1z0-1124-25 Oracle Cloud Infrastructure 2025 Networking Professional Free Practice Exam Questions (2025 Updated)

Zero Trust Context:Assumes no inherent trust, requiring explicit controls at all network stages.

Evaluate Principles:

Implicit Trust:Assumes trust, opposite of Zero Trust; incorrect.

Least Privilege:Grants minimal access, explicitly enforced; aligns with Zero Trust.

Perimeter Security:Relies on boundary protection, not Zero Trust; incorrect.

Network Segmentation:Isolates networks, a tactic not a principle; incomplete.

Conclusion:Least Privilege is the core principle for explicit access control.

Zero Trust Packet Routing in OCI emphasizes Least Privilege. The Oracle Networking Professional study guide states, "The Least Privilege principle in Zero Trust requires that access controls be explicitly defined and enforced at every network communication stage, ensuring no implicit trust" (OCI Networking Documentation, Section: Zero Trust Networking). This drives granular security policies.

Problem:Instances lack IPv6 addresses despite VCN IPv6 configuration.

OCI IPv6 Behavior:IPv6 requires subnet enablement and OS support via SLAAC.

Evaluate Options:

A:Incorrect. OCI doesn’t auto-assign IPv6 without OS configuration.

B:Correct. SLAAC must be enabled on the instance OS for auto-assignment.

C:Incorrect. IPv6 works in both public and private subnets.

D:Incorrect. IPv4 and IPv6 assignments are independent.

Conclusion:Enabling SLAAC on the OS ensures automatic IPv6 assignment.

IPv6 in OCI relies on SLAAC for automatic address assignment. The Oracle Networking Professional study guide states, "To enable IPv6 on instances, the VCN and subnet must have IPv6 CIDR blocks, and the instance OS must support SLAAC to automatically configure IPv6 addresses" (OCI Networking Documentation, Section: IPv6 Configuration). Without SLAAC, instances default to IPv4 only.

Context: Tunnel flapping over FastConnect vs. public internet.

Option A: Congestion/packet loss is less likely over FastConnect’s dedicated link than the unpredictable public internet—correct.

Option B: Mismatched keys/parameters would prevent tunnel establishment, not flapping—equally likely in both.

Option C: MTU issues cause fragmentation in both scenarios—equally likely.

Option D: BGP flapping is more relevant with FastConnect’s dynamic routing—more likely here.

Conclusion: Option A is less likely over FastConnect.

Oracle notes:

"FastConnect provides a stable, dedicated connection, reducing congestion and packet loss compared to public internet VPNs."This supports Option A. Reference:IPSec over FastConnect - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Network/Tasks/settingupIPSec.htm#fastconnect).

Identify the Goal: Troubleshoot efficiently to determine if stateful inspection is causing intermittent connectivity issues.

Option A Evaluation: Disabling stateful inspection globally removes all security checks, potentially restoring connectivity but disrupting the entire VCN’s security. This is inefficient and risky.

Option B Evaluation: Creating a bypass rule for the application server avoids inspection, which could confirm the issue but weakens security for that server. It’s a workaround, not a diagnostic step, and requires policy changes during troubleshooting.

Option C Evaluation: Reviewing firewall logs for denied traffic is targeted and non-disruptive. Logs show if stateful inspection is dropping packets (e.g., due to session timeouts or rule mismatches), directly identifying the cause without altering configurations.

Option D Evaluation: Recreating the firewall is highly disruptive, time-consuming, and doesn’t guarantee insight into the current issue. It’s not a troubleshooting step.

Conclusion: Option C is the most efficient, as it leverages logs for precise diagnosis without impacting operations.

Per Oracle’s Network Firewall documentation:

"Network Firewall logs provide detailed information about allowed and denied traffic, including source/destination IPs, ports, and protocols. Use logs to troubleshoot connectivity issues by identifying dropped packets due to stateful inspection or rule mismatches."

"Stateful inspection tracks connection states; misconfigurations can lead to dropped sessions."This confirms logs are the best tool for diagnosing stateful inspection issues. Reference:Network Firewall Overview - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/NetworkFirewall/overview.htm).

Requirement:Private VCN connection across tenancies.

Services:

Internet Gateway:Public access; incorrect.

Service Gateway:OCI services, not VCNs; incorrect.

RPC:Cross-tenancy private peering; correct.

DRG with LPG:LPG is intra-region, not cross-tenancy; incorrect.

Evaluate Options:

A:Public; incorrect.

B:Service-focused; incorrect.

C:Designed for this scenario; correct.

D:Misaligned components; incorrect.

Conclusion:RPC is the right service.

RPC enables cross-tenancy peering. The Oracle Networking Professional study guide notes, "Remote Peering Connections (RPCs) establish private connectivity between VCNs in different tenancies over OCI’s private backbone" (OCI Networking Documentation, Section: Remote Peering Connections). This ensures no public internet traversal.

Goal: Maximum security and isolation for IPSec over FastConnect.

Option A: Direct IPSec between on-premises networks bypasses OCI, ensuring complete isolation—correct and most secure.

Option B: NSGs/security lists control traffic but allow OCI traversal, less isolated—incorrect.

Option C: Third-party firewall adds complexity and OCI dependency, reducing isolation—incorrect.

Option D: Flow logs monitor, don’t isolate—incorrect.

Conclusion: Option A provides the highest isolation.

Oracle notes:

"For maximum isolation with third-party networks, configure IPSec directly between on-premises endpoints, avoiding OCI traversal."This supports Option A. Reference:IPSec over FastConnect - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Network/Tasks/settingupIPSec.htm#fastconnect).

Goal: Balance security and performance with encryption in a VCN.

Option A: TLS only to the load balancer leaves internal traffic unencrypted, risking exposure—insufficient security.

Option B: mTLS everywhere maximizes security but adds significant overhead (e.g., certificate management), impacting performance—overkill.

Option C: NSGs/Security Lists control access but don’t encrypt traffic—lacks protection for sensitive data.

Option D: TLS between OKE and Compute secures app-tier communication. Oracle Database Vault ensures ADB traffic is encrypted efficiently, leveraging built-in features—balanced approach.

Conclusion: Option D optimizes security and performance.

Oracle states:

"Use TLS for application traffic between tiers. Autonomous Database with Database Vaultprovides encryption in transit and at rest, minimizing overhead."This supports Option D. Reference:Security in OCI Networking - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Network/Concepts/securityoverview.htm).

Context: Inter-tenancy VCN peering connects VCNs across different OCI tenancies using Remote Peering Connections (RPCs).

Option A: Authentication of the root user is handled by IAM policies, not the peer ID, which is a technical identifier—incorrect.

Option B: The peer ID is the OCID of the RPC created by the requesting tenancy. It uniquely identifies the RPC, allowing the accepting tenancy to target and establish the peering—correct.

Option C: CIDR blocks are part of VCN configuration and shared separately, not via thepeer ID—incorrect.

Option D: Security rules are defined by NSGs or security lists, not the peer ID—incorrect.

Conclusion: The peer ID’s purpose is to identify the requesting tenancy’s RPC, making Option B the correct answer.

From Oracle’s documentation:

"For inter-tenancy peering, the requesting tenancy provides the OCID of its Remote Peering Connection (RPC), known as the peer ID, to the accepting tenancy. The accepting tenancy uses this ID to establish the peering."This confirms Option B. Reference:Remote VCN Peering Across Tenancies - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Network/Tasks/remoteVCNpeering.htm#cross-tenancy).

Problem Scope:Load balancer (public subnet) cannot reach application servers (private subnet).

Connectivity Flow:Load balancer initiates traffic to application servers; application servers respond. Key checkpoints: routing and security rules.

Analyze Routing:Private subnets typically don’t route to an Internet Gateway by default; they use NAT or Service Gateways. Misrouting (Option B) would affect outbound traffic, not inbound from the load balancer.

Security Rules:

Ingress (App Servers):Must allow traffic from the load balancer’s IP range.

Egress (Load Balancer):Must allow traffic to the application servers.

Evaluate Options:

A:Missing ingress rule on application servers’ security list blocks load balancer traffic; most likely.

B:Incorrect default route affects outbound, not inbound; less likely.

C:NAT misconfiguration impacts outbound, not inbound; incorrect.

D:Load balancer egress is necessary but secondary to application server ingress.

Conclusion:Ingress rule absence on the application server subnet is the primary blocker.

Security lists control traffic at the subnet level in OCI. The Oracle Networking Professional study guide explains, "For a load balancer in a public subnet to communicate with instances in a private subnet, the private subnet’s security list must include an ingress rule allowing traffic from the load balancer’s IP range" (OCI Networking Documentation, Section: Security Lists). Since Terraform deployed the infrastructure, a misconfigured security list is a common oversight.

Requirements: High bandwidth, low latency, leveraging direct fiber connectivity.

Option A: Site-to-Site VPN uses the public internet, lacking consistency and bandwidth—incorrect.

Option B: Internet Gateway is for public access, not dedicated connections—incorrect.

Option C: FastConnect Colocation uses direct fiber at Oracle locations, ensuring high bandwidth and minimal latency—correct.

Option D: DRG with remote peering is for VCN-to-VCN connectivity, not optimized for on-premises fiber—incorrect (DRG is part of FastConnect but not the service itself).

Conclusion: FastConnect Colocation is the most suitable.

Oracle states:

"FastConnect Colocation with Oracle leverages direct fiber connections at Oracle facilities, providing consistent, high-bandwidth, and low-latency access to OCI."This supports Option C. Reference:FastConnect Overview - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Network/Tasks/fastconnect.htm#colocation).

Transitive Routing Goal:Traffic from a VCN to an on-premises network via DRG.

DRG Role:Acts as a virtual router connecting VCNs and on-premises networks.

Routing Options:

Static Routes:Manually defined, less scalable for dynamic environments.

Dynamic Routing (BGP):Automatically exchanges routes, ideal for hybrid setups.

Evaluate Options:

A:Static routes work but require manual updates; less efficient.

B:BGP dynamically propagates routes, ensuring correct routing; best fit.

C:LPG is for intra-region peering, not on-premises connectivity; incorrect.

D:Service Gateway is for OCI services, not on-premises; incorrect.

Conclusion:BGP ensures scalable, accurate routing through the DRG.

The DRG supports transitive routing with dynamic protocols like BGP. The Oracle Networking Professional study guide states, "For transitive routing between VCNs and on-premises networks via a DRG, configuring BGP on the DRG and CPE enables automatic route propagation, ensuring traffic is correctly routed" (OCI Networking Documentation, Section: Dynamic Routing Gateway). BGP is preferred over static routes for hybrid cloud scenarios.

Objective:Enable transitive routing via a network appliance (e.g., firewall) between VCNs.

Transitive Routing Setup:DRG connects VCNs; appliance processes traffic.

Key Requirement:DRG must route traffic to the appliance’s private IP.

Evaluate Options:

A:Service Gateway is for OCI services, not transitive routing; incorrect.

B:Static routes on DRG to appliance ensure correct traffic flow; essential.

C:Load Balancer is optional, not essential for routing; incorrect.

D:LPG is for intra-region VCN peering, not appliance-DRG connection; incorrect.

Conclusion:DRG static routes to the appliance are critical for transitive routing.

Transitive routing with a network appliance requires explicit routing configuration. The Oracle Networking Professional study guide notes, "To enable transitive routing through a network appliance, configure static routes in the DRG route table pointing to the appliance’s private IP as the next hop" (OCI Networking Documentation, Section: Transitive Routing with DRG). This ensures traffic is processed by the appliance between VCNs.

Objective: Identify essential info for CPE to establish a Site-to-Site VPN with OCI.

Option A: Region and availability domain are for OCI resource placement, not CPE config—incorrect.

Option B: The DRG’s public IP is the VPN endpoint, and the IKE pre-shared key authenticates the tunnel—essential and correct.

Option C: OCID and compartment ID are for OCI management, not CPE setup—incorrect.

Option D: Subnet CIDRs are for routing, configured later, not for tunnel establishment—incorrect.

Conclusion: Option B provides the critical VPN connection details.

Oracle documentation states:

"To configure your CPE for Site-to-Site VPN, you need the public IP address of the DRG (VPN headend) and the IKE pre-shared key from the OCI console."This confirms Option B. Reference:Setting Up IPSec VPN - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Network/Tasks/settingupIPSec.htm).

Objective: Block all outbound internet traffic from a private subnet, ensuring compliance despite misconfigurations.

Option A: ALLOW to 0.0.0.0/0 permits all traffic, contradicting the requirement.

Option B: DROP to NAT Gateway IP only blocks traffic to the NAT Gateway, not all internet traffic (e.g., misconfigured routes bypassing NAT).

Option C: REJECT to 0.0.0.0/0 blocks all outbound traffic to any IP, sending an ICMP unreachable message. This ensures no internet access, even if misconfigured, and aids troubleshooting.

Option D: ALLOW to Service Gateway permits OCI service access, not internet blocking.

Conclusion: Option C is the most comprehensive and compliant solution.

Oracle’s Network Firewall guide states:

"Use REJECT with a destination of 0.0.0.0/0 to block all outbound traffic and notify the source, ideal for strict egress control."This matches Option C’s purpose. Reference:Network Firewall Policies - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/NetworkFirewall/Tasks/managingpolicies.htm).

Objective:Efficiently propagate on-premises route updates to multiple VCNs.

DRG Capabilities:Supports route distribution to attached VCNs.

Analyze Options:

A:Manual updates are inefficient and error-prone; unsuitable.

B:Centralized DRG with route distribution automates propagation; efficient.

C:Multiple DRGs add complexity and manual effort; inefficient.

D:Service Gateway is for OCI services, not route updates; incorrect.

Conclusion:Centralized DRG with route distribution is the most efficient method.

Route distribution in a DRG simplifies multi-region routing. The Oracle Networking Professional study guide notes, "Using a centralized DRG with route distribution enabled allows routes learned from on-premises networks to be automatically propagated to all attached VCNs, reducing management overhead" (OCI Networking Documentation, Section: DRG Route Distribution). This leverages OCI’s automation capabilities.

Requirement: Provide VLAN config info for FastConnect setup.

Option A: CIDR blocks are for routing, not VLAN setup—incorrect.

Option B: VLAN ID defines the circuit, BGP ASN and peering IPs establish routing—essential and correct.

Option C: MTU is a performance setting, not required for VLAN config—incorrect.

Option D: OCID and compartment ID are for OCI management, not provider setup—incorrect.

Conclusion: Option B provides the necessary VLAN configuration details.

Oracle states:

"For FastConnect, provide the provider with a VLAN ID, your BGP ASN, and BGP peering IPs to configure the virtual circuit."This confirms Option B. Reference:FastConnect Configuration - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Network/Tasks/fastconnect.htm#providerconfig).

Objective:Grant requesting tenancy permission to initiate an RPC to the target tenancy.

RPC Process:Requires the requesting tenancy to create and connect the RPC, which needs specific IAM permissions in the target tenancy.

IAM Verbs:

manage:Broad permissions, too permissive for RPC initiation.

use:Allows creation and connection of RPCs, precise for this task.

inspect:Read-only, insufficient for initiating connections.

read:Read-only, insufficient for initiating connections.

Evaluate Options:

A:Too broad, includes unnecessary permissions; incorrect.

B:Precise permission for RPC initiation; correct.

C:Read-only, doesn’t allow connection; incorrect.

D:Read-only, doesn’t allow connection; incorrect.

Conclusion:"use remote-peering-connections" is the essential policy.

RPCs require specific IAM policies for cross-tenancy connectivity. The Oracle Networking Professional study guide states, "To initiate a Remote Peering Connection, the requesting tenancy needs an IAM policy with the 'use remote-peering-connections' verb targeting the acceptor tenancy’s OCID" (OCI Networking Documentation, Section: Remote Peering Connections). This ensures controlled access for connection establishment.

Requirements:Private subnet, no internet, access to other VCN subnets, HA database.

Analyze Components:

Public Subnet:Internet-exposed, against policy.

Private Subnet:No internet, aligns with policy.

Service Gateway:For OCI services, not ADB connectivity.

DRG:For inter-VCN routing.

NSGs:Granular traffic control.

Evaluate Options:

A:Public subnet violates no-internet policy; incorrect.

B:Service Gateway for Object Storage/Yum irrelevant to ADB; incomplete.

C:Private subnet, NSGs, DRG, and CIDR planning meet all needs; correct.

D:Public subnet with internet access; violates policy.

Conclusion:Option C is the most effective approach.

Autonomous Database requires private deployment for security. The Oracle Networking Professional study guide notes, "For Autonomous Database on Dedicated Exadata, use a private subnet with NSGs for access control and a DRG for inter-VCN connectivity, reserving CIDR for scalability" (OCI Networking Documentation, Section: Autonomous Database Networking). Service Gateway isn’t used for ADB access, but the private setup ensures compliance.

Goal: Support Zero Trust with packet flow monitoring.

Option A: Static routing defines paths, not monitoring—incorrect.

Option B: Security lists control access, not monitor—incorrect.

Option C: Flow logs track traffic; audit trails log actions—essential for Zero Trust—correct.

Option D: Public IPs enable access, not monitoring—incorrect.

Conclusion: Option C is essential.

Oracle states:

"Flow logs and audit trails provide continuous monitoring and verification of packet flows, critical for Zero Trust Packet Routing."This supports Option C. Reference:Zero Trust in OCI - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Network/Concepts/zerotrust.htm).