Oracle Cloud Infrastructure 2025 Foundations Associate Advanced Practice Exam: Hard Questions 2025

A startup has workloads deployed in multiple OCI regions. They want a single, consistent way to authenticate users from their corporate identity provider (IdP) while ensuring that access is limited to specific compartments. The security team also requires that user lifecycle (joiner/mover/leaver) is managed in the IdP, not in OCI. Which approach best meets these requirements with least operational overhead?

A team deploys a private web application on Compute instances in a private subnet with no public IPs. Users access it only through an OCI Load Balancer in a public subnet. After enabling a Network Security Group (NSG) on the backend instances, health checks start failing and the load balancer marks all backends as unhealthy. Security insists that the app port must not be open broadly. What is the most likely missing configuration?

A company uses Object Storage for critical artifacts. They must ensure that deletion is prevented for a defined retention period, even by administrators, but after the retention period objects can be deleted normally. They also want an audit trail of deletion attempts. Which combination best satisfies this requirement?

A production application uses multiple microservices on OCI. The team wants to restrict blast radius and simplify governance so that each microservice team can manage its own resources, while a central platform team manages shared networking and security standards. They also need clear quota boundaries and cost visibility per microservice. Which OCI design best aligns with these goals?

A database backup process running on a private Compute instance needs to upload backups to Object Storage without sending traffic over the public internet. The instance has no public IP and is not allowed to use an Internet Gateway. The team also wants to avoid managing public endpoints. What is the most appropriate networking configuration?

A team needs to grant an application running on OCI Compute permission to read secrets from OCI Vault and to write logs to an OCI service, without storing any user credentials, API keys, or configuration files on disk. The instances are in an auto-scaling group and frequently replaced. Which authentication method is the best fit?

An operations team wants to be alerted when a specific Compute instance’s CPU utilization stays above 90% for 15 minutes. They also want the alert to trigger an automated action to restart a process via a serverless mechanism, and they need to reduce noise from short spikes. Which solution best matches this requirement using OCI-native observability and automation components?

A company uses a single VCN with multiple subnets across two availability domains. They deploy an internet-facing application behind a public load balancer. A security review finds that backend instances can still be reached directly from the internet. The team claims they used a load balancer, so direct access should not be possible. Which misconfiguration most likely explains the finding?

A platform team wants to enforce consistent tagging across all compartments so that resources missing required tags are quickly identified and remediated. They also want to control who can create and modify tag namespaces/keys, while still allowing application teams to apply approved tags. Which governance approach best meets these needs?

An enterprise is planning a migration to OCI. They require a highly available connectivity model from on-premises to OCI with predictable performance. They want automatic failover if one circuit/provider has an issue, and they need private access to OCI resources in the VCN. Which design is the most appropriate?