You work for a public health care company based in the United States. Their existing patient records system
runs in an on-premise data center and the customer is sending tape backups offsite as part of their disaster
recovery planning.
You developed an alternative archival solution using Oracle Cloud Infrastructure (OCI) that will save the
company a significant amount of money on a yearly basis. The solution involves storing data in an OCI
Object Storage bucket. After reviewing your solution with the customer Global Risk and Compliance (GRC)
team, they highlighted four security requirements:
• All data less than 1 year old must be accessible within 2 hours
• All data must be retained for at least 10 years and be accessible within 48 hours
• All data must be encrypted at rest
• No data may be transmitted across the public internet
Which two options meet the requirements outlined by the customer GRC team? Create a VPN connection between your on-premises data center and OCI. Create a Virtual Cloud
Network (VCN) along with an OCI Service Gateway for OCI Object Storage. Provision a FastConnect link to the closest OCI region and configure a public peering virtual circuit. Create an OCI Object Storage Standard tier bucket. Configure a lifecycle policy to delete any object
that is older than 7 years. Create an OCI Object Storage Standard tier bucket. Configure a lifecycle policy to archive any object
that is older than 365 days. Provision a FastConnect link to the closest OCI region and configure a private peering virtual circuit.
You are working for a Travel company and your travel portal application is a collection of microservices that
run on Oracle Cloud Infrastructure Container Engine for Kubernetes. As per the recent security overview, you
have noticed that Oracle has published a newer image of the Operating System used by the worker nodes.
You want to make sure that your application doesn't face any downtime but at the same time the worker
nodes gets upgraded to the latest version of the Operating System.
What should you do to get this upgrade done without application downtime? 1. Run kubectl cordon <node name> against all the worker nodes in the old pool to stop any new application pods to get scheduled
2. Run kubectl drain <node name> --delete-local-data --force --ignore-daemonsets to evict any Pods that are running
3. Download the patches for the new Operating System image
4. Patch the worker nodes to the latest Operating System image 1. Create a new node pool using the latest available Operating System image
2. Run kubectl cordon <node name> against all the worker nodes in the old pool to stop any new application pods to get scheduled
3. Run kubectl drain <node name> --delete-local-data --force --ignore-daemonsets to evict any Pods that are running
4. Delete the old node pool 1. Shutdown the worker nodes
2. Create a new node pooI
3. Manually schedule the pods on the newly built node pool 1. Create a new node pool using the latest available Operating System image
2. Run ku.bectl taint nodes --al1 node-role.kubernetes.io/master
3. Delete the old node pool.
Your company has recently deployed a new web application that uses Oracle Functions. Your manager
instructed you to implement monitoring metrics to manage your systems more effectively. You know that
Oracle Functions automatically monitors functions on your behalf and reports metrics through Service
Metrics.
Which two metrics are collected and made avaìlable by this feature? number of times a function is removed amount of CPU used by a function umber of concurrent connections length of time a function runs number of times a function is invoked.
You are creating a compute instance using Oracle Cloud Infrastructure (OCI) Console. You decide to use Oracle provided image for the compute instance launch.
Which option is TRUE when using Oracle provided images? On Windows images, custom user data scripts are executed using cloud-init to perform various tasks such as enabling GPU support. Oracle provided images do not support the ability to supply a custom metadata during instance launch. For a Linux based image, access to host over the internet is permitted only via SSH protocol and all other remote access is disabled. If you choose a non-Windows image, the only way to download and update packages is by running apt or yum commands.
Your customer recently provisioned a 1-Gbps FastConnect connection in ap-tokyo-1 region of Oracle Cloud
Infrastructure (OCI). They will use this to connect to one Virtual Cloud Network (VCN) in their production
ocr tenancy compartment and another VCN in their development OCI tenancy.
How should you configure the connectivity between on-premises and the two VCNs ln ocr using the single
FastConnect connection? Provision a Dynamic Routing Gateway (DRG) and create a private virtual circuit for the FastConnect
connection. Create one additional route table in your production VCN that includes two route rules.
One with a destination of the on-premises network using the DRG, and a second with a destination of
the development VCN, also using the DRG. Create two private virtual circuits on the FastConnect I ink. Create two Dynamic Routing Gateways, one
for each VCNs. Attach the virtual circuits to the dynamic routing gateways. Create a single private virtual circuit over FastConnect and attach Fastconnect to either of the VCN's
DRG. Use Remote Peering to peer production and development VCNs. Create a hub-VCN that uses DRG to communicate with the on-premises network over FastConnect.
Connect the hub-VCN to the production VCN spoke and with development VCN spoke, each peered via
their respective Local Peering Gateway (LPG).
Your company will soon start moving critical systems into Oracle Cloud Infrastructure (OCT) platform. These systems will reside in the us-phoenix-1 and us-ashburn-1 regions. As part of the migration planning, you are reviewing the company's existing security policies and written guidelines for the OCI platform usage within the company.
Your security processes for critical systems require that al I data is encrypted at rest using CustomerManaged Keys.
Which two options ensure compliance with this policy? When you create a new OCI Object Storage bucket through OCI console, you need to choose "ENCRYPT USING CUSTOMER-MANAGED KEYS" option. You do not need to perform any additional actions because the OCI Block Volume service always encrypts all block volumes, boot volumes, and volume backups at rest by using the Advanced Encryption Standard (AES) algorithm with 256-bit encryption. When you create a new block volume through oci console, select "Encrypt using Customer-Managed Keys" checkbox and use encryption keys generated and stored in OCI Vault. When you create a new compute instance through OCI console, you use the default options for "configure boot volume" to speed up the process to create this compute instance. When you create a new compute instance through OCI console, you use the default shape to speed up the process to create this compute instance.
An automobile company wants to deploy their CRM application for Oracle Database on Oracle Cloud Infrastructure (OCI) DB Systems for one of its major clients. In compliance with the business continuity program of the client, they need to provide a Recovery Point Objective (RPO) of 24 hours and a Recovery Time Objective (RTO) of 1 hour. The CRM application should be available even in the event that an entire OCI Region is down.
Which approach meets these requirements in the most cost effective manner? Deploy a 1 node VM Oracle database in one region and replicate the database to a 1 node VM Oracle database in another region using a manual setup and configuration of Oracle Data Guard Deploy an Autonomous Transaction Processing database in one region and replicate it to an Autonomous Transaction Processing database in another region using Oracle GoldenGate Deploy a 1 node VM Oracle database in one region. Manually Configure a Recovery Manager (RMAN) database backup schedule to take hourly database backups. Asynchronously copy the database backups to object storage in another OCI region. If the primary OCI region is unavailable, launch a new 1 node VM Database in the other OCI region and restore the production database from the
backup. Deploy a 2 node Virtual Machine (VM) Oracle RAC database in one region and replicate the database to a 2 node VM Oracle RAC database in another region using a manual setup and configuration of Oracle Data Guard.
A data analytics company has been buiIding its next generation big data and analytics platform on Oracle Cloud infrastructure (OCI) in the US East (Ashburn) region. They need a storage service that provides the scale and performance that their big data applications require such as high throughput to compute nodes coupled with low latency file operations.
In addition, they need to allow concurrent connections from multiple compute instances hosted in multiple Availability Domains and want to be able to quickly restore a previous version of the data in case of a need to roll back any major update.
Which option can they use to meet these requirements in the most cost effective way? Create an Object Storage bucket with object versioning enabled. Provision a compute instance to host the Storage Gateway and share the bucket via NFS. Mount the NFS into all the required compute instances Create a file system and mount target in the OCI File Storage service. Mount it into all the required compute Instances. Take snapshots of the file system before each update. Create a connection with the on-premises data center via FastConnect. Mount the shared NFS hosted on-premises. Create block volume, attach it with read/write, shareable access type to all the required compute instances. Take a backup of the volume before each update.
You are managing a compute instance that currently resides in the Compute compartment. The Virtual Cloud Network (VCN) into which the compute instance was originally deployed, also resides in this compartment. To support a project-related task, you need to move just the compute Instance to the SysTest-Team compartment. You log into your Oracle Cloud Infrastructure (OCI) account and use the Move
Resource option to place the compute instance in the new compartment.
What will be the result of your attempt to move the compute instance to the new compartment? The move will fail and you will be prompted to move the VCN first. Once VCN is moved to the target compartment, the compute instance can be moved. The move will be successful. The compute instance's public and private IP addresses will stay the same. The compute instance will remain associated with the VCN from the source compartment The move will be successful. However, the compute instance's public and private IP addresses will change, and it will be associated to the first VCN that was created in the new, target compartment. After moving the compute Instance, you must move the compute instance VNIC as a separate action. The public and private IP addresses of the instance will remain unchanged and it will still be associated with the VCN from the source compartment.
A large London based eCommerce company is running Oracle DB Systems Virtual Machine RAC database on Oracle Cloud Infrastructure (OCI) for their eCommerce application in the uk-london-1 region. They are currently taking automatic backups of the database, as configured during the database provisioning activity.
They are launching a new product soon, which is expected to sell in large quantities all over the world. The application architecture should have minimal cost, no data loss, no performance impacts during the database backup windows and should have minimal downtime.
What is the most efficient and cost-effective mechanism of modifying the database deployment architecture to meet these application goals? Turn off automatic backups from the eCommerce database, implement Oracle Active Data Guard with the standby database deployed on another availability domain, and take backups from the standby database Turn off automatic backups from the eCommerce database, implement Oracle Data Guard with the standby database deployed on another availability domain, take backups from the standby database. Launch a new VM RAC database in another availability domain, launch a compute instance, deploy Oracle GoldenGate on it and then configure bi-directional replication from the eCommerce Database over to the new VM RAC database using GoldenGate. Take backups from the new VM RAC database. Launch a new VM RAC database in another availability domain, launch a compute instance, deploy Oracle GoldenGate on it and then configure lt to replicate the data from the eCommerce Database over to the new VM RAC database using GoldenGate. Take backups from the new VM RAC database.
A civil engineering company is running an online portal in which engineers can upload their constructions photos, videos, and other digital files. There is a new requirement for you to implement: the online portal must offload the digital content to an Object Storage bucket for a period of 72 hours. After the provided time limit has elapsed, the portal will hold all the digital content locally and wait for the next offload period.
Which option fulfills this requirement? Create a pre-authenticated URL for the entire Object Storage bucket to write content with an expiration of 72 hours. Create a pre-authenticated URL for the entire Object Storage bucket to read and list the content with an expiration of 72 hours. Create a Dynamic Group with matching rule for the portal compute instance and grant access to the Object Storage bucket for 72 hours. Create a pre-authenticated URL for each object that is uploaded to the Object Storage bucket with an expiration of 72 hours.
You have an Oracle database system in a virtual cloud network (VCN) that needs to be accessible on port 1521 from your on-premises network CIDR 172.17.0.0/24.
You have the following configuration currently:
• Virtual cloud network (VCN) is associated with a Dynamic Routing Gateway (DRG), and DRG has an active IPSec connection with your on-premises data center.
• Oracle database system is hosted in a private subnet.
• The private subnet route table has following configuration.
____________________________________________________________________________
o | Destination | Target Type | Target
-------------------------------------------------------------------------------------------------------------------------------
o. 172.17.0.0/24 Dynamic Routing Gateways ASH-DAG
-------------------------------------------------------------------------------------------------------------------------------
The private subnet security list has following INGRESS security rule.
____________________________________________________________________________________________________________
o | Stateless | Source | IP Protocol | Source Port Range | Destination Port Range | Type and Codes | Allows
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
o. Yes 172.17.0.0/24 TCP All 1521 TCP traffic for ports: 1521
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
The Oracle database system is part of a network security group with following security rules.
____________________________________________________________________________________________________________
o | Direction | Source or Destination | Protocol | Details | Description
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
o. Direction : ingress Source Type: Service Allow: All traffic for all ports
Stateless : No Source : All IAD Services in All Protocols
Oracle Services Network
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
However, you are still unable to connect to the Oracle Database system.
Which action will resolve this issue? (Choose the best answer.) Add an EGRESS rule in private subnet security list as following. Add an EGRESS rule in network security group as following. Add a route rule in the private subnet route table as following. Add an Egress rule in private subnet security list as following. .
All three Data Guard configurations are fully supported on Oracle Cloud Infrastructure (OCI). You want to deploy a maximum availability architecture (MAA) for database workload.
Which option should you consider while designing your Data Guard configuration to ensure best RTO and RPO without causing any data loss? Configure "Maximum Scalability" mode which provides the highest level of scalability without compromising the availability of the primary database. Configure "Maximum Protection" mode which provides zero data loss if the primary database fails. Configure "Maximum Availability" mode in SYNC mode between two availability domains (same region)1 and use the Maximum Availability mode in ASYNC mode between two regions. Configure "Maximum Performance" mode in SYNC mode between two availability domains (same
region) which provides the highest level of data protection that is possible without affecting the
performance of the primary database.
A retail company has several on-premise data centers which span multiple geographical locations. They plan to move many of their business critical applications to Oracle Cloud Infrastructure (OCI). These applications require highly available network connections between on-premises and OCI.
Which option provides the highest level of redundancy? Use transit routing by deploying a hub Virtual Cloud Network (VCN) in OCI peered with application VCNs as spoke and with an on-premises edge device with two redundant tunnels in VPN Connect. Set up FastConnect with the colocation with Oracle option, and a compatible edge device on-premises Use either a VPN Connect or FastConnect connection to connect to an on-premises edge device, since OCI provides network redundancy by default. Set up VPN Connect IPSec VPN connection with two redundant tunnels from the on-premises edge device to OCI. Set up both IPSec VPN and FastConnect connections from OCI to separate edge devices on-premises.
An online stock trading appl.ication is deployed to multiple Availability Domains in the us-phoenix-1 region.
Considering the high volume of financial transactions that the trading application handles, the company has
hired you to ensure that the data stored by the application is scalable, highly-available, and disaster
resilient. ln the event of failure, the Recovery Time Objective (RTO) must be less than 2 hours to meet
regulatory compliance requirements.
Which Disaster Recovery strategy should be used to achieve the RTO requirement in the event of system
failure? Configure hourly block volumes backups using the Oracle Cloud Infrastructure (OCI) Command Line Interface (CLI). Store hourly block volumes backup to NVMe device under a compute instance and generate a custom image every 5 minutes. Configure your application to use synchronous master-slave data replication between Availability Domains. Configure hourly block volumes backups through the Storage Gateway service.
Your organization is using Oracle Cloud Infrastructure (OCI) and wants to setup a disaster recovery plan by
copying block volume backups to another region at regular intervals. This makes it easier to rebuild
applications and data in the destination region if a region wide disaster occurs in the source region.
Which IAM Policy statement allows the VolumeAdmins group to copy volume backups between regions? Allow group VolumeAdmins to inspect volumes-family in tenancy Allow group VolumeAdmins to manage volumes in tenancy Allow group VolumeAdmins to copy volume-backups in tenancy Allow group VolumeAdmins to use backups in tenancy.
After performing maintenance on an Oracle Línux compute instance the system is returned to a running state
You attempt to connect using SSH but are unable to do so. You decide to create an instance console
connection to troubleshoot the issue.
Which three tasks would enable you to connect to the console connection and begin troubleshooting? Use SSH to connect to the public IP address of the compute instance and provide the console connection OCID as the usemame. Upload an API signing key for console connection authentication Edit the Linux boot menu to enable access to console Reboot the compute instance using the Oracle Cloud Infrastructure (OCI) Management Console Stop the compute instance using the Oracle Cloud Infrastructure (OCI) Command Line Interface (CLI) Use SSH to connect to the service endpoint of the console connection service.
You are working with a customer who has an IOPS requirement that exceeds the maximum amount offered
by a single block volume within Oracle Cloud Infrastructure Block Volume service.
Which option allows the customer to overcome that limit? Make sure that the filesystem is set to use XFS Reattach the block volume in a paravirtualized mode Use OCI File System instead of Block Volume service Attach multiple block volumes in a RAID 0 configuration.
You are tasked with building a highly available, fault tolerant web application for your current employer. The
security team ls concerned about an increase in malicious web-based attacks across the internet and asked
what you can do to add a higher level of security to the website.
How should you architect the solution on Oracle Cloud Infrastructure (OCI) to meet all requirements defined
by your organization? Deploy at least 3 web application servers, each ln a different fault domain, using a regional public
subnet. Ensure that each web application server is assigned a public IP address. Deploy a Web
Application Firewall (WAF) and configure one Origin for each public IP address. Deploy at; least 3 web application servers, each in a different fault domain, using a regional private
subnet. Place a public load balancer in a regional public subnet and create a backend set for all of the
web application servers. Create a Geolocation steering policy in Traffic Management and add an
answer pool that directs to the public IP address of the load balancer. Configure a global catch-all rule
to use this answer pool. Deploy at least 3 web application servers, each in a different fault domain, using a regional public
subnet. Use the ocr Traffic Management service to create a load balancing policy that will resolve
DNS evenly between all web servers. Deploy at least 3 web application servers, each in a different fault domain, using a regional private
subnet. Place a public load balancer in a regional public subnet and create a backend set for all of the
web application servers. Deploy a Web Application Firewall (WAF) and configure the load balancer
public IP address as the origin.
Your company needs to migrate a business critical application from your data center to Oracle Cloud
Infrastructure (OCI). The application runs on Oracle Database and both the application and database servers
run on Oracle Linux version 7. The application server is WebLogic server running on multiple 4-core servers
and the database is deployed as an Oracle Database Enterprise Edition RAC database on 2 servers (4-cores
each).
Which method of database migration should you choose so that the application has minimal impact? Deploy Autonomous Transaction Processing Database on ocr and use the MV2ADB tool for the
database migration. Deploy Exadata Cloud Service Base rack and use Oracle Data Pump tool to migrate the data from
customer on-premises to ocr Deploy Virtual Machine RAC DB system on OCI and use the ZDM tool for the database migration Deploy Virtual Machine RAC DB system on OCI and use the Oracle Database Backup module with
RMAN to migrate the data from customer on-premises to OCI.
You work for a bank as the lead Oracle Cloud Infrastructure architect. You designed a highly scalable solution for your company's banking application. The architecture Includes a load balancer, application servers with autoscaling configuration based on CPU utilization and an Autonomous Database with Transaction Processing workload type running in a Virtual Cloud Network (VCN).
During the peak utilization period, the application users complain that the application runs slow.
What are two possible reasons for the application running slow at times? Instance pool in autoscaling configuration for the Autonomous Database did not scale out due to
misconfigured scaling policy. The load balancer is not configured correctly to send traffic to all the listeners of the application
servers in the backend set. Instance pool in autoscaling configuration for the application servers did not scale out due to compartment quota breach of the VM shapes used by the application servers. The VCN does not have a Network Security Group configured to allow traffic from the load balancer to
all the application servers in the backend set. Instance pool in autoscaling configuration for the application servers did not scale out due to service
limit breach of the VM shapes used by the application servers.
You are working as a solution architect with a global automotive provider who is looking to create a multicloud solution. They want to run their application tier ln Microsoft Azure while utilizing the Oracle DB Systems in the Oracle Cloud Infrastructure (OCI).
What is the most-fault tolerant and secure solution for this customer? Use an OCI Virtual Cloud Network remote peering connection to create a remote network connection
between the application tier running ìn Microsoft Azure Virtual Network and Oracle Databases running
in the oci Virtual Cloud Network (VCN). Create an encrypted, Virtual Private Network connection between the Microsolt Azure Virtual Network
that contains the application tier and the ocr Virtual Cloud Network {VCN) that contains the Oracle
Databases. Create a FastConnect virtual circuit with Microsoft Azure as the provider to establish a private
interconnect between the application tier running in the Azure Virtual Network and the OCI VCN that
contains the Oracle Databases. Deploy the Oracle database system into a public subnet in your VCN and assign a public IP address.
Connect your application tier running in Azure to the public IP address of the database system over
the internet.
A company has an application that processes confidential data. The data is currently stored in an onpremises data center. A solution architect needs to move this data to Oracle Cloud Infrastructure (OCI) Object Storage and ensure data is encrypted in-transit to OCI.
Which two steps should the solution architect perform to set up the most cost-effective connection between on-premises data center and OCI? Set up private endpoint for accessing Object Storage. Attach an Internet Gateway to Virtual Cloud network(VCN). Configure a service gateway accessing Object Storage. Set up an IPsec tunnel between the customer equipment and software VPN on an oci instance Configure a private peering connection on the Oracle Fastconnect Set up VPN Connect between the customer equipment and the Dynamic Routing Gateway.
A company has an urgent requirement to migrate 300 TB of data to Oracle Cloud Infrastructure (OC!) in two
weeks. Their data center has been recently struck by a massive hurricane and the building has been badly
damaged, although sti 11 operational. They have a 100 Mbps Internet I ine but the connection is intermittent
due to the damages caused to the electrical grid.
In this scenario, what is the most effective service to use to migrate the data to OC! given the time
constraints? Setup an ocr Storage Gateway to connect your data center and your VCN. Once the connection has
been established, upload all data to ocr. Setup a hybrid network by launching a 1Gbps FastConnect virtual circuit between your data center and
OCI. Use OCI Object Storage multipart upload tool to automate the migration of your data to ocr Upload the data to ocr using OCI Object Storage multipart upload tool. Use multiple OCI Data Transfer Appliances to transfer data to OCI Setup a ocr Storage Gateway to connect your data center and your VCN. Once the connection has
been established, upload all data to ocr using ocr Storage Gateway Cloud Sync tool.
You developed a microservices based application that runs on Oracle Cloud Infrastructure (OCI) Container
Engine for Kubernetes (OKE). Your security team wants to use SSL termination for this application.
What should you do to create a secure SSL termination for this application using fewest steps? Create a self-signed certificate and it's corresponding key. Create a Kubernetes secret using the
certificate and the key. Then add these annotations to the Kubernetes service:
annotations:
service.beta.kubernetes.io/oci-load-balancer-ssl-ports: "443"
service.beta.kubernetes.io/oci-load-balancer-security-list-management-mode:"Frontend" Generate a self-signed certificate using Let's Encrypt. Use that certificate on OCI Load Balancer.
Create the Kubernetes service using this load balancer. Add these annotations to the Kubernetes service:
annotations:
service.beta.kubernetes.io/oci-load-balancer-ssl-ports: "443"
service.beta.kubernetes.io/oci-load-balancer-ssl-secret-key: ssl-secret-key Create a self-signed certificate and it's corresponding key. Create a Kubernetes secret using the
certificate and the key, then add these annotations to the Kubernetes service.
You work for a large bank where your main application is a payment processing gateway API. You deployed
the application on Oracle Container Engine for Kubernetes (OKE) and used API Gateway with several policies
to control the access of the API endpoint.
However, your customers are complaining about the unavailability of the API endpoint. Upon checkingr you
noticed that the Gateway URL is throwing Service Unavailable error. You need to check the backend
latency and backend responses when this error started last night.
What should you do to get this data? Go to Governance Menu and click on Audit to see the Audit log for the API Gateway. Filter it using
Start and End date with a 503 response status. Go to Monitoring and click on Service Metrics. Choose the Metric Namespace as oci_apigateway.
Change the Start and End time accordingly. Add a Dimension and select httpStatus.code: 503.
Check the backend latency and backend responses metric Check with the application owner and search the log file for the container to get the metrics from the
log file. Go to Developer Services and click on API Gateway. Go to the detail page of the gateway and select
Metrics. Change the Start and End time to filter the metrics.
You work as a solutions architect for an onlfne retail store creating a portal to allow the users to pay for
their groceries using credit cards. Since the application is not fully compliant with the Payment card Industry
Data Security Standard (PCI DSS), your company is looking to use a third-party payment service to process
credit card payments.
The third-party service allows a maximum of 5 public IP addresses at a time. However, your website is using
Oracle Cloud Infrastructure (OCI) Instance Pool Auto Scaling policy to create up to 15 instances during peak
traffic demand, which are launched in VCN private subnets and attached to an OCI public Load Balancer.
Upon user payment, the portal connects to the payment service over the Internet to complete the
transaction.
What solution can you implement to make sure that all 15 compute instances can connect to the third party
system to process the payments during peak traffic demand? Whitelist the Internet Gateway Public IP on the third party service and route all payment requests
through the Internet Gateway. Route credit card payment request from the compute instances through the NAT Gateway. On the
third-party services, whitelist the public IP associated with the NAT Gateway. Create an oci Command Line Interface (CLI) script to automatically reserve public IP address for the
compute instances. On the third-party services, whitelist the Reserved public IP. Route payment request from the compute instances through the OCI Load Balancer, which will then be
routed to the third party service.
You are a solutions architect for a global health care company which has numerous data centers around the
globe. Due to the ever growing data that your company is storing, you were instructed to set up a durable,
cost-effective solution to archive your data from your existing on-premises tape-based backup infrastructure
to Oracle Cloud Infrastructure (OCI).
What is the most-effective mechanism to implement this requirement? Setup an on-premises OCI Storage Gateway which will back up your data to OCI Object Storage
Archive tier. Setup an on-premises ocr Storage Gateway which will back up your data to OCI Object Storage
Standard tier. Use the File Storage Service in OCI and copy the data from your existing tape-based backup to the
shared file system. Setup FastConnect to connect your on-premises network to your ocr VCN and use rsync tool to copy
your data to ocr Object Storage Archive tier. Setup an on-premises OCI Storage Gateway which will back up your data to OCI Object Storage
Standard tier. Use Object Storage life cycle policy management to move any data older than 30 days
from Standard to Archive tier.
You are advising the database administrator responsible for managing non-production environment for
Oracle Autonomous Database running on Oracle Cloud Infrastructure. You need to help the database
administrator ensure that the non-productîon environments have a copy of the current data from the
production environment in a manner that is most time-efficient.
Which method should you recommend? Create a full clone of the production Autonomous Database and create the non-production database
from it. Take a Data Pump export of the production Autonomous database and import into the non-production
database. Create a metadata clone of the production Autonomous Database and create the non-production
database from it Take a full database backup of the production Autonomous database and create the non-production
database from it.
A company runs a public-facing application that uses a Java-based web service via a RESTful API in their onpremises
data center. Use of the API is expected to double with a new product launch. The business wants
to migrate their applícation to Oracle Cloud Infrastructure (OCI) to meet the scale and reliability
requirements.
In order to achieve this, they will divert only 40% of the traffic to the new Apache Tomcat web servers
running on OCI and serve the remaining 60% traffic through their on-premises infrastructure. Once the
mig,·ation is complete and application works fine, they will divert all traffic to OCI.
How can these requirements be met with the LEAST amount of effort? Use OCI Traffic management service with Failover steering policy and distribute traffic between
OCI and on-premises infrastructure. Use OCI Load Balancing service to distribute traffic between OCI and on-premises infrastructure. Setup a VPN connectivity between on-premises Infrastructure and oci and create routing tables to
distribute traffic between them. Use oci Traffic management service with Load Balancing steering policy and distribute traffic
between OCI and on-premises infrastructure.
You are the security architect for a medium size e-commerce company who runs all of their applications in
Oracle Cloud Infrastructure (OCI). Currently, there are 14 unique applications, each deployed and secured in
their own compartment. The Operations team has procured a new monitoring tool that will be deployed
throughout the OCI ecosystem. A requirement is that they will need to deploy one management node into
each compartment.
Currently, the Operations team IAM group has the following policy associated:
allow group OpsTeam to READ all-resources in tenancy
Once the new monitoring nodes are deployed, the Operations team may need to stop, start, or reboot them
occasionally.
What is the most efficient solution to allow the Operations team to fully manage the monitoring nodes,
without allowing them to alter other resources across the tenancy? Create a new policy in the root compartment with the following policy statement:
allow group OpsTeam to manage instance-family in tenancy where ANY {request.operation
- 'Updateinstance', request.operation= 'InstanceAction'} In each of the 14 compartments, create a new policy with the following statement:
allow group OpsTeam to manage instance-family in compartment XXX Tag all of the monitoring nodes with the defined tag AllPolicy:AllowAccess:OpsTeam and write the
following IAM policy:
allow group OpsTeam to manage instance-family in tenancy where target.resource.tag.AllPolicy.AllowAccess = 'OpsTeam' Tag all of the monitoring nodes with the free-form tag AllowAccess:OpsTeam and write the following
IAM policy:
allow group OpsTeam to manage instance-family in tenancy where target.resource.tag.AllowAccess = 'OpsTeam'.
A large E-commerce company is looking to run seasonal workloads ln Oracle Cloud Infrastructure. The Oracle
database used by their E-commerce application can use up to 52 cores at peak workloads. Due to the
seasonal nature of the business, the database will be not be used for 10 months in a year and can also be
shut down during non-business hours.
Which database service is the most economical for this scenario? Oracle Cloud Infrastructure Bare Metal DB Systems Autonomous Transaction Processing with shared Exadata infrastructure Oracle Cloud Infrastructure Virtual Machine DB Systems Oracle Cloud Infrastructure Exadata DB Systems.
Your company developed a function that needs to access the Oracle Database to inject some data to it at runtime. You are tasked to move this function to the Oracle Cloud Infrastructure (OCI) and use Oracle Functions and access Oracle Autonomous Database. You created a Dockerfile below to run this function, however, you are getting this error "cx_Oracle.DatabaseError: ORA""12560: TNS:protocol adapter error".
What should you do to make sure that Oracle Functions can run this Dockerfile properly? (Choose the best answer.) Add these two lines to your Dockerfile:
groupadd --gid 1000 fn && \
adduser --uid 1000 --gid fn fn Use """"privileged flag while running the Docker container to add runtime privilege Use """"cap""add=ALL flag while running the Docker container to add runtime capability You need to run this Container as root, so add this line: USER root.
You work for a large bank where security and compliance are critical. As part of the security overview meeting, your company decided to minimize the installation of local tools on your laptop. You have been running Ansible and kubectl to spin up Oracle Container Engine for Kubernetes (OKE) clusters and deployed your application.
For authentication, you are using an Oracle Cloud Infrastructure (OCI) CLI config file that contains OCIDs, Fingerprint, and a locally stored PEM file. Your security team doesn’t want you to store any local API key and certificate, or any other local tools.
Which two actions should you perform to spin up the OKE cluster and interact with it? (Choose two.) Create a developer workstation on OCI. Install Ansible and kubectl on it. Use resource principal to authenticate against OCI API and create the OKE Cluster. Develop your own code using OCI SDK to deploy the OKE cluster. Work on OCI Cloud Shell to use built-in Ansible and kubectl to deploy the OKE cluster. Use OCI_CLI_AUTH=instance_obo_user environment variable to authenticate using built-in token. Work on OCI Cloud Shell to use built-in Ansible and kubectl to deploy the OKE cluster. Bring in your own config file and certificate to authenticate against OCI API. Create a developer workstation on OCI. Install Ansible and kubectl on it. Use instance principal to authenticate against OCI API and create the OKE Cluster.
You are using the Oracle Cloud Infrastructure (OCI) OS Management service to manage updates and patches
for the Oracle Linux 8 environments on your compute instances in OCI. You have verified that the OS
Management Service Agent (osms-agent) is installed and running properly in the instances.
One of the compute instances is not getting the updates from OS Management Service. You use the
following command to validate that your instance cannot reach the OS Management Ingestion service by
running curl https://ingestion.osms.<region>.oci.oraclecloud.com/
Which ls NOT a possible reason for this issue? The instance Is in a private subnet with a NAT gateway. The instance is in a private subnet with a private endpoint with security rules configured to access the
OS Management ingestion service The instance is in a private subnet with a service gateway that uses the All <region> Services in
Oracle Services Network CIDR label. The Instance is in a public subnet with an Internet gateway.
You work for a retail company and they developed a Microservices based shopping application that needs to access Oracle Autonomous Database from the application. As an Architect, you have been tasked to treat all of the application components as Kubernetes native objects, such as the Microservices, Oracle Autonomous database, Kubernetes services, etc.
What should you do to make sure that you can use Kubernetes constructs to manage the life cycle of the
application components, including Oracle Autonomous Database? Create an Oracle Cloud Infrastructure (OCI) Service Gateway and connect to the Oracle Autonomous Database using the private IP address from the microservice. Provision an Oracle Autonomous Database and then use OCI Service Broker to access the database as a native component to your Kubernetes cluster. Create a service from the Kubernetes cluster and point to the Oracle Autonomous Database using its FQDN. Install and secure the OCI Service Broker for Kubernetes. Then provision and bind to the required Oracle Cloud Infrastructure services.
You developed a microservices based application that runs on Oracle Cloud Infrastructure (OCI) Container Engine for Kubernetes (OKE). It has multiple endpoints that needs to be exposed to the public internet.
What Is the most cost-effective way to expose multiple application endpoints without adding complexity to the application? Use clusterIP service type in Kubernetes for each of your service endpoint and use a load balancer
to expose the endpoints. Use separate load balancer instance for each service, but use the 100 Mbps load balancer option. Deploy a Ingress controller and use it to expose each endpoint with its own routing endpoint. Use NodePort service type in Kubemetes for each of your service endpoint and use node's public IP
address to access the applications.
You are developing a Serverless function for your company's IoT project. This function should access Oracle
Cloud Infrastructure (OCI) Object Storage to store some files. You choose Oracle Functions to deploy this
function on OCI. However, your security team doesn't allow you to carry any API Token or RSA Key to
authenticate the function against the OC! API to access the Object Storage.
What should you do to get this function to access OCI Object Storage without carrying any static
authentication files? There is no way that you can access the oci resources from a running function. Add these two policy statements for your compartment to give your function automatic access to all
other OCI resources:
Allow group <group-name> to manage fn-app in compartment <compartment-name>
A.llow group <group-name> to manage fn-function in compartment <compartment-name> Set up a Dynamic Group using the format below:
ALL {resource.type= 'fnfunc', resource.compartment.id -
' ocid1. compartment. oc1 .. aaaaaaaa2 3 sm.wa' }
Create a policy using the format below to give access to OCI Object Storage:
allow dynamic-group aCII1e-func-dyn-grp to manage objects in compartment acme-storagecompartment
where all {target.bucket.name='acme-functions-bucket'}
Include a call to a 'resource principal provider' in your function code as below:
signer= oci.auth.signers.get_resource_principals_signer() Add these two policy statements for your compartment and then fnclude a call to a 'resource
principal provider' ln your function code:.
To serve web traffic for a popular product, your cloud engineer has provisioned four BM.Standard2.52
instances, evenly spread across two availability domains in the us-ashburn-1 region; LoadBalancer is used to
deliver the traffic across instances.
After several months, the product grows even more popular and you need additional compute capacity. As a
result, an engineer provisioned two additional VM.Standard2.8 instances.
You register the two VM.Standard2.8 instances with your Load Balancer Backend set and quickly find that
the VM.Standard2.8 instances are now running at 100º/oof CPU utilization but the BM.Standard2.52
instances have significant CPUcapacity that's unused.
Which option is the most cost effective and uses instances capacity most effectively? Configure LoadBalancer with two v·M.Standard2.8 instances and use Autoscaling instance pool to add
up to two additional VM.Standard2.8 instances. Shut off BM.Standard2.52 instances. Route traffic to BM.Standard2.52 and VM.Standard2.8 instances directly using DNS and Health Checks.
Shut off the Load Balancer Configure your Load Balancer with weighted round robin policy to distribute traffic to the compute
instances, with more weight assigned to bare metal instances. Configure Autoscaling instance pool with LoadBalancer to add up to 3 more BM.Standard2.52 instances
when triggered. Shut off VM.Standard2.8 instances.
You are the Solution Architect that designed this Oracle Cloud Infrastructure (OCI) compartment layout for your organization:
The development team has deployed quite a few instances under 'Compute' Compartment and the operations team needs to list the instances under the same compartment for their testing. Both teams, development and operations are part of a group called 'Eng-group'.
You have been looking for an option to allow the operations team to list the instances without access any confidential information or metadata of the resources.
Which IAM policy should you write based on these requirements? Allow group Eng-group to inspect instance-family in compartment Dev-Team: Compute and attach the policy to 'SysTest Team' Compartment Allow group Eng-group to read instance-family in compartment Compute and attach the policy to 'Engineering' Compartment Allow group Eng-group to read instance-family in compartment Dev-Team-:Compute and attach the policy to'Dev-Team' Allow group Eng-group to inspect instance-family in compartment Dev-Team:Compute and attach the policy to ‘Engineering’ Compartment.
You designed and deployed your Autonomous Data Warehouse (ADW) so that it is accessible from your on-premise data center and servers running on both private and public networks in Oracle Cloud Infrastructure (OCI).
As you are testing the connectivity to your ADW database from the different access paths, you notice that the server running on the private network is unable to connect to ADW.
Which two steps do you need to take to enable connectivity from the server on the private network to ADW? (Choose two.) Add an entry in the Security List of the ADW allowing ingress traffic for CIDR block 10.2.2.0/24 Add an entry in the route table (associated with the private subnet) with destination of 0.0.0.0/0; target type of NAT Gateway, add a stateful egress rule to the security list (associated with the private subnet) with destination of 0.0.0.0/0 and for all IP protocols. Add an entry in the access control list of ADW for IP address 129.146.160.11 Add an entry in the route table (associated with the private subnet) with destination of 0.0.0.0/0; target type of Internet Gateway, add a stateful egress rule to the security list (associated with the private subnet) with destination of 0.0.0.0/0 and for all IP protocols. Add an entry in the access control list of ADW for CIDR block 10.2.2.0/24.
A company has an urgent requirement to migrate 100 TB of data to Oracle Cloud Infrastructure (OCI) in two weeks. They have a 100 Mbps Internet line but the connection is intermittent due to problems with their internet provider.
In this scenario, what is the most time-efficient mechanism to migrate data to OCI? Setup an OCI Storage Gateway to connect your data center to your Virtual Cloud Network and upload data. Upload data using OCI Object Storage multipart upload capability Setup an IPSec VPN tunnel between your data center and OCI. Upload all data to OCI using OCI Storage Gateway. Use OCI File Storage service to copy data from your data center to OCI Setup a hybrid network by launching a 1 Gbps FastConnect virtual circuit between your data center and OCI. Use OCI Object Storage multipart upload capability to automate the migration of your data to oci.
You are responsible for migrating your on-premises legacy databases on 11.2.0.4 version to Autonomous Transaction Processing - Dedicated (ATP-O) in Oracle Cloud Infrastructure (OCI). As a solution architect, you need to plan your migration approach.
Which two options do you need to implement together to migrate your on-premises databases to OCI? Use Oracle GoldenGate replication to keep on-premises database online during migration. Retain changes to Oracle shipped privileges, stored procedures or views in the on-premises databases. Use Oracle Data Guard to keep on-premises database always active during migration Retain all legacy structures and unsupported features (e.g. legacy LOBs) in the on-premises databases for migration Convert on-premises databases to PDB, upgrade to 19c, and encrypt.
You are designing the network infrastructure for two application servers: appserver-1 and appserver-2 running in two different subnets inside the same Virtual Cloud Network (VCN) in Oracle Cloud Infrastructure (OCI). You have a requirement where your end users will access appserver-1 frorn the internet and appserver-2 from the on-premises network. The on-premises network is connected to your VCN over a FastConnect virtual circuit.
How should you design your routing configuration to meet these requirements? Configure a single routing table (Route Table-1) that has two sets of rules. One that has route to internet via the Internet Gateway and another that propagates specific routes for the on-premise network via the Dynamic Routing Gateway. Associate the routing table with all. the VCN subnets. Configure two routing tables (Route Table-1 & Route Table-2) that have rule to route all traffic via the Dynamic Routing Gateway (DRG). Associate the two routing tables with all the VCN subnets. Configure a single routing table (Route Table-1) that has two sets of rules: one that has route to internet via the Internet Gateway and another that propagates specific routes for the on-premise network via Dynamic Routing Gateway (DRG). Associate the routing table with the VCN. Configure two routing tables: Route Table-1 that has a route to internet via the Internet gateway. Associate this route table to the subnet containing appserver-1. Route Table-2 that propagate specific routes for the on-premises network via the Dynamic Routing Gateway (DRG). Associate this route table to subnet containing appserver-2.
A hospital in Austin has hosted its web-based medical records portal entirely in Oracle Cloud Infrastructure(OCI) using compute instances for its web-tier and DB System database for its data tier. To validate compliance with Health Insurance Portability and Accountability (HIPAA), the hospital hired an IT security professional to check their systems.
It was found that there were a lot of unauthorized requests coming from a set of IP addresses originating from a country in Southeast Asia.
Which option can mitigate this type of attack? Block the attacking IP addresses by creating a Network Security Group rule to deny access to the compute instance where the web server is running. Block the attacking IP addresses by creating a Security List rule to deny access to the subnet where the web server is running Block the attacking IP addresses by implementing an OCI Web Application Firewall policy using Access Control Rules. Implementing a OCI Web Application Firewall Bot Management policy to identify the attacking IP addresses and mitigate the threat.
A digital marketing company is planning to host a website on Oracle Cloud Infrastructure (OCI) and leverage OCI Container Engine for Kubernetes (OKE). These web servers will make API calls to access OCI Object Storage to store all images uploaded by users.
For security purposes, you must ensure that the credentials used by the web server to allow access to OCI Object Storage are not stored in the compute instance.
What solution results in an implementation with the least-effort for this scenario? Configure the credentials using Instance Principal to allow the web server to make API calls to OCl Object Storage Configure the credentials using OCI Registry (OC1R) which will automatically connect with OKE allowing the web server to make API calls to OCI Object Storage Configure the credentials to use Transparent Data Encryption (TDE) which will automatically allow the web server to make API calls to OCl Object Storage Configure the credentials using OCI Key Management to allow an instance to make API calls and grant access to OCl Object Storage.
A small business specializing in video processing wants to leverage cloud storage in order to lower its costs. They are looking to backup all video data generated, from an existing on-premises file server to Oracle Cloud Infrastructure (OCI). The requirement is to setup continuous data sync as changes are made to on-premises file server.
What is the most cost effective solution for this scenario? Set up File Storage Service on OCI and mount the File system to an instance running on-premises. Move all the data to this on-premises instance and then sync the videos to the shared file system. Set up a Fast connect virtual circuit and nightly back up all videos to OCI Archive storage Setup an on-premises OCI Storage Gateway Cloud Sync to back up videos to OCI Object Storage Archive tier. Set up a VPN Connect connection and back up all videos to Object Storage Standard bucket. Create a lifecycle policy to move files older than 30 days to Archive Storage.
Your team is conducting a root cause analysis (RCA) following a recent, unplanned outage. One of the block volumes attached to your production WebLogic server was deleted and you have been tasked with identifying the source of the action. You search the Audit logs and find several Delete actions that occurred in the previous 24 hours. Given the sample excerpt of this event:
Which item from the event log helps you identify the individual or service that initiated the DeleteVolume API call? (Choose the best answer.) eventId requestAgent eventSource requestOrigin principalId.
A telecom company has an application running in Oracle Cloud Infrastructure (OCI) Germany Central (eu-frankfurt-1) region. They want to configure Disaster Recovery (DR) site in the OCI UK South (uk-london-1) region.
Which is the most cost effective option to help set up application and persistence layers in the DR site? Application layer: configure Traffic Management steering policy with Failover policy between servers in eu-frankfurt-1 and uk-london-1 regions.
Persistence layer: set up policy to schedule cross-region automated backups of file systems in File Storage service between eu-frankfurt-1 and uk-london-1 regions. Application layer: configure Events service rule in eu-frankfurt-1 region to filter Health Checks event failure and route traffic to uk-london-1 region in the event of a disaster.
Persistence layer: set up policy to schedule cross-region automated backups of block volumes between eu-frankfurt-1 and uk-london-1 regions. Application layer: set up a public load balancer in the eu-frankfurt-1 region. Create a backend set with instances running in both uk-frankfurt-1 and uk-london-1 regions.
Persistence layer: set up OCI Object Storage repIication from eu-frankfurt-1 region to uk-london-1 region. Applicatlon layer: configure Traffic Management steering policy with Load Balancing policy between servers in eu-frankfurt-1 and uk-london-1 regions.
Persistence layer: set up policy to schedule cross-region automated backups of block volumes between eu-frankfurt-1 and uk-london-1 regions.
Your customer has gone through a recent department restructure. As part of this change, they are organizing their Oracle Cloud Infrastructure (OCI) compartment structure to align with the company and new organizational structure.
They have made the following change:
Compartment x Is moved, and its parent compartment is now compartment c.
Policy defined in compartment A: Allow group networkadmins to manage subnets in compartment X
Policy defined in root compartment: Allow group admins to read subnets in compartment Finance:A:X .
After the compartment move, which action will provide users of group networkadmins and admins with similar privileges as before the move? Define a policy in Compartment C as follows: Allow group networkadmins to read subnets in compartment X. Define a policy in compartment HR as follows: Allow group networkadmins to manage subnets in compartment C:X Defìne a policy in the root compartment as follows: Allow group networkadmins to manage subnets in compartment Finance:X Define a policy in the root compartment as follows: Allow group admins to read subnets in compartment HR:C:X.
You are running a mission-critical database application in Oracle Cloud Infrastructure (OCI). You take regular backups of your DB system to OCI object storage. Recently, you notice a failed database backup status in the console.
What two steps can you take to determine the cause of the backup failure? (Choose two.) Ensure the database archiving mode is set to NOARCHIVELOG Ensure that your database host can connect to the OCI object storage Restart the dcsagent program if it has a status of stop or waiting Make sure that the database is not active and running while the backup is in progress.
|
