Oracle 1z0-1124-25 Oracle Cloud Infrastructure 2025 Networking Professional Exam Practice Test

Requirements: Outbound internet access, no inbound exposure, and private OCIR access.

Option A: Internet Gateway allows inbound traffic, violating the no-exposure rule—incorrect.

Option B: NAT Gateway enables outbound-only internet access, but Internet Gateway adds inbound exposure—incorrect.

Option C: NAT Gateway provides outbound internet access without inbound exposure; Service Gateway enables private OCIR access—correct.

Option D: DRG is for external networks, not internet/OCIR access; Internet Gateway exposes servers—incorrect.

Conclusion: Option C satisfies all requirements.

Oracle states:

"Use a NAT Gateway for outbound internet access from private subnets without inbound connectivity. Use a Service Gateway for private access to OCI services like OCIR."This supports Option C. Reference:NAT and Service Gateway Overview - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Network/Tasks/NATgateway.htm & docs.oracle.com/en-us/iaas/Content/Network/Tasks/servicegateway.htm).

Requirement: IAM permission to accept cross-tenancy LPG peering.

Option A: “Manage” allows creating and accepting peering—correct.

Option B: “Use” permits using existing LPGs, not accepting requests—incorrect.

Option C: “Inspect” is read-only, insufficient—incorrect.

Option D: “Read” on virtual-network-family doesn’t cover LPG management—incorrect.

Conclusion: Option A is required.

Oracle states:

"To accept a cross-tenancy peering request, the target tenancy needs ‘manage local-peering-gateways’ permission."This confirms Option A. Reference:Local VCN Peering - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Network/Tasks/localVCNpeering.htm).

Concern:IPSec overhead reduces effective MTU.

MTU Impact:Must avoid fragmentation, which degrades performance.

Evaluate Factors:

A:Bandwidth doesn’t dictate MTU; incorrect.

B:Smallest MTU in path (path MTU) prevents fragmentation; most critical.

C:Ethernet MTU is a factor but not the limiting one; incomplete.

D:DRG fragmentation settings are secondary to path MTU; incorrect.

Conclusion:Path MTU is the key determinant to avoid fragmentation.

IPSec reduces MTU due to headers. The Oracle Networking Professional study guide explains, "When configuring IPSec over FastConnect, the most important factor is the smallest MTU supported along the entire path to prevent fragmentation and ensure efficient traffic flow" (OCI Networking Documentation, Section: IPSec over FastConnect). Path MTU discovery is critical.

Requirement: Private, IAM-secured access to Object Storage.

Option A: Public subnet with Internet Gateway uses public IPs—violates policy.

Option B: NAT Gateway is for internet access, not private OCI services—incorrect.

Option C: Service Gateway enables private access to Object Storage, paired with IAM for auth—correct.

Option D: Public subnet with firewall still relies on public IPs—incorrect.

Conclusion: Option C meets all requirements.

Oracle states:

"Use a Service Gateway for private access to OCI Object Storage from a private subnet, with IAM policies for authentication and authorization."This supports Option C. Reference:Service Gateway Overview - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Network/Tasks/servicegateway.htm).

Problem:OKE web tier pods cannot reach the application tier.

Traffic Flow:Web tier (OKE) initiates outbound (egress) traffic to application tier (port 8080).

NSG Role:Controls traffic at VNIC level; must allow egress from OKE and ingress to app tier.

Evaluate Options:

A:Missing egress rule on OKE NSG blocks traffic; plausible but incomplete context.

B:Ingress on OKE NSG affects incoming traffic, not outbound to app tier; incorrect.

C:No ingress on OKE NSG doesn’t block egress to app tier; incorrect.

D:Egress limited to internet blocks app tier access (port 8080); most likely.

Conclusion:Missing egress rule to app tier NSG is the primary issue.

NSGs require explicit egress rules for outbound traffic. The Oracle Networking Professional study guide notes, "For OKE pods to communicate with other tiers, the node pool’s NSG must include egress rules to the destination NSG or CIDR on the required ports" (OCI Networking Documentation, Section: Network Security Groups with OKE). Option D reflects a common misconfiguration in IaC setups.

Purpose:Secure access to private subnet resources via Bastion.

Placement Considerations:Must be internet-accessible yet isolated.

Evaluate Options:

A:Private subnet lacks internet access for Bastion; incorrect.

B:Dedicated public subnet balances accessibility and isolation; correct.

C:Separate VCN adds complexity, unnecessary; less optimal.

D:Ambiguous phrasing, but implies exposure; less precise than B.

Conclusion:Dedicated public subnet is the best placement.

OCI Bastion requires public access with security. The Oracle Networking Professional study guide notes, "Place the Bastion host in a public subnet with a dedicated configuration to allow secure SSH access to private subnet resources without exposing them directly" (OCI Networking Documentation, Section: Bastion Host Placement). Option B ensures this balance.

Requirements:Secure, scalable authentication for Cloud Shell scripting.

Methods:

API Keys:Manual, less secure if stored.

Instance Principals:Credential-less, dynamic.

Terraform with Vault:Secure but complex for scripting.

Evaluate Options:

A:API keys in script are insecure; not scalable.

B:Persistent storage risks exposure; less secure.

C:Instance Principals use IAM, no credentials; best fit.

D:Overkill for simple scripting, better for IaC; less suited.

Conclusion:Instance Principals offer security and scalability.

Instance Principals simplify automation. The Oracle Networking Professional study guide states,"Instance Principals allow Cloud Shell to authenticate via dynamic groups without storing credentials, ideal for secure, scalable scripting" (OCI Networking Documentation, Section: Authentication in Cloud Shell). This avoids key management issues.

Goal: End-to-end encryption (client-to-LB and LB-to-backend).

Option A: HTTP backend set leaves LB-to-backend unencrypted—incorrect.

Option B: HTTPS listener and backend set with certificates ensures full encryption—correct and mandatory.

Option C: Backend-only certificates lack LB termination—incorrect.

Option D: TCP proxy bypasses LB encryption—incorrect.

Conclusion: Option B is mandatory for end-to-end encryption.

Oracle states:

"For end-to-end encryption, configure the HTTPS listener with an SSL certificate and set the backend protocol to HTTPS, requiring certificates on backend instances."This validates Option B. Reference:Load Balancer SSL - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Balance/Tasks/managingssl.htm).

Requirement:Private access to Object Storage from a private subnet.

Components:

Internet Gateway:Public internet access; unsuitable.

NAT Gateway:Outbound internet; unsuitable.

Service Gateway:Private OCI service access; fits requirement.

Network Firewall:Security, not routing; incorrect.

Evaluate Options:

A:Public internet; violates policy.

B:Public internet; violates policy.

C:Keeps traffic in OCI network; correct.

D:Doesn’t enable access; incorrect.

Conclusion:Service Gateway ensures private access.

Service Gateway is designed for private OCI service access. The Oracle Networking Professional study guide explains, "A Service Gateway allows private subnet instances to access Object Storage without traversing the public internet, ensuring secure data transfer within OCI" (OCI Networking Documentation, Section: Service Gateway). This meets the security requirement.

Requirement:Restrict inter-subnet communication unless permitted.

Options Analysis:

A:Removing default route breaks all routing, overly restrictive; incorrect.

B:Separate VCNs are excessive, complex; less practical.

C:NSGs provide granular, explicit control; optimal approach.

D:External firewall adds complexity, not VCN-native; inefficient.

NSG Advantage:Instance-level rules enforce policy within VCN.

Conclusion:NSGs are the most appropriate solution.

NSGs enable precise security within a VCN. The Oracle Networking Professional study guide states, "Network Security Groups (NSGs) allow you to define strict ingress and egress rules for instances, ensuring inter-subnet communication is explicitly permitted as per security policies" (OCI Networking Documentation, Section: Network Security Groups). This is more efficient than VCN separation or external firewalls.

Objective: Block all outbound internet traffic from a private subnet, ensuring compliance despite misconfigurations.

Option A: ALLOW to 0.0.0.0/0 permits all traffic, contradicting the requirement.

Option B: DROP to NAT Gateway IP only blocks traffic to the NAT Gateway, not all internet traffic (e.g., misconfigured routes bypassing NAT).

Option C: REJECT to 0.0.0.0/0 blocks all outbound traffic to any IP, sending an ICMP unreachable message. This ensures no internet access, even if misconfigured, and aids troubleshooting.

Option D: ALLOW to Service Gateway permits OCI service access, not internet blocking.

Conclusion: Option C is the most comprehensive and compliant solution.

Oracle’s Network Firewall guide states:

"Use REJECT with a destination of 0.0.0.0/0 to block all outbound traffic and notify the source, ideal for strict egress control."This matches Option C’s purpose. Reference:Network Firewall Policies - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/NetworkFirewall/Tasks/managingpolicies.htm).

Requirements: HA and redundancy for on-premises-to-OCI connectivity.

Option A: Single FastConnect lacks redundancy—incorrect.

Option B: Single VPN over internet has no redundancy and poor performance—incorrect.

Option C: Dual FastConnect with diverse paths ensures HA and redundancy via separate routes—correct.

Option D: Internet Gateway with public IPs isn’t dedicated or redundant—incorrect.

Conclusion: Option C is the recommended approach.

Oracle advises:

"For high availability, use dual FastConnect connections with diverse paths to eliminate single points of failure in hybrid connectivity."This supports Option C. Reference:FastConnect High Availability - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Network/Tasks/fastconnect.htm#ha).

Requirements: Private, low-latency cross-region VCN connectivity.

Option A: RPCs with route table updates enable private, direct peering via DRG—correct.

Option B: IPSec VPN adds latency over internet—incorrect.

Option C: Service Gateways are for OCI services—incorrect.

Option D: NAT Gateways use public IPs, not private—incorrect.

Conclusion: Option A is necessary.

Oracle states:

"Use Remote Peering Connections (RPCs) with DRG to connect VCNs across regions privately. Update route tables for CIDR routing."This supports Option A. Reference:Remote VCN Peering - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Network/Tasks/remoteVCNpeering.htm).

Objective:Enable transitive routing via a network appliance (e.g., firewall) between VCNs.

Transitive Routing Setup:DRG connects VCNs; appliance processes traffic.

Key Requirement:DRG must route traffic to the appliance’s private IP.

Evaluate Options:

A:Service Gateway is for OCI services, not transitive routing; incorrect.

B:Static routes on DRG to appliance ensure correct traffic flow; essential.

C:Load Balancer is optional, not essential for routing; incorrect.

D:LPG is for intra-region VCN peering, not appliance-DRG connection; incorrect.

Conclusion:DRG static routes to the appliance are critical for transitive routing.

Transitive routing with a network appliance requires explicit routing configuration. The Oracle Networking Professional study guide notes, "To enable transitive routing through a network appliance, configure static routes in the DRG route table pointing to the appliance’s private IP as the next hop" (OCI Networking Documentation, Section: Transitive Routing with DRG). This ensures traffic is processed by the appliance between VCNs.

Problem:VPN instability during peak hours due to latency and packet loss.

Evaluate Actions:

A:Optimizing IKE/IPSec reduces overhead; improves stability.

B:QoS prioritizes VPN traffic; enhances reliability.

C:Increasing MTU may worsen fragmentation if path MTU isn’t matched; least effective.

D:Dedicated interconnect eliminates internet issues; most effective.

MTU Insight:Raising MTU without path MTU discovery risks more fragmentation, not less.

Conclusion:Increasing MTU is least likely to help.

VPN stability requires addressing network conditions. The Oracle Networking Professional study guide notes, "Adjusting IKE/IPSec parameters or using QoS can stabilize VPN tunnels, while increasing MTU without path MTU alignment may exacerbate fragmentation" (OCI Networking Documentation, Section: VPN Troubleshooting). Dedicated interconnects are ideal, but MTU adjustment is risky here.

Goal:Inspect NSG rules for a VNIC from Cloud Shell.

Command Flow:

Get instance → Extract VNIC → List NSGs → Get NSG details.

Evaluate Options:

A:Direct NSG fetch lacks VNIC linkage; incomplete.

B:Full pipeline from instance to NSG details; precise and correct.

C:Grep is too basic, misses structure; incorrect.

D:Awk parsing is fragile, less reliable than jq; less optimal.

Conclusion:Option B provides the most robust inspection.

CLI with jq ensures accurate NSG retrieval. The Oracle Networking Professional study guide notes, "To troubleshoot NSG rules, use the OCI CLI to fetch instance VNIC details and associated NSG configurations, piping through jq for structured output" (OCI Networking Documentation, Section: CLI Troubleshooting). Option B follows this methodology.

Objective: Identify the service for Load Balancer traffic logs.

Option A: Flow Logs capture VCN traffic, not specific to Load Balancer—incorrect.

Option B: Service Logs are generic, not Load Balancer-specific—incorrect.

Option C: Load Balancer Logs provide detailed client and health check data—correct.

Option D: Audit Logs track API actions, not traffic—incorrect.

Conclusion: Load Balancer Logs are the best fit.

Oracle states:

"Load Balancer Logs offer detailed insights into client connections and backend health checks for Network Load Balancers.”This validates Option C. Reference:Load Balancer Logging - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Balance/Tasks/managinglogs.htm).

Goal: Automate DNSSEC health monitoring with alerts.

Option A: Vulnerability Scanning is for compute instances, not DNSSEC—incorrect.

Option B: Monitoring Service tracks metrics and logs, supports custom DNSSEC metrics, and provides alarms—correct.

Option C: Audit Service logs API calls, not DNSSEC health—incorrect.

Option D: Logging Analytics analyzes logs but lacks direct alerting—less effective than Monitoring.

Conclusion: Option B is the most effective for automated monitoring and alerts.

Oracle documentation notes:

"OCI Monitoring Service allows you to monitor metrics and logs, including DNSSEC-related data, and set alarms for proactive notifications."This supports Option B. Reference:Monitoring Overview - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Monitoring/Concepts/monitoringoverview.htm).

Requirements:App tier (public) needs internet; DB tier (private) must not.

Components:

Internet Gateway:Full internet access for public subnets.

NAT Gateway:Outbound-only internet for private subnets.

Service Gateway:Private OCI service access.

Evaluate Options:

A:Reversed roles; public subnet doesn’t need Service Gateway; incorrect.

B:NAT for public is unnecessary with Internet Gateway; inefficient.

C:NAT for public is wrong; Service Gateway doesn’t block DB internet; incorrect.

D:Internet Gateway for app, NAT for DB if needed, aligns with policy; correct.

Conclusion:Option D is most secure and efficient.

Subnet roles dictate gateway use. The Oracle Networking Professional study guide states, "Public subnets use an Internet Gateway for full internet access, while private subnets can use a NAT Gateway for outbound-only access, ensuring no direct internet exposure" (OCI Networking Documentation, Section: VCN Gateways). Option D balances security and functionality.

Requirements:VCN isolation, inter-VCN traffic via on-premises appliances.

DRG Role:Central hub for VCN and FastConnect connectivity.

Evaluate Options:

A:DRG routes inter-VCN traffic via FastConnect to on-premises; meets isolation and inspection needs.

B:Transit Routing allows direct VCN-to-VCN communication, bypassing on-premises; incorrect.

C:Bypassing DRG with VPNs is complex and unsupported; incorrect.

D:LPG is for intra-region peering, not DRG-to-FastConnect; incorrect.

Conclusion:Option A enforces the policy via DRG route tables.

DRG route tables control traffic flow. The Oracle Networking Professional study guide states, "To force inter-VCN traffic through an on-premises network via FastConnect, configure DRG route tables to route VCN-destined traffic to the FastConnect attachment, ensuring isolation and inspection" (OCI Networking Documentation, Section: DRG Routing). This setup leverages a single DRG effectively.

Requirements: Centralized DRG with tenant isolation.

Option A: Separate DRGs complicate management—incorrect.

Option B: NSGs work but are less secure than routing isolation—less optimal.

Option C: Single DRG with per-VCN route tables restricting routes to FastConnect only ensures isolation at the routing level—correct.

Option D: Compartments don’t isolate traffic at DRG—incorrect.

Conclusion: Option C is the most effective.

Oracle states:

"Use separate DRG route tables per VCN attachment to isolate traffic. Include only FastConnect routes to prevent VCN-to-VCN communication."This supports Option C. Reference:DRG Route Tables - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Network/Tasks/managingDRGs.htm).

Goal: Maximum security and isolation for IPSec over FastConnect.

Option A: Direct IPSec between on-premises networks bypasses OCI, ensuring complete isolation—correct and most secure.

Option B: NSGs/security lists control traffic but allow OCI traversal, less isolated—incorrect.

Option C: Third-party firewall adds complexity and OCI dependency, reducing isolation—incorrect.

Option D: Flow logs monitor, don’t isolate—incorrect.

Conclusion: Option A provides the highest isolation.

Oracle notes:

"For maximum isolation with third-party networks, configure IPSec directly between on-premises endpoints, avoiding OCI traversal."This supports Option A. Reference:IPSec over FastConnect - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Network/Tasks/settingupIPSec.htm#fastconnect).

Problem: Instances with IPv6-only traffic can’t ping external IPv6 addresses despite FastConnect and IPv6 prefixes.

Option A: OCI supports Bring Your Own IP (BYOIP) for IPv6, including global unicast addresses, so this is incorrect.

Option B: NAT Gateways are for IPv4 outbound traffic, not IPv6—irrelevant here.

Option C: For IPv6-only instances to reach external IPv6 addresses (beyond FastConnect),an Internet Gateway (IGW) is required with a default route (::/0) in the subnet route table. This enables public IPv6 connectivity—correct.

Option D: Service Gateway is for OCI services, not general IPv6 internet access—incorrect.

Conclusion: Option C fixes the issue by enabling IPv6 internet access.

Oracle states:

"To enable IPv6 traffic to the internet, attach an Internet Gateway to the VCN and add a route rule for ::/0. OCI supports BYOIP for public IPv6 prefixes."This aligns with Option C. Reference:IPv6 in OCI - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Network/Tasks/managingIPv6.htm).

Requirement: Private communication between VCNs in different OCI regions via DRG.

Option A: LPGs are for same-region VCN peering, not cross-region—incorrect.

Option B: Service Gateways are for OCI service access, not VCN-to-VCN routing—incorrect.

Option C: Attaching both VCNs to a single DRG (via Remote Peering Connections implicitly) and configuring route tables enables cross-region communication over OCI’s backbone. This is the standard approach.

Option D: Internet Gateways use public IPs, which is insecure and not private—incorrect.

Conclusion: Option C is the necessary configuration for DRG-based cross-region connectivity.

Oracle documentation confirms:

"To connect VCNs in different regions, attach each to a DRG using Remote Peering Connections (RPCs). Configure DRG route tables to route traffic between VCN CIDRs."Option C reflects this setup (RPCs are implied). Reference:VCN Peering Overview - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Network/Tasks/remoteVCNpeering.htm).

Goal:Automate certificate renewal in OCI Certificates.

Feature Check:OCI Certificates supports automatic renewal.

Evaluate Options:

A:Manual renewal risks disruption; inefficient.

B:Automatic Renewal with DNS validation automates process; best fit.

C:Vault stores secrets, no renewal automation; incorrect.

D:False; OCI Certificates has auto-renewal; incorrect.

Conclusion:Automatic Renewal is the optimal feature.

OCI Certificates offers automated renewal. The Oracle Networking Professional study guide states, "Enable the 'Automatic Renewal' option in OCI Certificates and configure DNS validation to ensure certificates are renewed before expiration, preventing disruptions" (OCI Networking Documentation, Section: OCI Certificates). This leverages OCI’s built-in automation.

Context: Zero Trust assumes no trust, requiring strict isolation (micro-segmentation).

Option A: Bandwidth isn’t increased by segmentation—incorrect.

Option B: Segmentation may increase route tables for granularity, not reduce them—incorrect.

Option C: Micro-segmentation isolates workloads, limiting breach impact (blast radius)—core Zero Trust goal and correct.

Option D: Inter-region connectivity isn’t simplified by micro-segmentation—incorrect.

Conclusion: Option C aligns with Zero Trust principles.

Oracle notes:

"Micro-segmentation in OCI VCNs, using NSGs and security lists, limits the blast radius of breaches by isolating resources, a key Zero Trust principle."This supports Option C. Reference:Zero Trust in OCI - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Network/Concepts/zerotrust.htm).

Requirements:Private subnet, no internet, access to other VCN subnets, HA database.

Analyze Components:

Public Subnet:Internet-exposed, against policy.

Private Subnet:No internet, aligns with policy.

Service Gateway:For OCI services, not ADB connectivity.

DRG:For inter-VCN routing.

NSGs:Granular traffic control.

Evaluate Options:

A:Public subnet violates no-internet policy; incorrect.

B:Service Gateway for Object Storage/Yum irrelevant to ADB; incomplete.

C:Private subnet, NSGs, DRG, and CIDR planning meet all needs; correct.

D:Public subnet with internet access; violates policy.

Conclusion:Option C is the most effective approach.

Autonomous Database requires private deployment for security. The Oracle Networking Professional study guide notes, "For Autonomous Database on Dedicated Exadata, use a private subnet with NSGs for access control and a DRG for inter-VCN connectivity, reserving CIDR for scalability" (OCI Networking Documentation, Section: Autonomous Database Networking). Service Gateway isn’t used for ADB access, but the private setup ensures compliance.

Goal: Balance security and performance with encryption in a VCN.

Option A: TLS only to the load balancer leaves internal traffic unencrypted, risking exposure—insufficient security.

Option B: mTLS everywhere maximizes security but adds significant overhead (e.g., certificate management), impacting performance—overkill.

Option C: NSGs/Security Lists control access but don’t encrypt traffic—lacks protection for sensitive data.

Option D: TLS between OKE and Compute secures app-tier communication. Oracle Database Vault ensures ADB traffic is encrypted efficiently, leveraging built-in features—balanced approach.

Conclusion: Option D optimizes security and performance.

Oracle states:

"Use TLS for application traffic between tiers. Autonomous Database with Database Vaultprovides encryption in transit and at rest, minimizing overhead."This supports Option D. Reference:Security in OCI Networking - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Network/Concepts/securityoverview.htm).

Requirements: High bandwidth, low latency, leveraging direct fiber connectivity.

Option A: Site-to-Site VPN uses the public internet, lacking consistency and bandwidth—incorrect.

Option B: Internet Gateway is for public access, not dedicated connections—incorrect.

Option C: FastConnect Colocation uses direct fiber at Oracle locations, ensuring high bandwidth and minimal latency—correct.

Option D: DRG with remote peering is for VCN-to-VCN connectivity, not optimized for on-premises fiber—incorrect (DRG is part of FastConnect but not the service itself).

Conclusion: FastConnect Colocation is the most suitable.

Oracle states:

"FastConnect Colocation with Oracle leverages direct fiber connections at Oracle facilities, providing consistent, high-bandwidth, and low-latency access to OCI."This supports Option C. Reference:FastConnect Overview - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Network/Tasks/fastconnect.htm#colocation).

Symptoms:VPN tunnel drops intermittently despite stable internet and IKE settings.

VPN Components:Requires IKE (UDP 500/4500) and ESP (IP 50) traffic.

Evaluate Options:

A:Incorrect CPE IP would prevent tunnel establishment, not intermittent drops; incorrect.

B:DRG outage would cause full downtime, not intermittent; unlikely.

C:Security rules blocking IKE/ESP intermittently (e.g., rate limiting) is common; most likely.

D:NAT-Traversal issues typically prevent initial setup, not intermittent drops; less likely.

Conclusion:Security rule misconfiguration is the most probable cause.

VPN stability depends on unblocked IKE and ESP traffic. The Oracle Networking Professional study guide notes, "Intermittent VPN tunnel drops are often caused by security rules or firewalls blocking IKE (UDP 500/4500) or ESP (IP Protocol 50) traffic" (OCI Networking Documentation, Section: Site-to-Site VPN Troubleshooting). This aligns with the scenario’s symptoms.

Objective: Identify the true statement about KSK rotation in OCI DNS.

Option A: OCI DNS automates much of the process but requires user initiation, not fully automated—incorrect.

Option B: OCI DNS generates keys internally; manual generation and upload aren’t required—incorrect.

Option C: OCI DNS offers a “KSK Rollover” feature that, once enabled, automates the rotation process, ensuring minimal disruption—correct.

Option D: KSK rotation is supported via the rollover feature—incorrect.

Conclusion: Option C accurately describes OCI DNS KSK rotation.

Oracle documentation confirms:

"OCI DNS supports KSK rotation through the KSK Rollover feature. Enable it to automatically rotate keys while maintaining DNS resolution continuity."This validates Option C. Reference:DNSSEC in OCI DNS - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/DNS/Tasks/managingdnssec.htm).

Goal: Filter Flow Logs for traffic rejected by a specific security list rule.

Option A: “action” = “REJECT” identifies rejected traffic; “securityListRule” with rule ID pinpoints the exact rule—correct.

Option B: “status” and “securityRule” aren’t standard Flow Log fields (“action” and “securityListRule” are)—incorrect.

Option C: “direction” and “port” filter traffic but don’t specify rejection or rule—incorrect.

Option D: “type” and “rule” aren’t valid Flow Log fields—incorrect.

Conclusion: Option A is the precise filtering method.

Oracle states:

"In Flow Logs, use the ‘action’ field (‘REJECT’) and ‘securityListRule’ field (rule ID) to filter traffic rejected by a specific security list rule.”This validates Option A. Reference:Flow Logs Fields - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Network/Concepts/flowlogs.htm#fields).

Goal: Support Zero Trust with packet flow monitoring.

Option A: Static routing defines paths, not monitoring—incorrect.

Option B: Security lists control access, not monitor—incorrect.

Option C: Flow logs track traffic; audit trails log actions—essential for Zero Trust—correct.

Option D: Public IPs enable access, not monitoring—incorrect.

Conclusion: Option C is essential.

Oracle states:

"Flow logs and audit trails provide continuous monitoring and verification of packet flows, critical for Zero Trust Packet Routing."This supports Option C. Reference:Zero Trust in OCI - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Network/Concepts/zerotrust.htm).

Goal: Restrict subnet traffic to a specific on-premises IP range via FastConnect.

Option A: Internet Gateway is for public access, not FastConnect—incorrect.

Option B: Default security list applies broadly, lacking granularity; NSGs are more effective—less optimal.

Option C: Custom route table with DRG ensures FastConnect routing; NSGs provide precise, instance-level traffic restriction—correct.

Option D: LPG is for same-region VCN peering, not on-premises—incorrect.

Conclusion: Option C is the most effective method.

Oracle notes:

"Use a custom route table with a DRG route rule for FastConnect traffic. NSGs offer granular control to restrict traffic to specific IP ranges."This supports Option C. Reference:FastConnect and NSG Overview - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Network/Tasks/fastconnect.htm & docs.oracle.com/en-us/iaas/Content/Network/Concepts/NSGs.htm).

Requirement: Low-latency, direct access to an on-premises SQL Server via FastConnect.

Option A: Internet Gateway with a public endpoint exposes the SQL Server to the internet, increasing latency and security risks—incorrect.

Option B: Service Gateway is for OCI services (e.g., Object Storage), not on-premises resources—incorrect.

Option C: FastConnect with a DRG provides a private, low-latency link. No additional OCI endpoint is needed; the SQL Server’s private IP is accessed directly via DRG routing—correct.

Option D: Private Endpoints are for OCI services within the VCN (e.g., ADB), not on-premises resources—incorrect.

Conclusion: Option C leverages FastConnect and DRG for direct, secure access.

Oracle documentation notes:

"FastConnect with a DRG enables private, low-latency connectivity to on-premises networks. Configure route tables to access on-premises resources directly; no additional endpoints are required."This supports Option C. Reference:FastConnect Overview - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Network/Tasks/fastconnect.htm).

Objective: Reduce latency for remote users accessing private resources via Bastion.

Option A: Single Bastion increases latency for distant users—incorrect.

Option B: Multiple regional Bastions minimize latency by proximity—correct.

Option C: Dynamic port forwarding doesn’t address geographic latency—incorrect.

Option D: Load balancer aids HA, not latency reduction—incorrect.

Conclusion: Option B optimizes latency.

Oracle notes:

"Deploy Bastion hosts in multiple regions to reduce latency for geographically dispersed users accessing private resources."This supports Option B. Reference:Bastion Service Overview - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Bastion/Concepts/bastionoverview.htm).