1z0-1124-25 Oracle Cloud Infrastructure 2025 Networking Professional Questions and Answers

Goal: Apply least privilege for Cloud Shell to run diagnostics (ping, traceroute, nc) within a VCN.

Option A: Read permission on all virtual-network-family resources is too broad, granting unnecessary access beyond diagnostics—violates least privilege.

Option B: Instance Principals use temporary credentials tied to the Cloud Shell instance, enhancing security. A dynamic group with “read” and “use” permissions on NSGs and VNICs allows inspecting configurations and running diagnostics (e.g., via VNICs), meeting the exact need—correct.

Option C: Inspect permission only provides metadata access, insufficient for running diagnostics (e.g., no “use” for traffic)—incorrect.

Option D: Use permission on virtual-network-family at tenancy level is overly permissive, granting access to all network resources—violates least privilege.

Conclusion: Option B is the most restrictive and secure, aligning with least privilege.

Oracle states:

"Instance Principals allow services like Cloud Shell to authenticate without static credentials. Policies with ‘read’ and ‘use’ on specific resources (e.g., network-security-groups, vnics) enable diagnostics while adhering to least privilege."This supports Option B. Reference:Instance Principals - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Identity/Tasks/instanceprincipals.htm).

Requirements:Dedicated, high-bandwidth, low-latency, no Oracle FastConnect location, third-party provider.

FastConnect Models:

Direct Cross-Connect:Requires Oracle location; unsuitable.

Partner:Uses third-party network to Oracle; fits scenario.

Hosted:Third-party hosts, less common term; less precise.

Public Peering:Internet-based; doesn’t meet dedicated need.

Evaluate Options:

A:Needs Oracle presence; incorrect.

B:Third-party to Oracle; correct.

C:Similar but less standard term; less optimal.

D:Public internet; incorrect.

Conclusion:FastConnect Partner is most suitable.

Partner model extends FastConnect reach. The Oracle Networking Professional study guide states, "FastConnect Partner model leverages third-party providers to connect on-premises networks to OCI in regions without direct Oracle FastConnect locations" (OCI Networking Documentation, Section: FastConnect Models). This ensures dedicated connectivity.

Objective:Enable transitive routing via a network appliance (e.g., firewall) between VCNs.

Transitive Routing Setup:DRG connects VCNs; appliance processes traffic.

Key Requirement:DRG must route traffic to the appliance’s private IP.

Evaluate Options:

A:Service Gateway is for OCI services, not transitive routing; incorrect.

B:Static routes on DRG to appliance ensure correct traffic flow; essential.

C:Load Balancer is optional, not essential for routing; incorrect.

D:LPG is for intra-region VCN peering, not appliance-DRG connection; incorrect.

Conclusion:DRG static routes to the appliance are critical for transitive routing.

Transitive routing with a network appliance requires explicit routing configuration. The Oracle Networking Professional study guide notes, "To enable transitive routing through a network appliance, configure static routes in the DRG route table pointing to the appliance’s private IP as the next hop" (OCI Networking Documentation, Section: Transitive Routing with DRG). This ensures traffic is processed by the appliance between VCNs.

Requirement:Private access to Object Storage from a private subnet.

Components:

Internet Gateway:Public internet access; unsuitable.

NAT Gateway:Outbound internet; unsuitable.

Service Gateway:Private OCI service access; fits requirement.

Network Firewall:Security, not routing; incorrect.

Evaluate Options:

A:Public internet; violates policy.

B:Public internet; violates policy.

C:Keeps traffic in OCI network; correct.

D:Doesn’t enable access; incorrect.

Conclusion:Service Gateway ensures private access.

Service Gateway is designed for private OCI service access. The Oracle Networking Professional study guide explains, "A Service Gateway allows private subnet instances to access Object Storage without traversing the public internet, ensuring secure data transfer within OCI" (OCI Networking Documentation, Section: Service Gateway). This meets the security requirement.

Objective:Filter BGP routes on OCI to accept only specific on-premises prefixes.

BGP Attributes Overview:

AS Path Prepending:Lengthens AS path to influence route preference, not filtering.

MED:Influences exit point selection, not route acceptance.

RD/RT:Used in MPLS VPNs for tenant isolation, not simple prefix filtering.

Prefix Lists:Directly filter prefixes based on IP ranges.

Evaluate Options:

A:AS Path Prepending affects preference, not filtering; unsuitable.

B:MED influences path selection, not route rejection; incorrect.

C:RD/RT is for VPN contexts, not applicable here.

D:Prefix Lists explicitly allow/deny prefixes, meeting the requirement.

Conclusion:Prefix Lists on the FastConnect virtual circuit provide precise control over accepted routes.

Prefix Lists are the most effective BGP tool for filtering routes in OCI. The Oracle Networking Professional study guide notes, "Prefix Lists can be applied to FastConnect virtual circuits to filter BGP advertisements, ensuring only approved prefixes are learned by OCI" (OCI Networking Documentation, Section: FastConnect and BGP). This prevents routing conflicts by rejecting unwanted prefixes, aligning with the security and control requirements.

Requirement: Private communication between VCNs in different OCI regions via DRG.

Option A: LPGs are for same-region VCN peering, not cross-region—incorrect.

Option B: Service Gateways are for OCI service access, not VCN-to-VCN routing—incorrect.

Option C: Attaching both VCNs to a single DRG (via Remote Peering Connections implicitly) and configuring route tables enables cross-region communication over OCI’s backbone. This is the standard approach.

Option D: Internet Gateways use public IPs, which is insecure and not private—incorrect.

Conclusion: Option C is the necessary configuration for DRG-based cross-region connectivity.

Oracle documentation confirms:

"To connect VCNs in different regions, attach each to a DRG using Remote Peering Connections (RPCs). Configure DRG route tables to route traffic between VCN CIDRs."Option C reflects this setup (RPCs are implied). Reference:VCN Peering Overview - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Network/Tasks/remoteVCNpeering.htm).

Problem:Private subnet instances can’t access Object Storage via Service Gateway.

Setup Check:Route rules point to Service Gateway; NSGs allow traffic.

Evaluate Causes:

A:Incorrect CIDR labels block Object Storage access; likely.

B:Internet Gateway irrelevant for Service Gateway; incorrect.

C:NSGs confirmed open, security lists secondary; less likely.

D:NAT Gateway not used here; incorrect.

Conclusion:Misconfigured Service Gateway CIDR is the most likely issue.

Service Gateway requires specific CIDR labels. The Oracle Networking Professional study guide states, "For private subnets to access Object Storage via a Service Gateway, the gateway must be configured with the correct regional Oracle Services CIDR label" (OCI Networking Documentation, Section: Service Gateway Configuration). Misconfiguration prevents access despite proper routing.

Symptoms:VPN tunnel drops intermittently despite stable internet and IKE settings.

VPN Components:Requires IKE (UDP 500/4500) and ESP (IP 50) traffic.

Evaluate Options:

A:Incorrect CPE IP would prevent tunnel establishment, not intermittent drops; incorrect.

B:DRG outage would cause full downtime, not intermittent; unlikely.

C:Security rules blocking IKE/ESP intermittently (e.g., rate limiting) is common; most likely.

D:NAT-Traversal issues typically prevent initial setup, not intermittent drops; less likely.

Conclusion:Security rule misconfiguration is the most probable cause.

VPN stability depends on unblocked IKE and ESP traffic. The Oracle Networking Professional study guide notes, "Intermittent VPN tunnel drops are often caused by security rules or firewalls blocking IKE (UDP 500/4500) or ESP (IP Protocol 50) traffic" (OCI Networking Documentation, Section: Site-to-Site VPN Troubleshooting). This aligns with the scenario’s symptoms.

Requirement: Provide VLAN config info for FastConnect setup.

Option A: CIDR blocks are for routing, not VLAN setup—incorrect.

Option B: VLAN ID defines the circuit, BGP ASN and peering IPs establish routing—essential and correct.

Option C: MTU is a performance setting, not required for VLAN config—incorrect.

Option D: OCID and compartment ID are for OCI management, not provider setup—incorrect.

Conclusion: Option B provides the necessary VLAN configuration details.

Oracle states:

"For FastConnect, provide the provider with a VLAN ID, your BGP ASN, and BGP peering IPs to configure the virtual circuit."This confirms Option B. Reference:FastConnect Configuration - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Network/Tasks/fastconnect.htm#providerconfig).

Requirement: OCI-AWS traffic must stay in the US for sovereignty compliance.

Option A: A FastConnect partner guaranteeing US-only transit ensures compliance via a private, controlled path—correct.

Option B: DRG and VGW with VPN don’t guarantee US-only routing over public internet—incorrect.

Option C: Generic VPN can’t control internet paths despite US gateways—incorrect.

Option D: Public internet with DNS restrictions doesn’t enforce routing—incorrect.

Conclusion: Option A is the most critical consideration.

Oracle states:

"Choose a FastConnect partner that can guarantee geographic routing constraints, such as US-only transit, to meet data sovereignty requirements."This supports Option A. Reference:FastConnect Compliance - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Network/Tasks/fastconnect.htm#compliance).

Objective: Load balance OCI-to-on-premises traffic over two FastConnect circuits.

Option A: Different MEDs prioritize one path, not balance—incorrect.

Option B: Same prefixes and attributes enable Equal-Cost Multi-Path (ECMP) routing, balancing traffic—correct.

Option C: AS Path Prepending prefers one path—incorrect.

Option D: Local preference prioritizes one path—incorrect.

Conclusion: Option B ensures load balancing.

Oracle states:

"For load balancing over multiple FastConnect circuits, advertise identical prefixes with the same BGP attributes to enable ECMP."This supports Option B. Reference:FastConnect BGP - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Network/Tasks/fastconnect.htm#BGP).

Needs: Secure, reliable hybrid multicloud access.

Option A: Multiple VPNs are secure but complex and less reliable over internet—less optimal.

Option B: Public internet with app security is insecure—incorrect.

Option C: FastConnect to OCI provides a private base; SD-WAN extends securely to AWS/Azure with encryption and HA—correct.

Option D: FastConnect to OCI with VPNs to others risks OCI as a single point of failure—less reliable.

Conclusion: Option C is the most secure and reliable.

Oracle advises:

"For hybrid multicloud, use FastConnect for primary connectivity and SD-WAN to extend securely to other clouds with encryption and policy control."This supports Option C. Reference:Multicloud Best Practices - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Network/Concepts/multicloud.htm#bestpractices).

Objective:Efficiently propagate on-premises route updates to multiple VCNs.

DRG Capabilities:Supports route distribution to attached VCNs.

Analyze Options:

A:Manual updates are inefficient and error-prone; unsuitable.

B:Centralized DRG with route distribution automates propagation; efficient.

C:Multiple DRGs add complexity and manual effort; inefficient.

D:Service Gateway is for OCI services, not route updates; incorrect.

Conclusion:Centralized DRG with route distribution is the most efficient method.

Route distribution in a DRG simplifies multi-region routing. The Oracle Networking Professional study guide notes, "Using a centralized DRG with route distribution enabled allows routes learned from on-premises networks to be automatically propagated to all attached VCNs, reducing management overhead" (OCI Networking Documentation, Section: DRG Route Distribution). This leverages OCI’s automation capabilities.

Goal: Secure, granular access control to ADB from private subnet instances.

Option A: Public endpoint with NSGs exposes ADB to the internet, increasing risk despite NSG restrictions—less secure than private options.

Option B: Service Gateway provides private access to OCI services, but it’s not specific to ADB instances and lacks the instance-level granularity of private endpoints.

Option C: Private ADB endpoint assigns a private IP within the VCN, keeping traffic internal. NSGs allow precise, stateful control to specific instances, offering the most granular security.

Option D: DRG is for external connections (e.g., on-premises), not internal VCN-to-ADB access.

Conclusion: Option C provides the most secure and granular control.

Oracle documentation notes:

"Private endpoints for Autonomous Database provide a private IP within your VCN, ensuring traffic stays off the public internet. Use NSGs for fine-grained access control to specific instances."This supports Option C. Reference:Autonomous Database Networking - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Database/Tasks/adbconnecting.htm).

Context: Zero Trust requires strict access control.

Option A: IAM policies are still required—incorrect.

Option B: Private endpoints limit access to specific service instances, aligning with Zero Trust—correct.

Option C: Ports are controlled by NSGs/security lists—incorrect.

Option D: Private endpoints are for private access, not internet—incorrect.

Conclusion: Option B enhances security.

Oracle states:

"Private endpoints restrict access to specific OCI service instances, enhancing Zero Trust by limiting exposure compared to Service Gateways."This supports Option B. Reference:Private Endpoints - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Network/Concepts/privateendpoints.htm).

Requirement:Private, secure access to OIC from a private subnet.

Endpoint Types:

Public:Internet-based; violates policy.

Service Gateway:For OCI services like Object Storage, not OIC.

Private:VCN-internal access to services; fits OIC.

Regional:Ambiguous, not specific; incorrect.

Evaluate Options:

A:Public internet; incorrect.

B:Wrong service target; incorrect.

C:Private within VCN; correct.

D:Undefined scope; incorrect.

Conclusion:Private Endpoint ensures secure connectivity.

Private Endpoints secure OIC access. The Oracle Networking Professional study guide notes, "A Private Endpoint allows applications in a private subnet to access Oracle Integration Cloud (OIC) within the OCI network, avoiding public internet exposure" (OCI Networking Documentation, Section: Private Endpoints). This meets the security policy directly.

Zero Trust Principles:Require explicit, identity-based access controls at every network stage.

Evaluate OCI Services:

Internet Gateway:Enables public internet access, no identity-based control.

Service Gateway:Provides private service access, no granular routing control.

NSGs:Offer stateful, identity-based rules at the VNIC level.

DRG:Facilitates routing, not identity-based access control.

NSG Fit:NSGs allow rules based on VNIC identity, source/destination IP, and ports, aligning with Zero Trust.

Conclusion:NSGs are the best fit for granular, identity-based routing control.

NSGs are pivotal for Zero Trust in OCI. The Oracle Networking Professional study guide states, "Network Security Groups provide granular, stateful security rules that can be applied to specific VNICs, enabling identity-based access controls essential for Zero Trust architectures" (OCI Networking Documentation, Section: Network Security Groups). Unlike security lists (subnet-level), NSGs offer instance-level precision.

Goal: Minimum BGP setup for private FastConnect peering.

Option A: Public ASN isn’t required; private ASNs work—incorrect.

Option B: Private ASN is allowed, but doesn’t specify IPs—insufficient.

Option C: Public IPs aren’t needed for private peering—incorrect.

Option D: Valid ASNs (public or private) and non-overlapping private IPs are the minimum for BGP—correct.

Conclusion: Option D meets the requirements.

Oracle notes:

"For BGP over FastConnect private peering, provide a valid ASN (public or private) and a non-overlapping IP range for peering."This confirms Option D. Reference:FastConnect BGP Configuration - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Network/Tasks/fastconnect.htm#BGP).

Understand the Requirement: The goal is high availability (HA) and automatic failover for a Site-to-Site VPN between an on-premises network and OCI with minimal disruption.

Evaluate Option A: A single VPN connection with one tunnel lacks redundancy. If the tunnel fails, there’s no failover mechanism, as OCI doesn’t inherently provide automatic failover for a single tunnel. This is a single point of failure.

Evaluate Option B: A single VPN connection with two tunnels using different CPE IP addresses leverages OCI’s IPSec VPN capabilities. OCI supports multiple tunnels per VPN connection, and using distinct CPE IPs (e.g., via different ISPs or devices) ensures that if one tunnel fails (due to ISP or CPE failure), the second tunnel remains active. OCI’s Dynamic Routing Gateway (DRG) automatically reroutes traffic to the active tunnel using IKE and IPSec health checks.

Evaluate Option C: Two separate VPN connections, each with one tunnel and different CPE IPs, also provide HA. Using BGP, routes are advertised redundantly. However, managing two VPN connections is more complex than a single connection with two tunnels, and BGP failover might introduce slight delays compared to IPSec tunnel failover.

Evaluate Option D: Two tunnels with the same CPE IP address within one VPN connection don’t provide true HA. If the CPE or its ISP fails, both tunnels fail, as they share a single point of failure.

Conclusion: Option B is the simplest, most resilient configuration that ensures automatic failover with minimal disruption using OCI’s native VPN capabilities.

OCI’s Site-to-Site VPN supports multiple tunnels within a single IPSec connection for redundancy. According to the Oracle Help Center:

"You can configure multiple tunnels for a single IPSec connection to provide redundancy. OCI uses IKE (Internet Key Exchange) to monitor tunnel health and automatically fails over to an active tunnel if one becomes unavailable."

"For maximum availability, use different CPE public IP addresses for each tunnel (e.g., different ISPs or devices)."This aligns with Option B, ensuring HA without the complexity of separate VPN connections or BGP. Reference:Site-to-Site VPN Overview - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Network/Tasks/settingupIPSec.htm).

Objective: Identify the essential Service Connector Hub task for routing Flow Logs to Object Storage.

Option A (Ingest Logs): Ingesting is for bringing external logs into OCI, but Flow Logs are already OCI-native—incorrect.

Option B (Process Logs): “Process Logs” isn’t a specific task type in Service Connector Hub—incorrect.

Option C (Deliver Logs): Deliver Logs moves logs to a target (e.g., Object Storage), ensuring storage—correct and essential.

Option D (Transform Logs): Transforming modifies logs optionally, but delivery is required for storage—incorrect as the primary task.

Conclusion: Deliver Logs is the essential task type for this scenario.

Oracle documentation states:

"The Deliver Logs task in Service Connector Hub moves logs, such as VCN Flow Logs, to a specified destination like Object Storage for storage and analysis."This supports Option C. Reference:Service Connector Hub Overview - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/ServiceConnectorHub/Concepts/serviceconnectorhub.htm).

Goal: Support Zero Trust with packet flow monitoring.

Option A: Static routing defines paths, not monitoring—incorrect.

Option B: Security lists control access, not monitor—incorrect.

Option C: Flow logs track traffic; audit trails log actions—essential for Zero Trust—correct.

Option D: Public IPs enable access, not monitoring—incorrect.

Conclusion: Option C is essential.

Oracle states:

"Flow logs and audit trails provide continuous monitoring and verification of packet flows, critical for Zero Trust Packet Routing."This supports Option C. Reference:Zero Trust in OCI - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Network/Concepts/zerotrust.htm).

Problem:DNSSEC validation fails post-setup.

DNSSEC Chain:Requires DS record in parent zone for trust.

Evaluate Causes:

A:Low TTL affects caching, not validation; unlikely.

B:Missing DS in parent zone breaks chain; most likely.

C:Resolver config is client-side, not affecting external tools; incorrect.

D:OCI uses standard algorithms; highly unlikely.

Conclusion:Registrar delay in publishing DS is the primary cause.

DNSSEC relies on the parent zone. The Oracle Networking Professional study guide explains, "DNSSEC validation fails if the registrar hasn’t published the DS record in the parent zone, as this breaks the chain of trust" (OCI Networking Documentation, Section: DNSSEC Troubleshooting). This is a common post-enablement issue.

Objective: Identify the service for Load Balancer traffic logs.

Option A: Flow Logs capture VCN traffic, not specific to Load Balancer—incorrect.

Option B: Service Logs are generic, not Load Balancer-specific—incorrect.

Option C: Load Balancer Logs provide detailed client and health check data—correct.

Option D: Audit Logs track API actions, not traffic—incorrect.

Conclusion: Load Balancer Logs are the best fit.

Oracle states:

"Load Balancer Logs offer detailed insights into client connections and backend health checks for Network Load Balancers.”This validates Option C. Reference:Load Balancer Logging - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Balance/Tasks/managinglogs.htm).

Requirements: Low latency, high security with encryption for migration.

Option A: VPN with IPSec offers encryption but has higher latency over public internet—less optimal.

Option B: ExpressRoute and FastConnect provide a private, low-latency link; TLS adds end-to-end encryption—correct and best combination.

Option C: Data Factory with HTTPS is encrypted but slow and not real-time—incorrect.

Option D: VPN with Load Balancer SSL termination breaks end-to-end encryption—incorrect.

Conclusion: Option B balances performance and security.

Oracle notes:

"For latency-sensitive migrations, use FastConnect with ExpressRoute via colocation, enhanced by TLS for secure, high-performance data transfer.”This supports Option B. Reference:Multicloud Connectivity - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Network/Concepts/multicloud.htm).

Requirements: HA and IPv6 support for public web app.

Option A: ULA is private, not routable; NAT for IPv6 is inefficient—incorrect.

Option B: ULA doesn’t support public IPv6 clients—incorrect.

Option C: Public IPv6 CIDR is correct, but IPv4-only LB with NAT lacks direct IPv6—less resilient.

Option D: Public IPv6 CIDR with dual-stack LB and instances ensures full IPv6 support and HA across ADs—correct.

Conclusion: Option D maximizes resilience and connectivity.

Oracle states:

"For public IPv6 applications, use a public IPv6 CIDR block and configure Load Balancers and instances for both IPv4 and IPv6 to ensure resilience."This supports Option D. Reference:IPv6 in OCI - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Network/Tasks/managingIPv6.htm).

Requirements: Outbound internet access, no inbound exposure, and private OCIR access.

Option A: Internet Gateway allows inbound traffic, violating the no-exposure rule—incorrect.

Option B: NAT Gateway enables outbound-only internet access, but Internet Gateway adds inbound exposure—incorrect.

Option C: NAT Gateway provides outbound internet access without inbound exposure; Service Gateway enables private OCIR access—correct.

Option D: DRG is for external networks, not internet/OCIR access; Internet Gateway exposes servers—incorrect.

Conclusion: Option C satisfies all requirements.

Oracle states:

"Use a NAT Gateway for outbound internet access from private subnets without inbound connectivity. Use a Service Gateway for private access to OCI services like OCIR."This supports Option C. Reference:NAT and Service Gateway Overview - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Network/Tasks/NATgateway.htm & docs.oracle.com/en-us/iaas/Content/Network/Tasks/servicegateway.htm).

Requirements:Low-latency, minimal overhead for TCP connections, no session persistence.

Load Balancer Types:

Application Load Balancer (ALB):Layer 7, higher overhead, suited for HTTP/HTTPS.

Network Load Balancer (NLB):Layer 4, low overhead, ideal for TCP/UDP.

Evaluate Options:

A:ALB with HTTP checks is for HTTP traffic, adds overhead; unsuitable.

B:NLB with TCP checks is optimized for TCP, low latency; best fit.

C:ALB with TCP checks still has Layer 7 overhead; less efficient.

D:“Flexible Load Balancer” isn’t a specific OCI service; incorrect.

Conclusion:NLB minimizes latency and overhead for TCP connections.

The Network Load Balancer is designed for high-performance TCP scenarios. The Oracle Networking Professional study guide states, "Network Load Balancer operates at Layer 4, providing low-latency, high-throughput load balancing for TCP/UDP traffic with minimal overhead, ideal for database connections" (OCI Networking Documentation, Section: Load Balancing). TCP health checks ensure instance availability without session persistence complexity.

Requirements:Global access, geo-routing, advanced traffic management, DDoS protection.

Load Balancer Options:

Regional LB:Single-region, no global routing or advanced policies.

NLB:Layer 4, no HTTP-based traffic management or DDoS features.

Global LB with Steering Policies:Layer 7, supports geo-routing and policies.

Flexible LB:Not a specific OCI service.

Assess Fit:

A:Lacks global and advanced features; unsuitable.

B:No Layer 7 or DDoS protection; incorrect.

C:Meets all requirements with geo-routing, steering policies, and WAF integration; best fit.

D:Non-existent service; incorrect.

Conclusion:Global LB with steering policies is the best solution.

The Global Load Balancer with Traffic Management Steering Policies supports global applications. The Oracle Networking Professional study guide explains, "Global Load Balancer enables geo-based routing and advanced traffic policies like A/B testing and weighted distribution, integrating with OCI WAF for DDoS protection" (OCI Networking Documentation, Section: Load Balancing - Traffic Management). This aligns with all specified requirements.

Goal: Layer 7 routing for OKE microservices via a single entry point.

Option A: Manual configuration is inefficient and doesn’t support path-based routing—incorrect.

Option B: LoadBalancer service provisions a Layer 4 balancer, not Layer 7 path routing—incorrect.

Option C: NodePort with NLB is Layer 4, less secure, and lacks path routing—incorrect.

Option D: Ingress controller with Regional Load Balancer (Application LB) provides Layer 7 routing based on paths—correct and efficient.

Conclusion: Option D is the best integration method.

Oracle states:

"Use a Kubernetes Ingress controller with OCI Regional Load Balancer for Layer 7 routing to OKE microservices based on request paths."This supports Option D. Reference:OKE Networking - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/ContEng/Tasks/contengnetworking.htm).

Requirement: Secure outbound connection to a public API without exposing the instance.

Option A: Internet Gateway allows inbound and outbound traffic, exposing the instance—violates policy.

Option B: NAT Gateway enables outbound-only internet access from a private subnet. A security list restricts traffic to the API’s IP, ensuring security—correct.

Option C: Service Gateway is for OCI services, not third-party APIs—incorrect.

Option D: DRG with FastConnect is for private connections (e.g., on-premises), not internet APIs—incorrect.

Conclusion: Option B meets the policy and connectivity needs.

Oracle notes:

"A NAT Gateway allows instances in a private subnet to initiate outbound internet traffic without receiving inbound connections. Use security lists to restrict destinations."This supports Option B. Reference:NAT Gateway Overview - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Network/Tasks/NATgateway.htm).

Goal: Restrict subnet traffic to a specific on-premises IP range via FastConnect.

Option A: Internet Gateway is for public access, not FastConnect—incorrect.

Option B: Default security list applies broadly, lacking granularity; NSGs are more effective—less optimal.

Option C: Custom route table with DRG ensures FastConnect routing; NSGs provide precise, instance-level traffic restriction—correct.

Option D: LPG is for same-region VCN peering, not on-premises—incorrect.

Conclusion: Option C is the most effective method.

Oracle notes:

"Use a custom route table with a DRG route rule for FastConnect traffic. NSGs offer granular control to restrict traffic to specific IP ranges."This supports Option C. Reference:FastConnect and NSG Overview - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Network/Tasks/fastconnect.htm & docs.oracle.com/en-us/iaas/Content/Network/Concepts/NSGs.htm).

Objective: Identify essential info for CPE to establish a Site-to-Site VPN with OCI.

Option A: Region and availability domain are for OCI resource placement, not CPE config—incorrect.

Option B: The DRG’s public IP is the VPN endpoint, and the IKE pre-shared key authenticates the tunnel—essential and correct.

Option C: OCID and compartment ID are for OCI management, not CPE setup—incorrect.

Option D: Subnet CIDRs are for routing, configured later, not for tunnel establishment—incorrect.

Conclusion: Option B provides the critical VPN connection details.

Oracle documentation states:

"To configure your CPE for Site-to-Site VPN, you need the public IP address of the DRG (VPN headend) and the IKE pre-shared key from the OCI console."This confirms Option B. Reference:Setting Up IPSec VPN - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Network/Tasks/settingupIPSec.htm).

Problem:OKE web tier pods cannot reach the application tier.

Traffic Flow:Web tier (OKE) initiates outbound (egress) traffic to application tier (port 8080).

NSG Role:Controls traffic at VNIC level; must allow egress from OKE and ingress to app tier.

Evaluate Options:

A:Missing egress rule on OKE NSG blocks traffic; plausible but incomplete context.

B:Ingress on OKE NSG affects incoming traffic, not outbound to app tier; incorrect.

C:No ingress on OKE NSG doesn’t block egress to app tier; incorrect.

D:Egress limited to internet blocks app tier access (port 8080); most likely.

Conclusion:Missing egress rule to app tier NSG is the primary issue.

NSGs require explicit egress rules for outbound traffic. The Oracle Networking Professional study guide notes, "For OKE pods to communicate with other tiers, the node pool’s NSG must include egress rules to the destination NSG or CIDR on the required ports" (OCI Networking Documentation, Section: Network Security Groups with OKE). Option D reflects a common misconfiguration in IaC setups.