Free Practice Questions for Oracle 1z0-1124-25 Exam

Problem Context: BGP session is established, but no routes are exchanged, and basic config (ASNs, IPs) is correct.

Option A Analysis: Misconfigured keepalive timers would cause the session to drop intermittently. Since the session is confirmed as established, this is unlikely. Keepalives affect session stability, not route exchange.

Option B Analysis: A mismatch in BGP authentication keys (e.g., MD5 passwords) would prevent the session from establishing. Given the session is up, this is not the issue.

Option C Analysis: BGP prefix lists or route maps filter advertised routes. If either the on-premises router or OCI applies a filter (intentionally or misconfigured), it could block route advertisements despite an established session. This is a common issue in BGP setups and aligns with the symptoms.

Option D Analysis: MTU mismatches could cause packet loss or fragmentation, but BGP uses TCP (small packets), and session establishment indicates MTU isn’t the primary issue. Route exchange failures are more likely due to filtering than MTU.

Conclusion: Option C is the most likely cause, as filtering directly prevents route exchange without affecting session status.

From Oracle’s FastConnect documentation:

"Once a BGP session is established, routes are exchanged based on the prefixes advertised by each side. Route maps, prefix lists, or filters on either the CPE or OCI side can restrict which routes are advertised or accepted."

"If no routes appear in the routing table despite an active session, verify that no filters are blocking advertisements."This supports Option C as the most likely cause. Reference:FastConnect Overview - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Network/Tasks/fastconnect.htm).

Goal: Verify routing for inter-region VCN peering via DRG.

Option A: Cloud Guard monitors security, not routing—incorrect.

Option B: Audit Logs track changes, not current routing state—incorrect.

Option C: DRG Route Tables define routing rules, directly showing misconfigurations—correct.

Option D: Network Visualizer shows topology but not detailed routing rules—less effective.

Conclusion: DRG Route Tables are most effective.

Oracle states:

"DRG Route Tables are the primary tool for verifying and troubleshooting routing configurations for inter-region VCN peering."This validates Option C. Reference:DRG Troubleshooting - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Network/Tasks/managingDRGs.htm#troubleshooting).

Problem:Private subnet instances can’t access Object Storage via Service Gateway.

Setup Check:Route rules point to Service Gateway; NSGs allow traffic.

Evaluate Causes:

A:Incorrect CIDR labels block Object Storage access; likely.

B:Internet Gateway irrelevant for Service Gateway; incorrect.

C:NSGs confirmed open, security lists secondary; less likely.

D:NAT Gateway not used here; incorrect.

Conclusion:Misconfigured Service Gateway CIDR is the most likely issue.

Service Gateway requires specific CIDR labels. The Oracle Networking Professional study guide states, "For private subnets to access Object Storage via a Service Gateway, the gateway must be configured with the correct regional Oracle Services CIDR label" (OCI Networking Documentation, Section: Service Gateway Configuration). Misconfiguration prevents access despite proper routing.

Requirements:App tier (public) needs internet; DB tier (private) must not.

Components:

Internet Gateway:Full internet access for public subnets.

NAT Gateway:Outbound-only internet for private subnets.

Service Gateway:Private OCI service access.

Evaluate Options:

A:Reversed roles; public subnet doesn’t need Service Gateway; incorrect.

B:NAT for public is unnecessary with Internet Gateway; inefficient.

C:NAT for public is wrong; Service Gateway doesn’t block DB internet; incorrect.

D:Internet Gateway for app, NAT for DB if needed, aligns with policy; correct.

Conclusion:Option D is most secure and efficient.

Subnet roles dictate gateway use. The Oracle Networking Professional study guide states, "Public subnets use an Internet Gateway for full internet access, while private subnets can use a NAT Gateway for outbound-only access, ensuring no direct internet exposure" (OCI Networking Documentation, Section: VCN Gateways). Option D balances security and functionality.

Objective: Reduce latency for remote users accessing private resources via Bastion.

Option A: Single Bastion increases latency for distant users—incorrect.

Option B: Multiple regional Bastions minimize latency by proximity—correct.

Option C: Dynamic port forwarding doesn’t address geographic latency—incorrect.

Option D: Load balancer aids HA, not latency reduction—incorrect.

Conclusion: Option B optimizes latency.

Oracle notes:

"Deploy Bastion hosts in multiple regions to reduce latency for geographically dispersed users accessing private resources."This supports Option B. Reference:Bastion Service Overview - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Bastion/Concepts/bastionoverview.htm).

Goal: Apply least privilege for Cloud Shell to run diagnostics (ping, traceroute, nc) within a VCN.

Option A: Read permission on all virtual-network-family resources is too broad, granting unnecessary access beyond diagnostics—violates least privilege.

Option B: Instance Principals use temporary credentials tied to the Cloud Shell instance, enhancing security. A dynamic group with “read” and “use” permissions on NSGs and VNICs allows inspecting configurations and running diagnostics (e.g., via VNICs), meeting the exact need—correct.

Option C: Inspect permission only provides metadata access, insufficient for running diagnostics (e.g., no “use” for traffic)—incorrect.

Option D: Use permission on virtual-network-family at tenancy level is overly permissive, granting access to all network resources—violates least privilege.

Conclusion: Option B is the most restrictive and secure, aligning with least privilege.

Oracle states:

"Instance Principals allow services like Cloud Shell to authenticate without static credentials. Policies with ‘read’ and ‘use’ on specific resources (e.g., network-security-groups, vnics) enable diagnostics while adhering to least privilege."This supports Option B. Reference:Instance Principals - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Identity/Tasks/instanceprincipals.htm).

Requirement: OCI-AWS traffic must stay in the US for sovereignty compliance.

Option A: A FastConnect partner guaranteeing US-only transit ensures compliance via a private, controlled path—correct.

Option B: DRG and VGW with VPN don’t guarantee US-only routing over public internet—incorrect.

Option C: Generic VPN can’t control internet paths despite US gateways—incorrect.

Option D: Public internet with DNS restrictions doesn’t enforce routing—incorrect.

Conclusion: Option A is the most critical consideration.

Oracle states:

"Choose a FastConnect partner that can guarantee geographic routing constraints, such as US-only transit, to meet data sovereignty requirements."This supports Option A. Reference:FastConnect Compliance - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Network/Tasks/fastconnect.htm#compliance).

Goal: Restrict subnet traffic to a specific on-premises IP range via FastConnect.

Option A: Internet Gateway is for public access, not FastConnect—incorrect.

Option B: Default security list applies broadly, lacking granularity; NSGs are more effective—less optimal.

Option C: Custom route table with DRG ensures FastConnect routing; NSGs provide precise, instance-level traffic restriction—correct.

Option D: LPG is for same-region VCN peering, not on-premises—incorrect.

Conclusion: Option C is the most effective method.

Oracle notes:

"Use a custom route table with a DRG route rule for FastConnect traffic. NSGs offer granular control to restrict traffic to specific IP ranges."This supports Option C. Reference:FastConnect and NSG Overview - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Network/Tasks/fastconnect.htm & docs.oracle.com/en-us/iaas/Content/Network/Concepts/NSGs.htm).

Requirements: App tier only initiates to DB; web tier to app tier only.

Option A: NSGs with forced routing through app tier adds complexity and latency—less effective.

Option B: Single NSG lacks subnet-level isolation—incorrect.

Option C: Separate security lists per subnet with ingress/egress rules enforce isolation; route tables ensure proper VCN routing—correct and effective.

Option D: Security lists are good, but routing web-to-DB via app tier is unnecessary—incorrect.

Conclusion: Option C achieves isolation efficiently.

Oracle states:

"Use separate security lists per subnet with ingress/egress rules to isolate tiers. Route tables manage intra-VCN traffic without forced hops."This supports Option C. Reference:Security Lists Overview - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Network/Concepts/securitylists.htm).

Requirement Analysis:The solution must ensure private access to Object Storage without public internet traversal, while being cost-effective.

Evaluate OCI Components:

Internet Gateway:Provides public internet access, unsuitable for private connectivity.

NAT Gateway:Allows outbound internet access from private subnets, but traffic still exits OCI.

Service Gateway:Enables private access to OCI services like Object Storage within the same region.

DRG with FastConnect:Used for on-premises connectivity, not intra-OCI service access.

Option Assessment:

A:Uses public internet, violating the security policy.

B:HTTPS encrypts data, but traffic traverses the internet via NAT, violating the policy.

C:Service Gateway keeps traffic within OCI’s private network, meeting security and cost goals.

D:Overly complex and costly, with public endpoints contradicting the requirement.

Conclusion:Service Gateway with regional Object Storage endpoints ensures private, secure, and cost-effective access.

The Service Gateway is designed for private access to OCI services like Object Storage, avoiding the public internet. The Oracle Networking Professional study guide states, "A Service Gateway allows instances in a private subnet to access supported OCI services without an Internet Gateway or NAT Gateway, ensuring traffic remains within the Oracle network" (OCI Networking Documentation, Section: Service Gateway). Using the Oracle Services Network service CIDR label for the region ensures compatibility with Object Storage endpoints, optimizing cost and security.