50 Oracle Cloud Infrastructure 2025 Multicloud Architect Professional Practice Questions: Question Bank 2025

An enterprise is designing a multicloud architecture with workloads split between OCI and another cloud provider. They want a consistent approach to defining and provisioning infrastructure across both clouds, with code reviews and repeatable deployments. Which approach is the BEST fit?

A company federates workforce identities from an external Identity Provider (IdP) to OCI. They want to minimize long-lived credentials and enforce least privilege for administrators. Which OCI capability BEST supports this requirement?

Two VCNs in the same OCI region must communicate privately using their private IP ranges. The network team wants the simplest OCI-native solution without deploying virtual appliances. Which solution should you choose?

An application is deployed across multiple fault domains within one OCI region. The business asks for protection against an entire regional outage with minimal data loss and the ability to bring the service back up in another region. Which strategy BEST aligns with this requirement?

A multicloud application uses OCI Object Storage to host static content. The security team requires that objects are not publicly accessible, but content must still be delivered to end users with low latency globally. What is the BEST design?

A company has separate OCI compartments for Dev and Prod. They want to ensure that Dev administrators can manage only Dev resources, while a central security team can audit both compartments. Which approach BEST meets this requirement?

An organization connects OCI to an on-premises data center using FastConnect and also has an IPSec VPN as backup. During a FastConnect outage, traffic does not fail over to VPN as expected. What is the MOST likely missing configuration?

A multicloud workload requires private access from OCI compute instances to OCI services (such as Object Storage) without traversing the public internet. The security team mandates that instances must not have public IP addresses. Which OCI component should you implement?

A regulated enterprise uses federated SSO into OCI and wants administrators to have elevated privileges only when needed, with approvals and full auditability. They also want to avoid permanently assigning broad IAM policies. Which design is MOST appropriate?

A mission-critical service runs active-active across two OCI regions and also integrates with a second cloud provider. The business requires automated regional failover with minimal user impact and consistent DNS behavior across providers. Which architecture choice BEST meets this requirement?

An enterprise uses Microsoft Entra ID as its primary identity provider. They want users to sign in once and access the OCI Console and also assume OCI IAM roles for API/CLI access without creating local OCI users. Which approach best meets this requirement?

A team needs to provide a third-party auditor read-only access to security-related events and configurations in OCI for 30 days. They must follow least privilege and avoid granting broad tenancy-wide permissions. What is the best solution?

Two workloads run in different clouds: an application tier in OCI and a database in another cloud. The traffic must stay on private IP space (no internet) and use predictable routing. Which connectivity approach is most appropriate?

A multicloud architecture requires consistent enforcement that OCI Object Storage buckets cannot be made public. The security team wants preventive controls rather than only detection. Which OCI capability best addresses this?

An application deployed across multiple OCI regions uses a global traffic manager to steer users to the closest region. During a regional outage, traffic should automatically fail over to a healthy region. Which design element is required to enable safe automated failover?

A company connects OCI to an on-premises network and a second cloud through an OCI DRG. After adding a new VCN attachment, instances in the VCN cannot reach on-premises networks, but on-premises can reach the VCN. Security lists and NSGs are confirmed correct. What is the most likely cause in OCI?

A security engineer wants to ensure that compute instances in OCI can access OCI services (for example, Object Storage) without sending traffic over the public internet, and without using NAT gateways. What is the recommended OCI feature?

A multicloud solution uses short-lived credentials for workloads running on OCI compute instances. The team wants to avoid storing long-lived secrets and must support automatic key rotation. Which OCI approach best fits?

A regulated enterprise must implement a multi-region disaster recovery strategy for an OCI-hosted application while also integrating with a second cloud for analytics. They require (1) defined RTO/RPO targets, (2) regular DR testing, and (3) minimal manual steps during failover. Which combination best meets these requirements?

A company uses federated identities and strict compartment boundaries. An application running on OCI instances must read objects from a specific bucket in a different compartment. They used instance principals, but access is denied. Audit logs show requests are made by the instance principal. Which is the most likely fix?

Your organization uses Microsoft Entra ID as the corporate identity provider. You want users to sign in to the OCI Console with their existing corporate credentials and have group membership drive OCI permissions. Which approach is the recommended design?

A team wants an OCI workload to access an Azure-hosted REST API without storing secrets on the instance. The workload runs on OCI Compute and should use a managed identity-style approach. What is the best OCI-native solution?

You are designing private connectivity between OCI and another cloud provider where traffic must stay off the public internet. The solution must support dynamic routing and route propagation to multiple VCNs via a hub. Which OCI components best meet this requirement?

After setting up OCI-to-other-cloud private connectivity, instances in a private OCI subnet cannot reach an IP range hosted in the other cloud. The security rules allow it. Which is the most likely missing configuration in OCI?

A multicloud application requires end-to-end encryption in transit, and the security team mandates that TLS certificates be managed centrally with automatic rotation. The application runs across OCI and another cloud. Which OCI service is most appropriate for managing the certificates used by OCI load balancers and gateways?

A company wants a hub-and-spoke network in OCI to connect multiple VCNs and also connect to another cloud via private connectivity. They require isolation so that some spokes can reach the other cloud but not each other. Which design best satisfies this?

Your organization is implementing a multicloud landing zone. They want to prevent teams from creating overly permissive network security rules (for example, allowing 0.0.0.0/0 to sensitive ports) while still allowing self-service provisioning. What is the best OCI-native governance approach?

A production workload is deployed active-active across OCI and another cloud. The application uses a single logical DNS name. You must design failover so that if one cloud becomes unhealthy, traffic is shifted automatically based on health checks. Which approach best fits this requirement?

A regulated enterprise requires that only approved OCI regions and services can be used by application teams. The controls must be enforceable (preventive) rather than purely detective. Which combination is most appropriate?

A multicloud architecture uses private connectivity between OCI and another cloud. During a disaster recovery event, the other cloud must reach OCI DR subnets, but only a subset of routes should be advertised to avoid asymmetric routing. What is the best OCI mechanism to control which routes are shared externally?

A company runs containerized microservices on Azure Kubernetes Service (AKS) and wants to call an OCI Autonomous Database over a private path with minimal operational overhead. The security team requires that database traffic does not traverse the public internet. Which approach best meets the requirement?

An enterprise uses Azure Active Directory (Microsoft Entra ID) as the identity provider and wants OCI Console and API access to be controlled by Azure AD group membership. What is the recommended integration pattern?

A workload spans OCI and AWS. The application tier runs in AWS, while OCI hosts shared services (logging and database). During troubleshooting, engineers see that OCI instances cannot resolve AWS private hostnames over the interconnect. Network connectivity is confirmed at the IP layer. What is the most likely missing configuration?

A company must ensure that only approved OCI regions and services can be used by federated users coming from an external IdP. Which OCI capability is primarily used to enforce this governance control?

A multicloud architect needs to design a failover plan where an application runs active in OCI and has a warm standby in another cloud. The requirement is to minimize RTO while keeping cost lower than fully active-active. Which strategy best fits?

A security team wants to ensure that OCI Compute instances used to integrate with Google Cloud APIs never store long-lived keys on disk. Which approach is most aligned with this requirement?

An architect needs to connect multiple VCNs to a single on-premises network and also connect those VCNs to a partner network in another cloud. The design should support scalable routing without managing many separate IPSec tunnels. Which OCI component is central to this design?

A team is migrating a service from on-prem to OCI, but dependent applications remain in AWS for several months. They want to validate OCI network security changes continuously and detect accidental exposure (for example, overly permissive security lists/NSGs) as configurations evolve. Which OCI-native approach best supports this ongoing validation?

A company uses OCI Object Storage for backups and must replicate critical backup objects to another OCI region and also make them recoverable if ransomware encrypts primary data. Which design best meets both regional DR and ransomware recovery goals?

A team wants to grant a CI/CD pipeline running outside OCI permission to push images to OCI Container Registry (OCIR) without creating a long-lived IAM user credential. Which option is most appropriate?

An enterprise uses Microsoft Entra ID (Azure AD) as its identity provider and wants OCI Console access for users with least privilege. The security team requires that group membership in Entra ID automatically maps to OCI groups to control IAM policies. What is the recommended approach?

You need a private, low-latency connection from an OCI VCN to a Microsoft Azure VNet without traversing the public internet. Which connectivity option best meets this requirement?

A team wants to enforce that OCI resources can only be created with an approved set of tags and that certain compartments cannot create public IP addresses. Which OCI capability is designed to enforce these rules proactively?

A workload in OCI needs to call Azure services using OAuth 2.0 tokens without storing long-lived client secrets. The company uses a CI/CD pipeline and wants short-lived credentials with automatic rotation. What is the best solution pattern?

A company has a hub-and-spoke network in OCI. Multiple application VCNs (spokes) must reach Azure resources over a single private connectivity path. They also want centralized egress inspection. Which OCI design best fits this requirement?

After configuring an IPSec Site-to-Site VPN between OCI and another cloud, the tunnels show as UP, but instances in a private subnet cannot reach the remote network. You confirmed the instances can reach the OCI VPN headend. What is the most likely missing configuration in OCI?

A security team wants to minimize blast radius in a multicloud design. They require that production workloads in OCI and Azure use separate identities and cannot share the same permissions, but they also want a unified sign-in experience. Which design satisfies both requirements?

You need a cross-region disaster recovery plan for an OCI-hosted application that uses Object Storage for artifacts and a database service. The RPO requirement is low, and the plan must include periodic failover testing without impacting production. What is the best approach?

A multicloud application spans OCI and Azure. Compliance requires that all egress from OCI to Azure must be inspected, but the organization also requires end-to-end encryption between services. During inspection, the security team proposes decrypting TLS traffic at the hub firewall and re-encrypting it to Azure. What is the best-practice concern with this approach?

A company uses private connectivity between OCI and Azure. They observe intermittent packet loss only for certain subnets when traffic goes from Azure to OCI. Both sides use overlapping RFC1918 CIDRs in different environments, and NAT is used in some places. What is the most likely root cause and the most appropriate fix?