1z0-1124-25 Oracle Cloud Infrastructure 2025 Networking Professional Questions and Answers

Requirements:Encrypt FastConnect traffic with minimal bandwidth impact.

IPSec Options:

DRG VPN:Native OCI solution over FastConnect.

Firewall Appliances:Adds overhead and complexity.

Compute Instances:Resource-intensive, not scalable.

Internet VPN:Uses public internet, against requirements.

Evaluate Options:

A:DRG VPN with AES-GCM (low-overhead encryption) leverages FastConnect; optimal.

B:Firewalls with AES-256 add overhead, reducing bandwidth; less effective.

C:Compute-based VPN is inefficient and public-facing; unsuitable.

D:Public internet VPN violates privacy requirement; incorrect.

Conclusion:DRG VPN with AES-GCM is the most effective solution.

OCI supports IPSec over FastConnect via DRG. The Oracle Networking Professional study guide explains, "A Site-to-Site VPN over FastConnect using the DRG provides encrypted traffic with low-overhead algorithms like AES-GCM, maintaining high bandwidth" (OCI Networking Documentation, Section: FastConnect with VPN). This meets regulatory and performance needs efficiently.

Requirements: Private, low-latency cross-region VCN connectivity.

Option A: RPCs with route table updates enable private, direct peering via DRG—correct.

Option B: IPSec VPN adds latency over internet—incorrect.

Option C: Service Gateways are for OCI services—incorrect.

Option D: NAT Gateways use public IPs, not private—incorrect.

Conclusion: Option A is necessary.

Oracle states:

"Use Remote Peering Connections (RPCs) with DRG to connect VCNs across regions privately. Update route tables for CIDR routing."This supports Option A. Reference:Remote VCN Peering - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Network/Tasks/remoteVCNpeering.htm).

Objective: Block all outbound internet traffic from a private subnet, ensuring compliance despite misconfigurations.

Option A: ALLOW to 0.0.0.0/0 permits all traffic, contradicting the requirement.

Option B: DROP to NAT Gateway IP only blocks traffic to the NAT Gateway, not all internet traffic (e.g., misconfigured routes bypassing NAT).

Option C: REJECT to 0.0.0.0/0 blocks all outbound traffic to any IP, sending an ICMP unreachable message. This ensures no internet access, even if misconfigured, and aids troubleshooting.

Option D: ALLOW to Service Gateway permits OCI service access, not internet blocking.

Conclusion: Option C is the most comprehensive and compliant solution.

Oracle’s Network Firewall guide states:

"Use REJECT with a destination of 0.0.0.0/0 to block all outbound traffic and notify the source, ideal for strict egress control."This matches Option C’s purpose. Reference:Network Firewall Policies - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/NetworkFirewall/Tasks/managingpolicies.htm).

Goal: Balance security and performance with encryption in a VCN.

Option A: TLS only to the load balancer leaves internal traffic unencrypted, risking exposure—insufficient security.

Option B: mTLS everywhere maximizes security but adds significant overhead (e.g., certificate management), impacting performance—overkill.

Option C: NSGs/Security Lists control access but don’t encrypt traffic—lacks protection for sensitive data.

Option D: TLS between OKE and Compute secures app-tier communication. Oracle Database Vault ensures ADB traffic is encrypted efficiently, leveraging built-in features—balanced approach.

Conclusion: Option D optimizes security and performance.

Oracle states:

"Use TLS for application traffic between tiers. Autonomous Database with Database Vaultprovides encryption in transit and at rest, minimizing overhead."This supports Option D. Reference:Security in OCI Networking - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Network/Concepts/securityoverview.htm).

Objective: Identify a VPN disadvantage for large dataset migration.

Option A: VPNs can be secure with IPSec; not inherently less secure—incorrect.

Option B: VPNs are automatable with IaC (e.g., Terraform)—incorrect.

Option C: Public internet limits VPN throughput due to bandwidth and latency variability—correct disadvantage.

Option D: VPNs are compatible with OCI services—incorrect.

Conclusion: Option C is the key disadvantage.

Oracle notes:

"Public internet-based VPNs face throughput limitations due to bandwidth and latency variability, impacting large data migrations.”This supports Option C. Reference:VPN Limitations - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Network/Tasks/settingupIPSec.htm#limitations).

Problem: Instances with IPv6-only traffic can’t ping external IPv6 addresses despite FastConnect and IPv6 prefixes.

Option A: OCI supports Bring Your Own IP (BYOIP) for IPv6, including global unicast addresses, so this is incorrect.

Option B: NAT Gateways are for IPv4 outbound traffic, not IPv6—irrelevant here.

Option C: For IPv6-only instances to reach external IPv6 addresses (beyond FastConnect),an Internet Gateway (IGW) is required with a default route (::/0) in the subnet route table. This enables public IPv6 connectivity—correct.

Option D: Service Gateway is for OCI services, not general IPv6 internet access—incorrect.

Conclusion: Option C fixes the issue by enabling IPv6 internet access.

Oracle states:

"To enable IPv6 traffic to the internet, attach an Internet Gateway to the VCN and add a route rule for ::/0. OCI supports BYOIP for public IPv6 prefixes."This aligns with Option C. Reference:IPv6 in OCI - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Network/Tasks/managingIPv6.htm).

Goal:Minimize maintenance of Bastion session configurations.

Bastion Options:

Individual Sessions:High maintenance per instance.

Dynamic Port Forwarding:Flexible but user-managed, prone to errors.

Centralized Service:Predefined targets, low maintenance.

Separate Hosts:Increases complexity and overhead.

Evaluate Options:

A:Per-instance sessions require constant updates; inefficient.

B:SOCKS5 shifts burden to users; moderate maintenance.

C:Centralized with managed sessions reduces effort; optimal.

D:Multiple hosts multiply management tasks; worst option.

Conclusion:Centralized Bastion with managed sessions is most efficient.

OCI Bastion service supports centralized management. The Oracle Networking Professional study guide notes, "A centralized Bastion service with managed sessions and predefined target configurations minimizes administrative overhead by streamlining access to private subnet resources" (OCI Networking Documentation, Section: Bastion Service). This approach leverages OCI’s automation capabilities.

Objective:Filter BGP routes on OCI to accept only specific on-premises prefixes.

BGP Attributes Overview:

AS Path Prepending:Lengthens AS path to influence route preference, not filtering.

MED:Influences exit point selection, not route acceptance.

RD/RT:Used in MPLS VPNs for tenant isolation, not simple prefix filtering.

Prefix Lists:Directly filter prefixes based on IP ranges.

Evaluate Options:

A:AS Path Prepending affects preference, not filtering; unsuitable.

B:MED influences path selection, not route rejection; incorrect.

C:RD/RT is for VPN contexts, not applicable here.

D:Prefix Lists explicitly allow/deny prefixes, meeting the requirement.

Conclusion:Prefix Lists on the FastConnect virtual circuit provide precise control over accepted routes.

Prefix Lists are the most effective BGP tool for filtering routes in OCI. The Oracle Networking Professional study guide notes, "Prefix Lists can be applied to FastConnect virtual circuits to filter BGP advertisements, ensuring only approved prefixes are learned by OCI" (OCI Networking Documentation, Section: FastConnect and BGP). This prevents routing conflicts by rejecting unwanted prefixes, aligning with the security and control requirements.

Goal: Efficient, cost-optimized data transfer minimizing egress charges.

Option A: Public internet incurs high egress costs—incorrect.

Option B: Hub-and-spoke doubles egress/ingress charges—less efficient.

Option C: Third-party platform at peering points reduces egress by leveraging direct connections—correct.

Option D: Storage Gateway is for hybrid, not multicloud efficiency—incorrect.

Conclusion: Option C is the most efficient strategy.

Oracle states:

"A third-party integration platform at peering points minimizes egress charges by using direct interconnects for multicloud data transfers.”This validates Option C. Reference:Multicloud Cost Optimization - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Network/Concepts/multicloud.htm#costoptimization).

Goal: Restrict subnet traffic to a specific on-premises IP range via FastConnect.

Option A: Internet Gateway is for public access, not FastConnect—incorrect.

Option B: Default security list applies broadly, lacking granularity; NSGs are more effective—less optimal.

Option C: Custom route table with DRG ensures FastConnect routing; NSGs provide precise, instance-level traffic restriction—correct.

Option D: LPG is for same-region VCN peering, not on-premises—incorrect.

Conclusion: Option C is the most effective method.

Oracle notes:

"Use a custom route table with a DRG route rule for FastConnect traffic. NSGs offer granular control to restrict traffic to specific IP ranges."This supports Option C. Reference:FastConnect and NSG Overview - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Network/Tasks/fastconnect.htm & docs.oracle.com/en-us/iaas/Content/Network/Concepts/NSGs.htm).

Purpose:Secure access to private subnet resources via Bastion.

Placement Considerations:Must be internet-accessible yet isolated.

Evaluate Options:

A:Private subnet lacks internet access for Bastion; incorrect.

B:Dedicated public subnet balances accessibility and isolation; correct.

C:Separate VCN adds complexity, unnecessary; less optimal.

D:Ambiguous phrasing, but implies exposure; less precise than B.

Conclusion:Dedicated public subnet is the best placement.

OCI Bastion requires public access with security. The Oracle Networking Professional study guide notes, "Place the Bastion host in a public subnet with a dedicated configuration to allow secure SSH access to private subnet resources without exposing them directly" (OCI Networking Documentation, Section: Bastion Host Placement). Option B ensures this balance.

Requirements:HTTP/HTTPS + TCP, advanced routing, WAF protection.

Load Balancers:

NLB:Layer 4, no HTTP routing or WAF; unsuitable.

ALB:Layer 7, supports routing and WAF; fits perfectly.

Flexible LB:Not a specific OCI service; incorrect.

LBaaS:Generic term, not a product; incorrect.

Evaluate Options:

A:Lacks Layer 7 and WAF; incorrect.

B:Meets all needs with ALB + WAF; correct.

C:Non-existent; incorrect.

D:Too vague; incorrect.

Conclusion:Application Load Balancer is most suitable.

ALB supports complex e-commerce needs. The Oracle Networking Professional study guide states, "Application Load Balancer operates at Layer 7, offering content-based and path-based routing, and integrates with OCI WAF for exploit protection" (OCI Networking Documentation, Section: Application Load Balancer). This aligns with all requirements.

Objective: Improve OCI-AWS data transfer performance.

Option A: Region distance affects latency—valid.

Option B: Dedicated interconnect boosts bandwidth and stability—valid.

Option C: Compute pricing doesn’t influence inter-cloud bandwidth—invalid.

Option D: WAN optimization can enhance transfer efficiency—valid.

Conclusion: Option C is not a design consideration for performance.

Oracle notes:

"To optimize OCI-AWS connectivity, consider region proximity, dedicated interconnects, or WAN optimization. Compute pricing is unrelated to network performance."This excludes Option C. Reference:Hybrid Cloud Networking - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Network/Concepts/hybridcloud.htm).

Requirement: OCI-AWS traffic must stay in the US for sovereignty compliance.

Option A: A FastConnect partner guaranteeing US-only transit ensures compliance via a private, controlled path—correct.

Option B: DRG and VGW with VPN don’t guarantee US-only routing over public internet—incorrect.

Option C: Generic VPN can’t control internet paths despite US gateways—incorrect.

Option D: Public internet with DNS restrictions doesn’t enforce routing—incorrect.

Conclusion: Option A is the most critical consideration.

Oracle states:

"Choose a FastConnect partner that can guarantee geographic routing constraints, such as US-only transit, to meet data sovereignty requirements."This supports Option A. Reference:FastConnect Compliance - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Network/Tasks/fastconnect.htm#compliance).

Requirement:Centralized logging of Network Firewall traffic for analysis.

OCI Services:

Audit Service:Logs API calls, not network traffic.

Logging Analytics:Analyzes logs but needs log ingestion.

Service Connector Hub with Logging:Moves firewall logs to OCI Logging.

Cloud Guard:Monitors security posture, not detailed logging.

Evaluate Options:

A:Audit Service is for API events; incorrect.

B:Logging Analytics requires log source; incomplete.

C:Service Connector Hub with Logging captures and stores firewall logs; best fit.

D:Cloud Guard is for threat detection, not logging; incorrect.

Conclusion:Service Connector Hub with OCI Logging meets the requirement.

OCI Network Firewall logs require integration with OCI Logging. The Oracle Networking Professional study guide states, "Service Connector Hub can be configured to transfer Network Firewall logs to OCI Logging for centralized storage and analysis, meeting auditing requirements" (OCI Networking Documentation, Section: Network Firewall Logging). This ensures every session is logged and auditable.

Requirements: High bandwidth, low latency, leveraging direct fiber connectivity.

Option A: Site-to-Site VPN uses the public internet, lacking consistency and bandwidth—incorrect.

Option B: Internet Gateway is for public access, not dedicated connections—incorrect.

Option C: FastConnect Colocation uses direct fiber at Oracle locations, ensuring high bandwidth and minimal latency—correct.

Option D: DRG with remote peering is for VCN-to-VCN connectivity, not optimized for on-premises fiber—incorrect (DRG is part of FastConnect but not the service itself).

Conclusion: FastConnect Colocation is the most suitable.

Oracle states:

"FastConnect Colocation with Oracle leverages direct fiber connections at Oracle facilities, providing consistent, high-bandwidth, and low-latency access to OCI."This supports Option C. Reference:FastConnect Overview - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Network/Tasks/fastconnect.htm#colocation).

Goal: Filter Flow Logs for traffic rejected by a specific security list rule.

Option A: “action” = “REJECT” identifies rejected traffic; “securityListRule” with rule ID pinpoints the exact rule—correct.

Option B: “status” and “securityRule” aren’t standard Flow Log fields (“action” and “securityListRule” are)—incorrect.

Option C: “direction” and “port” filter traffic but don’t specify rejection or rule—incorrect.

Option D: “type” and “rule” aren’t valid Flow Log fields—incorrect.

Conclusion: Option A is the precise filtering method.

Oracle states:

"In Flow Logs, use the ‘action’ field (‘REJECT’) and ‘securityListRule’ field (rule ID) to filter traffic rejected by a specific security list rule.”This validates Option A. Reference:Flow Logs Fields - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Network/Concepts/flowlogs.htm#fields).

Objective: Identify the OCI component for dynamic routing in a hybrid setup.

Option A: Internet Gateway enables public internet access, not private hybrid routing—incorrect.

Option B: DRG is a virtual router that dynamically routes traffic between on-premises networks and VCNs via FastConnect or VPN, using protocols like BGP—correct.

Option C: Service Gateway provides private access to OCI services, not on-premises connectivity—incorrect.

Option D: LPG peers VCNs within the same region, not with on-premises—incorrect.

Conclusion: DRG is essential for hybrid dynamic routing.

Oracle documentation confirms:

"The Dynamic Routing Gateway (DRG) enables dynamic routing between your on-premises network and VCNs, supporting hybrid cloud connectivity via FastConnect or VPN."This validates Option B. Reference:Dynamic Routing Gateway Overview - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Network/Tasks/managingDRGs.htm).

Requirements: HA, HTTP/HTTPS support, health checks, cost-effectiveness.

Option A: NLB with TCP is Layer 4, lacks HTTP/HTTPS features—incorrect.

Option B: Flexible Load Balancer (Application LB) supports Layer 7 HTTP/HTTPS and health checks, ideal for production—correct.

Option C: NLB with UDP is irrelevant for HTTP/HTTPS—incorrect.

Option D: Flexible LB with TCP only limits Layer 7 features—incorrect.

Conclusion: Option B meets all needs efficiently.

Oracle states:

"The Application Load Balancer (Flexible LB) supports HTTP/HTTPS with health checks, suitable for production workloads."This supports Option B. Reference:Load Balancer Overview - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Balance/Concepts/balanceoverview.htm).

Goal: End-to-end encryption (client-to-LB and LB-to-backend).

Option A: HTTP backend set leaves LB-to-backend unencrypted—incorrect.

Option B: HTTPS listener and backend set with certificates ensures full encryption—correct and mandatory.

Option C: Backend-only certificates lack LB termination—incorrect.

Option D: TCP proxy bypasses LB encryption—incorrect.

Conclusion: Option B is mandatory for end-to-end encryption.

Oracle states:

"For end-to-end encryption, configure the HTTPS listener with an SSL certificate and set the backend protocol to HTTPS, requiring certificates on backend instances."This validates Option B. Reference:Load Balancer SSL - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Balance/Tasks/managingssl.htm).

Objective: Identify the OCI resource for private, low-latency VCN-to-VCN connectivity in the same region.

Option A: DRG connects VCNs to external networks (e.g., on-premises) or across regions, not for same-region peering—incorrect.

Option B: LPG is designed for private peering of VCNs within the same region, ensuring low-latency communication—correct.

Option C: Internet Gateway provides public internet access, not private connectivity—incorrect.

Option D: Service Gateway connects VCNs to OCI services, not other VCNs—incorrect.

Conclusion: Option B is the appropriate resource.

Oracle documentation states:

"A Local Peering Gateway (LPG) enables private connectivity between two VCNs in the same region, providing direct, low-latency communication."This confirms Option B. Reference:Local VCN Peering Overview - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Network/Tasks/localVCNpeering.htm).

Requirements: App tier only initiates to DB; web tier to app tier only.

Option A: NSGs with forced routing through app tier adds complexity and latency—less effective.

Option B: Single NSG lacks subnet-level isolation—incorrect.

Option C: Separate security lists per subnet with ingress/egress rules enforce isolation; route tables ensure proper VCN routing—correct and effective.

Option D: Security lists are good, but routing web-to-DB via app tier is unnecessary—incorrect.

Conclusion: Option C achieves isolation efficiently.

Oracle states:

"Use separate security lists per subnet with ingress/egress rules to isolate tiers. Route tables manage intra-VCN traffic without forced hops."This supports Option C. Reference:Security Lists Overview - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Network/Concepts/securitylists.htm).

Requirement:Restrict inter-subnet communication unless permitted.

Options Analysis:

A:Removing default route breaks all routing, overly restrictive; incorrect.

B:Separate VCNs are excessive, complex; less practical.

C:NSGs provide granular, explicit control; optimal approach.

D:External firewall adds complexity, not VCN-native; inefficient.

NSG Advantage:Instance-level rules enforce policy within VCN.

Conclusion:NSGs are the most appropriate solution.

NSGs enable precise security within a VCN. The Oracle Networking Professional study guide states, "Network Security Groups (NSGs) allow you to define strict ingress and egress rules for instances, ensuring inter-subnet communication is explicitly permitted as per security policies" (OCI Networking Documentation, Section: Network Security Groups). This is more efficient than VCN separation or external firewalls.

Goal:Prefer FastConnect routes over public internet in OCI.

BGP Attributes:

Local Preference:Higher value prefers a path within an AS.

AS Path:Shorter path preferred, but manipulated on sender side.

Prefix Length:More specific wins, but not controllable here.

MED:Influences inbound traffic, not OCI preference.

Evaluate Options:

A:Higher Local Preference ensures FastConnect priority; correct.

B:AS Path is set by on-premises, not OCI; incorrect.

C:Prefix specificity is on-premises controlled; incorrect.

D:MED affects on-premises, not OCI; incorrect.

Conclusion:Local Preference is the right attribute.

Local Preference controls route preference in BGP. The Oracle Networking Professional study guide states, "To prioritize FastConnect routes in OCI, increase the Local Preference for routes learned via the FastConnect virtual circuit over other paths" (OCI Networking Documentation, Section: BGP Configuration). This ensures OCI prefers the private path.

Objective: Load balance OCI-to-on-premises traffic over two FastConnect circuits.

Option A: Different MEDs prioritize one path, not balance—incorrect.

Option B: Same prefixes and attributes enable Equal-Cost Multi-Path (ECMP) routing, balancing traffic—correct.

Option C: AS Path Prepending prefers one path—incorrect.

Option D: Local preference prioritizes one path—incorrect.

Conclusion: Option B ensures load balancing.

Oracle states:

"For load balancing over multiple FastConnect circuits, advertise identical prefixes with the same BGP attributes to enable ECMP."This supports Option B. Reference:FastConnect BGP - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Network/Tasks/fastconnect.htm#BGP).

Requirement: Private, IAM-secured access to Object Storage.

Option A: Public subnet with Internet Gateway uses public IPs—violates policy.

Option B: NAT Gateway is for internet access, not private OCI services—incorrect.

Option C: Service Gateway enables private access to Object Storage, paired with IAM for auth—correct.

Option D: Public subnet with firewall still relies on public IPs—incorrect.

Conclusion: Option C meets all requirements.

Oracle states:

"Use a Service Gateway for private access to OCI Object Storage from a private subnet, with IAM policies for authentication and authorization."This supports Option C. Reference:Service Gateway Overview - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Network/Tasks/servicegateway.htm).

Goal: Balance global load balancing with regional WAF protection near users.

Option A: Single WAF in one region creates a bottleneck and increases latency—insufficient.

Option B: GLB distributes globally to regional Load Balancers, each with a WAF, ensuringprotection close to users—correct.

Option C: WAF before GLB centralizes protection, adding latency and a single failure point—incorrect.

Option D: Source IP routing with regional WAFs is less optimal than GLB’s health-based routing—less effective.

Conclusion: Option B optimizes both goals.

Oracle states:

"OCI GLB distributes traffic across regions. Pair with regional Load Balancers and WAFs for localized protection and optimal performance."This supports Option B. Reference:Global Load Balancer Overview - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Balance/Concepts/globalbalance.htm).

Problem:VPN instability during peak hours due to latency and packet loss.

Evaluate Actions:

A:Optimizing IKE/IPSec reduces overhead; improves stability.

B:QoS prioritizes VPN traffic; enhances reliability.

C:Increasing MTU may worsen fragmentation if path MTU isn’t matched; least effective.

D:Dedicated interconnect eliminates internet issues; most effective.

MTU Insight:Raising MTU without path MTU discovery risks more fragmentation, not less.

Conclusion:Increasing MTU is least likely to help.

VPN stability requires addressing network conditions. The Oracle Networking Professional study guide notes, "Adjusting IKE/IPSec parameters or using QoS can stabilize VPN tunnels, while increasing MTU without path MTU alignment may exacerbate fragmentation" (OCI Networking Documentation, Section: VPN Troubleshooting). Dedicated interconnects are ideal, but MTU adjustment is risky here.

Requirements: Secure, reliable, low-latency, bidirectional access with redundancy.

Option A: VPN via DRG is secure but lacks low latency and redundancy—insufficient.

Option B: FastConnect via DRG offers low latency and security but no redundancy—partial fit.

Option C: Public endpoints are insecure and high-latency—incorrect.

Option D: FastConnect for primary low-latency access, VPN as backup for redundancy—correct and most appropriate.

Conclusion: Option D meets all criteria.

Oracle states:

"FastConnect with DRG provides secure, low-latency hybrid connectivity. Add a Site-to-Site VPN for redundancy to ensure reliability."This supports Option D. Reference:Hybrid Cloud Connectivity - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Network/Tasks/hybridcloud.htm).

Goal: Force spoke-to-spoke traffic via a network appliance in hub-and-spoke topology.

Option A: Static routes on DRG to appliance ensure transitive routing—correct.

Option B: Service Gateway is for OCI services—incorrect.

Option C: Internet Gateway is public, not hub-and-spoke—incorrect.

Option D: LPG bypasses the appliance—incorrect.

Conclusion: Option A is necessary.

Oracle notes:

"In a hub-and-spoke topology, configure DRG route tables with static routes to the network appliance’s private IP for transitive routing between spokes."This supports Option A. Reference:Hub-and-Spoke Topology - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Network/Tasks/hubspoke.htm).

Objective: Identify the service for Load Balancer traffic logs.

Option A: Flow Logs capture VCN traffic, not specific to Load Balancer—incorrect.

Option B: Service Logs are generic, not Load Balancer-specific—incorrect.

Option C: Load Balancer Logs provide detailed client and health check data—correct.

Option D: Audit Logs track API actions, not traffic—incorrect.

Conclusion: Load Balancer Logs are the best fit.

Oracle states:

"Load Balancer Logs offer detailed insights into client connections and backend health checks for Network Load Balancers.”This validates Option C. Reference:Load Balancer Logging - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Balance/Tasks/managinglogs.htm).

Requirement: Private communication between VCNs in different OCI regions via DRG.

Option A: LPGs are for same-region VCN peering, not cross-region—incorrect.

Option B: Service Gateways are for OCI service access, not VCN-to-VCN routing—incorrect.

Option C: Attaching both VCNs to a single DRG (via Remote Peering Connections implicitly) and configuring route tables enables cross-region communication over OCI’s backbone. This is the standard approach.

Option D: Internet Gateways use public IPs, which is insecure and not private—incorrect.

Conclusion: Option C is the necessary configuration for DRG-based cross-region connectivity.

Oracle documentation confirms:

"To connect VCNs in different regions, attach each to a DRG using Remote Peering Connections (RPCs). Configure DRG route tables to route traffic between VCN CIDRs."Option C reflects this setup (RPCs are implied). Reference:VCN Peering Overview - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Network/Tasks/remoteVCNpeering.htm).

Goal: Secure, granular access control to ADB from private subnet instances.

Option A: Public endpoint with NSGs exposes ADB to the internet, increasing risk despite NSG restrictions—less secure than private options.

Option B: Service Gateway provides private access to OCI services, but it’s not specific to ADB instances and lacks the instance-level granularity of private endpoints.

Option C: Private ADB endpoint assigns a private IP within the VCN, keeping traffic internal. NSGs allow precise, stateful control to specific instances, offering the most granular security.

Option D: DRG is for external connections (e.g., on-premises), not internal VCN-to-ADB access.

Conclusion: Option C provides the most secure and granular control.

Oracle documentation notes:

"Private endpoints for Autonomous Database provide a private IP within your VCN, ensuring traffic stays off the public internet. Use NSGs for fine-grained access control to specific instances."This supports Option C. Reference:Autonomous Database Networking - Oracle Help Center(docs.oracle.com/en-us/iaas/Content/Database/Tasks/adbconnecting.htm).