1z0-1124-25 Sample Questions Answers

Goal: Filter Flow Logs for traffic rejected by a specific security list rule.

Option A: “action” = “REJECT” identifies rejected traffic; “securityListRule” with rule ID pinpoints the exact rule—correct.

Option B: “status” and “securityRule” aren’t standard Flow Log fields (“action” and “securityListRule” are)—incorrect.

Option C: “direction” and “port” filter traffic but don’t specify rejection or rule—incorrect.

Option D: “type” and “rule” aren’t valid Flow Log fields—incorrect.

Conclusion: Option A is the precise filtering method.

Oracle states:

"In Flow Logs, use the ‘action’ field (‘REJECT’) and ‘securityListRule’ field (rule ID) to filter traffic rejected by a specific security list rule.”This validates Option A. Reference:Flow Logs Fields - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Network/Concepts/flowlogs.htm#fields).

Problem:DNSSEC validation fails post-setup.

DNSSEC Chain:Requires DS record in parent zone for trust.

Evaluate Causes:

A:Low TTL affects caching, not validation; unlikely.

B:Missing DS in parent zone breaks chain; most likely.

C:Resolver config is client-side, not affecting external tools; incorrect.

D:OCI uses standard algorithms; highly unlikely.

Conclusion:Registrar delay in publishing DS is the primary cause.

DNSSEC relies on the parent zone. The Oracle Networking Professional study guide explains, "DNSSEC validation fails if the registrar hasn’t published the DS record in the parent zone, as this breaks the chain of trust" (OCI Networking Documentation, Section: DNSSEC Troubleshooting). This is a common post-enablement issue.

Goal: Minimum BGP setup for private FastConnect peering.

Option A: Public ASN isn’t required; private ASNs work—incorrect.

Option B: Private ASN is allowed, but doesn’t specify IPs—insufficient.

Option C: Public IPs aren’t needed for private peering—incorrect.

Option D: Valid ASNs (public or private) and non-overlapping private IPs are the minimum for BGP—correct.

Conclusion: Option D meets the requirements.

Oracle notes:

"For BGP over FastConnect private peering, provide a valid ASN (public or private) and a non-overlapping IP range for peering."This confirms Option D. Reference:FastConnect BGP Configuration - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Network/Tasks/fastconnect.htm#BGP).

Transitive Routing Goal:Traffic from a VCN to an on-premises network via DRG.

DRG Role:Acts as a virtual router connecting VCNs and on-premises networks.

Routing Options:

Static Routes:Manually defined, less scalable for dynamic environments.

Dynamic Routing (BGP):Automatically exchanges routes, ideal for hybrid setups.

Evaluate Options:

A:Static routes work but require manual updates; less efficient.

B:BGP dynamically propagates routes, ensuring correct routing; best fit.

C:LPG is for intra-region peering, not on-premises connectivity; incorrect.

D:Service Gateway is for OCI services, not on-premises; incorrect.

Conclusion:BGP ensures scalable, accurate routing through the DRG.

The DRG supports transitive routing with dynamic protocols like BGP. The Oracle Networking Professional study guide states, "For transitive routing between VCNs and on-premises networks via a DRG, configuring BGP on the DRG and CPE enables automatic route propagation, ensuring traffic is correctly routed" (OCI Networking Documentation, Section: Dynamic Routing Gateway). BGP is preferred over static routes for hybrid cloud scenarios.

Objective:Efficiently propagate on-premises route updates to multiple VCNs.

DRG Capabilities:Supports route distribution to attached VCNs.

Analyze Options:

A:Manual updates are inefficient and error-prone; unsuitable.

B:Centralized DRG with route distribution automates propagation; efficient.

C:Multiple DRGs add complexity and manual effort; inefficient.

D:Service Gateway is for OCI services, not route updates; incorrect.

Conclusion:Centralized DRG with route distribution is the most efficient method.

Route distribution in a DRG simplifies multi-region routing. The Oracle Networking Professional study guide notes, "Using a centralized DRG with route distribution enabled allows routes learned from on-premises networks to be automatically propagated to all attached VCNs, reducing management overhead" (OCI Networking Documentation, Section: DRG Route Distribution). This leverages OCI’s automation capabilities.

Goal: End-to-end encryption (client-to-LB and LB-to-backend).

Option A: HTTP backend set leaves LB-to-backend unencrypted—incorrect.

Option B: HTTPS listener and backend set with certificates ensures full encryption—correct and mandatory.

Option C: Backend-only certificates lack LB termination—incorrect.

Option D: TCP proxy bypasses LB encryption—incorrect.

Conclusion: Option B is mandatory for end-to-end encryption.

Oracle states:

"For end-to-end encryption, configure the HTTPS listener with an SSL certificate and set the backend protocol to HTTPS, requiring certificates on backend instances."This validates Option B. Reference:Load Balancer SSL - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Balance/Tasks/managingssl.htm).

Context: Zero Trust assumes no trust, requiring strict isolation (micro-segmentation).

Option A: Bandwidth isn’t increased by segmentation—incorrect.

Option B: Segmentation may increase route tables for granularity, not reduce them—incorrect.

Option C: Micro-segmentation isolates workloads, limiting breach impact (blast radius)—core Zero Trust goal and correct.

Option D: Inter-region connectivity isn’t simplified by micro-segmentation—incorrect.

Conclusion: Option C aligns with Zero Trust principles.

Oracle notes:

"Micro-segmentation in OCI VCNs, using NSGs and security lists, limits the blast radius of breaches by isolating resources, a key Zero Trust principle."This supports Option C. Reference:Zero Trust in OCI - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Network/Concepts/zerotrust.htm).

Goal: Force spoke-to-spoke traffic via a network appliance in hub-and-spoke topology.

Option A: Static routes on DRG to appliance ensure transitive routing—correct.

Option B: Service Gateway is for OCI services—incorrect.

Option C: Internet Gateway is public, not hub-and-spoke—incorrect.

Option D: LPG bypasses the appliance—incorrect.

Conclusion: Option A is necessary.

Oracle notes:

"In a hub-and-spoke topology, configure DRG route tables with static routes to the network appliance’s private IP for transitive routing between spokes."This supports Option A. Reference:Hub-and-Spoke Topology - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Network/Tasks/hubspoke.htm).

Needs: Secure, reliable hybrid multicloud access.

Option A: Multiple VPNs are secure but complex and less reliable over internet—less optimal.

Option B: Public internet with app security is insecure—incorrect.

Option C: FastConnect to OCI provides a private base; SD-WAN extends securely to AWS/Azure with encryption and HA—correct.

Option D: FastConnect to OCI with VPNs to others risks OCI as a single point of failure—less reliable.

Conclusion: Option C is the most secure and reliable.

Oracle advises:

"For hybrid multicloud, use FastConnect for primary connectivity and SD-WAN to extend securely to other clouds with encryption and policy control."This supports Option C. Reference:Multicloud Best Practices - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Network/Concepts/multicloud.htm#bestpractices).

Objective: Identify the OCI resource for private, low-latency VCN-to-VCN connectivity in the same region.

Option A: DRG connects VCNs to external networks (e.g., on-premises) or across regions, not for same-region peering—incorrect.

Option B: LPG is designed for private peering of VCNs within the same region, ensuring low-latency communication—correct.

Option C: Internet Gateway provides public internet access, not private connectivity—incorrect.

Option D: Service Gateway connects VCNs to OCI services, not other VCNs—incorrect.

Conclusion: Option B is the appropriate resource.

Oracle documentation states:

"A Local Peering Gateway (LPG) enables private connectivity between two VCNs in the same region, providing direct, low-latency communication."This confirms Option B. Reference:Local VCN Peering Overview - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Network/Tasks/localVCNpeering.htm).

Problem:Packet loss and degradation over OCI-Azure Interconnect.

Typical Causes:Security rules, routing, MTU mismatches.

Evaluate Options:

A:NSGs/Security Lists blocking traffic is a common issue; typical.

B:Routing misconfiguration can drop packets; typical.

C:Pricing tiers affect billing, not interconnect bandwidth; not typical.

D:MTU mismatches cause fragmentation and loss; typical.

Conclusion:Pricing tiers are unrelated to interconnect performance issues.

Interconnect performance issues stem from network configuration, not pricing. The Oracle Networking Professional study guide states, "Troubleshooting multi-cloud interconnects involves checking security rules, routing, and MTU settings, as these directly impact traffic flow" (OCI Networking Documentation, Section: Multi-Cloud Connectivity). Pricing tiers influence resource limits, not interconnect bandwidth.

Goal:Prioritize application traffic over FastConnect for consistent performance.

Features:

VLAN Tagging:Segments traffic, no prioritization.

QoS:Prioritizes traffic based on rules.

BGP Communities:Route policy, not QoS.

Jumbo Frames:Increases MTU, not priority.

Evaluate Options:

A:No prioritization; incorrect.

B:QoS ensures priority; correct.

C:Routing control, not QoS; incorrect.

D:Throughput, not latency control; incorrect.

Conclusion:QoS is the right feature.

FastConnect QoS manages traffic priority. The Oracle Networking Professional study guide explains, "FastConnect Quality of Service (QoS) allows you to prioritize critical traffic over the circuit, ensuring consistent performance despite competing traffic" (OCI Networking Documentation, Section: FastConnect Features). This addresses latency variability effectively.

Goal:Minimize downtime in blue/green deployment with ALB.

ALB Capabilities:Supports weighted routing for gradual traffic shifts.

Evaluate Options:

A:Immediate switch risks downtime if ‘green’ fails; less efficient.

B:Listener swap causes abrupt change; not optimal.

C:Gradual shift with weights ensures smooth transition; most efficient.

D:Forcing ‘blue’ unhealthy is disruptive and hacky; inefficient.

Conclusion:Weighted routing provides the smoothest transition.

ALB supports blue/green via routing rules. The Oracle Networking Professional study guide states, "Application Load Balancer’s routing rules allow weighted traffic distribution between backend sets, enabling blue/green deployments with minimal downtime" (OCI Networking Documentation,Section: Load Balancer Routing). This method ensures stability during updates.

Requirements: Secure, reliable, low-latency, bidirectional access with redundancy.

Option A: VPN via DRG is secure but lacks low latency and redundancy—insufficient.

Option B: FastConnect via DRG offers low latency and security but no redundancy—partial fit.

Option C: Public endpoints are insecure and high-latency—incorrect.

Option D: FastConnect for primary low-latency access, VPN as backup for redundancy—correct and most appropriate.

Conclusion: Option D meets all criteria.

Oracle states:

"FastConnect with DRG provides secure, low-latency hybrid connectivity. Add a Site-to-Site VPN for redundancy to ensure reliability."This supports Option D. Reference:Hybrid Cloud Connectivity - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Network/Tasks/hybridcloud.htm).

Requirements: HA and IPv6 support for public web app.

Option A: ULA is private, not routable; NAT for IPv6 is inefficient—incorrect.

Option B: ULA doesn’t support public IPv6 clients—incorrect.

Option C: Public IPv6 CIDR is correct, but IPv4-only LB with NAT lacks direct IPv6—less resilient.

Option D: Public IPv6 CIDR with dual-stack LB and instances ensures full IPv6 support and HA across ADs—correct.

Conclusion: Option D maximizes resilience and connectivity.

Oracle states:

"For public IPv6 applications, use a public IPv6 CIDR block and configure Load Balancers and instances for both IPv4 and IPv6 to ensure resilience."This supports Option D. Reference:IPv6 in OCI - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Network/Tasks/managingIPv6.htm).

Objective: Improve OCI-AWS data transfer performance.

Option A: Region distance affects latency—valid.

Option B: Dedicated interconnect boosts bandwidth and stability—valid.

Option C: Compute pricing doesn’t influence inter-cloud bandwidth—invalid.

Option D: WAN optimization can enhance transfer efficiency—valid.

Conclusion: Option C is not a design consideration for performance.

Oracle notes:

"To optimize OCI-AWS connectivity, consider region proximity, dedicated interconnects, or WAN optimization. Compute pricing is unrelated to network performance."This excludes Option C. Reference:Hybrid Cloud Networking - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Network/Concepts/hybridcloud.htm).

Requirements: Private, low-latency cross-region VCN connectivity.

Option A: RPCs with route table updates enable private, direct peering via DRG—correct.

Option B: IPSec VPN adds latency over internet—incorrect.

Option C: Service Gateways are for OCI services—incorrect.

Option D: NAT Gateways use public IPs, not private—incorrect.

Conclusion: Option A is necessary.

Oracle states:

"Use Remote Peering Connections (RPCs) with DRG to connect VCNs across regions privately. Update route tables for CIDR routing."This supports Option A. Reference:Remote VCN Peering - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Network/Tasks/remoteVCNpeering.htm).

Requirements: Outbound internet access, no inbound exposure, and private OCIR access.

Option A: Internet Gateway allows inbound traffic, violating the no-exposure rule—incorrect.

Option B: NAT Gateway enables outbound-only internet access, but Internet Gateway adds inbound exposure—incorrect.

Option C: NAT Gateway provides outbound internet access without inbound exposure; Service Gateway enables private OCIR access—correct.

Option D: DRG is for external networks, not internet/OCIR access; Internet Gateway exposes servers—incorrect.

Conclusion: Option C satisfies all requirements.

Oracle states:

"Use a NAT Gateway for outbound internet access from private subnets without inbound connectivity. Use a Service Gateway for private access to OCI services like OCIR."This supports Option C. Reference:NAT and Service Gateway Overview - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Network/Tasks/NATgateway.htm & docs.oracle.com/en-us/iaas/Content/Network/Tasks/servicegateway.htm).

Context: Tunnel flapping over FastConnect vs. public internet.

Option A: Congestion/packet loss is less likely over FastConnect’s dedicated link than the unpredictable public internet—correct.

Option B: Mismatched keys/parameters would prevent tunnel establishment, not flapping—equally likely in both.

Option C: MTU issues cause fragmentation in both scenarios—equally likely.

Option D: BGP flapping is more relevant with FastConnect’s dynamic routing—more likely here.

Conclusion: Option A is less likely over FastConnect.

Oracle notes:

"FastConnect provides a stable, dedicated connection, reducing congestion and packet loss compared to public internet VPNs."This supports Option A. Reference:IPSec over FastConnect - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Network/Tasks/settingupIPSec.htm#fastconnect).

Goal: Apply least privilege for Cloud Shell to run diagnostics (ping, traceroute, nc) within a VCN.

Option A: Read permission on all virtual-network-family resources is too broad, granting unnecessary access beyond diagnostics—violates least privilege.

Option B: Instance Principals use temporary credentials tied to the Cloud Shell instance, enhancing security. A dynamic group with “read” and “use” permissions on NSGs and VNICs allows inspecting configurations and running diagnostics (e.g., via VNICs), meeting the exact need—correct.

Option C: Inspect permission only provides metadata access, insufficient for running diagnostics (e.g., no “use” for traffic)—incorrect.

Option D: Use permission on virtual-network-family at tenancy level is overly permissive, granting access to all network resources—violates least privilege.

Conclusion: Option B is the most restrictive and secure, aligning with least privilege.

Oracle states:

"Instance Principals allow services like Cloud Shell to authenticate without static credentials. Policies with ‘read’ and ‘use’ on specific resources (e.g., network-security-groups, vnics) enable diagnostics while adhering to least privilege."This supports Option B. Reference:Instance Principals - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Identity/Tasks/instanceprincipals.htm).

Requirement:Restrict inter-subnet communication unless permitted.

Options Analysis:

A:Removing default route breaks all routing, overly restrictive; incorrect.

B:Separate VCNs are excessive, complex; less practical.

C:NSGs provide granular, explicit control; optimal approach.

D:External firewall adds complexity, not VCN-native; inefficient.

NSG Advantage:Instance-level rules enforce policy within VCN.

Conclusion:NSGs are the most appropriate solution.

NSGs enable precise security within a VCN. The Oracle Networking Professional study guide states, "Network Security Groups (NSGs) allow you to define strict ingress and egress rules for instances, ensuring inter-subnet communication is explicitly permitted as per security policies" (OCI Networking Documentation, Section: Network Security Groups). This is more efficient than VCN separation or external firewalls.

Requirements: Centralized DRG with tenant isolation.

Option A: Separate DRGs complicate management—incorrect.

Option B: NSGs work but are less secure than routing isolation—less optimal.

Option C: Single DRG with per-VCN route tables restricting routes to FastConnect only ensures isolation at the routing level—correct.

Option D: Compartments don’t isolate traffic at DRG—incorrect.

Conclusion: Option C is the most effective.

Oracle states:

"Use separate DRG route tables per VCN attachment to isolate traffic. Include only FastConnect routes to prevent VCN-to-VCN communication."This supports Option C. Reference:DRG Route Tables - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Network/Tasks/managingDRGs.htm).

Requirements:End-to-end encryption, no public internet for Object Storage access.

Options Analysis:

Service Gateway:Private access to Object Storage.

NAT Gateway:Public internet access; unsuitable.

Private Endpoint:Alternative private access, but newer feature.

HTTPS:Ensures in-transit encryption.

Evaluate Options:

A:Encryption at rest doesn’t cover transit; incomplete.

B:NAT uses public internet; violates policy; incorrect.

C:Service Gateway with HTTPS ensures full encryption and privacy; correct.

D:Private Endpoint with HTTPS is valid but less common than Service Gateway; slightly less optimal historically.

Conclusion:Service Gateway with HTTPS is most secure and compliant.

Service Gateway is standard for private Object Storage access. The Oracle Networking Professional study guide states, "A Service Gateway with HTTPS API calls ensures end-to-end encrypted traffic to Object Storage without public internet traversal" (OCI Networking Documentation, Section: Service Gateway). This meets security mandates effectively.

Requirements:Low latency, high bandwidth, multi-region VCNs via one FastConnect, minimal cost/overhead.

DRG Strategy:

Multiple DRGs:Increases cost and complexity.

Single DRG:Centralizes management, reduces FastConnect attachments.

Evaluate Options:

A:Multiple DRGs and FastConnects; costly and complex; incorrect.

B:Remote peering connections imply RPC, not standard DRG attachments; less precise.

C:Single DRG with remote peering attachments; efficient and correct terminology; optimal.

D:LPGs are intra-region, not cross-region; incorrect.

Conclusion:Single DRG with remote peering attachments is most efficient.

A single DRG optimizes multi-region setups. The Oracle Networking Professional study guide notes, "For connecting multiple VCNs across regions to a single FastConnect, use one DRG with remote peering attachments to minimize cost and management overhead" (OCI Networking Documentation, Section: DRG with FastConnect). Option C aligns with OCI’s recommended architecture.

Requirements:App tier (public) needs internet; DB tier (private) must not.

Components:

Internet Gateway:Full internet access for public subnets.

NAT Gateway:Outbound-only internet for private subnets.

Service Gateway:Private OCI service access.

Evaluate Options:

A:Reversed roles; public subnet doesn’t need Service Gateway; incorrect.

B:NAT for public is unnecessary with Internet Gateway; inefficient.

C:NAT for public is wrong; Service Gateway doesn’t block DB internet; incorrect.

D:Internet Gateway for app, NAT for DB if needed, aligns with policy; correct.

Conclusion:Option D is most secure and efficient.

Subnet roles dictate gateway use. The Oracle Networking Professional study guide states, "Public subnets use an Internet Gateway for full internet access, while private subnets can use a NAT Gateway for outbound-only access, ensuring no direct internet exposure" (OCI Networking Documentation, Section: VCN Gateways). Option D balances security and functionality.

Objective:Enable DNSSEC to secure OCI DNS against spoofing.

DNSSEC Process:Requires enabling on the zone, generating keys, and updating the registrar.

Evaluate Options:

A:Steering policies manage traffic, not DNSSEC; incorrect.

B:OCI DNS auto-generates keys; manual upload unnecessary; incorrect.

C:Enabling DNSSEC starts the process, provides DS record; correct first step.

D:Resolver validation is client-side, not enabling DNSSEC; incorrect.

Conclusion:Enabling DNSSEC on the zone is the critical first step.

DNSSEC setup begins at the zone level. The Oracle Networking Professional study guide states, "The first step to enable DNSSEC in OCI DNS is to activate it on the zone, which generates keys and provides a DS record to share with your registrar" (OCI Networking Documentation, Section: DNSSEC Configuration). This establishes the chain of trust.

Requirement Analysis: Strict compliance mandates logging all user access to private resources in a multi-tier setup.

Option A Assessment: Dynamic port forwarding with no logging fails compliance, as it provides no audit trail.

Option B Assessment: Managed Bastion sessions in OCI offer detailed logging (e.g., session start/end times, user IDs), integrated with OCI Logging. This meets compliance needs with a managed, scalable solution.

Option C Assessment: SSH port forwarding with minimal logs doesn’t provide the detailed auditing required for strict compliance.

Option D Assessment: A jump server with manual logging is error-prone, lacks scalability, and isn’t a managed OCI service, making it less suitable.

Conclusion: Option B provides the most robust, compliance-ready solution with detailed logging.

From Oracle’s Bastion documentation:

"OCI Bastion provides managed SSH sessions with detailed logging capabilities, capturing user access details for audit and compliance. Enable session logging to record all activities."This supports Option B as the best choice. Reference:Bastion Service Overview - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Bastion/Concepts/bastionoverview.htm).

Goal:Minimize maintenance of Bastion session configurations.

Bastion Options:

Individual Sessions:High maintenance per instance.

Dynamic Port Forwarding:Flexible but user-managed, prone to errors.

Centralized Service:Predefined targets, low maintenance.

Separate Hosts:Increases complexity and overhead.

Evaluate Options:

A:Per-instance sessions require constant updates; inefficient.

B:SOCKS5 shifts burden to users; moderate maintenance.

C:Centralized with managed sessions reduces effort; optimal.

D:Multiple hosts multiply management tasks; worst option.

Conclusion:Centralized Bastion with managed sessions is most efficient.

OCI Bastion service supports centralized management. The Oracle Networking Professional study guide notes, "A centralized Bastion service with managed sessions and predefined target configurations minimizes administrative overhead by streamlining access to private subnet resources" (OCI Networking Documentation, Section: Bastion Service). This approach leverages OCI’s automation capabilities.

Goal: Ensure OCI-Azure traffic during BGP disruption.

Option A: Static routes bypass BGP dependency, maintaining connectivity—correct.

Option B: Disabling BGP stops routing—incorrect.

Option C: Notification doesn’t ensure connectivity—incorrect.

Option D: Keepalive timers delay detection, not prevent disruption—incorrect.

Conclusion: Option A is most critical.

Oracle notes:

"For uninterrupted OCI-Azure Interconnect traffic during BGP maintenance, configure static routes between VCNs and VNets."This supports Option A. Reference:OCI-Azure Interconnect - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Network/Tasks/ociazureinterconnect.htm).

Objective:Filter BGP routes on OCI to accept only specific on-premises prefixes.

BGP Attributes Overview:

AS Path Prepending:Lengthens AS path to influence route preference, not filtering.

MED:Influences exit point selection, not route acceptance.

RD/RT:Used in MPLS VPNs for tenant isolation, not simple prefix filtering.

Prefix Lists:Directly filter prefixes based on IP ranges.

Evaluate Options:

A:AS Path Prepending affects preference, not filtering; unsuitable.

B:MED influences path selection, not route rejection; incorrect.

C:RD/RT is for VPN contexts, not applicable here.

D:Prefix Lists explicitly allow/deny prefixes, meeting the requirement.

Conclusion:Prefix Lists on the FastConnect virtual circuit provide precise control over accepted routes.

Prefix Lists are the most effective BGP tool for filtering routes in OCI. The Oracle Networking Professional study guide notes, "Prefix Lists can be applied to FastConnect virtual circuits to filter BGP advertisements, ensuring only approved prefixes are learned by OCI" (OCI Networking Documentation, Section: FastConnect and BGP). This prevents routing conflicts by rejecting unwanted prefixes, aligning with the security and control requirements.

Concern:IPSec overhead reduces effective MTU.

MTU Impact:Must avoid fragmentation, which degrades performance.

Evaluate Factors:

A:Bandwidth doesn’t dictate MTU; incorrect.

B:Smallest MTU in path (path MTU) prevents fragmentation; most critical.

C:Ethernet MTU is a factor but not the limiting one; incomplete.

D:DRG fragmentation settings are secondary to path MTU; incorrect.

Conclusion:Path MTU is the key determinant to avoid fragmentation.

IPSec reduces MTU due to headers. The Oracle Networking Professional study guide explains, "When configuring IPSec over FastConnect, the most important factor is the smallest MTU supported along the entire path to prevent fragmentation and ensure efficient traffic flow" (OCI Networking Documentation, Section: IPSec over FastConnect). Path MTU discovery is critical.

Objective: Securely transition from self-signed to trusted CA certificates.

Option A: Importing self-signed certificates into OCI Certificates doesn’t improve security—incorrect.

Option B: Immediate replacement risks outages if clients don’t trust the new CA—unrecommended.

Option C: Gradual replacement with OCI Certificates, updating client truststores, ensures security and minimizes disruption—correct.

Option D: Bypassing validation via WAF weakens security—incorrect.

Conclusion: Option C is the most secure and recommended method.

Oracle advises:

"Replace self-signed certificates with OCI Certificates from a trusted CA. Perform a phased rollout and update client truststores to avoid disruptions."This validates Option C. Reference:OCI Certificates Overview - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Security/Certificates/overview.htm).

Context: Inter-tenancy VCN peering connects VCNs across different OCI tenancies using Remote Peering Connections (RPCs).

Option A: Authentication of the root user is handled by IAM policies, not the peer ID, which is a technical identifier—incorrect.

Option B: The peer ID is the OCID of the RPC created by the requesting tenancy. It uniquely identifies the RPC, allowing the accepting tenancy to target and establish the peering—correct.

Option C: CIDR blocks are part of VCN configuration and shared separately, not via thepeer ID—incorrect.

Option D: Security rules are defined by NSGs or security lists, not the peer ID—incorrect.

Conclusion: The peer ID’s purpose is to identify the requesting tenancy’s RPC, making Option B the correct answer.

From Oracle’s documentation:

"For inter-tenancy peering, the requesting tenancy provides the OCID of its Remote Peering Connection (RPC), known as the peer ID, to the accepting tenancy. The accepting tenancy uses this ID to establish the peering."This confirms Option B. Reference:Remote VCN Peering Across Tenancies - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Network/Tasks/remoteVCNpeering.htm#cross-tenancy).