same availability domain as the instance.Ephemeral Public IP To a VNIC's primary private IP only

You are designing a networking infrastructure in multiple OCI regions and require connectivity between workloads in each region. You have created a DRG and a remote peering connection. However, your workloads are unable to communicate with each other. What are 2 reasons for this? (Choose 2) - The security lists associated with subnets in each VCN do not have the appropriate ingress rules - IAM policies have not been defined to allow connectivity across the two VCNs in different regions - A local peering gateway needs to be created in each VCN with a default route rule added in the route table forwarding the traffic to the local peering gateway - An Internet gateway needs to be created in each VCN with a default route rule added in the route table forwarding the traffic to the Internet Gateway - The route table associated with subnets in each VCN do not have a route rule defined to forward the traffic to their respective DRGs

- The security lists associated with subnets in each VCN do not have the appropriate ingress rules - The route table associated with subnets in each VCN do not have a route rule defined to forward the traffic to their respective DRGs Explanation Setting Up a Remote Peering - Create the RPCs: Each VCN administrator creates an RPC for their own VCN's DRG. - Share information: The administrators share the basic required information. - Set up the required IAM policies for the connection: The administrators set up IAM policies to enable the connection to be established. - Establish the connection: The requestor connects the two RPCs (see Important Remote Peering Concepts for the definition of the requestor and acceptor). - Update route tables: Each administrator updates their VCN's route tables to enable traffic between the peered VCNs as desired. - Update security rules: Each administrator updates their VCN's security rules to enable traffic between the peered VCNs as desired.

Where do you find the tnsnames.ora for your ADW database? - You can download tnsnames.ora from OCI web console under ADW details page - The tnsnames.ora file is included in credentials.zip file that you download from service console of ADW - The ADW database will place the tnsnames.ora file in an object storage bucket - You are automatically prompted to download the tnsnames.ora file upon creation of the ADW database

- The tnsnames.ora file is included in credentials.zip file that you download from service console of ADW Explanation To download client credentials from the ATP Service Console: - From the Service Console click the Administration link. - Click Download Client Credentials (Wallet). - On the Download Client Credentials (Wallet) page, enter a wallet password in the Password field and confirm the password in the Confirm Password field. The password must be at least 8 characters long and must include at least 1 letter and either 1 numeric character or 1 special character. This password protects the downloaded Client Credentials wallet. - Click Download to save the client security credentials zip file. By default the filename is: Wallet_databasename.zip. You can save this file as any filename you want. You must protect this file to prevent unauthorized database access.

You need to create a high performance shared file system, and have been advised to use file storage service (FSS). You have logged into the OCIe console, created a file system, and followed the steps to mount the shared file system on your Linux instance. However, you are still unable to access the shared file system from your Linux instance. What is the likely reason for this? - There are no security list rules for mount target traffic - There is no internet gateway set up for mount target traffic - There is no IAM policy set up to allow you to access the mount target - There is no route in your VCN route table for mount target traffic

- There are no security list rules for mount target traffic Explanation to have access to file system At least one VCN in a compartment. Correctly configured security rules for the file system mount target. Security rules can be created in the security list for the mount target subnet, or in a Network Security Group (NSG) that you add the mount target to. See Security Rules for information about how security rules work in OCI. Use the instructions in Configuring VCN Security Rules for File Storage to set up security rules correctly for your file systems

You have 2 NFS clients running in two different subnets within the same OCI VCN. You have created a shared file system for the two NFS clients who want to connect to the same file system, but you want to restrict one of the clients to have READ access while the other has READ/Write access. Which OCI feature would you leverage to meet this requirement? - Use VCN security rules to control access for the NFS clients - Use OCI Identity Access Management to control access for the NFS clients - Use File Storage NFS Export Options to control access for the NFS clients - Use NFS security to control access for the NES clients

- Use File Storage NFS Export Options to control access for the NFS clients Explanation OCI File Storage service provides a durable, scalable, secure, enterprise-grade network file system. You can connect to a File Storage service file system from any bare metal, VM, or container instance in your VCN. You can also access a file system from outside the VCN using OCI FastConnect and Internet Protocol security (IPSec) VPN. EXPORT Exports control how NFS clients access file systems when they connect to a mount target. File systems are exported (made available) through mount targets. Each mount target maintains an export set which contains one or many exports. A file system must have at least one export in one mount target in order for instances to mount the file system. The information used by an export includes the file system OCID, mount target OCID, export set OCID, export path, and client export options. For more information, see Managing Mount Targets. EXPORT SET Collection of one or more exports that control what file systems the mount target exports using NFSv3 protocol and how those file systems are found using the NFS mount protocol. Each mount target has an export set. Each file system associated with the mount target has at least one export in the export set. EXPORT PATH A path that is specified when an export is created. It uniquely identifies the file system within the mount target, letting you associate up to 100 file systems to a single mount target. This path is unrelated to any path within the file system itself, or the client mount point path. EXPORT OPTIONS NFS export options are a set of parameters within the export that specify the level of access granted to NFS clients when they connect to a mount target. An NFS export options entry within an export defines access for a single IP address or CIDR block range. For more information, see Working with NFS Export Options.

When terminating a compute instance, which statement is true? - The instance needs to be stopped first, and then terminated - The boot volume is always deleted - All block volumes attached to the instance are terminated - Users can preserve the boot volume associated with the instance

- Users can preserve the boot volume associated with the instance Explanation You can permanently terminate (delete) instances that you no longer need. Any attached VNICs and volumes are automatically detached when the instance terminates. Eventually, the instance's public and private IP addresses are released and become available for other instances. By default, the instance's boot volume is deleted when you terminate the instance, however you can preserve the boot volume associated with the instance, so that you can attach it to a different instance as a data volume, or use it to launch a new instance.

You have been tasked with creating one VCN each for 2 LOB apps. LOB A and LOB B will need to communicate with each other. To ensure that you can utilize VCN peering, which network CIDR ranges should be used? - VCN A (10.0.0.0/16) and VCN B (10.1.0.0/16) - VCN A (10.0.2.0/16) and VCN B (10.0.2.0/25) - VCN A (10.0.0.0/16) and VCN B (10.0.16.0/24) - VCN A (172.16.0.0/24) and VCN B (172.16.0.0/28)

- VCN A (10.0.0.0/16) and VCN B (10.1.0.0/16) Explanation VCN A (10.0.0.0/16) will use a range of IPS from 10.0.0.0 to 10.0.255.255 and VCN B (10.1.0.0/16) will use a range of IPS from 10.1.0.0 to 10.1.255.255 so will not be any Overlap between 2 VCNs

You have 2 line of business operations (LOB1, LOB2) leveraging OCI. LOB1 is deployed in VCN1 in the OCI US East region, while LOB2 is deployed in VCN2 in the US West region. You need to peer VCN1 and VCN2 for disaster recovery and data backup purposes. To ensure you can utilize the OCI VCN remote peering feature, which CIDR ranges should be used? - VCN1 (10.0.0.0/16) and VCN2 (10.0.1.0/24) - VCN1 (10.0.0.0/16) and VCN2 (172.16.0.0/16) - VCN1 (172.16.1.0/24) and VCN2 (172.16.1.0/27) - VCN1 (192.168.0.0/16) and VCN2 (192.168.1.0/27)

- VCN1 (10.0.0.0/16) and VCN2 (172.16.0.0/16) Explanation VCN1 (10.0.0.0/16) will use the IP Range from 10.0.0.0 to 10.0.255.255 and the VNC 2 (172.16.0.0/16) will use the IP Range from 172.16.0.0 to 172.16.255.255 the will not be overlap between the 2 VCN

You have created a new compartment called Production to host some production apps. You have also created users in your tenancy and added them to a Group called "production group". Your users are still unable to access the Production compartment. How can you resolve this situation? - Every compartment you create comes with a predefined set of policies, so no further action is needed - Your users get automatic access to all compartments, so no further action is needed - Write an IAM Policy for each specific user granting them access to the production compartment - Write an IAM Policy for "production_group" granting it access to the production compartment

- Write an IAM Policy for "production_group" granting it access to the production compartment Explanation When creating a compartment, you must provide a name for it (maximum 100 characters, including letters, numbers, periods, hyphens, and underscores) that is unique within its parent compartment. You must also provide a description, which is a non-unique, changeable description for the compartment, from 1 through 400 characters. After creating a compartment, you need to write at least one policy for it, otherwise no one can access it (except administrators or users who have permissions set at the tenancy level). When creating a compartment inside another compartment, the compartment inherits access permissions from compartments higher up its hierarchy. When you create an access policy, you need to specify which compartment to attach it to. This controls who can later modify or delete the policy. Depending on how you've designed your compartment hierarchy, you might attach it to the tenancy, a parent, or to the specific compartment itself.

You have a working application in the US East region. The app is a 3-tier app with a database backend - you take regular backups of the database into OCI Object Storage in the US East region. For Business continuity; you are leveraging OCI Object Storage cross-region copy feature to copy database backups to the US West region. Which of the following three steps do you need to execute to meet your requirement? - Write an IAM policy and authorize the Object Storage service to manage objects on your behalf - Specify an existing destination bucket - Specify the bucket visibility for both the source and destination buckets Provide a destination object name - Provide an option to choose bulk copying of objects - Choose an overwrite rule

- Write an IAM policy and authorize the Object Storage service to manage objects on your behalf - Specify an existing destination bucket - Choose an overwrite rule Explanation - You can copy objects to other buckets in the same region and to buckets in other regions.You must have the required access to both the source and destination buckets when performing an object copy. You must also have permissions to manage objects in the source and destination buckets. - Because Object Storage is a regional service, you must authorize the Object Storage service for each region carrying out copy operations on your behalf. For example, you might authorize the Object Storage service in region US East (Ashburn) to manage objects on your behalf. Once you authorize the Object Storage service, you can copy an object stored in a US East (Ashburn) bucket to a bucket in another region. You can use overwrite rules to control the copying of objects based on their entity tag (ETag) values. - Specify an existing target bucket for the copy request. The copy operation does not automatically create buckets.

Which 2 statements are true about an OCI object storage bucket? (choose 2) - You can associate a bucket with multiple compartments - You cannot change a bucket from private to public after it is created - You can associate a bucket with only a single compartment - You cannot edit or append data to an object, but you can replace the entire object

- You can associate a bucket with only a single compartment - You cannot edit or append data to an object, but you can replace the entire object Explanation - A bucket is associated with a single compartment.You can't edit or append data to an object, but you can replace the entire object.

Which 2 statements are true regarding cloning a block volume? - You can change the block volume performance when creating a clone - You can clone block volumes across regions - You can change the block volume size when creating a clone - You can skip block volume encryption when creating a clone

- You can change the block volume performance when creating a clone - You can change the block volume size when creating a clone Explanation - You can create a clone from a volume using the Block Volume service. Cloning enables you to make a copy of an existing block volume without needing to go through the backup and restore process. - A cloned volume is a point-in-time direct disk-to-disk deep copy of the source volume, so all the data that is in the source volume when the clone is created is copied to the clone volume. - You can only create a clone for a volume within the same region, availability domain and tenant. You can create a clone for a volume between compartments as long as you have the required access permissions for the operation.during create a clone you can do the following - If you want to clone the block volume to a larger size volume, check Custom Block Volume Size (GB) and then specify the new size. You can only increase the size of the volume, you cannot decrease the size. If you clone the block volume to a larger size volume, you need to extend the volume's partition. See Extending the Partition for a Block Volume for more information. - If you want to change the elastic performance setting when cloning the volume,check Custom Block Volume Performance and select the elastic performance setting you want the volume clone to use. See Block Volume Elastic Performance for more information. You can also change the elastic performance setting after you have cloned the volume, see Block Volume Elastic Performance. If you leave Custom Block Volume Performance unchecked, the cloned volume will use the same elastic performance setting as the source volume.

Which 2 statements are true about ADW backup ? - You can perform manual backups to OCI object storage in addition to automated backups available on ADW - You can backup ADW database only to a standard bucket type in OCI object storage - OCI recommends backing up ADW databases manually to on-premises storage devices - You must backup ADW database to object storage bucket named ADW_backup

- You can perform manual backups to OCI object storage in addition to automated backups available on ADW - You can backup ADW database only to a standard bucket type in OCI object storage Explanation - ADB automatically backs up your database for you.In addition to automatic backups ADB also allows you take manual backups to your OCI Object Storage. for example if you want to take a backup before a major change to make restore and recovery faster. *Also, Manual backups are only supported with buckets created in the standard storage tier if you provision an ADW instance named ADWC1, the bucket name should be backup_adwc1 (the bucket name is lowercase)

Which two options are true for ATP database? (Choose 2) - You can add/remove Diskgroup in ATP - You can scale storage up or down in ATP - You can scale CPU up or down in ATP - You can add more Pluggable Databases for consolidating multiple databases in ATP - You can add new ORACLE_HOME for bringing older versions of on-premises databases to ATP

- You can scale storage up or down in ATP - You can scale CPU up or down in ATP Explanation - You can scale up/down your Autonomous Database to scale both in terms of compute and storage only when needed, allows people to pay per use. - Oracle allows you to scale compute and storage independently, no need to do it together. these scaling activities fully online (no downtime required) - in Details page Autonomous Database click Scale Up/Down. Click on arrow to select a value for CPU Core Count or Storage (TB). - OR - Select auto scaling to allow the system to automatically use up to three times more CPU and IO resources to meet workload demand, compared to the database operating with auto scaling disabled.

Which statement is true regarding ATP? - a database name cannot be used concurrently for both an ADW and an ATP database - After terminating a database, the database name is available for immediate reuse - a maximum of 8 cores can be enabled for an ATP database - a maximum of 2 TB of storage can be enabled for an ATP database

- a database name cannot be used concurrently for both an ADW and an ATP database Explanation - the DB name must be unique among all ADW and Autonomous Databases in your tenancy in the same region. - Terminating an ATP db permanently deletes the instance and removes all automatic backups. You cannot recover a terminated database. - the max # of CPUs and maximum storage capacity that can be provisioned in Oracle Autonomous Database In the current release up to 128 CPUs and 128TB can be provisioned from the cloud console. Customers requiring more resources need to call their Oracle account team

How can you provide users access to an existing compartment? - by granting users access to a compartment when the compartment is created - by adding users to a group and defining a policy to provide the group access to the compartment - by adding users to a compartment; all users in the compartment will have access to the objects in the compartment. - by granting access directly to the user when the user is created

- by adding users to a group and defining a policy to provide the group access to the compartment Explanation - A policy is a document that specifies who can access which OCI resources that your company has, and how. A policy simply allows a GROUP to work in certain ways with specific types of RESOURCES in a particular COMPARTMENT In general, here's the process an IAM administrator in your organization needs to follow: - Define users, groups, and one or more compartments to hold the cloud resources for your org. - Create 1+ policies, each written in the policy language. - Place users into the appropriate groups depending on the compartments and resources they need to work with. - Provide the users with 1x password that they need in order to access the Console and work with the compartments.

Your app front end consists of several OCI compute instances behind a load balancer. You have configured the load balancer to perform health checks on these instances. If an instance fails to pass the configured health checks, what will happen? - The instance is replaced automatically by the load balancer - The instance is terminated automatically by the load balancer - The instance is taken out of the back end set by the load balancer - The load balancer stops sending traffic to that instance

- load balancer stops sending traffic to that instance Explanation One or more of the backend servers reports as unhealthy.A backend server might be unhealthy or the health check might be misconfigured.

You have provisioned an ATP database and logged into the ATP service console. What are 3 abilities that can be performed from this service console? - scale up/down the CPUs - create ATP database users - reset the admin password - set resource management rules - monitor database activity and SQL queries

- reset the admin password - set resource management rules - monitor database activity and SQL queries Explanation In ATP Service Console, the • ACTIVITY screen - allows you to perform some basic monitor database activity and SQL queries. • • ADMIN screen - allows you to perform some basic administration of the service, like reset the admin password and set resource management rules

Your IT dept wants to cut down storage costs, but also meet compliance requirements as set up by the central audit group. You have a legacy bucket with both Word does (*.docx) and Excel files (*.xlsx). Your auditors want to retain only Excel files for compliance purposes. Your IT departments wants to keep all other files for 365 days only. What 2 steps can you take to meet this requirement? - Create Object Storage Lifecycle rules to archive objects from the legacy bucket after 365 days without any pattern matching - Create Object Storage Lifecycle rules to delete objects from the legacy bucket after 365 days with a filter type - include by pattern: ''.docx - It is not possible to meet this requirement - Create Object Storage Lifecycle rules to delete objects from the legacy bucket after 365 days with a filter type - exclude by pattern: ''.xlsx" - Create Object Storage Lifecycle rules to delete objects from the legacy bucket after 365 days without any pattern matching

1 - Create Object Storage Lifecycle rules to delete objects from the legacy bucket after 365 days with a filter type - include by pattern: ''.docx 2 - Create Object Storage Lifecycle rules to delete objects from the legacy bucket after 365 days with a filter type - exclude by pattern: ''.xlsx" Explanation Object Lifecycle Management lets you automatically manage the archiving and deletion of objects. By using Object Lifecycle Management to manage your ObjectStorage and Archive Storage data, you can reduce your storage costs and the amount of time you spend managing data. Use object name filters to specify which objects the lifecycle rule applies to.You can add object filters in any order. Object Lifecycle Management evaluates the precedence of the rules as follows: - Pattern exclusions - Pattern inclusions - Prefix inclusions

Which 3 items must be configured for a load balancer to accept incoming traffic? - A route table entry pointing to the listener IP address A security list that is open on the listener port - A backend set with at least one backend server - SSL certificate - A listener

1. A route table entry pointing to the listener IP address A security list that is open on the listener port 2. a backend set with at least one backend server 3. a Listener Explanation The essential components for load balancing include: 1- A load balancer with pre-provisioned bandwidth. 2- A backend set with a health check policy. See Managing Backend Sets. 3- Backend servers for your backend set. See Managing Backend Servers. 4- One or more listeners . See Managing Load Balancer Listeners. 5- Load balancer subnet security rules to allow the intended traffic. To learn more about these rules, see Security Rules. Optionally, you can associate your listeners with SSL server certificate bundles to manage how your system handles SSL traffic.

Which 2 statements are true about encryption on OCI? - By default, object storage and block storage are encrypted at rest. - A customer is responsible for data encryption in all services of OCI - By default, DB Systems offers an encrypted database. - By default, NVMe drives are encrypted but the block volume service is not

1. By default, object storage and block storage are encrypted at rest. 2. By default, DB Systems offers an encrypted database.

You have successfully configured identity federation between OCI and IDCS. A new project manager wants access to OCI for her team and provides the name of an existing group within IDCS to use when granting access. How do you configure federation to allow the project team access to OCI resources? - Create a new IAM group in OCI and map it to the existing IDCS group. Create a new policy in IDCS and reference the name of the IAM group. - Create a new Identity and Access Management (IAM) policy in OCI and reference the name of the IDCS group in each policy statement. - Create a new compartment in OCI with the same name as the existing IDCS group. Create an IAM policy that references the new compartment and the name of the IDCS group - Create a new IAM group in OCI and map it to the existing IDCS group. Create a new IAM policy and reference the name of the IAM group in each policy statement.

Create a new IAM group in OCI and map it to the existing IDCS group. Create a new IAM policy and reference the name of the IAM group in each policy statement. Explanation When working with your IdP, your administrator defines groups and assigns each user to one or more groups according to the type of access the user needs. OCI also uses the concept of groups (in conjunction with IAM policies) to define the type of access a user has. As part of setting up the relationship with the IdP, your administrator can map each IdP group to a similarly defined IAM group, so that your company can re-use the IdP group definitions when authorizing user access to OCI resources. Here's a screenshot from the mapping process: (shows IdP Group with arrow to OCI Group & then Submit button

Your company has been running several small applications in OCI and is planning a POC to deploy PSFT. If your existing resources are being maintained In the root compartment, what is the recommended approach for defining security for the upcoming POC ? - Create a new tenancy tor the POC. Provision all new resources Into the root compartment. Grant appropriate permissions to create and manage resources within the root compartment - Provision all new resources Into the root compartment. Grant permissions that only allow for creation and management of resources specific to the POC - Create a new compartment for the POC and grant appropriate permissions to create and manage resources within the compartment. - Provision all new resources into the root compartment. Use defined tags to separate resources that belong to different applications.

Create a new compartment for the POC and grant appropriate permissions to create and manage resources within the compartment. Explanation as per you already had existing resources are being maintained In the root compartment so is the recommended approach for defining security for the upcoming POC to Create a new compartment for the POC and grant appropriate permissions to create and manage resources within the compartment.

Which 2 options are available when setting up DNS for your bare metal and VM DB Systems? • Internet and custom resolver • Google DNS servers • Custom resolver • Internet and VCN resolver

• Custom resolver • Internet and VCN resolver Explanation Choices for DNS in Your VCN • Default Choice: Internet & VCN resolver • Customer Resolver

You have the following compartment structure in your tenancy. Root compartment->Training->Training-subl ->Training-sub2 You create a policy in the root compartment to allow the default admin for the account (Administrators) to manage block volumes in compartment Training-sub2. What policy would you write to meet this requirement? - Allow group Administrators to manage volume-family in root compartment - Allow group Administrators to manage volume-family in compartment Training-sub1 :Training-sub2 - Allow group Administrators to manage volume-family in compartment Training: Training- sub 1 :Training-sub2 - Allow group Administrators to manage volume-family in compartment Training-sub2

xplanation a policy statement must specify the compartment for which access is being granted (or the tenancy). Where you create the policy determines who can update the policy. If you attach the policy to the compartment or its parent, you can simply specify the compartment name. If you attach the policy further up the hierarchy, you must specify the path. The format of the path is each compartment name (or OCID) in the path, separated by a colon: "<compartment_level_1>:<compartment_level_2>: . . . <compartment_level_n>" For example, assume you have a 3-level compartment hierarchy, shown here: *screenshot showing Root, CompartmentA, B, C all as sub-compartments of Compartment directly above it* You want to create a policy to allow NetworkAdmins to manage VCNs in CompartmentC. If you want to attach this policy to CompartmentC or to its parent, CompartmentB, write this policy statement: "Allow group NetworkAdmins to manage virtual-network-family in compartment CompartmentC" However, if you want to attach this policy to CompartmentA (so that only administrators of CompartmentA can modify it), write this policy statement that specifies the path: "Allow group NetworkAdmins to manage virtual-network-family in compartment CompartmentB:CompartmentC" To attach this policy to the tenancy, write this policy statement that specifies the path from CompartmentA to CompartmentC: "Allow group NetworkAdmins to manage virtual-network-family in compartment CompartmentA:CompartmentB:CompartmentC"

In what 2 ways does OCI File Storage service differ from OCI Object Storage and Block Volume services? • File storage mount target does not provide a private IP address, while the object storage bucket provides one • File Storage uses the Network File System (NFS) protocol, whereas block volume uses ISCSI (Small Computer System Interface) • Block volume service is NVMe based, while file storage service is not. • You can move object storage buckets, block volumes and file storage mount targets between compartments

• File Storage uses the Network File System (NFS) protocol, whereas block volume uses ISCSI (Small Computer System Interface) • You can move object storage buckets, block volumes and file storage mount targets between compartments Explanation The mount target provides the IP address or DNS name that is used together with a unique export path to mount the file system. You can move mount targets from one compartment to another.


Related study sets

Carbohydrate Digestion & Absorption

View Set

LIFESPAN FINAL study guide part 3 (chap 5-6)

View Set

Level 2 Unit 1 (Weeks 3&4) - ¿Qué hacer en la ciudad? / Los lugares

View Set