You are responsible for managing the network infrastructure of a multi-tenant SaaS application deployed on OCI. Each tenant has their own dedicated VCN. To simplify management and provide a centralized point for connectivity to your on-premises network via FastConnect, you are using a DRG. However, you need to ensure that tenants are logically isolated from each other, and no traffic can flow directly between tenant VCNs through the DRG. How can you achieve tenant isolation while still allowing each tenant to connect to your on-premises network through the centralized DRG?

A.

Create a separate DRG for each tenant and attach the respective tenant VCN to its DRG. Configure static routes on each DRG to direct traffic appropriately.

B.

Utilize a single DRG and attach all tenant VCNs to it. Implement Network Security Groups (NSGs) on each tenant VCN to explicitly block all traffic to and from other tenant VCNs.

C.

Utilize a single DRG and attach all tenant VCNs to it. For each VCN attachment, use a DRG route table that only contains a route to the FastConnect attachment. Do not include any routes to other VCN attachments in any DRG route table.

D.

Utilize a single DRG and attach all tenant VCNs to it. Create a separate compartment for each tenant VCN. This will automatically isolate tenant traffic at the DRG level.

Which of the following is a disadvantage of using a public internet-based VPN connection for migrating large datasets from another cloud provider to OCI?

A.

VPN connections are inherently less secure than dedicated private connections

B.

VPN connections cannot be automated using Infrastructure as Code (IaC) tools

C.

The throughput of a VPN connection is limited by the available bandwidth and latency of the public internet

D.

VPN connections are not compatible with all OCI services

You are using the OCI Application Load Balancer (ALB) for your web application. You want to implement a blue/green deployment strategy to minimize downtime during application updates. You have two backend sets: 'blue' (the current version) and 'green' (the new version). What is the most efficient way to switch traffic from the 'blue' backend set to the 'green' backend set using the ALB's traffic management capabilities?

A.

Update the listener to point directly to the 'green' backend set.

B.

Create a new listener that points to the 'green' backend set and delete the old listener.

C.

Use the ALB's routing rules to gradually shift traffic from the 'blue' backend set to the 'green' backend set based on a percentage weight.

D.

Update the health check policy of the 'blue' backend set to mark all servers as unhealthy, forcing the ALB to send traffic to the 'green' backend set.

You are automating the deployment of a highly available OKE cluster across multiple availability domains (ADs) using Terraform. The OKE cluster needs to communicate with a database service running on a Compute instance in a separate private subnet within the same VCN. During the Terraform deployment, you encounter an error indicating that the Kubernetes pods cannot resolve the private IP address of the database instance. You’ve verified that DNS resolution works correctly for other resources within the VCN. What is the MOST probable reason for this DNS resolution failure?

A.

The CoreDNS pods within the OKE cluster are not configured to use the VCN’s DNS resolver.

B.

The security list associated with the database subnet does not allow ingress traffic from the OKE cluster’s node pool subnet on port 53 (DNS).

C.

The OKE cluster was created with a public endpoint only, and therefore cannot resolve private IP addresses.

D.

The OKE cluster’s node pool subnet is not associated with a route table that has a rule for the VCN’s DNS resolver.

A company wants to leverage a best-of-breed approach for their application stack. They plan to use OCI for its Autonomous Database, Azure for its container orchestration (AKS), and AWS for its object storage (S3). Considering cost optimization and minimizing data egress charges, which strategy is the MOST efficient for transferring large datasets between these services?

A.

Moving data directly between OCI Autonomous Database, Azure AKS, and AWS S3 over the public internet, as this is the most cost-effective option

B.

Establishing a hub-and-spoke model, using a central cloud provider as the data transfer hub, incurring egress charges from each cloud to the hub and then ingress charges from the hub to the destination cloud

C.

Utilizing a third-party data integration platform that is strategically located at a network peering point between OCI, Azure, and AWS

D.

Using a Storage Gateway service on each cloud and replicating data from one gateway to the other

For a multi-tier architecture with a strict compliance requirement to log all user access to private resources, which Bastion service configuration is most suitable?

A.

Dynamic port forwarding sessions with no logging enabled.

B.

Managed Bastion sessions with detailed session logging enabled.

C.

SSH port forwarding sessions with minimal audit logs.

D.

Using a jump server with manually configured logging.

When using Service Connector Hub to route VCN Flow Logs to Object Storage for long-term analysis, which Service Connector Hub task type is essential for ensuring the logs are correctly processed and stored?

A.

Ingest Logs

B.

Process Logs

C.

Deliver Logs

D.

Transform Logs

You are using Terraform to deploy a multi-tier application architecture consisting of a public subnet hosting a load balancer, a private subnet hosting application servers, and another private subnet hosting a database. The Terraform code successfully creates all the required infrastructure, including route tables and security lists. However, after deployment, you realize that the load balancer cannot reach the application servers in the private subnet. You have verified that the load balancer is healthy and the application servers are running. What is the most likely cause of this connectivity problem?

A.

The security list associated with the application server subnet does not allow ingress traffic from the load balancer's IP address range.

B.

The route table associated with the application server subnet has a default route pointing to the Internet Gateway, which is incorrect for a private subnet.

C.

The Network Address Translation (NAT) Gateway is misconfigured, preventing the application servers from initiating connections back to the load balancer.

D.

The load balancer's security list is not configured to allow egress traffic to the application server subnet on the required ports (e.g., port 8080).

You are tasked with migrating a critical, latency-sensitive application from Azure to OCI. Due to compliance requirements, all data must be encrypted in transit. Which connectivity option provides the BEST combination of security and performance for this migration?

A.

Configure a Site-to-Site VPN between Azure’s Virtual Network Gateway and OCI’s Dynamic Routing Gateway (DRG), relying on the built-in IPSec encryption

B.

Utilize Azure ExpressRoute and OCI FastConnect through a colocation provider, then implement application-level encryption using TLS

C.

Leverage Azure Data Factory to transfer data to OCI Object Storage via HTTPS

D.

Employ Azure VPN Gateway in conjunction with an OCI Load Balancer with SSL termination for the incoming connections from Azure

You have configured DNSSEC for your domain hosted on OCI DNS. You understand the importance of regularly rotating your Key Signing Key (KSK) to maintain security best practices. Which of the following statements regarding KSK rotation in OCI DNS is TRUE?

A.

KSK rotation is a fully automated process managed by OCI DNS and requires no manual intervention.

B.

You must manually generate a new KSK and ZSK pair and upload them to OCI DNS to initiate a KSK rotation.

C.

KSK rotation in OCI DNS involves enabling a "KSK Rollover" feature, which automatically handles the key rotation process while minimizing disruption to DNS resolution.

D.

KSK rotation is not supported in OCI DNS; you must migrate your DNS zone to another provider if you require KSK rotation.