1z0-1124-25 Practice Exam Questions with Answers Oracle Cloud Infrastructure 2025 Networking Professional Certification

Requirements:Secure, scalable authentication for Cloud Shell scripting.

Methods:

API Keys:Manual, less secure if stored.

Instance Principals:Credential-less, dynamic.

Terraform with Vault:Secure but complex for scripting.

Evaluate Options:

A:API keys in script are insecure; not scalable.

B:Persistent storage risks exposure; less secure.

C:Instance Principals use IAM, no credentials; best fit.

D:Overkill for simple scripting, better for IaC; less suited.

Conclusion:Instance Principals offer security and scalability.

Instance Principals simplify automation. The Oracle Networking Professional study guide states,"Instance Principals allow Cloud Shell to authenticate via dynamic groups without storing credentials, ideal for secure, scalable scripting" (OCI Networking Documentation, Section: Authentication in Cloud Shell). This avoids key management issues.

Problem:DNSSEC validation fails post-setup.

DNSSEC Chain:Requires DS record in parent zone for trust.

Evaluate Causes:

A:Low TTL affects caching, not validation; unlikely.

B:Missing DS in parent zone breaks chain; most likely.

C:Resolver config is client-side, not affecting external tools; incorrect.

D:OCI uses standard algorithms; highly unlikely.

Conclusion:Registrar delay in publishing DS is the primary cause.

DNSSEC relies on the parent zone. The Oracle Networking Professional study guide explains, "DNSSEC validation fails if the registrar hasn’t published the DS record in the parent zone, as this breaks the chain of trust" (OCI Networking Documentation, Section: DNSSEC Troubleshooting). This is a common post-enablement issue.

Requirement Analysis:The solution must ensure private access to Object Storage without public internet traversal, while being cost-effective.

Evaluate OCI Components:

Internet Gateway:Provides public internet access, unsuitable for private connectivity.

NAT Gateway:Allows outbound internet access from private subnets, but traffic still exits OCI.

Service Gateway:Enables private access to OCI services like Object Storage within the same region.

DRG with FastConnect:Used for on-premises connectivity, not intra-OCI service access.

Option Assessment:

A:Uses public internet, violating the security policy.

B:HTTPS encrypts data, but traffic traverses the internet via NAT, violating the policy.

C:Service Gateway keeps traffic within OCI’s private network, meeting security and cost goals.

D:Overly complex and costly, with public endpoints contradicting the requirement.

Conclusion:Service Gateway with regional Object Storage endpoints ensures private, secure, and cost-effective access.

The Service Gateway is designed for private access to OCI services like Object Storage, avoiding the public internet. The Oracle Networking Professional study guide states, "A Service Gateway allows instances in a private subnet to access supported OCI services without an Internet Gateway or NAT Gateway, ensuring traffic remains within the Oracle network" (OCI Networking Documentation, Section: Service Gateway). Using the Oracle Services Network service CIDR label for the region ensures compatibility with Object Storage endpoints, optimizing cost and security.

Objective:Filter BGP routes on OCI to accept only specific on-premises prefixes.

BGP Attributes Overview:

AS Path Prepending:Lengthens AS path to influence route preference, not filtering.

MED:Influences exit point selection, not route acceptance.

RD/RT:Used in MPLS VPNs for tenant isolation, not simple prefix filtering.

Prefix Lists:Directly filter prefixes based on IP ranges.

Evaluate Options:

A:AS Path Prepending affects preference, not filtering; unsuitable.

B:MED influences path selection, not route rejection; incorrect.

C:RD/RT is for VPN contexts, not applicable here.

D:Prefix Lists explicitly allow/deny prefixes, meeting the requirement.

Conclusion:Prefix Lists on the FastConnect virtual circuit provide precise control over accepted routes.

Prefix Lists are the most effective BGP tool for filtering routes in OCI. The Oracle Networking Professional study guide notes, "Prefix Lists can be applied to FastConnect virtual circuits to filter BGP advertisements, ensuring only approved prefixes are learned by OCI" (OCI Networking Documentation, Section: FastConnect and BGP). This prevents routing conflicts by rejecting unwanted prefixes, aligning with the security and control requirements.

Requirement Breakdown: Maintain a specific public IP for external communication with high availability (HA).

Option A: Private IP with NAT Gateway is for outbound traffic from private subnets, not inbound public access. It doesn’t support a fixed public IP for external clients.

Option B: Network Load Balancer (NLB) preserves client IPs (source IP) but doesn’t allow reserving a specific public IP. IPs are assigned dynamically, failing the requirement.

Option C: Flexible Load Balancer (Application Load Balancer) supports reserving a public IP, ensuring the legacy IP is maintained. It also provides HA across Availability Domains (ADs).

Option D: Multiple load balancers with DNS round-robin don’t maintain a single IP—clients see different IPs, violating the requirement.

Conclusion: Option C meets both the specific IP and HA needs efficiently.

Per Oracle documentation:

"The Application Load Balancer (Flexible Load Balancer) allows you to reserve a public IP address, which can be associated with the load balancer for consistent external access."

"It provides high availability by distributing traffic across multiple backend instances."This supports Option C. Reference:Load Balancer Overview - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Balance/Concepts/balanceoverview.htm).

Problem: OKE pods can’t resolve private DB IP despite VCN DNS working.

Option A: CoreDNS in OKE must forward to VCN’s resolver for private IPs; misconfiguration is a common issue—correct.

Option B: Security lists block traffic, not resolution; VCN DNS isn’t hosted on the DB—incorrect.

Option C: Public endpoint affects API access, not internal DNS—incorrect.

Option D: Route tables don’t control DNS resolution—incorrect.

Conclusion: Option A is the most probable cause.

Oracle notes:

"CoreDNS in OKE must be configured to forward queries to the VCN’s DNS resolver (.169 address) for private IP resolution."This supports Option A. Reference:OKE DNS Configuration - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/ContEng/Tasks/contengdns.htm).

Requirement Analysis: Strict compliance mandates logging all user access to private resources in a multi-tier setup.

Option A Assessment: Dynamic port forwarding with no logging fails compliance, as it provides no audit trail.

Option B Assessment: Managed Bastion sessions in OCI offer detailed logging (e.g., session start/end times, user IDs), integrated with OCI Logging. This meets compliance needs with a managed, scalable solution.

Option C Assessment: SSH port forwarding with minimal logs doesn’t provide the detailed auditing required for strict compliance.

Option D Assessment: A jump server with manual logging is error-prone, lacks scalability, and isn’t a managed OCI service, making it less suitable.

Conclusion: Option B provides the most robust, compliance-ready solution with detailed logging.

From Oracle’s Bastion documentation:

"OCI Bastion provides managed SSH sessions with detailed logging capabilities, capturing user access details for audit and compliance. Enable session logging to record all activities."This supports Option B as the best choice. Reference:Bastion Service Overview - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Bastion/Concepts/bastionoverview.htm).

Needs: Private, dedicated connection for large data transfers to Object Storage.

Option A: VPN with Service Gateway uses public internet, limiting bandwidth—incorrect.

Option B: Internet Gateway exposes traffic publicly—incorrect.

Option C: FastConnect Private Peering provides a dedicated link, and Service Gateway ensures private Object Storage access—correct.

Option D: DRG with Internet Gateway isn’t private—incorrect.

Conclusion: Option C best meets the need.

Oracle states:

"FastConnect Private Peering combined with a Service Gateway enables secure, high-bandwidth access to Object Storage from on-premises networks."This supports Option C. Reference:FastConnect and Service Gateway - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Network/Tasks/fastconnect.htm#servicegateway).

Objective: Identify the feature for dynamic route learning via DRG.

Option A: Service Gateway is for OCI services—incorrect.

Option B: LPG is for VCN peering—incorrect.

Option C: BGP enables dynamic route exchange between DRG and on-premises—correct.

Option D: Internet Gateway is for public access—incorrect.

Conclusion: Option C is the correct feature.

Oracle notes:

"BGP on the DRG dynamically learns routes from on-premises networks over FastConnect or VPN, propagating them to VCNs."This confirms Option C. Reference:BGP with DRG - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Network/Tasks/managingDRGs.htm#BGP).

Requirements: Centralized DRG with tenant isolation.

Option A: Separate DRGs complicate management—incorrect.

Option B: NSGs work but are less secure than routing isolation—less optimal.

Option C: Single DRG with per-VCN route tables restricting routes to FastConnect only ensures isolation at the routing level—correct.

Option D: Compartments don’t isolate traffic at DRG—incorrect.

Conclusion: Option C is the most effective.

Oracle states:

"Use separate DRG route tables per VCN attachment to isolate traffic. Include only FastConnect routes to prevent VCN-to-VCN communication."This supports Option C. Reference:DRG Route Tables - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Network/Tasks/managingDRGs.htm).

Requirement:Restrict inter-subnet communication unless permitted.

Options Analysis:

A:Removing default route breaks all routing, overly restrictive; incorrect.

B:Separate VCNs are excessive, complex; less practical.

C:NSGs provide granular, explicit control; optimal approach.

D:External firewall adds complexity, not VCN-native; inefficient.

NSG Advantage:Instance-level rules enforce policy within VCN.

Conclusion:NSGs are the most appropriate solution.

NSGs enable precise security within a VCN. The Oracle Networking Professional study guide states, "Network Security Groups (NSGs) allow you to define strict ingress and egress rules for instances, ensuring inter-subnet communication is explicitly permitted as per security policies" (OCI Networking Documentation, Section: Network Security Groups). This is more efficient than VCN separation or external firewalls.

Objective:Efficiently propagate on-premises route updates to multiple VCNs.

DRG Capabilities:Supports route distribution to attached VCNs.

Analyze Options:

A:Manual updates are inefficient and error-prone; unsuitable.

B:Centralized DRG with route distribution automates propagation; efficient.

C:Multiple DRGs add complexity and manual effort; inefficient.

D:Service Gateway is for OCI services, not route updates; incorrect.

Conclusion:Centralized DRG with route distribution is the most efficient method.

Route distribution in a DRG simplifies multi-region routing. The Oracle Networking Professional study guide notes, "Using a centralized DRG with route distribution enabled allows routes learned from on-premises networks to be automatically propagated to all attached VCNs, reducing management overhead" (OCI Networking Documentation, Section: DRG Route Distribution). This leverages OCI’s automation capabilities.

Goal: Apply least privilege for Cloud Shell to run diagnostics (ping, traceroute, nc) within a VCN.

Option A: Read permission on all virtual-network-family resources is too broad, granting unnecessary access beyond diagnostics—violates least privilege.

Option B: Instance Principals use temporary credentials tied to the Cloud Shell instance, enhancing security. A dynamic group with “read” and “use” permissions on NSGs and VNICs allows inspecting configurations and running diagnostics (e.g., via VNICs), meeting the exact need—correct.

Option C: Inspect permission only provides metadata access, insufficient for running diagnostics (e.g., no “use” for traffic)—incorrect.

Option D: Use permission on virtual-network-family at tenancy level is overly permissive, granting access to all network resources—violates least privilege.

Conclusion: Option B is the most restrictive and secure, aligning with least privilege.

Oracle states:

"Instance Principals allow services like Cloud Shell to authenticate without static credentials. Policies with ‘read’ and ‘use’ on specific resources (e.g., network-security-groups, vnics) enable diagnostics while adhering to least privilege."This supports Option B. Reference:Instance Principals - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Identity/Tasks/instanceprincipals.htm).

Analyze Connectivity Successes:Instance A can ping its subnet gateway (10.0.1.1), indicating that local subnet routing and security rules are functioning for IPv4. It can also ping Instance B’s IPv6 address (fc00:1:2::20), confirming that IPv6 routing and security rules between subnets are operational.

Identify the Failure:Instance A cannot ping Instance B’s IPv4 address (10.0.2.20). Since security lists and NSGs allow all traffic, the issue is unlikely to be a security configuration problem.

Examine Routing for Instance A:The route table for Instance A’s subnet (10.0.1.0/24) has a rule directing traffic to 10.0.2.0/24 via the VCN Local Peering Gateway (LPG). In OCI, LPGs are used for intra-region VCN peering, but here, both instances are in the same VCN, so this rule is likely a misconfiguration or irrelevant unless peering is involved. However, the successful IPv6 ping suggests basic connectivity exists.

Check Return Path from Instance B:For a ping to succeed, Instance B must send ICMP replies back to Instance A (10.0.1.10). Instance B’s subnet (10.0.2.0/24) needs a route table entry to send traffic to 10.0.1.0/24. Without this, replies are dropped, causing the IPv4 ping to fail. The IPv6 success indicates that IPv6 routing is correctly configured both ways, possibly via SLAAC or default routes.

Evaluate Options:

A:Incorrect. IPv6 is enabled, as Instance A pings Instance B’s IPv6 address.

B:Correct. Missing route for 10.0.1.0/24 in Instance B’s subnet prevents IPv4 replies.

C:Incorrect. Security lists and NSGs can filter IPv6 traffic in OCI.

D:Incorrect. Ping supports IPv6, as evidenced by the successful IPv6 ping.

The most probable cause is a missing route in Instance B’s subnet route table. In OCI, each subnet has its own route table, and for instances in different subnets within the same VCN to communicate, both subnets must have appropriate routes. The successful IPv6 ping suggests that IPv6 routing is intact (likely due to default behavior or SLAAC), but IPv4 requires explicit routing. Per the Oracle Networking Professional study guide, "Route tables must be configured to direct traffic to the appropriate next hop for inter-subnet communication within a VCN" (OCI Networking Documentation, Section: Virtual Cloud Networks).

Requirements:VCN isolation, inter-VCN traffic via on-premises appliances.

DRG Role:Central hub for VCN and FastConnect connectivity.

Evaluate Options:

A:DRG routes inter-VCN traffic via FastConnect to on-premises; meets isolation and inspection needs.

B:Transit Routing allows direct VCN-to-VCN communication, bypassing on-premises; incorrect.

C:Bypassing DRG with VPNs is complex and unsupported; incorrect.

D:LPG is for intra-region peering, not DRG-to-FastConnect; incorrect.

Conclusion:Option A enforces the policy via DRG route tables.

DRG route tables control traffic flow. The Oracle Networking Professional study guide states, "To force inter-VCN traffic through an on-premises network via FastConnect, configure DRG route tables to route VCN-destined traffic to the FastConnect attachment, ensuring isolation and inspection" (OCI Networking Documentation, Section: DRG Routing). This setup leverages a single DRG effectively.

Problem: App tier can’t reach DB tier despite open security lists.

Option A: Flow Logs show traffic details but require analysis, slowing diagnosis—less efficient.

Option B: Connection Diagnostics tests connectivity (e.g., ping, traceroute) between resources, quickly pinpointing failures—correct.

Option C: Network Firewall controls traffic, not diagnoses—incorrect.

Option D: Bastion is for access, not troubleshooting—incorrect.

Conclusion: Connection Diagnostics is the best tool for quick isolation.

Oracle states:

"Connection Diagnostics provides rapid testing of network connectivity between OCI resources, ideal for isolating issues like tier-to-tier failures.”This validates Option B. Reference:Network Troubleshooting - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Network/Tasks/troubleshooting.htm#connectiondiagnostics).

Objective: Identify a VPN disadvantage for large dataset migration.

Option A: VPNs can be secure with IPSec; not inherently less secure—incorrect.

Option B: VPNs are automatable with IaC (e.g., Terraform)—incorrect.

Option C: Public internet limits VPN throughput due to bandwidth and latency variability—correct disadvantage.

Option D: VPNs are compatible with OCI services—incorrect.

Conclusion: Option C is the key disadvantage.

Oracle notes:

"Public internet-based VPNs face throughput limitations due to bandwidth and latency variability, impacting large data migrations.”This supports Option C. Reference:VPN Limitations - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Network/Tasks/settingupIPSec.htm#limitations).

Requirement:Centralized logging of Network Firewall traffic for analysis.

OCI Services:

Audit Service:Logs API calls, not network traffic.

Logging Analytics:Analyzes logs but needs log ingestion.

Service Connector Hub with Logging:Moves firewall logs to OCI Logging.

Cloud Guard:Monitors security posture, not detailed logging.

Evaluate Options:

A:Audit Service is for API events; incorrect.

B:Logging Analytics requires log source; incomplete.

C:Service Connector Hub with Logging captures and stores firewall logs; best fit.

D:Cloud Guard is for threat detection, not logging; incorrect.

Conclusion:Service Connector Hub with OCI Logging meets the requirement.

OCI Network Firewall logs require integration with OCI Logging. The Oracle Networking Professional study guide states, "Service Connector Hub can be configured to transfer Network Firewall logs to OCI Logging for centralized storage and analysis, meeting auditing requirements" (OCI Networking Documentation, Section: Network Firewall Logging). This ensures every session is logged and auditable.

Requirement: IAM permission to accept cross-tenancy LPG peering.

Option A: “Manage” allows creating and accepting peering—correct.

Option B: “Use” permits using existing LPGs, not accepting requests—incorrect.

Option C: “Inspect” is read-only, insufficient—incorrect.

Option D: “Read” on virtual-network-family doesn’t cover LPG management—incorrect.

Conclusion: Option A is required.

Oracle states:

"To accept a cross-tenancy peering request, the target tenancy needs ‘manage local-peering-gateways’ permission."This confirms Option A. Reference:Local VCN Peering - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Network/Tasks/localVCNpeering.htm).

Requirement:Private VCN connection across tenancies.

Services:

Internet Gateway:Public access; incorrect.

Service Gateway:OCI services, not VCNs; incorrect.

RPC:Cross-tenancy private peering; correct.

DRG with LPG:LPG is intra-region, not cross-tenancy; incorrect.

Evaluate Options:

A:Public; incorrect.

B:Service-focused; incorrect.

C:Designed for this scenario; correct.

D:Misaligned components; incorrect.

Conclusion:RPC is the right service.

RPC enables cross-tenancy peering. The Oracle Networking Professional study guide notes, "Remote Peering Connections (RPCs) establish private connectivity between VCNs in different tenancies over OCI’s private backbone" (OCI Networking Documentation, Section: Remote Peering Connections). This ensures no public internet traversal.

Goal:Automate certificate renewal in OCI Certificates.

Feature Check:OCI Certificates supports automatic renewal.

Evaluate Options:

A:Manual renewal risks disruption; inefficient.

B:Automatic Renewal with DNS validation automates process; best fit.

C:Vault stores secrets, no renewal automation; incorrect.

D:False; OCI Certificates has auto-renewal; incorrect.

Conclusion:Automatic Renewal is the optimal feature.

OCI Certificates offers automated renewal. The Oracle Networking Professional study guide states, "Enable the 'Automatic Renewal' option in OCI Certificates and configure DNS validation to ensure certificates are renewed before expiration, preventing disruptions" (OCI Networking Documentation, Section: OCI Certificates). This leverages OCI’s built-in automation.

Requirement: Low-latency, direct access to an on-premises SQL Server via FastConnect.

Option A: Internet Gateway with a public endpoint exposes the SQL Server to the internet, increasing latency and security risks—incorrect.

Option B: Service Gateway is for OCI services (e.g., Object Storage), not on-premises resources—incorrect.

Option C: FastConnect with a DRG provides a private, low-latency link. No additional OCI endpoint is needed; the SQL Server’s private IP is accessed directly via DRG routing—correct.

Option D: Private Endpoints are for OCI services within the VCN (e.g., ADB), not on-premises resources—incorrect.

Conclusion: Option C leverages FastConnect and DRG for direct, secure access.

Oracle documentation notes:

"FastConnect with a DRG enables private, low-latency connectivity to on-premises networks. Configure route tables to access on-premises resources directly; no additional endpoints are required."This supports Option C. Reference:FastConnect Overview - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Network/Tasks/fastconnect.htm).

Requirements:Private, encrypted connectivity to on-premises, no public internet.

Gateway Options:

Service Gateway:For OCI services, not on-premises.

Internet Gateway:Public internet access, unsuitable.

DRG with FastConnect:Private on-premises connectivity.

NAT Gateway:Outbound internet, not private to on-premises.

Evaluate Options:

A:Limited to OCI services; incorrect.

B:Uses public internet; violates policy.

C:FastConnect via DRG ensures private, encrypted link; correct.

D:Public IPs contradict requirement; incorrect.

Conclusion:DRG with FastConnect is the most appropriate.

FastConnect provides private connectivity via DRG. The Oracle Networking Professional study guide states, "A Dynamic Routing Gateway with FastConnect establishes a dedicated, private connection to on-premises networks, ensuring data encryption and isolation from the public internet" (OCI Networking Documentation, Section: FastConnect). This meets security and privacy needs.

Requirements:End-to-end encryption, no public internet for Object Storage access.

Options Analysis:

Service Gateway:Private access to Object Storage.

NAT Gateway:Public internet access; unsuitable.

Private Endpoint:Alternative private access, but newer feature.

HTTPS:Ensures in-transit encryption.

Evaluate Options:

A:Encryption at rest doesn’t cover transit; incomplete.

B:NAT uses public internet; violates policy; incorrect.

C:Service Gateway with HTTPS ensures full encryption and privacy; correct.

D:Private Endpoint with HTTPS is valid but less common than Service Gateway; slightly less optimal historically.

Conclusion:Service Gateway with HTTPS is most secure and compliant.

Service Gateway is standard for private Object Storage access. The Oracle Networking Professional study guide states, "A Service Gateway with HTTPS API calls ensures end-to-end encrypted traffic to Object Storage without public internet traversal" (OCI Networking Documentation, Section: Service Gateway). This meets security mandates effectively.

Symptoms:VPN tunnel drops intermittently despite stable internet and IKE settings.

VPN Components:Requires IKE (UDP 500/4500) and ESP (IP 50) traffic.

Evaluate Options:

A:Incorrect CPE IP would prevent tunnel establishment, not intermittent drops; incorrect.

B:DRG outage would cause full downtime, not intermittent; unlikely.

C:Security rules blocking IKE/ESP intermittently (e.g., rate limiting) is common; most likely.

D:NAT-Traversal issues typically prevent initial setup, not intermittent drops; less likely.

Conclusion:Security rule misconfiguration is the most probable cause.

VPN stability depends on unblocked IKE and ESP traffic. The Oracle Networking Professional study guide notes, "Intermittent VPN tunnel drops are often caused by security rules or firewalls blocking IKE (UDP 500/4500) or ESP (IP Protocol 50) traffic" (OCI Networking Documentation, Section: Site-to-Site VPN Troubleshooting). This aligns with the scenario’s symptoms.

Requirement:Private access to Object Storage from a private subnet.

Components:

Internet Gateway:Public internet access; unsuitable.

NAT Gateway:Outbound internet; unsuitable.

Service Gateway:Private OCI service access; fits requirement.

Network Firewall:Security, not routing; incorrect.

Evaluate Options:

A:Public internet; violates policy.

B:Public internet; violates policy.

C:Keeps traffic in OCI network; correct.

D:Doesn’t enable access; incorrect.

Conclusion:Service Gateway ensures private access.

Service Gateway is designed for private OCI service access. The Oracle Networking Professional study guide explains, "A Service Gateway allows private subnet instances to access Object Storage without traversing the public internet, ensuring secure data transfer within OCI" (OCI Networking Documentation, Section: Service Gateway). This meets the security requirement.

Requirements: Secure, reliable, low-latency, bidirectional access with redundancy.

Option A: VPN via DRG is secure but lacks low latency and redundancy—insufficient.

Option B: FastConnect via DRG offers low latency and security but no redundancy—partial fit.

Option C: Public endpoints are insecure and high-latency—incorrect.

Option D: FastConnect for primary low-latency access, VPN as backup for redundancy—correct and most appropriate.

Conclusion: Option D meets all criteria.

Oracle states:

"FastConnect with DRG provides secure, low-latency hybrid connectivity. Add a Site-to-Site VPN for redundancy to ensure reliability."This supports Option D. Reference:Hybrid Cloud Connectivity - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Network/Tasks/hybridcloud.htm).

Requirements:Encrypt FastConnect traffic with minimal bandwidth impact.

IPSec Options:

DRG VPN:Native OCI solution over FastConnect.

Firewall Appliances:Adds overhead and complexity.

Compute Instances:Resource-intensive, not scalable.

Internet VPN:Uses public internet, against requirements.

Evaluate Options:

A:DRG VPN with AES-GCM (low-overhead encryption) leverages FastConnect; optimal.

B:Firewalls with AES-256 add overhead, reducing bandwidth; less effective.

C:Compute-based VPN is inefficient and public-facing; unsuitable.

D:Public internet VPN violates privacy requirement; incorrect.

Conclusion:DRG VPN with AES-GCM is the most effective solution.

OCI supports IPSec over FastConnect via DRG. The Oracle Networking Professional study guide explains, "A Site-to-Site VPN over FastConnect using the DRG provides encrypted traffic with low-overhead algorithms like AES-GCM, maintaining high bandwidth" (OCI Networking Documentation, Section: FastConnect with VPN). This meets regulatory and performance needs efficiently.

Requirements:Global access, geo-routing, advanced traffic management, DDoS protection.

Load Balancer Options:

Regional LB:Single-region, no global routing or advanced policies.

NLB:Layer 4, no HTTP-based traffic management or DDoS features.

Global LB with Steering Policies:Layer 7, supports geo-routing and policies.

Flexible LB:Not a specific OCI service.

Assess Fit:

A:Lacks global and advanced features; unsuitable.

B:No Layer 7 or DDoS protection; incorrect.

C:Meets all requirements with geo-routing, steering policies, and WAF integration; best fit.

D:Non-existent service; incorrect.

Conclusion:Global LB with steering policies is the best solution.

The Global Load Balancer with Traffic Management Steering Policies supports global applications. The Oracle Networking Professional study guide explains, "Global Load Balancer enables geo-based routing and advanced traffic policies like A/B testing and weighted distribution, integrating with OCI WAF for DDoS protection" (OCI Networking Documentation, Section: Load Balancing - Traffic Management). This aligns with all specified requirements.

Requirements: HA and IPv6 support for public web app.

Option A: ULA is private, not routable; NAT for IPv6 is inefficient—incorrect.

Option B: ULA doesn’t support public IPv6 clients—incorrect.

Option C: Public IPv6 CIDR is correct, but IPv4-only LB with NAT lacks direct IPv6—less resilient.

Option D: Public IPv6 CIDR with dual-stack LB and instances ensures full IPv6 support and HA across ADs—correct.

Conclusion: Option D maximizes resilience and connectivity.

Oracle states:

"For public IPv6 applications, use a public IPv6 CIDR block and configure Load Balancers and instances for both IPv4 and IPv6 to ensure resilience."This supports Option D. Reference:IPv6 in OCI - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Network/Tasks/managingIPv6.htm).

Goal: Private, secure, least-privilege access to Object Storage across subnets.

Option A: Internet Gateway uses public access, violating privacy—incorrect.

Option B: NAT Gateway is for internet, not OCI services—incorrect.

Option C: Service Gateway provides private access; IAM policies enforce least privilege; route tables manage traffic—correct.

Option D: Private Endpoints per bucket/subnet are inefficient and unscalable—incorrect.

Conclusion: Option C is efficient and secure.

Oracle states:

"A Service Gateway enables private access to Object Storage. Use IAM policies for least-privilege access and route tables for traffic control."This supports Option C. Reference:Service Gateway Overview - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Network/Tasks/servicegateway.htm).