Q: 2
You are designing a multi-tier application within an OCI Virtual Cloud Network (VCN). The application
comprises a public-facing web tier in one subnet, an application tier in another, and a database tier
in a third. For security reasons, you want to ensure that only the application tier can initiate
connections to the database tier. The web tier needs to be able to communicate with the application
tier, but not directly with the database tier. You are using private IP addresses within your VCN.
Which procedural step is MOST effective to achieve this network isolation?
Options
Discussion
Gotta go with C here. Security lists per subnet are the OCI standard for isolating tiers, way simpler than messing with routing or one big NSG. Pretty sure that's what Oracle wants.
C. That's what I've seen recommended for subnet isolation. No need for routing tricks if security lists are tight enough.
Honestly kinda lost on this one, but I'll go with C. Someone back me up?
D imo
It's D
Probably C, NSGs in A sound tempting but Oracle exams favor security lists for subnet-level granularity. B is a trap since it lumps them together.
C/D? I get why some pick D for 'defense in depth,' but with OCI VCNs, security lists (C) already block direct web-to-db access. Routing changes in D feel extra unless you want to enforce pathing. Pretty sure C is best here but open to debate.
Why add route table changes if security lists alone isolate tiers? D looks like a trap for most effective.
Nah, it's not D. C is what Oracle usually wants on these since routing changes add unneeded steps here. D looks tempting but it's a trap.
C, no other config needed for VCN internal isolation.
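Added example, not part of the question or of any reply above (the answer options are not shown on this page, so this does not pick one): a small Python model of how stateful OCI security lists decide whether a new connection is allowed. The CIDRs, ports and host addresses are constructed assumptions; the rule evaluation mirrors security-list semantics (a new connection needs an egress match on the source subnet's list and an ingress match on the destination subnet's list, after which replies flow without a rule). It contrasts a tight rule set with the common mistake of admitting the whole VCN CIDR on the database port while leaving the default egress-all rule on the web subnet.

```python
import ipaddress
from dataclasses import dataclass

# Constructed VCN layout for the three tiers (an assumption; the question gives no CIDRs).
VCN = ipaddress.ip_network("10.0.0.0/16")
SUBNETS = {
    "web": ipaddress.ip_network("10.0.1.0/24"),
    "app": ipaddress.ip_network("10.0.2.0/24"),
    "db":  ipaddress.ip_network("10.0.3.0/24"),
}
TCP = "6"  # OCI security-list rules name the protocol by its IANA number


@dataclass(frozen=True)
class Rule:
    """One rule: a CIDR (source for ingress, destination for egress) plus a TCP destination port range."""
    protocol: str
    cidr: str
    port_min: int = 1
    port_max: int = 65535

    def matches(self, peer_ip, proto, dst_port):
        if self.protocol not in ("all", proto):
            return False
        if peer_ip not in ipaddress.ip_network(self.cidr):
            return False
        return self.port_min <= dst_port <= self.port_max


@dataclass(frozen=True)
class SecurityList:
    ingress: tuple
    egress: tuple


# Tight lists: each tier may only open connections to the tier directly below it.
TIGHT = {
    "web": SecurityList(ingress=(Rule(TCP, "0.0.0.0/0", 443, 443),),
                        egress=(Rule(TCP, "10.0.2.0/24", 8080, 8080),)),
    "app": SecurityList(ingress=(Rule(TCP, "10.0.1.0/24", 8080, 8080),),
                        egress=(Rule(TCP, "10.0.3.0/24", 1521, 1521),)),
    "db":  SecurityList(ingress=(Rule(TCP, "10.0.2.0/24", 1521, 1521),),
                        egress=()),  # db never initiates; stateful rules still carry replies
}

# Loose lists: db admits the whole VCN on 1521 and web keeps the default egress-all rule,
# so the web tier can reach the database directly.
LOOSE = dict(TIGHT)
LOOSE["web"] = SecurityList(ingress=TIGHT["web"].ingress,
                            egress=(Rule("all", "0.0.0.0/0"),))
LOOSE["db"] = SecurityList(ingress=(Rule(TCP, str(VCN), 1521, 1521),), egress=())


def subnet_of(ip):
    return next((name for name, net in SUBNETS.items() if ip in net), None)


def flow_allowed(src_ip, dst_ip, dst_port, lists=TIGHT, proto=TCP):
    """Can src_ip open a new connection to dst_ip:dst_port under these security lists?
    Traffic arriving from outside the VCN has no source-subnet list to pass; traffic to
    an address outside the VCN has no destination list here, so it is denied by this model."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    s, d = subnet_of(src), subnet_of(dst)
    egress_ok = s is None or any(r.matches(dst, proto, dst_port) for r in lists[s].egress)
    ingress_ok = d is not None and any(r.matches(src, proto, dst_port) for r in lists[d].ingress)
    return egress_ok and ingress_ok


# Constructed sample hosts, one per tier plus an external client.
HOSTS = {"internet": "203.0.113.5", "web": "10.0.1.10", "app": "10.0.2.10", "db": "10.0.3.10"}
SERVICE_PORTS = {"web": 443, "app": 8080, "db": 1521}


def reachability(lists=TIGHT):
    """Which (initiator, target) pairs can open a connection to the target's service port."""
    return {(s, t): flow_allowed(HOSTS[s], HOSTS[t], SERVICE_PORTS[t], lists)
            for s in HOSTS for t in SERVICE_PORTS if s != t}


def isolation_holds(lists=TIGHT):
    """The question's requirement: only app may initiate to db; web reaches app but not db."""
    r = reachability(lists)
    return (r[("app", "db")] and r[("web", "app")]
            and not r[("web", "db")] and not r[("internet", "db")])


if __name__ == "__main__":
    for lists, name in ((TIGHT, "tight"), (LOOSE, "loose")):
        print(f"{name}: isolation holds = {isolation_holds(lists)}")
        for (s, t), ok in sorted(reachability(lists).items()):
            print(f"  {s:>8} -> {t}:{SERVICE_PORTS[t]}  {'allow' if ok else 'deny'}")
```

The model covers security lists only. If NSGs are also attached to the VNICs, OCI applies the union of the security-list rules and the NSG rules, so a permissive rule in either one reopens the path; check both when auditing a design like this.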