Oracle 1z0-1072-22 Oracle Cloud Infrastructure 2022 Architect Associate Exam Practice Test

Access to Your On-Premises Network

There are two ways to connect your on-premises network to Oracle Cloud Infrastructure:

VPN Connect: Offers multiple IPSec tunnels between your existing network's edge and your VCN, by way of a DRG that you create and attach to your VCN.

Oracle Cloud Infrastructure FastConnect: Offers a private connection between your existing network's edge and Oracle Cloud Infrastructure. Traffic does not traverse the internet. Both private peering and public peering are supported. That means your on-premises hosts can access private IPv4 addresses in your VCN as well as regional public IPv4 addresses in Oracle Cloud Infrastructure (for example, Object Storage or public load balancers in your VCN).

You can use one or both types of the preceding connections. If you use both, you can use them simultaneously, or in a redundant configuration. These connections come to your VCN by way of a single DRG that you create and attach to your VCN. Without that DRG attachment and a route rule for the DRG, traffic does not flow between your VCN and on-premises network. At any time, you can detach the DRG from your VCN but maintain all the remaining components that form the rest of the connection. You could then reattach the DRG again, or attach it to another VCN.

References: https://docs.cloud.oracle.com/en-us/iaas/Content/Network/Concepts/fastconnectoverv iew.htm

You use a DRG when connecting your existing on-premises network to your virtual cloud network (VCN) with one (or both) of these:

IPSec VPN

Oracle Cloud Infrastructure FastConnect

You also use a DRG when peering a VCN with a VCN in a different region:

Remote VCN Peering (Across Regions)

https://www.oracle.com/webfolder/technetwork/tutori als/obe/cloud/adwc/OBE_Provisioning_Autonomous_Data_Warehouse_Cloud_bak/provisioning_autonomous_data_warehouse_cloud.html

A mount target is an NFS endpoint that lives in a VCN subnet of your choice and provides network access for file systems. The mount target provides the IP address or DNS name that is used together with a unique export path to mount the file system. A single mount target can export many file systems. Typically, you create your first mount target and export when you create your first file system. The mount target maintains an export set which contains all of the exports for its associated file systems.

Limitations and Considerations

Each availability domain is limited to two mount targets by default. However, you can export up to 100 file systems through each mount target.

See Service Limits for a list of applicable limits and instructions for requesting a limit increase.

Each mount target requires three internal IP addresses in the subnet to function. Two of the IP addresses are used during mount target creation. The third IP address must remain available for the mount target to use for high availability failover.

The File Storage service doesn't "reserve" the third IP address required for high availability failover. Use care when designing your subnets and file systems to ensure that sufficient IP addresses remain available for your mount targets.

A – Backups are encrypted and stored in Oracle Cloud Infrastructure Object Storage, and can be restored as new volumes to any availability domain within the same region they are stored.

D- You can restore a block volume backup to a larger volume size. To do this, check Custom Block Volume Size (GB), and then specify the new size. You can only increase the size of the volume, you cannot decrease the size.

Dynamic groups allow you to group Oracle Cloud Infrastructure computer instances as "principal" actors (similar to user groups).

When you create a dynamic group, rather than adding members explicitly to the group, you instead define a set of matching rules to define the group members. For example, a rule could specify that all instances in a particular compartment are members of the dynamic group. The members can change dynamically as instances are launched and terminated in that compartment.

A dynamic group has no permissions until you write at least one policy that gives that dynamic group permission to either the tenancy or a compartment. When writing the policy, you can specify the dynamic group by using either the unique name or the dynamic group's OCID. Per the preceding note, even if you specify the dynamic group name in the policy, IAM internally uses the OCID to determine the dynamic group.

All databases created in Oracle Cloud Infrastructure are encrypted using transparent data encryption (TDE).

Oracle Cloud Infrastructure encrypts all managed backups in the object store. Oracle uses the Database Transparent Encryption feature by default for encrypting the backups. and the customers can manage the TDE Wallet after DB Systems are provisioned.

VPN Connect provides a site-to-site IPSec VPN between your on-premises network and your virtual cloud network (VCN). The IPSec protocol suite encrypts IP traffic before the packets are transferred from the source to the destination and decrypts the traffic when it arrives.

On general, IPSec can be configured in the following modes:

Transport mode: IPSec encrypts and authenticates only the actual payload of the packet, and the header information stays intact.

Tunnel mode (supported by Oracle): IPSec encrypts and authenticates the entire packet. After encryption, the packet is then encapsulated to form a new IP packet that has different header information.

Oracle Cloud Infrastructure supports only the tunnel mode for IPSec VPNs.

Each Oracle IPSec VPN consists of multiple redundant IPSec tunnels. For a given tunnel, you can use either Border Gateway Protocol (BGP) dynamic routing or static routing to route that tunnel's traffic. More details about routing follow.

IPSec VPN site-to-site tunnels offer the following advantages:

Public internet lines are used to transmit data, so dedicated, expensive lease lines from one site to another aren't necessary.

The internal IP addresses of the participating networks and nodes are hidden from external users.

The entire communication between the source and destination sites is encrypted, significantly lowering the chances of information theft.

Remote VCN peering is the process of connecting two VCNs in different regions (but the same tenancy ). The peering allows the VCNs' resources to communicate using private IP addresses without routing the traffic over the internet or through your on-premises network. Without peering, a given VCN would need an internet gateway and public IP addresses for the instances that need to communicate with another VCN in a different region.

At a high level, the Networking service components required for a remote peering include:

- Two VCNs with non-overlapping CIDRs, in different regions that support remote peering. The VCNs must be in the same tenancy.

- A dynamic routing gateway (DRG) attached to each VCN in the peering relationship. Your VCN already has a DRG if you're using an IPSec VPN or an Oracle Cloud Infrastructure FastConnect private virtual circuit.

A remote peering connection (RPC) on each DRG in the peering relationship.

A connection between those two RPCs.

Supporting route rules to enable traffic to flow over the connection, and only to and from select subnets in the respective VCNs (if desired).

Supporting security rules to control the types of traffic allowed to and from the instances in the subnets that need to communicate with the other VCN.

Object Lifecycle Management lets you automatically manage the archiving and deletion of objects. By using Object Lifecycle Management to manage your Object Storage and Archive Storage data, you can reduce your storage costs and the amount of time you spend managing data.

Use object name filters to specify which objects the lifecycle rule applies to.

You can add object filters in any order. Object Lifecycle Management evaluates the precedence of the rules as follows:

Pattern exclusions

Pattern inclusions

Prefix inclusions

The mount target provides the IP address or DNS name that is used together with a unique export path to mount the file system.

You can move mount targets from one compartment to another.

References:

A fault domain is a grouping of hardware and infrastructure within an availability domain. Each availability domain contains three fault domains. Fault domains provide anti-affinity: they let you distribute your instances so that the instances are not on the same physical hardware within a single availability domain.

References: https://cloud.oracle.com/storage/object-storage/features

References: https://docs.cloud.oracle.com/iaas/Content/General/Concepts/regions.htm#one

All data is encrypted at rest. and In-transit encryption provides a way to secure your data between instances and mounted file systems using TLS v. 1.2 (Transport Layer Security) encryption.

File Storage service supports the AUTH_UNIX style of authentication and permission checking for remote NFS client requests.

https://docs.cloud.oracle.com/iaas/Content/Network/Tasks/managingVNICs.htm#Source/D

By default, every VNIC performs the source/destination check on its network traffic. The VNIC looks at the source and destination listed in the header of each network packet. If the VNIC is not the source or destination, then the packet is dropped.

If the VNIC needs to forward traffic (for example, if it needs to perform Network Address Translation (NAT)), you must disable the source/destination check on the VNIC. For instructions, see To update an existing VNIC. For information about the general scenario, see Using a Private IP as a Route Target.

The Oracle Cloud Infrastructure provider is used to interact with the many resources supported by the Oracle Cloud Infrastructure. The provider needs to be configured with credentials for the Oracle Cloud Infrastructure account.

https://docs.cloud.oracle.com/iaas/Con tent/Object/Tasks/usingpreauthenticatedrequests.htm

You can create an unlimited number of pre-authenticated requests.

You can’t edit a pre-authenticated request. If you want to change user access options in response to changing requirements, you must create a new pre‑authenticated request.

URL: https://docs.cloud.oracle.com/iaas/Content/Object/Tasks/managingbuckets.htm

You can change a bucket’s access from public to private or from private to public. Changing the type of access doesn’t affect existing pre-authenticated requests. Existing pre-authenticated requests still work.

References: https://docs.cloud.oracle.com/iaas/Content/Compute/Concepts/computeoverview.htm

References: https://docs.cloud.oracle.com/iaas/Content/Identity/Tasks/managingdynamicgroups.htm

References: https://blogs.oracle.com/cloud-infrastructure/introducing-oracle-cloud-infrastructure-data-transfer-service

On autonomous there’s no patching needed. But on the regular DB Cloud services you need to patch the DB and the OS. During the creation on the OCDB the first DB is created automatically

Oracle automatically takes care of Operating system Installation/Configuration,  Grid Infrastructure, ASM diskgroup Creation/Configuration , and database software Installation and first database on the DB System. that's all when Creating DB Systems. and then the customer responsible to apply the patches to the database and OS

You create an internet gateway in the context of a specific VCN. In other words, the internet gateway is automatically attached to a VCN. However, you can disable and re-enable the internet gateway at any time.

For traffic to flow between a subnet and an internet gateway, you must create a route rule accordingly in the subnet's route table (for example, destination CIDR = 0.0.0.0/0 and target = internet gateway). If the internet gateway is disabled, that means no traffic will flow to or from the internet even if there's a route rule that enables that traffic.

For the purposes of access control, you must specify the compartment where you want the internet gateway to reside. If you're not sure which compartment to use, put the internet gateway in the same compartment as the cloud network.

With multipart upload, you split the object you want to upload into individual parts. Individual parts can be as large as 50 GiB or as small as 10 MiB. (Object Storage waives the minimum part size restriction for the last uploaded part.) Decide what part number you want to use for each part. Part numbers can range from 1 to 10,000. You do not need to assign contiguous numbers, but Object Storage constructs the object by ordering part numbers in ascending order.

The maximum size for an uploaded object is 10 TiB

While a multipart upload is still active, you can keep adding parts as long as the total number is less than 10,000.

https://docs.cloud.oracle.com/en-us/iaas/Content/Object/Tasks/usingmultipartuploads.htm

“You can add secondary VNICs to an instance after it’s launched. Each secondary VNIC can be in a subnet in the same VCN as the primary VNIC, or in a different subnet that is either in the same VCN or a different one. However, all the VNICs must be in the same availability domain as the instance.”

https://docs.cloud.oracle.com/en-us/iaas/Content/Network/Tasks/managingVNICs.htm

To accept traffic from the internet, you create a public load balancer. The service assigns it a public IP address that serves as the entry point for incoming traffic. You can associate the public IP address with a friendly DNS name through any DNS vendor.

A public load balancer is regional in scope. If your region includes multiple availability domains, a public load balancer requires either a regional subnet (recommended) or two availability domain-specific (AD-specific) subnets, each in a separate availability domain. With a regional subnet, the Load Balancing service creates a primary load balancer and a standby load balancer, each in a different availability domain, to ensure accessibility even during an availability domain outage. If you create a load balancer in two AD-specific subnets, one subnet hosts the primary load balancer and the other hosts a standby load balancer. If the primary load balancer fails, the public IP address switches to the secondary load balancer. The service treats the two load balancers as equivalent and you cannot specify which one is "primary".

Whether you use regional or AD-specific subnets, each load balancer requires one private IP address from its host subnet. The Load Balancing service supplies a floating public IP address to the primary load balancer. The floating public IP address does not come from your backend subnets.

You cannot specify a private subnet for your public load balancer.

The backend servers (Compute instances) associated with a backend set can exist anywhere, as long as the associated network security groups (NSGs), security lists, and route tables allow the intended traffic flow.

Oracle recommends that you create your load balancer in a regional subnet.

Oracle recommends that you distribute your backend servers across all availability domains within the region.