50 Oracle Cloud Infrastructure 2025 Architect Professional Practice Questions: Question Bank 2025

A team is designing a new public-facing web application on OCI. Requirements: (1) TLS must terminate at the edge, (2) traffic must be distributed across multiple application instances, and (3) the application instances must not have public IP addresses. Which architecture best meets these requirements?

A security architect must ensure that only approved OCI services can be called from resources in a private subnet without using the internet, and all such traffic must stay on Oracle's backbone. Which OCI feature should be used?

A company needs to enforce that all newly created Object Storage buckets are encrypted using customer-managed keys and that noncompliant buckets are prevented at creation time. Which approach best satisfies this requirement?

You are migrating workloads and want to allow private instances to download OS updates and packages from the public internet without assigning them public IP addresses. Which OCI component should you add to the VCN?

A SaaS provider deploys microservices on OCI and needs to securely provide database credentials to compute instances and rotate them periodically without embedding secrets in images or code. Which OCI service combination is most appropriate?

A company operates two VCNs in the same region: a shared services VCN (DNS, logging, CI/CD) and an application VCN. They need private connectivity between the VCNs with minimal latency and without transiting the public internet. The networks must remain isolated from other VCNs. What is the best OCI connectivity option?

An application running on a Compute instance in a private subnet cannot reach Object Storage. The subnet has a route rule to a Service Gateway, and the instance can resolve Object Storage hostnames. A network engineer suspects security rules. Which change is most likely required?

A regulated workload requires that administrators have no standing privileges and can perform production changes only through time-bound, auditable elevation with approvals. Which OCI capability best addresses this requirement?

An enterprise needs end-to-end private connectivity from on-premises to multiple OCI regions. Requirements: (1) consistent routing control, (2) centralized inspection using a hub-and-spoke model, and (3) ability to attach multiple VCNs and on-premises networks. Which design best fits?

A company must migrate hundreds of VMs from an on-premises environment to OCI with minimal downtime. After migration, VMs should boot on OCI Compute with similar network configurations, and cutover should be orchestrated in waves. Which approach best aligns with these requirements?

A team must ensure that all OCI Object Storage buckets in a compartment are encrypted with customer-managed keys and that bucket deletion is prevented unless explicitly approved. Which approach best meets this requirement?

A startup wants to publish a private API for internal microservices running on OCI. The API must be reachable only from within their VCNs (including across regions) and should use a managed gateway service rather than self-managed proxies. Which solution is most appropriate?

An application in a private subnet cannot reach the internet to download OS patches. The route table includes a default route (0.0.0.0/0) to a NAT Gateway. Security lists allow outbound traffic. What is the most likely cause?

A company runs a mission-critical database on OCI and needs near-real-time block-level replication to a standby in another region, with automated role transitions during planned switchovers. Which OCI service best fits this requirement?

A security team wants to ensure administrators can manage OCI resources but cannot read sensitive data in Object Storage. The application teams need to read/write objects. Which design best enforces separation of duties?

A SaaS provider hosts workloads for multiple customers in OCI. They require strong network isolation per customer while still sharing a central services VCN (logging, inspection) and avoiding overlapping IP issues. Which architecture is most appropriate?

A team is migrating a large dataset from an on-premises NAS to OCI. They need to preserve POSIX permissions, support NFS clients in OCI, and minimize application changes. Which target storage service is the best fit?

An application is deployed across multiple availability domains using an OCI Load Balancer. Users intermittently experience 502 errors during peak load. Backend health checks show occasional timeouts. Which action is the most appropriate first step to troubleshoot and stabilize the service?

A company must centrally enforce that only approved OCI images are used to launch compute instances across multiple compartments. They want a preventive control that blocks noncompliant launches. Which solution best meets the requirement?

A team wants to securely grant an external auditor time-bound, read-only access to specific resources in a single compartment without creating a local user. Which approach is recommended?

You need to ensure all newly created Object Storage buckets across multiple compartments automatically enforce encryption with customer-managed keys, and prevent teams from creating buckets without this control. Which approach best meets this requirement?

A team wants private access from compute instances in a private subnet to OCI services such as Object Storage and Autonomous Database without using an internet gateway or NAT gateway. What should you implement?

You need to share a single Object Storage bucket with an external partner for 48 hours. The partner should have read-only access without creating an OCI user for them. Which is the best solution?

A workload requires end-to-end TLS with client certificate validation at the edge, and the backend application must see the original client certificate details. Which OCI Load Balancing configuration is most appropriate?

You are designing a multi-VCN architecture. Two VCNs in the same region must communicate privately. You need transitive routing so that VCN-A can reach VCN-C through a central hub, and you want to scale to many spokes. What is the recommended design?

A security team requires that compute instances can retrieve secrets at runtime without embedding credentials in images. Secrets must be rotated, and access must be controlled by instance identity. Which solution best fits?

You are migrating hundreds of VMs from on-premises to OCI. The target architecture uses multiple compartments and standard tagging. You need repeatable, auditable provisioning with the ability to preview changes before applying them. Which approach is most appropriate?

A critical service runs on a regional subnet and must survive an Availability Domain outage. The application is stateful, and you need to minimize RPO while allowing automatic failover between instances in different ADs. Which design is most appropriate?

A company must enforce that all API calls to OCI services originate only from its corporate network ranges, including calls made by OCI users and administrators. Which control most directly enforces this requirement?

After implementing OS Management for patching, you notice that instances in a private subnet are not reporting to the service. There is no internet gateway and no NAT gateway. The VCN has a service gateway configured. What is the most likely missing piece?

A team wants all new Object Storage buckets in a compartment to be private by default and to prevent accidental public exposure. Which OCI capability best enforces this requirement continuously?

You need to give an OCI function the ability to read objects from a single Object Storage bucket, without embedding user credentials in code. What is the recommended approach?

A web application uses multiple compute instances in a public subnet behind a public load balancer. You must allow the instances to download OS patches from the internet, but you must not allow inbound connections directly to the instances from the internet. Which design meets the requirement?

You are designing DNS for a multi-tier application. The company wants the same DNS name to direct users to the closest healthy regional endpoint and to fail over to another region if the primary region becomes unavailable. Which OCI service and feature best satisfies this?

A security team requires that only approved container images can be deployed to a managed Kubernetes cluster. They also want automatic vulnerability scanning of images. Which OCI approach best meets these requirements?

A team is migrating a large on-premises dataset to OCI Object Storage. They want to minimize load on the source system and transfer only changed data after the initial copy. Which approach is most appropriate?

A production application is deployed across three availability domains in a single region. After a subnet CIDR change request, several instances cannot reach an OCI public service endpoint, while others work. VCN security lists and NSGs appear correct. What is the MOST likely OCI configuration issue?

A company must enforce that databases and boot volumes are always encrypted with customer-managed keys, and keys must be rotated according to internal policy. Which design best satisfies this requirement in OCI?

You are designing a multi-account (multi-tenancy) integration where a SaaS provider must access resources in customer tenancies with least privilege and without sharing long-lived secrets. Which OCI capability is best suited for this pattern?

A mission-critical application uses a stateful tier on compute instances that must survive planned maintenance and instance host failures with minimal downtime. The application cannot be easily re-architected immediately. Which OCI design best improves resilience for this stateful tier?

You need to quickly verify whether a given OCI subnet can reach the internet without changing any resources. Which OCI feature is BEST suited for this point-in-time validation?

A security team wants to enforce that only corporate-owned devices can access OCI resources through the Console and APIs, using strong authentication and conditional access. Which OCI capability is the MOST appropriate to implement this requirement?

A team wants a private, optimized path from compute instances in a VCN to Oracle services such as Object Storage, without traversing the public internet. What should they deploy?

An organization has 40 OCI compartments and wants to restrict who can create public IP addresses across the tenancy while allowing network administrators to manage private networking resources. Which approach best matches OCI best practices?

A multi-tier application requires east-west inspection between subnets and centralized egress control. The solution must scale and avoid embedding security appliances on every instance. Which OCI architecture best meets these requirements?

You are migrating a database-backed application to OCI. The application cannot tolerate IP changes for the database endpoint during maintenance or failover. Which OCI feature should you use to provide a stable private IP for the database service?

A compliance requirement states that object data must be encrypted with customer-managed keys and that access to the key must be auditable and revocable. Which OCI approach best satisfies this?

A DevOps team wants to reduce outages caused by manual changes to network security rules. They need peer review, traceability, and repeatable deployments across multiple environments (dev/test/prod). What is the BEST approach in OCI?

A regulated workload requires that only approved OCI services be used in a compartment, and any attempt to create disallowed resource types must be prevented. Additionally, the security team wants automated remediation for misconfigurations that slip through. Which combination is MOST appropriate?

A global application uses multiple OCI regions. The architecture requires private connectivity between VCNs in different regions with transitive routing through a central hub network, while keeping spoke VCNs isolated from each other unless explicitly allowed. Which design is MOST appropriate?