Oracle Cloud Infrastructure Foundations Associate Advanced Practice Exam: Hard Questions 2025

A startup runs a multi-tier application in OCI across two Availability Domains (ADs) in the same region. They need to explain to an auditor which failures their design can tolerate without losing service: an AD outage, a region-wide outage, or a single physical server failure. They also want to identify which OCI construct most directly represents the blast-radius boundary they are leveraging. Which statement is MOST accurate?

A team must migrate a large on-prem dataset to OCI and keep it current for several weeks while applications are cut over in phases. Network links are unreliable, and the dataset is too large to transfer only over the internet within the required window. They also need to minimize application changes and ensure the final cutover involves only a short delta sync. Which approach BEST fits these constraints using OCI capabilities?

A security team wants to ensure developers can only create compute instances using a pre-approved set of images and shapes. They also want violations to be prevented (not merely detected) and want the control to apply consistently across multiple compartments. Which OCI capability BEST meets this requirement?

An application uses a public load balancer in a VCN. The backend compute instances are in a private subnet with no public IPs. Users report intermittent timeouts. The load balancer health check shows some backends as unhealthy, but SSH is not possible directly to the instances. You suspect a network security rule issue. Which change is MOST likely to resolve the issue while preserving a least-privilege posture?

A company deploys a three-tier web app. The web tier is in a public subnet behind a public load balancer. The app and database tiers are in private subnets. The app tier needs to download patches from the internet, but the database tier must never initiate outbound internet connections. Which is the BEST design using OCI networking components?

A compliance requirement states: 'All customer data at rest must be encrypted using customer-managed keys, and key access must be limited to a dedicated security team. Application teams may use storage services but must not be able to decrypt data directly.' Which OCI approach BEST satisfies this?

A platform team uses compartments to separate environments (Dev, Test, Prod). They want to enforce that only the platform team can create or modify networking (VCNs, subnets, gateways), while application teams can manage compute instances and load balancers within their environment compartments. They also want to avoid duplicating policies per compartment where possible. Which is the BEST approach?

A batch processing workload runs nightly on OCI Compute and writes results to Object Storage. The team wants to minimize operational overhead and ensure that if a job fails, they can quickly determine whether it was due to compute resource exhaustion, network issues, or application errors. They also need a centralized view over time and the ability to set alarms. Which combination of OCI services BEST addresses this?

A company uses multiple compartments and wants to detect and prioritize risky configurations such as publicly exposed buckets, permissive security list rules, and overly broad IAM policies. They also want prescriptive recommendations and the ability to automate response actions for certain findings. Which OCI service BEST fits this requirement?

A team needs to grant a CI/CD system running outside OCI the ability to deploy resources (compute, networking, and Object Storage) into a specific compartment. Security requires no long-lived user credentials or API keys stored in the pipeline. They also want the ability to tightly scope and rotate trust. Which approach is BEST in OCI?