Oracle Cloud Infrastructure 2025 Architect Professional Practice Exam 2025: Latest Questions

A company wants to publish a static marketing website globally with low latency and minimal operational overhead. The content must be served over HTTPS with a custom domain and should tolerate regional outages. What is the recommended OCI architecture?

Your security team requires that all newly created Object Storage buckets automatically encrypt data using customer-managed keys and that key usage is auditable. Which approach best meets this requirement?

A team needs private access from instances in a VCN to OCI services (such as Object Storage) without traversing the public internet. What should you configure?

An architect wants to reduce blast radius by separating duties and limiting administrative access between networking and application teams. Which OCI capability best supports this goal?

A three-tier application must be highly available within a region. The web tier should be accessible from the internet, while app and database tiers must be private. Which VCN design is most appropriate?

Users report intermittent 502 errors from an OCI Load Balancer. Backend servers are healthy when accessed directly. Which is the most likely OCI configuration issue to check first?

A company must enforce that database administrators cannot access application secrets in clear text, while applications can retrieve secrets at runtime. Which design best meets this requirement in OCI?

You are migrating a fleet of on-prem VMs to OCI. The requirement is to automate provisioning, keep configurations consistent across environments, and support repeatable deployments. Which approach is most aligned with OCI best practices?

A regulated workload requires that all API calls across multiple compartments are centrally logged and that security analysts can detect anomalous activity (for example, unexpected IAM policy changes) with minimal delay. Which solution best satisfies this requirement?

A global application runs active-active in two OCI regions. The application uses private IPs for east-west traffic and must ensure that in-region traffic stays local, but cross-region traffic can route over private connectivity. The design must support future addition of a third region without readdressing. Which networking design is most appropriate?

An administrator needs to allow an external auditor to review OCI resources across several compartments for 30 days. The auditor must not be able to change any configuration, and access should be easy to revoke. What is the BEST approach?

A VCN has multiple subnets. You want to restrict egress from a private subnet so that instances can reach only OCI Object Storage and nowhere else on the internet. Which design meets this requirement with minimal operational overhead?

You need to enforce that all newly created Object Storage buckets must be encrypted with a customer-managed key (not Oracle-managed). Which OCI capability is the MOST appropriate to enforce this proactively across compartments?

A multi-tier application runs on OCI Compute in a private subnet. Users access it through a public load balancer. After a security hardening change, the health checks for the backend instances started failing, but SSH access to instances still works via Bastion. What is the MOST likely cause?

A company wants to standardize network provisioning across environments (dev/test/prod) and ensure changes are reviewed and auditable. They also want repeatable deployments with minimal drift. Which approach is BEST?

A team is designing a highly available web application across two Availability Domains within the same region. They want to minimize service disruption if a single AD becomes unavailable. Which design is MOST appropriate?

A security team requires centralized visibility into configuration changes on critical networking resources (VCNs, route tables, security lists, NSGs) and wants near real-time alerting when changes occur. Which combination best satisfies this?

An application stores large files in Object Storage. A new compliance requirement mandates that objects must be immutable for 7 years after upload, including protection from deletion by administrators. Which feature best addresses this requirement?

A company is migrating a mission-critical on-premises database to OCI. The database must continue to serve reads and writes during the transition, and the team wants the lowest possible cutover time with continuous replication until switchover. Which migration approach is MOST appropriate?

You must design a hub-and-spoke network in OCI where multiple application VCNs (spokes) share a centralized security inspection layer in a hub VCN. Requirements: avoid asymmetric routing, support transitive routing between spokes through the hub, and keep blast radius small. What is the BEST architecture?

A customer wants to access a private OCI API endpoint (for example, a private load balancer or a private API endpoint) from on-premises over FastConnect. They must ensure traffic does NOT traverse the public internet and that DNS resolution returns only private IP addresses for the endpoint. Which design best meets this requirement?

Your organization needs to enforce that Object Storage buckets can only be created with encryption using customer-managed keys (CMKs) from OCI Vault. You must prevent noncompliant bucket creation across multiple compartments. Which approach is the MOST appropriate?

A team is building a multi-tier application in a single OCI region. The web tier in a public subnet must accept HTTPS from the internet, while the application tier in a private subnet must only accept traffic from the web tier on TCP 8443. Which is the BEST practice to implement this control?

A database running on an OCI compute instance shows intermittent connectivity drops from application servers in the same VCN. The application servers and database are in different subnets. Security Lists appear correct. You discover that the database instance has two VNICs attached and the application connects using the database’s secondary VNIC IP. What is a likely cause and the BEST fix?

A company needs to migrate 30 TB of unstructured data from an on-premises NAS to OCI Object Storage. The WAN link is constrained and the migration must complete quickly with minimal impact on production traffic. Data integrity verification is required. Which solution is MOST appropriate?