Arch22 - April 23

Description:
test to guide us in studying cloud architecture

Creation Date: 2023/04/06

Category: Others

Number of questions: 32

Content:

You are running a mission-critical database application in Oracle Cloud Infrastructure (OCI). You take regular backups of your DB system to OCI object storage. Recently, you notice a failed database backup status in the console. What two steps can you take to determine the cause of the backup failure? (Choose two.)
- Ensure the database archiving mode is set to NOARCHIVELOG.
- Ensure that your database host can connect to the OCI object storage.
- Restart the dcsagent program if it has a status of stop or waiting.
- Make sure that the database is not active and running while the backup is in progress.

You are using the Oracle Cloud Infrastructure (OCI) OS Management service to manage updates and patches for the Oracle Linux 8 environments on your compute instances in OCI. You have verified that the OS Management Service Agent (osms-agent) is installed and running properly in the instances. One of the compute instances is not getting the updates from OS Management Service. You use the following command to validate that your instance cannot reach the OS Management ingestion service by running curl https://ingestion.osms.oci.oraclecloud.com/ Which is NOT a possible reason for this issue?
- The instance is in a private subnet with a NAT gateway.
- The instance is in a private subnet with a private endpoint with security rules configured to access the OS Management ingestion service.
- The instance is in a private subnet with a service gateway that uses the All <region> Services in Oracle Services Network CIDR label.
- The instance is in a public subnet with an Internet gateway.

A retail company runs their online shopping platform entirely on Oracle Cloud Infrastructure (OCI). This is a 3-tier web application that includes a 100 Mbps Load Balancer, Virtual Machine Instances for web and application tiers, and an Oracle DB Systems Virtual Machine. Due to unprecedented growth, they noticed an increase in the incoming traffic to their website and all users start getting 503 (Service Unavailable) errors. What is the potential problem in this scenario?
- You did not configure a Service Gateway to allow connection between web servers and Load Balancer.
- The Traffic Management Policy is not set to Load Balancer the traffic to the web servers.
- The Database is down hence users cannot access the web site.
- All the web servers are too busy and not able to answer any request from users.
- The Load Balancer health check status indicates critical situation for half of the backend web servers.

After performing maintenance on an Oracle Linux compute instance, the system is returned to a running state. You attempt to connect using SSH, but are unable to do so. You decide to create an instance console connection to troubleshoot the issue. Which THREE tasks would enable you to connect to the console connection and begin troubleshooting?
- Edit the Linux boot menu to enable access to console.
- Reboot the compute instance using the Oracle Cloud Infrastructure (OCI) Management Console.
- Use SSH to connect to the service endpoint of the console connection service.
- Upload an API signing key for console connection authentication.
- Stop the compute instance using the Oracle Cloud Infrastructure (OCI) Command Line Interface (CLI).
- Use SSH to connect to the public IP address of the compute instance and provide the console connection OCID as the username.

You work as a solutions architect for an online retail store creating a portal to allow the users to pay for their groceries using credit cards. Since the application is not fully compliant with the Payment Card Industry Data Security Standard (PCI DSS), your company is looking to use a third-party payment service to process credit card payments. The third-party service allows a maximum of 5 public IP addresses at a time. However, your website is using Oracle Cloud Infrastructure (OCI) Instance Pool Auto Scaling policy to create up to 15 instances during peak traffic demand, which are launched in VCN private subnets and attached to an OCI public Load Balancer. Upon user payment, the portal connects to the payment service over the Internet to complete the transaction. What solution can you implement to make sure that all 15 compute instances can connect to the third party system to process the payments during peak traffic demand?
- Create an OCI Command Line Interface (CLI) script to automatically reserve public IP address for the compute instances. On the third-party services, whitelist the Reserved public IP.
- Route payment request from the compute instances through the OCI Load Balancer, which will then be routed to the third party service.
- Whitelist the Internet Gateway Public IP on the third party service and route all payment requests through the Internet Gateway.
- Route credit card payment request from the compute instances through the NAT Gateway. On the third-party services, whitelist the public IP associated with the NAT Gateway.

You have two Virtual Cloud Networks (VCN) that need to be peered. The set up is as follows:
• The VCNs are in different tenancies.
• Peering has to be via Local Peering Gateway (LPG) because one of the VCNs needs to be added to an existing Hub and Spoke configuration that consists of a hub and two spokes.
• There is a CIDR overlap. The VCN that serves as the Hub VCN has a 172.19.0.0/16 CIDR prefix. The other VCN to be added as a Spoke VCN has a 172.19.128.0/17 CIDR prefix.
• The other two spokes have 10.0.0.0/16 and 192.168.0.0/16 prefixes, respectively.
What is a possible solution to this problem?
- Use Dynamic Routing Gateway (DRG) instead.
- Add another CIDR prefix to the VCN that is integrating with the Hub and Spoke and does not overlap. Use that CIDR for the LPG connection.
- Review the subnets in the hub VCN. If they all have the third octet under 128, change the VCN prefix to /17.
- Review the subnets in the hub VCN. If they all have the third octet above 128, change the VCN prefix to /17.
- Review all subnets in the hub VCN. If one of them has the third octet at 128, change the VCN prefix to /17.

You are a Lead Architect at one of the leading consulting firms. Your firm has workloads deployed in both Oracle Cloud Infrastructure (OCI) and Microsoft Azure. You are asked to design a solution where workloads on both clouds can communicate directly and efficiently. You would like to set up a private interconnection between OCI and Microsoft Azure. What are the steps you need to perform on the OCI side to set up the interconnection?
- Create a Virtual Cloud Network (VCN) with subnets and attach a Virtual Network Gateway to the VCN. Create a FastConnect connection of the connection type "FastConnect Partner" and select "Microsoft Azure: ExpressRoute" as the Partner. Create a private virtual circuit, provide details of the Dynamic Routing Gateway (DRG) and add the "partner interconnect key" provided by Microsoft Azure. Provide the BGP IP addresses. Configure OCI VCN Security Lists and Route Tables.
- Create a VCN with subnets and attach a DRG to the VCN. Create a FastConnect connection of the connection type "FastConnect Partner" and select "Microsoft Azure: ExpressRoute" as the Partner. Create a public virtual circuit, provide details of the DRG and add the "partner connection key" provided by Microsoft Azure. Configure OCI VCN Security Lists and Route Tables.
- Create a VCN with subnets and attach a DRG to the VCN. Create a FastConnect connection of the connection type "FastConnect Partner" and select "Microsoft Azure: ExpressRoute" as the Partner. Create a private virtual circuit, provide details of the DRG and add the "partner service key" provided by Microsoft Azure. Provide the BGP IP addresses. Configure OCI VCN Security Lists and Route Tables.
- Create a VCN with subnets and attach a DRG to the VCN. Create a FastConnect connection of the connection type "FastConnect Direct". Create a Cross-Connect Group, provide details of the DRG and add the "partner secret key" provided by Microsoft Azure. Provide the BGP IP addresses. Configure OCI VCN Security Lists and Route Tables.

A consulting company that employs Oracle Cloud Infrastructure (OCI) architects has successfully completed resource migration from Microsoft Azure to OCI, and no longer requires the OCI FastConnect circuit to Azure. The project manager has asked you to delete all resources involved in this inter-cloud connectivity. From the Azure side, you delete the Resource Group. After a while, you notice that all Azure resources have been deleted, except for the Azure Express Route circuit. What could be a potential reason for this issue?
- You need to remove all routes that point to the inter-cloud connection on both OCI and Azure before you can delete the circuit.
- You need to remove the Azure Express Route Partner Service Key from the OCI FastConnect circuit, and then you can delete the ExpressRoute virtual circuit.
- Your bill from the OCI side needs to be paid in full before you can remove the Azure Express Route circuit.
- You need to first delete the OCI FastConnect circuit for the ExpressRoute circuit to be decommissioned, and then you can delete the Express Route virtual circuit.

You are a DevOps engineer working for a high tech company, and are using Terraform to maintain your Oracle Cloud Infrastructure (OCI) resources. You have created a Terraform script that would create the infrastructure for deploying a web service, but you want to tune some settings within the OCI instances using a shell script. How should you write your Terraform script to run the shell script on OCI instance?
- Use provisioner "remote-exec" in your code to run the shell script.
- Use provisioner "local-exec" in your code to run the shell script.
- Use provisioner "oci-remote-exec" in your code to run the shell script.
- Use resource "oci_core_instance" to create the instance and run the shell script.

A cloud consultant is working on an implementation project on Oracle Cloud Infrastructure (OCI). As part of the compliance requirements, the objects placed in OCI Object Storage should be automatically archived first and then deleted. He is testing a lifecycle policy on Object Storage and created a policy as below:

[
  {
    "name": "Archive_doc",
    "action": "ARCHIVE",
    "objectNameFilter": { "inclusionPrefixes": [ "doc" ] },
    "timeAmount": 5,
    "timeUnit": "DAYS",
    "isEnabled": true
  },
  {
    "name": "Delete_doc",
    "action": "DELETE",
    "objectNameFilter": { "inclusionPrefixes": [ "doc" ] },
    "timeAmount": 5,
    "timeUnit": "DAYS",
    "isEnabled": true
  }
]

What will happen after this policy is applied?
- All the objects having file extension "doc" will be archived 5 days after object creation.
- All the objects with names starting with "doc" will be archived 5 days after object creation and will be deleted 5 days after archival.
- All the objects having file extension "doc" will be archived for 5 days and will be deleted 10 days after object creation.
- All objects with names starting with "doc" will be deleted after 5 days of object creation.

You work for a public health care company based in the United States. Their existing patient records system runs in an on-premise data center and the customer sends their tape backups offsite as part of their disaster recovery plan. You develop an alternative archival solution using Oracle Cloud Infrastructure (OCI) that will save the company a significant amount of money on a yearly basis. The solution involves storing data in an OCI Object Storage bucket. After reviewing your solution with their customer Global Risk and Compliance (GRC) team, they highlight four security requirements:
• All data less than 1 year old must be accessible within 2 hours
• All data must be retained for at least 10 years and be accessible within 48 hours
• All data must be encrypted at rest
• No data may be transmitted across the public Internet
Which TWO options meet the requirements outlined by the customer GRC team?
- Provision a FastConnect link to the closest OCI region and configure a private peering virtual circuit.
- Provision a FastConnect link to the closest OCI region and configure a public peering virtual circuit.
- Create an OCI Object Storage Standard tier bucket. Configure a lifecycle policy to archive any object that is older than 365 days.
- Create an OCI Object Storage Standard tier bucket. Configure a lifecycle policy to delete any object that is older than 7 years.
- Create a VPN connection between your on-premises data center and OCI. Create a Virtual Cloud Network (VCN) along with an OCI Service Gateway for OCI Object Storage.

Your customer needs to move their on-premises applications to Oracle Cloud Infrastructure (OCI). One of their applications is running on an NGINX server and a 2-node Oracle Real Application Clusters (RAC) database. What is the most cost-effective mechanism to migrate the customer application to OCI and set up regular automated backups?
- Launch a compute instance and run an NGINX server to host the application. Deploy Autonomous Database and import the database using Oracle Data Pump.
- Launch a compute instance and run an NGINX server to host the application. Deploy a 2-node VM DB Systems with Oracle RAC enabled. Import the on-premises database to OCI VM DB Systems using Oracle Data Pump and then enable automatic backups.
- Launch a compute instance for both the NGINX application server and the database server. Attach block volumes on the database server compute instance and enable backup policy to backup the block volumes.
- Launch a compute instance and run an NGINX server to host the application. Deploy a 1-node VM DB Systems with Oracle RAC enabled. Import the on-premises database to OCI VM DB Systems using data pump and then enable automatic backups.

A company has an urgent requirement to migrate 300 TB of data to Oracle Cloud Infrastructure (OCI) in two weeks. Their data center has been recently struck by a massive hurricane and the building has been badly damaged, although still operational. They have a 100 Mbps Internet line but the connection is intermittent due to the damages caused to the electrical grid. In this scenario, what is the most effective configuration to use to migrate the data to OCI given the time constraints?
- Use multiple OCI Data Transfer Appliances to transfer data to OCI.
- Setup an OCI Storage Gateway to connect your data center and your VCN. Once the connection has been established, upload all data to OCI.
- Setup a hybrid network by launching a 1Gbps FastConnect virtual circuit between your data center and OCI. Use OCI Object Storage multipart upload tool to automate the migration of your data to OCI.
- Setup an OCI Storage Gateway to connect your data center and your VCN. Once the connection has been established, upload all data to OCI using OCI Storage Gateway Cloud Sync tool.
- Upload the data to OCI using OCI Object Storage multipart upload tool.

Your company needs to migrate a business critical application from your data center to Oracle Cloud Infrastructure (OCI). The application runs on Oracle Database and both the application and database servers run on Oracle Linux version 7. The application server is WebLogic server running on multiple 4-core servers and the database is deployed as an Oracle Database Enterprise Edition RAC database on 2 servers (4-cores each). Which method of database migration should you choose so that the application has minimal impact?
- Deploy Virtual Machine RAC DB system on OCI and use the Oracle Database Backup module with RMAN to migrate the data from customer on-premises to OCI.
- Deploy Virtual Machine RAC DB system on OCI and use the ZDM tool for the database migration.
- Deploy Autonomous Transaction Processing Database on OCI and use the MV2ADB tool for the database migration.
- Deploy Exadata Cloud Service Base rack and use Oracle Data Pump tool to migrate the data from customer on-premises to OCI.

A digital marketing company is planning to host a website on Oracle Cloud Infrastructure (OCI) and leverage OCI Container Engine for Kubernetes (OKE). These web servers will make API calls to access OCI Object Storage to store all images uploaded by users. For security purposes, you must ensure that the credentials used by the web server to allow access to OCI Object Storage are not stored in the compute instance. What solution results in an implementation with the least-effort for this scenario?
- Configure the credentials using OCI Registry (OCIR) which will automatically connect with OKE allowing the web server to make API calls to OCI Object Storage.
- Configure the credentials using Instance Principal to allow the web server to make API calls to OCI Object Storage.
- Configure the credentials using OCI Key Management to allow an instance to make API calls and grant access to OCI Object Storage.
- Configure the credentials to use Transparent Data Encryption (TDE) which will automatically allow the web server to make API calls to OCI Object Storage.

You developed a microservices based application that runs on Oracle Cloud Infrastructure (OCI) Container Engine for Kubernetes (OKE). Your security team wants to use SSL termination for this application. What should you do to create a secure SSL termination for this application using fewest steps?
- Create a self-signed certificate and its corresponding key. Create a Kubernetes secret using the certificate and the key. Then add these annotations to the Kubernetes service: annotations: service.beta.kubernetes.io/oci-load-balancer-ssl-ports: '443' service.beta.kubernetes.io/oci-load-balancer-security-list-management-mode:'Frontend'.
- Generate a self-signed certificate using Let's Encrypt. Use that certificate on OCI Load Balancer. Create the Kubernetes service using this load balancer. Add these annotations to the Kubernetes service: annotations: service.beta.kubernetes.io/oci-load-balancer-ssl-ports: '443' service.beta.kubernetes.io/oci-load-balancer-ssl-secret-key: ssl-secret-key.
- Create a self-signed certificate and its corresponding key. Create a Kubernetes secret using then add these annotations to the Kubernetes service. Service.beta.kubernete.io/oci-load-balancer-ssl-ports: '443' Service.beta.kubernete.io/oci-load-balancer-tls-secret:ssl-certificate-secret.

You developed a microservices based application that runs on Oracle Cloud Infrastructure (OCI) Container Engine for Kubernetes (OKE). It has multiple endpoints that need to be exposed to the public internet. What is the most cost-effective way to expose multiple application endpoints without adding complexity to the application?
- Use ClusterIP service type in Kubernetes for each of your service endpoint and use a load balancer to expose the endpoints.
- Use separate load balancer instance for each service but use the 100 Mbps load balancer option.
- Deploy an Ingress controller and use it to expose each endpoint with its own routing endpoint.
- Use NodePort service type in Kubernetes for each of your service endpoint and use node's public IP address to access the applications.

Which three scenarios are suitable for the use of Oracle Cloud Infrastructure (OCI) Autonomous Transaction Processing-Serverless (ATP-S) deployment?
- A manufacturing company is running Oracle E-Business Suite application on-premises. They are looking to move this application to OCI and they want to use a managed database offering for their database tier.
- A midsize company is considering migrating its legacy on-premises MongoDB database to Oracle Cloud Infrastructure (OCI). The database has significantly higher workloads on weekends than weekdays.
- A small startup is deploying a new application for eCommerce and it requires a database to store customers' transactions. The team is unsure of what the load will look like since it is a new application.
- A well-established, online auction marketplace is running an application where there is database usage 24x7, but also has peaks of activity that are hard to predict. When the peaks happen, the total activities may reach 3 times the normal activity level.
- A developer working on an internal project needs to use a database during work hours but doesn't need it during nights or weekends. The project budget requires her to keep costs low.

You designed and deployed your Autonomous Data Warehouse (ADW) so that it is accessible from your on-premise data center and servers running on both private and public networks in Oracle Cloud Infrastructure (OCI). <image> As you are testing the connectivity to your ADW database from the different access paths, you notice that the server running on the private network is unable to connect to ADW. Which two steps do you need to take to enable connectivity from the server on the private network to ADW? (Choose two.)
- Add an entry in the Security List of the ADW allowing ingress traffic for CIDR block 10.2.2.0/24.
- Add an entry in the route table (associated with the private subnet) with destination of 0.0.0.0/0; target type of Internet Gateway, add a stateful egress rule to the security list (associated with the private subnet) with destination of 0.0.0.0/0 and for all IP protocols.
- Add an entry in the access control list of ADW for IP address 129.146.160.11.
- Add an entry in the access control list of ADW for CIDR block 10.2.2.0/24.
- Add an entry in the route table (associated with the private subnet) with destination of 0.0.0.0/0; target type of NAT Gateway, add a stateful egress rule to the security list (associated with the private subnet) with destination of 0.0.0.0/0 and for all IP protocols.

A large E-commerce company is looking to run seasonal workloads in Oracle Cloud Infrastructure. The Oracle database used by their E-commerce application can use up to 52 cores at peak workloads. Due to the seasonal nature of the business, the database will not be used for 10 months in a year and can also be shut down during non-business hours. Which database service is the most economical for this scenario?
- Autonomous Transaction Processing with shared Exadata infrastructure.
- Oracle Cloud Infrastructure Exadata DB Systems.
- Oracle Cloud Infrastructure Virtual Machine DB Systems.
- Oracle Cloud Infrastructure Bare Metal DB Systems.

Which of the two options are true for an autonomous database in dedicated infrastructure deployment?
- You can modify maintenance schedule of the AVM after provisioning, to match your organization maintenance schedules.
- The new resource model consists of autonomous exadata infrastructure, autonomous container database and autonomous database.
- Unlike autonomous database in shared infrastructure, you can customize the maintenance schedule of the autonomous databases in dedicated infrastructure in OCI public cloud.
- Network selection, License model and certificate management are resources configured at AVM level.

A cloud engineer needs to enable routing between two Virtual Cloud Networks (VCN) from his tenancy. The VCNs are in the same region but in different compartments. After reviewing the IPv4 CIDR prefixes of the two VCNs, he notices that there are no overlapping CIDR blocks. Which THREE are valid Oracle Cloud Infrastructure (OCI) options for connecting and routing between the two VCNs?
- Create two DRGs in the tenancy. Attach one VCN to one of the DRGs; attach the other VCN to the second DRG. In each one of the DRGs, create a Virtual Circuit Attachment. Select FastConnect Partner as the FastConnect type. Select any vendor from the list and complete the circuit at the partner site. Once the FastConnect IPv4 BGP field is in the UP state in each one of the Virtual Circuits, add a route rule in each one of the VCNs' route table to the other VCN using the DRG as the next hop.
- Create two DRGs in the tenancy. Attach one VCN to one of the DRGs; attach the other VCN to the second DRG. In each one of the DRGs, create a Remote Peering Connection (RPC). Establish a connection from one RPC to the other. In each one of the VCNs' route table, add a route rule to the other VCN using the DRG as the next hop.
- Create a DRG in the tenancy; add one of the VCN as a VCN attachment. In the other VCN, create a Local Peering Gateway (LPG). Peer the DRG to the LPG. In the VCN attached to the DRG, add a route rule in the route table that points to the DRG as the next hop. In the other VCN, add a route rule in the route table that points to the LPG as the next hop.
- Add an LPG to each one of the VCNs. In one of the LPG, establish a Peering Connection to the other LPG. In each one of the VCN route table, add a route rule to the other VCN using the LPG as the next hop.
- Create a DRG in the tenancy; add one of the VCNs as a VCN attachment. In the other VCN, create a Local Peering Gateway (LPG). Peer the DRG to the LPG. In the VCN attached to the DRG, enable BGP routing for the route to propagate to the VCN. In the other VCN add a route rule in the route table that points to the LPG as the next hop.
- Create a Dynamic Routing Gateway (DRG) in the tenancy, add the two VCNs as VCN attachments and add routes in each one of the VCN route tables with the DRG as the next hop for the CIDR prefix of the other VCN.

A SaaS startup that hosts its application on-premises is experiencing rapid growth. Due to cost and flexibility considerations, they have decided to run some modules of their application in the cloud with a multi-cloud approach. The proposed solution architecture has the application entry point on-premises, where a load balancer redirects the request to the appropriate module and provides a failover mechanism. In each location, the module instances are exposed via a public IP. You have been asked to review the above architecture and avoid any 'single point of failure'. How can you change your architecture to meet the above requirement?
- Create a DNS zone in Oracle Cloud Infrastructure (OCI) for your application. Add a CNAME record for each module. Create a Load Balancer Service instance with the least connection policy. Configure the path routing to redirect the traffic based on the CNAME records.
- Create a DNS zone in Oracle Cloud Infrastructure (OCI) for your application. Create an A record for each module public IP. Create a Load Balancer Service instance with a Virtual Hostname associated with each A record domain name. Configure different weight to each backend server.
- Create a Traffic Management Steering policy with IP Prefix Steering policy type for each module. Add an Answer Group for each datacenter location with a type A answer to point to the module public IP. Setup the rule to redirect the traffic to the appropriate datacenter location.
- Create a DNS zone in Oracle Cloud Infrastructure (OCI) for your application. Create a Traffic Management Steering Failover policy for each module. Add an Answer Group for each datacenter location with a type A answer to point to the module public IP. Adopt the policy domain as the entry point for each module.

A company runs a public-facing application that uses a Java-based web service via a RESTful API in their on-premises data center. Use of the API is expected to double with a new product launch. The business wants to migrate their application to Oracle Cloud Infrastructure (OCI) to meet the scale and reliability requirements. In order to achieve this, they will divert only 40% of the traffic to the new Apache Tomcat web servers running on OCI and serve the remaining 60% traffic through their on-premises infrastructure. Once the migration is complete and application works fine, they will divert all traffic to OCI. How can these requirements be met with the LEAST amount of effort?
- Set up a VPN connectivity between on-premises infrastructure and OCI and create routing tables to distribute traffic between them.
- Use OCI Traffic management service with Failover steering policy and distribute traffic between OCI and on-premises infrastructure.
- Use OCI Traffic management service with Load Balancing steering policy and distribute traffic between OCI and on-premises infrastructure.
- Use OCI Load Balancing service to distribute traffic between OCI and on-premises.

A retail company has recently adopted a hybrid architecture. They have the following requirements for their end-to-end connectivity model between their on-premises data center and the Oracle Cloud Infrastructure (OCI) region.
• Highly available connection with service level redundancy;
• Dedicated network bandwidth with low latency;
Which connectivity setup is the most cost-effective solution for this scenario?
- Setup FastConnect virtual circuit as your primary connection, and an IPSec VPN as a backup connection. Use separate edge devices in your on-premises data center for each connection. From your edge devices, advertise more specific routes through FastConnect virtual circuit, and less specific routes through the backup IPSec VPN path.
- Setup IPSec VPN as your primary connection, and a FastConnect virtual circuit as a backup connection. Use separate edge devices in your on-premises data center for each connection. From your edge devices, advertise more specific routes through IPSec VPN, and less specific routes through the backup FastConnect virtual circuit.
- Setup FastConnect virtual circuit as your primary connection, and a second FastConnect virtual circuit as a backup connection. Make sure your FastConnect physical connectivity is redundant. Use a single edge device in your on-premises data center for each connection. From your edge device, advertise more specific routes via primary FastConnect virtual circuit, and less specific routes through the backup FastConnect virtual circuit.
- Setup IPSec VPN as your primary connection, and a second IPSec VPN as a backup connection. Use separate edge devices in your on-premises data center for each connection. From your edge devices, advertise more specific routes via primary IPSec VPN, and less specific routes through the backup IPSec VPN.

You are designing the network infrastructure for an application consisting of a web server (server-1) and a Domain Name Server (server-2) running in two different subnets inside the same Virtual Cloud Network (VCN) in Oracle Cloud Infrastructure (OCI). You have a requirement where your end users will access server-1 from the internet and server-2 from your customer's on-premises network. The on-premises network is connected to your VCN over a FastConnect virtual circuit. How should you design your routing configuration to meet these requirements?
- Configure a single routing table (Route Table-1) that has two sets of rules: one that has route to internet via the Internet Gateway and another that propagates specific routes for the on-premise network via Dynamic Routing Gateway (DRG). Associate the routing table with the VCN.
- Configure two routing tables (Route Table-1 & Route Table-2) that have rule to route all traffic via the Dynamic Routing Gateway (DRG). Associate the two routing tables with all the VCN subnets.
- Configure two routing tables: Route Table-1 that has a route to internet via the Internet gateway. Associate this route table to the subnet containing appserver-1. Route Table-2 that propagate specific routes for the on-premises network via the Dynamic Routing Gateway (DRG). Associate this route table to subnet containing appserver-2.
- Configure a single routing table (Route Table-1) that has two sets of rules. One that has route to internet via the Internet Gateway and another that propagates specific routes for the on-premise network via the Dynamic Routing Gateway. Associate the routing table with all the VCN subnets.

You work for a Travel company and your travel portal application is a collection of microservices that run on Oracle Cloud Infrastructure (OCI) Container Engine for Kubernetes (OKE). You have noticed that Oracle has published a newer image of the Operating System (OS) for worker nodes. You want to upgrade your worker nodes to the latest version of the OS, at the same time ensuring that the application does not face any downtime. Which procedure should you follow to upgrade without application downtime?
- 1. Create a new node pool using the latest available Operating System image 2. Run kubectl taint nodes --all node-role.kubernetes.io/master- 3. Delete the old node pool.
- 1. Create a new node pool using the latest available Operating System image 2. Run kubectl cordon <node name> against all the worker nodes in the old pool to stop any new application pods to get scheduled 3. Run kubectl drain <node name> --delete-local-data --force --ignore-daemonsets to evict any Pods that are running 4. Delete the old node pool.
- 1. Run kubectl cordon <node name> against all the worker nodes in the old pool to stop any new application pods to get scheduled 2. Run kubectl drain <node name> --delete-local-data --force --ignore-daemonsets to evict any Pods that are running 3. Download the patches for the new Operating System image 4. Patch the worker nodes to the latest Operating System image.
- 1. Shutdown the worker nodes 2. Create a new node pool 3. Manually schedule the pods on the newly built node pool.

You are a cloud architect at a financial organization. The development team is tasked with creating a cloud native application to be hosted on Oracle Cloud Infrastructure (OCI). The development team has followed a microservices-based approach and created containerized images of the cloud-native application and pushed them to OCI Registry (OCIR). How can you deploy a load balanced application to your OCI Container Engine for Kubernetes (OKE) cluster using these images? Add the location of the docker image to the manifest file, deploy the manifest file. All applications are load-balanced by default in OKE. Create a load balancer using the OCI load balancer service, add the load balancer service IP in the manifest file, add the location of the docker image to the manifest file, and deploy the manifest file. Create an auth token, add the auth token to the manifest file, add the location of the docker image to the manifest file, add the service of type LoadBalancer in the manifest file, and deploy the manifest file. Create a named secret, add the secret to the manifest file, add the location of the docker image to the manifest file, add the service of type LoadBalancer in the manifest file, and deploy the manifest file.

Your organization needs to migrate legacy monolithic applications into cloud-native containerized RESTful microservices. The development team is testing the use of packaged procedures with containers in a fully serverless environment. Before migrating the existing code to production, the team decides to perform a lift and shift of the monolithic application and code the new features that are essential for serverless microservices. You want to carry out a steady migration to the Oracle Cloud Infrastructure (OCI) platform, making the new microservice functionalities available while maintaining the monolithic application for all the other activities. You also want to integrate the legacy monolithic application with the new microservices to have a single interface with simplified management for auditing and monitoring while meeting operational and compliance requirements. How can you meet this requirement? Push the container image to OCIR, build a serverless function using the OCI Functions service BYOD (Bring-Your-Own-Dockerfile) feature, build an API deployment specification with serverless functions as the back-end, and use an OCI API gateway to provide front-end access to that function. Push the container image to the OCI code repository, build a serverless function using the OCI Functions service BYOD feature, build an API deployment specification with serverless functions as the back-end, and use an OCI API gateway to provide front-end access to that function. Push the container image to OCIR, create an instance template with a Docker container running the image, and create an instance pool with autoscaling configuration. Use the OCI load balancer to provide an API endpoint to connect with the microservice. Push the container image to the OCI code repository, create an instance template with a Docker container running the image, and create an instance pool with autoscaling configuration. Use the OCI load balancer to provide an API endpoint to connect with the microservice.

You are developing a Serverless function for your company's IoT project. This function should access Oracle Cloud Infrastructure (OCI) Object Storage to store some files. You choose Oracle Functions to deploy this function on OCI. However, your security team doesn't allow you to carry any API Token or RSA Key to authenticate the function against the OCI API to access the Object Storage. What should you do to get this function to access OCI Object Storage without carrying any static authentication files? There is no way that you can access the OCI resources from a running function. Set up a Dynamic Group using the format below: ALL {resource.type = 'fnfunc', resource.compartment.id = 'ocid1.compartment.oc1..aaaaaaaa23______smwa'} Create a policy using the format below to give access to OCI Object Storage: allow dynamic-group acme-func-dyn-grp to manage objects in compartment acme-storage-compartment where all {target.bucket.name='acme-functions-bucket'} Include a call to a 'resource principal provider' in your function code as below: signer = oci.auth.signers.get_resource_principals_signer(). Add these two policy statements for your compartment and then include a call to a 'resource principal provider' in your function code: Allow group acme-functions-developers to inspect repos in tenancy Allow group acme-functions-developers to manage repos in tenancy where all {target.repo.name=/acme-web-app*/ }. Add these two policy statements for your compartment to give your function automatic access to all other OCI resources: Allow group <group-name> to manage fn-app in compartment <compartment-name> Allow group <group-name> to manage fn-function in compartment <compartment-name>.

Your company will soon start moving critical systems into the Oracle Cloud Infrastructure (OCI) platform. These systems will reside in the us-phoenix-1 and us-ashburn-1 regions. As part of the migration plan, you review the company's existing security policies and written guidelines for the OCI platform usage within the company. Your security processes for critical systems require that all data be encrypted at rest using Customer-Managed Keys. Which TWO options ensure compliance with this policy? When you create a new compute instance through the OCI console, use the default shape to speed up the process of creating this compute instance. When you create a new compute instance through the OCI console, use the default options for "configure boot volume" to speed up the process of creating this compute instance. When you create a new block volume through the OCI console, select the "Encrypt using Customer-Managed Keys" checkbox and use the encryption keys generated and stored in OCI Vault. You do not need to perform any additional actions because the OCI Block Volume service always encrypts all block volumes, boot volumes, and volume backups at rest by using the Advanced Encryption Standard (AES) algorithm with 256-bit encryption. When you create a new OCI Object Storage bucket through the OCI console, you need to choose the "ENCRYPT USING CUSTOMER-MANAGED KEYS" option.

You are the security architect for a medium size e-commerce company who runs all of their applications in Oracle Cloud Infrastructure (OCI). Currently, there are 14 unique applications, each deployed and secured in their own compartment. The Operations team has procured a new monitoring tool that will be deployed throughout the OCI ecosystem. A requirement is that they will need to deploy one management node into each compartment. Currently, the Operations team IAM group has the following policy associated: allow group OpsTeam to READ all-resources in tenancy Once the new monitoring nodes are deployed, the Operations team may need to stop, start, or reboot them occasionally. What is the most efficient solution to allow the Operations team to fully manage the monitoring nodes, without allowing them to alter other resources across the tenancy? Tag all of the monitoring nodes with the defined tag AllPolicy:AllowAccess:OpsTeam and write the following IAM policy: allow group OpsTeam to manage instance-family in tenancy where target.resource.tag.AllPolicy.AllowAccess = 'OpsTeam'. Tag all of the monitoring nodes with the free-form tag AllowAccess:OpsTeam and write the following IAM policy: allow group OpsTeam to manage instance-family in tenancy where target.resource.tag.AllowAccess = 'OpsTeam'. In each of the 14 compartments, create a new policy with the following statement: allow group OpsTeam to manage instance-family in compartment XXX Where XXX is the name of the compartment where you are creating the policy. Create a new policy in the root compartment with the following policy statement: allow group OpsTeam to manage instance-family in tenancy where ANY {request.operation = 'UpdateInstance', request.operation = 'InstanceAction'}.
