50 Oracle Cloud Infrastructure 2025 Networking Professional Practice Questions: Question Bank 2025

You are designing a VCN with public and private subnets. Instances in a private subnet must download OS updates from the internet, but must not accept any inbound internet-initiated connections. Which design best meets this requirement?

A team is deploying an OCI Load Balancer for an HTTPS application and needs the load balancer to terminate TLS and forward traffic unencrypted to backend instances on port 8080. Which configuration is required?

You need private access from a VCN to Oracle Object Storage without sending traffic over the public internet. Which OCI component should you use?

A security engineer wants to reduce the attack surface by allowing inbound traffic to a compute instance only from known public IP ranges, and to block all other sources. Where should this be enforced most directly for a VNIC in a subnet?

Your company has two VCNs in the same region and different compartments. They must communicate privately using private IPs, and the connectivity must not be transitive to any third VCN. Which solution is most appropriate?

An application behind an OCI Load Balancer must route requests to different backend sets based on URL path (for example, /api to one pool and /static to another). Which load balancer feature enables this?

You have an on-premises network connected to OCI using FastConnect and a DRG. Instances in a private subnet cannot reach on-premises hosts, but they can reach other OCI subnets. You confirm that security rules allow the traffic. What is the most likely missing configuration?

You need to restrict egress from a subnet so that instances can reach only a specific set of internal destination CIDRs and a small number of TCP ports. Which approach is most appropriate?

A multinational enterprise requires deterministic, low-latency private connectivity between on-premises and OCI, and also requires a backup path that automatically takes over if the primary circuit fails. Which design best meets these requirements?

A security team mandates that traffic between two VCNs in the same region must be inspected by a centralized firewall appliance VCN before reaching the destination VCN (hub-and-spoke). Spoke-to-spoke traffic must also traverse the firewall. Which OCI architecture best supports this requirement at scale?

You need to allow a private subnet instance to reach the internet for OS updates while preventing any inbound connections from the internet. Which OCI networking design meets this requirement?

A web application uses an OCI Load Balancer. The backend servers must see the original client IP address for logging and rate limiting. Which load balancer feature should you use?

You want private access from a VCN to Oracle services such as Object Storage without using the public internet. What should you implement?

An on-premises network connects to OCI using IPSec VPN to a DRG. Some subnets in the VCN are reachable from on-prem, but newly added VCN CIDR blocks are not. Security lists allow the traffic. What is the MOST likely missing configuration?

A company uses FastConnect with a private virtual circuit to connect on-premises to multiple VCNs in OCI. They want to centralize connectivity through a hub VCN and avoid managing many separate connections. Which architecture is recommended?

Your security team wants to restrict east-west traffic between application tiers within the same VCN while keeping subnet CIDRs unchanged. Which approach is BEST practice for granular segmentation?

A public load balancer fronts an API. You need to ensure only clients from a specific set of corporate IP ranges can reach the listener, while health checks and backend traffic remain unaffected. Where should you apply the restriction?

You must provide private, low-latency connectivity from OCI workloads to a SaaS provider that is available through OCI’s network of cloud on-ramps (without traversing the public internet). Which OCI capability is most appropriate?

Two VCNs in the same region are peered using Local Peering Gateways (LPGs). Instances can communicate one-way (VCN-A to VCN-B) but not the reverse. Security lists/NSGs allow the traffic. What is the MOST likely cause?

Your company uses a DRG as a transit hub connecting on-premises (FastConnect), two spoke VCNs, and a third-party network appliance VCN for inspection. You want all traffic from spoke VCNs to on-premises to be forced through the inspection VCN, while spoke-to-spoke traffic should remain direct through the DRG. Which DRG design is MOST appropriate?

You created a Network Load Balancer (NLB) and a backend set of compute instances. Health checks are passing, but clients intermittently fail to connect and the instances show the client IP as the NLB IP instead of the original client. Which configuration best preserves the original client IP at the backend?

A team is troubleshooting an OCI VCN where instances in a private subnet cannot resolve external domain names. They can resolve private DNS names for resources within the VCN. There is a NAT Gateway for egress, and security rules allow outbound traffic. What is the most likely missing component?

Your organization requires that traffic between two OCI VCNs in different regions stay on Oracle’s private backbone and not traverse the public internet. Which solution best meets this requirement?

A security team wants centralized enforcement so that all traffic between a spoke VCN and the internet must pass through an inspection firewall appliance deployed in a hub VCN. Spoke VCNs should not have direct internet egress. Which architecture is the best fit in OCI?

You need to allow compute instances in a private subnet to access Object Storage without using public IPs. Which OCI component should you use?

An application behind an OCI Load Balancer must ensure that only TLS 1.2+ is used and that clients connect using HTTPS, but backend instances should receive unencrypted HTTP for simplicity. Which configuration best meets this requirement?

A site-to-site IPSec VPN is up, but traffic to a newly added on-premises subnet is not flowing. The CPE can reach OCI subnets, but OCI instances cannot reach the new on-prem subnet. You are using BGP over IPSec. What is the most likely cause in OCI?

You must ensure that a production VCN can use the same RFC1918 CIDR ranges as an on-premises network (overlapping addresses), but still establish connectivity for a limited set of services. Which approach is most appropriate in OCI?

A security operations team wants to detect and alert on suspicious inbound traffic patterns to public-facing resources in a VCN, with minimal operational overhead. Which OCI service is the best fit?

You are designing a highly available hybrid connectivity solution from on-premises to OCI for mission-critical workloads. Requirements include redundancy against a single circuit failure and automatic failover. Which design best meets these requirements?

You need to publish a private DNS name (for example, app.internal) that resolves only for instances inside a specific VCN, and you want OCI to automatically manage the DNS service without running your own DNS servers. What is the recommended approach?

A backend set in an OCI Load Balancer is configured with a health check on port 443, but all backends remain in CRITICAL state. You can curl the application successfully from a bastion host in the same subnet as the backends. What is the MOST likely cause?

You are asked to create a highly available IPSec VPN from an on-premises data center to OCI, and the on-premises device supports two tunnels. Which OCI component is used to terminate the VPN tunnels?

You need to restrict egress from a private subnet so that instances can access Oracle Cloud Infrastructure Object Storage without traversing the public internet and without assigning public IPs. Which solution meets this requirement?

Your organization uses a hub-and-spoke design with a central DRG. A new spoke VCN must reach on-premises networks and also other spokes, but you want to avoid manually maintaining many specific routes in each spoke VCN. Which DRG capability best addresses this?

A team wants to allow traffic to a set of compute instances only from other instances that share the same application role, regardless of their IP addresses (which may change). Which approach is MOST appropriate?

You created a WAF policy to protect an OCI Load Balancer, but users still reach the application even when you intentionally trigger a rule that should block requests. The WAF policy is associated with the correct load balancer. What is the MOST likely configuration issue?

A public OCI Load Balancer must terminate TLS and route requests to different backend sets based on the URL path (for example, /api to one pool and /static to another). Which configuration is required?

A company uses FastConnect with a private virtual circuit to a DRG. They want OCI to learn on-premises prefixes dynamically, and they also need on-premises to learn multiple VCN CIDRs attached to the same DRG. Which method should be used?

You are implementing IPv6 in an existing VCN that already uses IPv4. You assign IPv6 prefixes to subnets and VNICs, but instances cannot reach the internet over IPv6. IPv4 internet access works. Which change is REQUIRED to enable outbound IPv6 internet connectivity?

You need to ensure that the backend servers of a public OCI Load Balancer are never directly reachable from the internet, while still allowing the Load Balancer to reach them. Which design best meets this requirement?

Two VCNs are connected using Local Peering Gateway (LPG). Instances in VCN-A cannot reach instances in VCN-B. Security list rules appear correct, but traceroute shows packets stop at the source subnet. Which misconfiguration is the MOST likely cause?

You are asked to quickly block all outbound traffic from a set of compute instances in a subnet, without modifying each instance. The instances are already grouped in an NSG. What is the recommended approach?

A SaaS application is fronted by an OCI public Load Balancer. You must ensure end-user source IP is visible to the backend application. Which Load Balancer configuration is MOST appropriate?

You are designing a hub-and-spoke topology using a DRG to connect multiple VCN spokes. The hub VCN includes an OCI Network Firewall for traffic inspection between spokes and to on-premises. Which routing approach is recommended to ensure all spoke-to-spoke traffic is inspected?

A web application uses an OCI Load Balancer with HTTPS listener and backend servers in a private subnet. Users intermittently receive 502 errors, and Load Balancer metrics show backend connection failures. Health checks are passing. Which is the MOST likely cause?

Your on-premises network is connected to OCI using FastConnect through a third-party provider and DRG. You need a redundant design that keeps connectivity even if the provider’s single physical location becomes unavailable. Which approach best achieves this?

You enabled VCN Flow Logs for a subnet and want to investigate why a specific instance cannot reach a database on TCP 1521. Which flow log observation most directly indicates that a security rule is blocking the traffic?

A company uses a DRG to connect multiple VCNs and on-premises via BGP. After adding a new spoke VCN, on-premises learns the spoke CIDR, but the spoke cannot reach on-premises. Existing spokes work. Security rules allow the traffic. What is the MOST likely DRG-related cause?

You must design an OCI network where workloads in multiple subnets access OCI services (Object Storage, Autonomous Database) privately, and you must prevent data exfiltration to public endpoints for those services. Which combination is MOST appropriate?